DebianDebian Based

How To Install WireGuard on Debian 12

Install WireGuard on Debian 12

In this tutorial, we will show you how to install WireGuard on Debian 12. In an era of increasing concerns about online security and privacy, setting up a Virtual Private Network (VPN) has become a paramount need. WireGuard, a modern and highly efficient VPN protocol, offers a streamlined solution for secure communication over the Internet.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of WireGuard on a Debian 12 (Bookworm).


  • A server running one of the following operating systems: Debian 12 (Bookworm).
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • Make sure your Debian 12 system is connected to the internet. An active connection is essential for downloading the required packages and updates during the installation.
  • A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Install WireGuard on Debian 12 Bookworm

Step 1. Before we install any software, it’s important to make sure your system is up to date by running the following apt commands in the terminal:

sudo apt update
sudo apt upgrade

This command will refresh the repository, allowing you to install the latest versions of software packages.

Step 2. Installing Dependencies.

You can install these dependencies with the following command:

sudo apt install linux-headers-$(uname -r) wget

Step 3. Installing WireGuard on Debian 12.

WireGuard is not included in the default Debian 12 repositories. We need to add the WireGuard repository to access the required packages:

sudo add-apt-repository ppa:wireguard/wireguard

Now that we’ve added the repository, update the package list to include WireGuard:

sudo apt update

Let’s install WireGuard and load the kernel module:

sudo apt install wireguard
sudo modprobe wireguard

To verify that WireGuard is installed correctly, let’s check the status of the module and ensure the WireGuard tools are available:

# Verify the WireGuard module is loaded
lsmod | grep wireguard

# Check if WireGuard tools are installed
wg --version

Step 4. Configuring WireGuard

With WireGuard installed, let’s configure it step by step.

  1. Generating Key Pairs

WireGuard uses key pairs for encryption and authentication. We need to generate key pairs for the server and client:

Server Key Pair:

# Generate the server's private key
wg genkey > server-private.key

# Derive the server's public key from the private key
wg pubkey < server-private.key > server-public.key

Client Key Pair:

# Generate the client's private key
wg genkey > client-private.key

# Derive the client's public key from the private key
wg pubkey < client-private.key > client-public.key
  1. Configuring the Server

Create a configuration file for the WireGuard server. Replace <server_ip> with your server’s public IP address:

sudo nano /etc/wireguard/wg0.conf

Add the following configuration, replacing <server_private_key> and <client_public_key> with the actual keys generated earlier:

Address =
ListenPort = 51820
PrivateKey = 

PublicKey = 
AllowedIPs =

Enable IP forwarding to allow traffic to pass through the server:

# Enable IP forwarding
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Set up firewall rules to allow WireGuard traffic:

# Allow WireGuard through the firewall
sudo iptables -A INPUT -i wg0 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  1. Configuring a Client

Create a configuration file for the WireGuard client. Replace <server_public_key> with the server’s public key:

nano client.conf

Add the following configuration:

PrivateKey = 
Address =

PublicKey = 
Endpoint = :51820
AllowedIPs =
  1. Starting the WireGuard Interfaces

Let’s start the WireGuard interfaces for both the server and client:

# Start the server interface
sudo wg-quick up /etc/wireguard/wg0.conf

# Start the client interface
sudo wg-quick up ./client.conf
  1. Checking the Status of WireGuard Interfaces

To ensure everything is running smoothly, check the status of the WireGuard interfaces:

# Check the server interface
sudo wg show

# Check the client interface
wg show client

Step 5. Testing the WireGuard VPN.

Now that WireGuard is configured, let’s establish a connection between the server and the client:

sudo wg-quick up ./client.conf

To confirm that the VPN is working, try pinging the server from the client and vice versa:

On the client:


On the server:


Ensure that your real IP address is hidden by visiting a website like from the client.

Congratulations! You have successfully installed WireGuard. Thanks for using this tutorial to install the latest version of WireGuard on Debian 12 Bookworm. For additional help or useful information, we recommend you check the official WireGuard website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!


r00t is a seasoned Linux system administrator with a wealth of experience in the field. Known for his contributions to, r00t has authored numerous tutorials and guides, helping users navigate the complexities of Linux systems. His expertise spans across various Linux distributions, including Ubuntu, CentOS, and Debian. r00t's work is characterized by his ability to simplify complex concepts, making Linux more accessible to users of all skill levels. His dedication to the Linux community and his commitment to sharing knowledge makes him a respected figure in the field.
Back to top button