About WireGuard

WireGuard is an extremely simple, fast and modern VPN that uses state-of-the-art cryptography. It can be a useful replacement for IPsec or OpenVPN.

Official website: https://www.wireguard.io/

Installation on Debian

WireGuard is packaged in unstable as wireguard-dkms (the kernel module) and wireguard-tools (the wg and wg-quick utilities).

The packages also work on jessie and stretch; follow the instructions at https://www.wireguard.io/install/

Configuration on Debian

The following configuration examples use /etc/network/interfaces as much as possible. Alternatives include using wg-quick directly or through a systemd service (see the quickstart and man wg-quick). For a server, however, configuration based on /etc/network/interfaces is often the preferred way.

To generate a key pair, use the following (run it with a restrictive umask, e.g. umask 077, so that wg-private.key is not readable by other users):

wg genkey | tee wg-private.key | wg pubkey > wg-public.key

Point-to-point tunnel

This example builds a simple point-to-point tunnel between two machines.

# /etc/network/interfaces
auto wg-p2p
iface wg-p2p inet static
        address 10.88.88.1
        netmask 255.255.255.0
        pre-up ip link add $IFACE type wireguard
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
        post-down ip link del $IFACE
iface wg-p2p inet6 static
        address 2001:db8:1234:5678::1
        netmask 64

# /etc/wireguard/wg-p2p.conf
[Interface]
PrivateKey = XXX
ListenPort = YYYY

[Peer]
Endpoint = <remote IP>:<remote port>
PublicKey = ZZZ
AllowedIPs = 0.0.0.0/0, ::/0

You can then add routes through the tunnel, either statically or dynamically (e.g. with OSPF or BGP). For static routes on the wg-p2p interface defined above:

# ip route add 2001:db8:4242::/48 dev wg-p2p
# ip route add 192.168.42.0/24 dev wg-p2p

VPN client with default route

This allows a "client" to connect to a server and redirect its default route through the tunnel. This example uses wg-quick; make sure you understand what it does to your routing tables (see man wg-quick).

# /etc/network/interfaces
auto wg-client
iface wg-client inet static
        address 10.88.88.1
        netmask 255.255.255.0
        pre-up wg-quick up $IFACE
        post-down wg-quick down $IFACE

# /etc/wireguard/wg-client.conf
[Interface]
PrivateKey = XXX
ListenPort = YYYY

[Peer]
Endpoint = <server IP>:<server port>
PublicKey = ZZZ
AllowedIPs = 0.0.0.0/0, ::/0
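Both the point-to-point and the client examples above rely on AllowedIPs being right: WireGuard's cryptokey routing uses it both to pick the peer for outgoing packets and as the list of source addresses it will accept from that peer, and an address listed for two peers ends up belonging to whichever peer was configured last. The following linter is an added example for this page (it is not code from the Debian wiki or from the WireGuard project) that parses a /etc/wireguard/*.conf of the kind fed to wg setconf or wg-quick and reports malformed keys, invalid ports, peers with no AllowedIPs, overlapping AllowedIPs between peers, and a catch-all 0.0.0.0/0 or ::/0 on an interface that has more than one peer. The sample configurations and the keys inside them are constructed placeholders, not real key material; only the Python standard library is needed.

```python
"""Lint a WireGuard .conf of the kind fed to `wg setconf` or `wg-quick`.

Added example for this page; not code from the Debian wiki or the WireGuard
project. Standard library only.
"""
import base64
import ipaddress

KEY_LEN = 32  # Curve25519 keys: 32 raw bytes, 44 base64 characters


def parse_wg_conf(text):
    """Split the INI-like file into the [Interface] dict and a list of peer dicts.

    Key names are case-insensitive (as in wg(8)); '#' starts a comment.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            # Keys never contain '=', so base64 padding stays in the value.
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def valid_key(value):
    """True if value is exactly 32 bytes of standard base64 (a WireGuard key)."""
    try:
        return len(base64.b64decode(value, validate=True)) == KEY_LEN
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def lint_wg_conf(text):
    """Return a list of human-readable findings; an empty list means nothing found."""
    findings = []
    interface, peers = parse_wg_conf(text)

    if not valid_key(interface.get("privatekey", "")):
        findings.append("[Interface] PrivateKey missing or not a 32-byte base64 key")
    port = interface.get("listenport")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"[Interface] ListenPort {port!r} is not a valid UDP port")

    claimed = []  # (network, peer number) for every AllowedIPs entry seen so far
    for n, peer in enumerate(peers, 1):
        if not valid_key(peer.get("publickey", "")):
            findings.append(f"peer {n}: PublicKey missing or malformed")
        try:
            nets = [ipaddress.ip_network(p.strip(), strict=False)
                    for p in peer.get("allowedips", "").split(",") if p.strip()]
        except ValueError as err:
            findings.append(f"peer {n}: bad AllowedIPs ({err})")
            continue
        if not nets:
            findings.append(f"peer {n}: no AllowedIPs, so no packet can be sent to or accepted from it")
        for net in nets:
            if net.prefixlen == 0 and len(peers) > 1:
                findings.append(f"peer {n}: catch-all {net} on a multi-peer interface; "
                                "this peer may use any source address and shadows the other peers")
            for other, m in claimed:
                if m != n and other.version == net.version and (
                        net.subnet_of(other) or other.subnet_of(net)):
                    findings.append(f"peer {n}: AllowedIPs {net} overlaps {other} of peer {m}; "
                                    "wg moves the overlap to whichever peer is configured last")
            claimed.append((net, n))
    return findings


def _placeholder_key(fill):
    """Constructed stand-in for `wg genkey` output (NOT a usable key)."""
    return base64.b64encode(bytes([fill]) * KEY_LEN).decode()


# Constructed sample 1: the point-to-point peer from this page with keys filled in.
P2P_CONF = f"""\
[Interface]
PrivateKey = {_placeholder_key(1)}
ListenPort = 51820

[Peer]
Endpoint = 192.0.2.10:51820
PublicKey = {_placeholder_key(2)}
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Constructed sample 2: a hub with two clients where the second peer's /24
# swallows the first peer's /32, and the private key is still the page's XXX.
HUB_CONF = f"""\
[Interface]
PrivateKey = XXX
ListenPort = 51820

[Peer]
PublicKey = {_placeholder_key(3)}
AllowedIPs = 10.88.88.2/32

[Peer]
PublicKey = {_placeholder_key(4)}
AllowedIPs = 10.88.88.0/24
"""

if __name__ == "__main__":
    for name, conf in (("p2p", P2P_CONF), ("hub", HUB_CONF)):
        print(name, lint_wg_conf(conf) or "OK")
```

A single-peer interface with AllowedIPs = 0.0.0.0/0, ::/0 (the two setups on this page) passes cleanly, since there is no other peer to shadow; the hub sample is reported for its placeholder PrivateKey and for the /24 that overlaps the first client's /32. Run the script before `ifup` on any server that carries more than one peer.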