WireGuard Installation (Debian 11) – Modern, Secure and Fast VPN Guide
WireGuard is a VPN technology that works on both IPv4 and IPv6 and offers high speed and security with its modern design. In this guide, you will install a WireGuard server on Debian 11, configure IPv4/IPv6 and manage client connections.
📝 What Will You Learn in This Guide?
- WireGuard installation
- Creating key pairs
- Specifying IPv4/IPv6 address blocks
- NAT and forwarding settings
- Client (peer) configuration
- Management of the tunnel
🚀 WireGuard Installation Steps
1. Install WireGuard
📌 These commands update the package list and install WireGuard on your system
sudo apt update
sudo apt install wireguard
2. Generate Server Keys
🔐 Generate Private Key
📌 Creates the private key of the server and makes it readable only by root.
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
🔑 Generate Public Key
📌 Generates the public key derived from the private key; this is the key given to clients.
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
3. Determine VPN IP Ranges
📌 These IP blocks become your virtual network in the WireGuard tunnel.
IPv4: 10.8.0.0/24
Server: 10.8.0.1/24
Client: 10.8.0.2/24
IPv6: fd24:609a:6c18::/64
Server: fd24:609a:6c18::1/64
4. Create the Server Configuration File
📌 This is the main configuration file containing WireGuard tunnel interface settings.
sudo nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = SUNUCU_PRIVATE_KEY
Address = 10.8.0.1/24, fd24:609a:6c18::1/64
ListenPort = 51820
SaveConfig = true
5. Turn on IP Forwarding
📌 Required so that the server can forward client traffic to the internet.
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Load changes:
📌 Activates the new forwarding values.
sudo sysctl -p
6. NAT Masquerading and Firewall Settings
Find the network interface
📌 Shows the name of the server's internet-facing physical interface (for example eth0 or ens3).
ip route list default
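Add NAT rules in wg0.conf
📌 These rules route client traffic to the internet through the server's IP. If the previous command showed an interface name other than eth0, use that name in the rules below.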
sudo nano /etc/wireguard/wg0.conf
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Port Opening
📌 Allows access for the VPN (51820/udp) and SSH.
sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
7. Start WireGuard Service
📌 Runs the WireGuard tunnel as a systemd service.
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service
8. Generate Peer (Client) Keys
📌 Generates a new private/public key pair for the client. Run these commands on the client machine; they use the same file paths as the server's keys.
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
9. Prepare the Client Configuration File
📌 Creates the wg0.conf file on the client side.
sudo nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = PEER_PRIVATE_KEY
Address = 10.8.0.2/24, fd24:609a:6c18::2/64
DNS = 67.207.67.2
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER_PUBLIC_IP:51820
PersistentKeepalive = 25
📌 AllowedIPs Description:
0.0.0.0/0, ::/0 → all traffic goes through the VPN
10.8.0.0/24 → access to in-VPN devices only
📌 PersistentKeepalive Description: Prevents the connection from dropping behind NAT. It is especially important on mobile devices.
10. Add Peer (Client) to Server
📌 Introduces the client's public key to the server.
sudo wg set wg0 peer PEER_PUBLIC_KEY allowed-ips 10.8.0.2,fd24:609a:6c18::2
View status:
sudo wg
11. Start Client Connection
📌 Activates the WireGuard tunnel on the client side.
sudo wg-quick up wg0
To close the connection:
sudo wg-quick down wg0
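As an added example (not part of the original guide): on the server, a peer's AllowedIPs decides which tunnel addresses that peer may send from and receive traffic for, so the [Peer] entries created in step 10 are worth checking as more clients are added. The Python code below audits a constructed server config; the function names and the PEER_A/B/C placeholders are assumptions, and it assumes this guide's layout, where each client owns single addresses inside 10.8.0.0/24 and fd24:609a:6c18::/64.

```python
import ipaddress

# Constructed sample server wg0.conf; keys are placeholders, peers B and C are misconfigured.
SAMPLE_CONF = """
[Interface]
Address = 10.8.0.1/24, fd24:609a:6c18::1/64
[Peer]
PublicKey = PEER_A_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32, fd24:609a:6c18::2/128
[Peer]
PublicKey = PEER_B_PUBLIC_KEY
AllowedIPs = 10.8.0.0/24
[Peer]
PublicKey = PEER_C_PUBLIC_KEY
AllowedIPs = 192.168.1.10/32
"""

def parse_sections(text):
    """Split a wg-quick style file into (section, {key: [values]}) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            items = [v.strip() for v in value.split(",") if v.strip()]
            sections[-1][1].setdefault(key.strip().lower(), []).extend(items)
    return sections

def audit_peers(text):
    """Return (public_key, problem) findings for the [Peer] blocks of a server config."""
    sections = parse_sections(text)
    tunnel = [ipaddress.ip_interface(a).network for name, kv in sections
              if name == "interface" for a in kv.get("address", [])]
    findings, seen = [], []
    for kv in [kv for name, kv in sections if name == "peer"]:
        key = kv.get("publickey", ["<no key>"])[0]
        for entry in kv.get("allowedips", []):
            net = ipaddress.ip_network(entry, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append((key, f"{net} is wider than a single host"))
            if not any(net.version == t.version and net.subnet_of(t) for t in tunnel):
                findings.append((key, f"{net} is outside the tunnel subnets"))
            for other_key, other in seen:
                if other_key != key and other.version == net.version and net.overlaps(other):
                    findings.append((key, f"{net} overlaps {other} ({other_key})"))
            seen.append((key, net))
    return findings
```

Calling audit_peers(SAMPLE_CONF) returns three findings: two for peer B (a /24 range that also overlaps peer A's address) and one for peer C (an address outside the tunnel subnets).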
❓ Frequently Asked Questions (FAQ)
1. Why is WireGuard faster than OpenVPN?
It operates at the kernel level and uses a more modern cryptography set.
2. Why is AllowedIPs important?
It determines which traffic passes through the VPN. An incorrect value may interrupt your internet access.
3. What does PersistentKeepalive do?
It prevents the connection of clients behind NAT from being closed.
4. How to add a new client?
Create a new key → Add it to the server → Restart the service.
5. How do I block a client?
Just delete the [Peer] block on the server and restart the service.
🎉 Conclusion
You have installed a fast, modern and completely secure WireGuard VPN on Debian 11. You have a VPN that supports IPv4 + IPv6, has NAT configuration and is compatible with mobile devices.
You can create an instance on GenixNode and start using it immediately.

