Sep 26, 2023 7 min read

How to Configure WireGuard VPN on Debian 11

Configure WireGuard VPN on Debian 11 with our step-by-step tutorial. A modern, secure VPN protocol known for simplicity and efficiency.

Configure WireGuard VPN on Debian 11
Table of Contents

Choose a different version or distribution


Before we start talking on how to configure WireGuard VPN on Debian 11, let's briefly understand - What is WireGuard?

WireGuard is a free and open-source VPN that employs innovative cryptography. VPN represents Virtual Private Network. It is a modern and highly efficient VPN (Virtual Private Network) protocol known for its simplicity and security.

It provides a secure connection between two or more devices over the internet, offering privacy and data protection.

This tutorial will guide you through setting up a WireGuard VPN on Debian 11, enabling you to create your own private network.

Step1: Installing WireGuard on Debian 11

First, let's install the WireGuard VPN. Repositories for back ports can be used to install it. The command that follows will allow us to add it to our system:

echo 'deb buster-backports main' | sudo tee /etc/apt/sources.list.d/buster-backports.list

Update our apt-cache now that the repository has been activated. To accomplish this, execute the following command:

sudo apt update

We must install the WireGuard module and tools after updating. To accomplish this, enter or copy the following command:

sudo apt install wireguard

It should be noted that WireGuard functions as a kernel module.

Step2: WireGuard Configuration

Let's configure WireGuard now that it has been installed on Debian 11. WireGuard may be managed and configured with the help of the wg and wg-quick commands.

As we stated in the beginning, every device in the WireGuard VPN network has a public and private key. The following command must be run in order to produce a key pair for this purpose:

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Once you have executed the above command, you will be able to see the key as seen in the screenshot. The /etc/wireguard directory is where the key pair files were created. In Debian 11, we can use the cat or less commands to see file content.

Note that the private key is confidential and must never be disclosed to anybody.

The pre-shared key is another key that WireGuard supports. This key's purpose is to provide an additional layer of symmetric key cryptography. It should be noted that this key is absolutely optional. Additionally, each peer pair's unique key should be used.

Configuring the tunnel device is the next stage in the WireGuard configuration process. Our VPN traffic will be able to be routed through the tunnel device. Let's configure our device using the command line interface for this purpose.

We'll launch the editor and make an entirely new file called wg0.conf. We must use a text editor to create the configuration. To launch the editor and start a new file, enter the following command:

sudo nano /etc/wireguard/wg0.conf

Add the following to your open editor:

Address =
SaveConfig = true
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE

Replace SERVER_PRIVATE_KEY with your server private key.

Press CTRL+S to save the file and CTRL+X to close it after that.

Before proceeding, it is critical that you replace the SERVER_PRIVATE_KEY in the above code with your private key. The following command will generate a private key for you:

umask 077 /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey

You can use the command below to view the private key:

sudo cat /etc/wireguard/privatekey

Remember that the public network interface needs to be substituted for enp0s3, which is found after the Postrouting, in the above commands. You can use the following command to locate your public interface:

ip -o -4 route show to default | awk '{print $5}'

Using the properties in the config file, we must activate the wg0 interface after you have finished editing the file in the editor. To accomplish this, execute the following command:

sudo wg-quick up wg0

The output will appear as follows:

With the following command, we can view the settings and the interface state:

sudo wg show wg0

WireGuard must be brought up at boot time as the final configuration step. This is due to the fact that WireGuard can be controlled by systemd. Enter the command as follows:

sudo systemctl enable wg-quick@wg0

Step3: Server Networking and Configuration of Firewall

Networking and firewall configuration are done in this step. You must first turn on IP forwarding for NAT to function. To accomplish this, execute the following command:

sudo nano /etc/sysctl.conf

The sysctl.conf file will be opened as a result. The following line has to be added to that file:


After inserting the aforementioned line, save the document by clicking CTRL+S, and then press CTRL+X to exit the document.

In the terminal after that, enter the following command:

sudo sysctl -p

The last step is to manage our firewall. Port 51820 must be made available for UDP traffic. Only if one is utilizing the UFW, though. To accomplish this, execute the following command:

sudo ufw allow 51820/udp

Congratulations! The Debian peer has been set up effectively. Now it will function as a server.

Step 4: Setup of Windows Client

We now need to set up a client after configuring the server. We'll select windows for this purpose. Install the MSI package for the window in your browser by clicking the following link:

Click "Add Tunnel" in the bottom left corner after installing the downloaded file.

Then a drop-down menu will appear. Select "Add empty tunnel" from the menu. When finished, the following screen will appear:

Here, add the following lines to the file:

Address =

Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs =

It's important to keep in mind that you must enter both your private key and the server you built, which is a public key, in the respective fields. Additionally, you need to include the server IP address in place of the "Server_IP_ADDRESS" keyword. Set the name after that, then click "Save."

Step 5: Client Peer and Server Connection

The client and server are added in Step 5. The second-to-last step is when we connect the client's public key and IP address to the server. Run the following command on your Debian 11 server once more:

sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips

Change the public key with your client's public key. The client public key is located in the Window WireGuard application.

Once you have completed the previous steps, open the Windows WireGuard App on your client machine.

Step 6: Windows Client

You only need to click the "Activate" in the WireGuard App tunnel button in the final step to complete it.

The status of the tunnel will automatically change to Active after you click the activate button. And with that, we're done. Congratulations!

FAQs on Configuring WireGuard VPN on Debian 11

What are the requirements for setting up WireGuard on Debian 11?

To set up WireGuard on Debian 11, you need a Debian 11 system with root access, a public IP address, and basic knowledge of networking concepts.

Is WireGuard compatible with Debian 11? 

Yes, WireGuard is fully compatible with Debian 11, providing a straightforward setup process.

How can I install WireGuard on Debian 11? 

To install WireGuard on Debian 11, you need to add the WireGuard PPA (Personal Package Archive) repository, update the package list, and then install the necessary packages using the apt package manager.

Do I need a static IP address for setting up WireGuard on Debian 11?

Having a static IP address for the WireGuard server is recommended for easier access and configuration.

Can I set up WireGuard on a VPS (Virtual Private Server) or cloud provider like AWS or DigitalOcean? 

Yes, WireGuard can be set up on a VPS or cloud provider like AWS or DigitalOcean. The process is similar to setting up WireGuard on a local Debian 11 system.

Do I need to forward ports on my router for WireGuard to work?

Yes, to establish a connection from outside your network, you need to forward the WireGuard listening port (usually UDP) on your router to the WireGuard server.

Can I set up a site-to-site VPN using WireGuard? 

Yes, WireGuard supports site-to-site VPN setups, allowing you to connect multiple networks together securely.


Setting up a WireGuard VPN on Debian 11 offers numerous advantages for secure and private networking. With its simplicity, efficiency, and strong security features, WireGuard stands as a modern and robust VPN protocol.

By following the installation and configuration steps mentioned in the tutorial, you can create your own private network and enjoy the benefits of a secure connection.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them.

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to DevOps Blog - VegaStack.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.