Debian 10 set up WireGuard VPN server

How do I install and set up WireGuard VPN server on a Debian 10 Linux server? How can I configure Debian 10 as the WireGuard VPN server?

WireGuard is an open-source, free, modern, and fast VPN server with state-of-the-art cryptography. It is quicker and simpler as compared to IPSec and OpenVPN. Originally, released for the Linux kernel, but it is getting cross-platform support for other operating systems such as FreeBSD and others. This page explains how to install and set up WireGuard VPN on Debian 10 Linux server.
Tutorial details
Difficulty level Intermediate
Root privileges Yes
Requirements Debian 10 Linux
Est. reading time 7 minutes

Procedure: Debian 10 set up WireGuard VPN server

Our sample setup includes a simple peer connection between a cloud server running Debian 10 LTS server, and a Debian/Ubuntu/RHEL/SUSE/OpenSUSE/CentOS Linux desktop client (or iOS/Android app):
How to Set Up WireGuard VPN on Debian 10 Linux LTS
The steps are as follows for installing and configuring WireGuard on a Debian Linux 10 as a VPN server.

Please note that {vivek@mum-vpn:~ }$ OR {vivek@debian-10-vpn-client:~ }$ is my shell prompt and is not part of actual commands. In other words, you need to copy and paste command after my shell prompt.

Step 1 – Update your system

Run the apt command/apt-get command to install Debian 10 security updates:
{vivek@mum-vpn:~ }$ sudo apt update
{vivek@mum-vpn:~ }$ sudo apt upgrade

Step 2 – Enable Debian 10 buster backports repo

Wireguard is in Debian backported repo. Hence, enable backports as follows, run:
{vivek@mum-vpn:~ }$ sudo sh -c "echo 'deb buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
Use the cat command to verify repo:
{vivek@mum-vpn:~ }$ cat /etc/apt/sources.list.d/buster-backports.list
Update the repo, run:
{vivek@mum-vpn:~ }$ sudo apt update

Hit:1 buster InRelease
Hit:2 buster/updates InRelease
Hit:3 buster-updates InRelease
Get:4 buster-backports InRelease [46.7 kB]
Get:5 buster-backports/main amd64 Packages [292 kB]
Get:6 buster-backports/main Translation-en [227 kB]
Get:7 buster-backports/contrib amd64 Packages [7,448 B]
Get:8 buster-backports/contrib Translation-en [5,492 B]
Get:9 buster-backports/non-free amd64 Packages [23.3 kB]
Get:10 buster-backports/non-free Translation-en [30.3 kB]
Fetched 632 kB in 2s (287 kB/s)       
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.

Search for the WireGuard package

Run the following command:
{vivek@mum-vpn:~ }$ apt search wireguard

Sorting... Done
Full Text Search... Done
wireguard/buster-backports 1.0.20200319-1~bpo10+1 all
  fast, modern, secure kernel VPN tunnel (metapackage)
wireguard-dkms/buster-backports 0.0.20200318-1~bpo10+1 all
  fast, modern, secure kernel VPN tunnel (DKMS version)
wireguard-tools/buster-backports 1.0.20200319-1~bpo10+1 amd64
  fast, modern, secure kernel VPN tunnel (userland utilities)

Step 3 – Installing a WireGuard VPN server on Debian 10 LTS

Now, we got our server updates with the latest security patches and buster-backports is enabled. It is time for setting up a WireGuard VPN server on Debian 10 server. Enter:
{vivek@mum-vpn:~ }$ sudo apt install wireguard
Debian 10 install WireGuard using apt or apt-get command

Step 4 – Configuring WireGuard server

First we need to create a private and public key pair for the WireGuard server. Let us cd into /etc/wireguard/ directory using the cd command as follows:
{vivek@mum-vpn:~ }$ sudo -i
{root@mum-vpn:~ }# cd /etc/wireguard/

Execute the following command:
{vivek@mum-vpn:~ }# umask 077; wg genkey | tee privatekey | wg pubkey > publickey
To view keys created use the cat command and ls command:
{vivek@mum-vpn:~ }# ls -l privatekey publickey
{vivek@mum-vpn:~ }# cat privatekey
## Please note down the private key ##
{vivek@mum-vpn:~ }# cat publickey

Set Up WireGuard VPN on Debian Linux 10

Set Up WireGuard VPN on Debian by Editing wg0.conf

Edit or update the /etc/wireguard/wg0.conf file as follows:
{vivek@mum-vpn:~ }$ sudo nano /etc/wireguard/wg0.conf
## OR ##
{vivek@mum-vpn:~ }$ sudo vim /etc/wireguard/wg0.conf

Append the following config directives:

## Set Up WireGuard VPN on Debian By Editing/Creating wg0.conf File ##
## My VPN server private IP address ##
Address =
## My VPN server port ##
ListenPort = 51194
## VPN server's private key i.e. /etc/wireguard/privatekey ##
PrivateKey = eEvqkSJVw/7cGUEcJXmeHiNFDLBGOz8GpScshecvNHU
## Save and update this config file when a new peer (vpn client) added ##
SaveConfig = true

Save and close the file when using vim text editor.

Step 5 – Set up UFW firewall rules

I am assuming that you have UFW configured and we are going to open UDP 51194 port using the ufw command as follows:
{vivek@mum-vpn:~ }$ sudo ufw allow 51194/udp
Rule added
Rule added (v6)

See “How To Configure Firewall with UFW on Debian 10 LTS” for more info.

Step 6 – Enable and start WireGuard service

Turn the WireGuard service at boot time using the systemctl command, run:
{vivek@mum-vpn:~ }$ sudo systemctl enable wg-quick@wg0
Start the service, execute:
{vivek@mum-vpn:~ }$ sudo systemctl start wg-quick@wg0
Get the service status, run:
{vivek@mum-vpn:~ }$ sudo systemctl status wg-quick@wg0

Verify that interface named wg0 is up and running on Debian server using the ip command:
{vivek@mum-vpn:~ }$ sudo wg
{vivek@mum-vpn:~ }$ sudo ip a show wg0

Debian 10 set up WireGuard and verification commands for wg0

Step 7 – Wireguard VPN client configuration

The procedure for installing and configuring a VPN client is the same as setting up the server. Let us install the client on an Debian Linux 10 desktop:
{vivek@debian-10-vpn-client:~ }$ sudo sh -c "echo 'deb buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
{vivek@debian-10-vpn-client:~ }$ sudo apt update

Install wireguard on Linux desktop, run:
{vivek@debian-10-vpn-client:~ }$ sudo apt install wireguard
Next we need create VPN client config on Debian/Debian/CentOS Linux destkop:
{vivek@debian-10-vpn-client:~ }$ sudo sh -c 'umask 077; touch /etc/wireguard/wg0.conf'
{vivek@debian-10-vpn-client:~ }$ sudo -i
{root@debian-10-vpn-client:~ }# cd /etc/wireguard/
{root@debian-10-vpn-client:~ }# umask 077; wg genkey | tee privatekey | wg pubkey > publickey
{root@debian-10-vpn-client:~ }# ls -l publickey privatekey
## Note down the privatekey ##
{root@debian-10-vpn-client:~ }# cat privatekey

WireGuard VPN Debian Linux Desktop Client Configuration
Edit the /etc/wireguard/wg0.conf file:
{vivek@debian-10-vpn-client:~ }$ sudo nano /etc/wireguard/wg0.conf
## OR ##
{vivek@debian-10-vpn-client:~ }$ sudo vim /etc/wireguard/wg0.conf

Append the following directives:

## This Desktop/client's private key ##
PrivateKey = uJPzgCQ6WNlAUp3s5rabE/EVt1qYh3Ym01sx6oJI0V4
## Client ip address ##
Address =
## Debian 10 server public key ##
PublicKey = qdjdqh2pN3DEMDUDRob8K3bp9BZFJbT59fprBrl99zM
## set ACL ##
AllowedIPs =
## Your Debian 10 LTS server's public IPv4/IPv6 address and port ##
Endpoint =
##  Key connection alive ##
PersistentKeepalive = 20

Enable and start VPN client/peer connection, run:
{vivek@debian-10-vpn-client:~ }$ sudo systemctl enable wg-quick@wg0
{vivek@debian-10-vpn-client:~ }$ sudo systemctl start wg-quick@wg0
{vivek@debian-10-vpn-client:~ }$ sudo systemctl status wg-quick@wg0

Allow desktop client and Debian server connection over VPN (peer)

We need to configure the server-side peer-to-peer VPN option and allow a connection between the Desktop client computer and the server. Let us go back to our Debian 10 LTS server and edit the wg0.conf file to add [Peer] (client) information as follows (type commands on your server box):
{vivek@mum-vpn:~ }$ sudo systemctl stop wg-quick@wg0
{vivek@mum-vpn:~ }$ sudo vi /etc/wireguard/wg0.conf

Append the following config:

## Desktop/client VPN public key ##
PublicKey = 2H8vRWKCrddLf8vPwwTLMfZcRhOj10UBdc0j8W7yQAk=
## client VPN IP address (note  the /32 subnet) ##
AllowedIPs =

Save and close the file. Next start the service again, run:
{vivek@mum-vpn:~ }$ sudo systemctl start wg-quick@wg0

Step 8 – Verification

That is all, folks. By now, both Debian servers and clients must be connected securely using a peer-to-peer VPN called WireGuard. Let us test the connection. Type the following ping command on your client machine/desktop system:
{vivek@debian-10-vpn-client:~ }$ ping -c 4
{vivek@debian-10-vpn-client:~ }$ sudo wg
## try to ssh into server using our VPN connection ##
{vivek@debian-10-vpn-client:~ }$ ssh vivek@

Install Wireguard on Debian Linux 10 and test it with ping command

Step 9 – Firewall configurations

Now we have set up and configured peer-to-peer VPN networking for our server and client. However, you may want to give access to the Internet for all VPN clients. For these purposes, we need to set up IPv4 and IPv6 firewall rules, including NAT and IP forwarding. See the following tutorial:


Congratulation! You just learned about setting up a WireGuard VPN server on Debian 10 LTS server and peer (client machine) on both Debian/CentOS Linux desktop. I strongly suggest that you read WireGuard project documentation here.

This entry is 3 of 7 in the WireGuard moden Linux/Unix/*BSD VPN Tutorial series. Keep reading the rest of the series:
  1. Ubuntu 20.04 set up WireGuard VPN server
  2. CentOS 8 set up WireGuard VPN server
  3. Debian 10 set up WireGuard VPN server
  4. WireGuard Firewall Rules in Linux
  5. Wireguard VPN client in a FreeBSD jail
  6. Alpine Linux set up WireGuard VPN server
  7. Import WireGuard profile using nmcli on Linux

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 8 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
8 comments… add one
  • Joko Oct 18, 2020 @ 22:19

    To install Wireguard correctly, you have to install the linux headers corresponding to your kernel with:
    sudo apt-get install linux-headers-$(uname -r)

  • Guy Nov 1, 2020 @ 23:17

    You would think dkms would install the kernel headers automatically, but no! Joko’s tip is gold.

  • jonas Jan 8, 2021 @ 10:57

    So if i setup debian with wireguard like in this example, it would probably be a good idea to additional setup ssh-key within this vpn tunnel as a second layer of security, right? Is there anything to be considered, when settipng up the ssh keygen within this wireguard tunnel or would you just go and set it up like you would do without wireguard vpn?

  • jonas Jan 8, 2021 @ 11:07

    I have another question, would be glad if you could provide some information, as i am still not sure if wireguard is the right thing for me.
    Lets say i have a single webserver on which i want to run some php websites.
    Can i install wireguard on this productive, website hosting webserver, with the goal to protect my key-based ssh connection bewtween my website server and home desktop with an aditional security layer (wireguard), does this make any sense or did i get something wrong regarding the usual intended use case of wireguard? Do i need an additional, second server to use wireguard or is the described scenario with desktop computer and single, website hosting webserver enough? Thanks, Jonas

    • 🐧 Vivek Gite Jan 9, 2021 @ 17:54

      No need to have second server. Same server can be used.

  • Nawak Jan 16, 2021 @ 19:16

    Great post! But I wish you had been consistent with the different private/public keys shown in your screenshots, they often don’t match !

  • Sally Mar 23, 2021 @ 7:13

    Great article, thank you Vivek,
    The steps of the installation is easy, but according to the client side it’s not if I compare it with OpenVPN.
    I have OpenVPN server on Fedora, yes, the configuration isn’t easy on server side, but on the other hand, the client side just needs one file to be exist and the password which I have to provide it them.


Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum