WireGuard VPN Setup for Debian 13
Overview
Personal WireGuard VPN server with IPv4/IPv6 support, client management via /etc/wireguard/peer.d/, designed for 1 CPU / 1GB RAM VPS.
Configuration
- Server Domain: velkhana.calmcacil.dev
- Port: 51820
- VPN IPv4 Range: 10.10.69.0/24
- VPN IPv6 Range: fd69:dead:beef:69::/64
- DNS: 8.8.8.8, 8.8.4.4 (Google); this is the DNS= line handed to clients, so their name lookups leave through the tunnel to Google rather than to a local resolver
- Server-side peer configs: /etc/wireguard/peer.d/*.conf (loaded dynamically)
- Client-side configs: /etc/wireguard/clients/*.conf (for distribution)
Installation
1. Upload files to VPS
scp install-wireguard.sh wg-client-manager calmcacil@velkhana.calmcacil.dev:~/
2. Run installation
chmod +x ~/install-wireguard.sh ~/wg-client-manager
sudo ~/install-wireguard.sh
3. Install client manager
sudo mv ~/wg-client-manager /usr/local/sbin/
sudo chmod +x /usr/local/sbin/wg-client-manager
Usage
Dynamic client loading
WireGuard automatically loads clients from /etc/wireguard/peer.d/:
- Add/remove client configs in /etc/wireguard/peer.d/*.conf
- Run sudo /usr/local/sbin/wg-load-clients to reload
- Changes are applied immediately without restarting
Add a new client
sudo /usr/local/sbin/wg-client-manager add myphone
This creates:
- Server config in /etc/wireguard/peer.d/myphone.conf
- Client config in /etc/wireguard/clients/myphone.conf
- QR code in /etc/wireguard/clients/myphone.qr
List all clients
sudo /usr/local/sbin/wg-client-manager list
Show client config
sudo /usr/local/sbin/wg-client-manager show myphone
Show QR code
sudo /usr/local/sbin/wg-client-manager qr myphone
Remove a client
sudo /usr/local/sbin/wg-client-manager remove myphone
Server Management
Check WireGuard status
sudo wg show
Check service status
sudo systemctl status wg-quick@wg0
Restart WireGuard
sudo systemctl restart wg-quick@wg0
Reload clients (automatic on add/remove)
sudo /usr/local/sbin/wg-load-clients
Firewall management
The setup configures nftables with:
- Dual-stack IPv4/IPv6 support in a single ruleset
- Default drop incoming, accept outgoing
- SSH access allowed (port 22)
- WireGuard allowed (UDP 51820)
- Forwarding from wg0 interface allowed
- NAT masquerade for VPN internet access
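The ruleset described above, written out as one inet (dual-stack) nftables table. This is an added example, not the repo's install script or its nftables-firewall helper: the interface name wg0, the ports and the two prefixes come from this README; accepting ICMPv6 neighbour discovery and echo in the input chain is this example's own addition, because a default-drop input chain that silently eats neighbour solicitations breaks IPv6 on the VPS itself.

```shell
#!/bin/sh
# Added example, not the repo's code: render the dual-stack nftables ruleset
# this README describes. wg0, 22/tcp, 51820/udp and the VPN prefixes are from
# the README; the ICMPv6 neighbour-discovery accept is this example's addition.
set -eu

WG_IF="wg0"
WG_PORT=51820
SSH_PORT=22
V4_NET="10.10.69.0/24"
V6_NET="fd69:dead:beef:69::/64"

# Print the ruleset. Load it with `render_ruleset | nft -f -`,
# or only syntax-check it with `render_ruleset | nft -c -f -`.
render_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        tcp dport $SSH_PORT accept
        udp dport $WG_PORT accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$WG_IF" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname != "$WG_IF" ip saddr $V4_NET masquerade
        oifname != "$WG_IF" ip6 saddr $V6_NET masquerade
    }
}
EOF
}

# Number of rendered lines containing a given rule fragment (self-check helper).
rule_count() { render_ruleset | grep -c "$1"; }

case "${1:-}" in
    check) render_ruleset | nft -c -f - && echo "ruleset parses" ;;
    load)  render_ruleset | nft -f - ;;
esac
```

Run `sh firewall.sh check` on the VPS to have nft parse the ruleset without installing it, then `load` to apply it; `sudo nft list ruleset` afterwards should show both masquerade rules under table inet nat. A `nftables-firewall allow 80/tcp` in this layout is one more `tcp dport 80 accept` line in the input chain, nothing in forward or nat.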
View firewall rules:
sudo nft list ruleset
Enable/disable firewall:
sudo nftables-firewall disable
sudo nftables-firewall enable
Allow additional ports if needed:
sudo nftables-firewall allow 80/tcp # HTTP
sudo nftables-firewall allow 443/tcp # HTTPS
Manual Client Configuration
To manually add a client, create a file in /etc/wireguard/peer.d/ (one peer per file, and give each peer its own unused /32 and /128: AllowedIPs is WireGuard's cryptokey routing table, so an address listed for a second peer is moved away from the first one):
[Peer]
# mydevice
PublicKey = <client_public_key>
AllowedIPs = 10.10.69.2/32, fd69:dead:beef:69::2/128
Then run:
sudo /usr/local/sbin/wg-load-clients
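What the manual steps above and wg-client-manager add amount to, as a worked example. This is added code and not the repo's wg-client-manager or wg-load-clients: it picks the next unused host number by scanning the AllowedIPs lines already in peer.d, renders the server-side [Peer] fragment and the client config, and live-adds the peer with `wg addconf`. Paths, ranges, endpoint and DNS servers come from this README; the PresharedKey line, the `wg addconf`/`wg set ... remove` loading strategy and the 0600 file mode are this example's choices.

```shell
#!/bin/sh
# Added example, not the repo's wg-client-manager: allocate the next free VPN
# address, render the two config files, and load the peer without a restart.
# Paths, ranges and endpoint are from the README; PresharedKey and the wg(8)
# subcommands used for loading are this example's choice.
set -eu

PEER_DIR="${PEER_DIR:-/etc/wireguard/peer.d}"
CLIENT_DIR="${CLIENT_DIR:-/etc/wireguard/clients}"
V4_PREFIX="10.10.69"              # 10.10.69.0/24, server is .1
V6_PREFIX="fd69:dead:beef:69:"    # fd69:dead:beef:69::/64, server is ::1
ENDPOINT="velkhana.calmcacil.dev:51820"
DNS_SERVERS="8.8.8.8, 8.8.4.4"

# Lowest IPv4 host number in 2..254 not claimed by an AllowedIPs line in
# "$1"/*.conf. The same number is reused as the IPv6 host part.
next_free_host() {
    used=" "
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        n=$(sed -n "s/^AllowedIPs *= *${V4_PREFIX}\.\([0-9]\{1,3\}\)\/32.*/\1/p" "$f" | tr '\n' ' ')
        used="$used$n"
    done
    h=2
    while [ "$h" -le 254 ]; do
        case "$used" in
            *" $h "*) h=$((h + 1)) ;;
            *) echo "$h"; return 0 ;;
        esac
    done
    echo "no free address left in ${V4_PREFIX}.0/24" >&2
    return 1
}

# Server-side fragment for peer.d: name pubkey host [psk]
render_peer_block() {
    printf '[Peer]\n# %s\nPublicKey = %s\n' "$1" "$2"
    if [ -n "${4:-}" ]; then printf 'PresharedKey = %s\n' "$4"; fi
    printf 'AllowedIPs = %s.%s/32, %s:%s/128\n' "$V4_PREFIX" "$3" "$V6_PREFIX" "$3"
}

# Client-side config for distribution: privkey server_pubkey host [psk]
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\n' "$1"
    printf 'Address = %s.%s/24, %s:%s/64\n' "$V4_PREFIX" "$3" "$V6_PREFIX" "$3"
    printf 'DNS = %s\n\n[Peer]\nPublicKey = %s\n' "$DNS_SERVERS" "$2"
    if [ -n "${4:-}" ]; then printf 'PresharedKey = %s\n' "$4"; fi
    printf 'Endpoint = %s\nAllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n' "$ENDPOINT"
}

# Generate keys, write both files with mode 0600, and add the peer live.
add_client() {
    name="$1"
    case "$name" in *[!A-Za-z0-9_-]*|"") echo "bad client name" >&2; return 1 ;; esac
    [ -e "$PEER_DIR/$name.conf" ] && { echo "client $name already exists" >&2; return 1; }
    umask 077                         # both files hold private key material
    host=$(next_free_host "$PEER_DIR")
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    psk=$(wg genpsk)
    spub=$(wg show wg0 public-key)
    render_peer_block "$name" "$pub" "$host" "$psk" > "$PEER_DIR/$name.conf"
    render_client_conf "$priv" "$spub" "$host" "$psk" > "$CLIENT_DIR/$name.conf"
    wg addconf wg0 "$PEER_DIR/$name.conf"    # applied immediately, no restart
    echo "added $name as ${V4_PREFIX}.${host} / ${V6_PREFIX}:${host}"
}

case "${1:-}" in
    add) add_client "${2:?client name required}" ;;
esac
```

Run as `sudo sh add-client.sh add myphone`. Removing a peer is the reverse: `wg set wg0 peer <client_public_key> remove` plus deleting the two files; `wg addconf` alone never removes anything, so a loader that should also drop deleted fragments has to diff against `wg show wg0 peers` or use `wg syncconf`. After the client connects, `sudo wg show wg0 latest-handshakes` is the quickest way to tell a key or firewall problem (no handshake) from a routing or NAT problem (handshake present, no traffic).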
Client Setup
Importing the config
- Desktop: Import /etc/wireguard/clients/<name>.conf into the WireGuard app
- Mobile: Scan the QR code with the WireGuard app, or import the config file
Test connectivity
# On client
ping 10.10.69.1
ping -6 fd69:dead:beef:69::1
# Check your IP
curl -4 https://ifconfig.me
curl -6 https://ifconfig.me
Troubleshooting
Check firewall
sudo nft list ruleset
Check IP forwarding
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding
View logs
sudo journalctl -u wg-quick@wg0 -f
Check client directory
ls -la /etc/wireguard/peer.d/
Manual reload if needed
sudo /usr/local/sbin/wg-load-clients
Notes
- /etc/wireguard/peer.d/ - Server-side peer configs, loaded automatically by wg-load-clients
- /etc/wireguard/clients/ - Client-side configs (import to WireGuard apps) and QR codes
- Clients are automatically reloaded when added/removed
- IPv4 and IPv6 NAT are configured (MASQUERADE)
- nftables firewall is configured with dual-stack IPv4/IPv6 support
- Single nftables ruleset handles both IPv4 and IPv6
- SSH (port 22) and WireGuard (UDP 51820) are allowed by default
- PersistentKeepalive is set to 25 seconds in the generated configs, which keeps NAT and stateful-firewall mappings open while a client is idle
- The server private key is stored in /etc/wireguard/server_private.key; keep it root-owned with mode 0600, and treat /etc/wireguard/clients/*.conf the same way, since each client config embeds that client's private key
- The server public key is displayed after installation
- Use the nftables-firewall script for easy firewall management