Introduction
WireGuard is a fast and secure alternative to other VPN software such as IPSec and OpenVPN. The benefit of WireGuard is that it is multithreaded and built into the kernel, meaning you can achieve symmetrical throughputs of 1 Gbps even on lower end boxes. The server is very lightweight and easy to set up. There are clients for most operating systems including Windows.
Some other benefits include being able to run internal services such as SSH, FTP, and remote desktop on the VPN IP instead of the main IP of the server, which reduces the possible attack vectors. You can also tunnel part or all of your internet traffic over WireGuard and easily achieve speeds of over 1 Gbps. If you are behind NAT and cannot port forward, a simple WireGuard server on a low end VPS is a good way to allow servers running on your computer to be accessible from the internet.
This tutorial will focus on installing WireGuard on a Debian server.
- Public IP of your server (example): 203.0.113.1 – replace with your own IP.
- Subnet for the WireGuard tunnel: 10.0.0.0/24
Step 1 – Installation
Connect to your server via SSH, then run:
sudo apt update && sudo apt install wireguard
wg --versionStep 2 – Server configuration
This guide assumes one server with a single client. For more clients, add another peer to wg0.conf and repeat the client steps.
Generate the server's public and private keys (the public key will be printed):
wg genkey | sudo tee /etc/wireguard/wg-private.key | wg pubkey | sudo tee /etc/wireguard/wg-public.keyRetrieve keys later with sudo cat /etc/wireguard/wg-private.key and wg-public.key.
Create and edit /etc/wireguard/wg0.conf. Here, 203.0.113.1 is the server's public IPv4, 10.0.0.1 the VPN server IP, 10.0.0.2 the client. Use 10.0.0.3, etc. for more clients within 10.0.0.0/24.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = PRIVATE KEY YOU GENERATED GOES HERE
[Peer]
PublicKey = NOTHING GOES HERE YET
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25- Address: Private VPN IP of the server; /24 means 10.0.0.1–10.0.0.254.
- ListenPort: Server listening port (e.g. 51820); must be opened in the firewall.
- PrivateKey: Server private key; the public key is given to clients.
- AllowedIPs (peer): Subnet/IP for clients; restrict as needed.
- PersistentKeepalive: Keeps the connection alive (e.g. every 25 seconds).
Step 3 – Client configuration
On the client: On Linux repeat step 1 and 2 up to configuration; on Windows/Android install the WireGuard client – it can generate a key pair when adding a tunnel. Add the client's public key to the server's /etc/wireguard/wg0.conf in the peer's PublicKey field.
Example client config (only VPN traffic 10.0.0.0/24, not full internet). Replace 203.0.113.1 with your server IP:
[Interface]
Address = 10.0.0.2/24
PrivateKey = PRIVATE KEY OF CLIENT GOES HERE
[Peer]
PublicKey = PUBLIC KEY OF SERVER GOES HERE
AllowedIPs = 10.0.0.0/24
Endpoint = 203.0.113.1:51820
PersistentKeepalive = 25Example tunnelling all traffic through the server, with IPv6:
[Interface]
DNS = 8.8.8.8
Address = 10.0.0.2/24, 2a01:4f8:1234::2/128
PrivateKey = PRIVATE KEY OF CLIENT GOES HERE
[Peer]
PublicKey = PUBLIC KEY OF SERVER GOES HERE
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.1:51820
PersistentKeepalive = 25Remove IPv6 addresses if you do not want IPv6. For IPv6, add the client's IPv6 to the server peer's AllowedIPs.
Step 4 – Routing all your traffic through VPN
For AllowedIPs = 0.0.0.0/0 you need IP forwarding and NAT on the server.
sudo sysctl net.ipv4.ip_forward=1To make it persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
Add these iptables rules (replace enp1s0 with your main interface, 203.0.113.1 with your server IP):
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j SNAT --to-source 203.0.113.1
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADETo save rules across reboots: sudo apt install iptables-persistent, then sudo iptables-save -f /etc/iptables/rules.v4.
Step 5 – Port forwarding (optional)
Example: make a TCP service on VPN client 10.0.0.2:48000 accessible at 203.0.113.1:45000. enp1s0 = main interface, 203.0.113.1 = server IP:
sudo iptables -t nat -A PREROUTING -d 203.0.113.1/32 -i enp1s0 -p tcp -m tcp --dport 45000 -j DNAT --to-destination 10.0.0.2:48000An nginx reverse proxy with proxy_pass is an alternative.
Step 6 – Start the server
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0Check status with sudo wg. If the client connected you will see "latest handshake" and "transfer". Ping test: ping 10.0.0.1. To restrict services to VPN only, bind them to 10.0.0.1 or limit access to 10.0.0.0/24 (e.g. sshd AllowUsers [email protected].*). Always keep one access path open to avoid locking yourself out.
Step 7 – Reloading configuration
sudo systemctl restart wg-quick@wg0Optional – reload without disrupting active sessions: sudo wg syncconf wg0 <(wg-quick strip wg0) (as root).
Step 8 – Troubleshooting
- Can you connect to the server at all? (Ping, port 51820 open?)
- Connected but no internet with 0.0.0.0/0? (Check IP forwarding, NAT/iptables.)
- Can't ping a Windows client? (Firewall, AllowedIPs.)
- Slow speeds? (CPU, network, MTU.)
- Can't access a service at https://10.0.0.1:PORT? (Bind address, firewall.)
- As a client, can't access something on another client? (Routing, AllowedIPs.)
Conclusion
By now you should have a working WireGuard VPN server on Debian. For hosting or VPN server questions: Open a support ticket with MagicHosting.
Was this post helpful?
MagicHosting – Hosting with real value
Hosting pays off with MagicHosting: fair pricing, current deals and reliable operation from Frankfurt. We offer servers, domains and personal support – no hidden costs.
- Current special sales with discounts on servers and packages
- Affordable domains with transparent pricing and great offers
- Powerful DDoS protection for maximum availability
- Personal support when you have questions or issues