Wireguard

Installation

Debian 9 (stretch) or Debian 10 (buster)

If you do not use Debian 9 or 10, follow guides on Wireguard’s install page.

Run these commands with root user:

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install linux-headers-$(uname -r) wireguard

Or run these commands on your normal user:

echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install linux-headers-$(uname -r) wireguard

Raspbian 9 (stretch)

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install raspberrypi-kernel-headers
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee -a /etc/apt/sources.list.d/unstable.list
sudo apt-get install dirmngr
sudo apt-key adv --keyserver   keyserver.ubuntu.com --recv-keys 8B48AD6246925553
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee -a /etc/apt/preferences.d/limit-unstable
sudo apt-get update
sudo apt-get install wireguard
sudo reboot

(Source)

Generate keys

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

(recommended to run as root)

Client configuration

/etc/wireguard/wg0.conf:

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
#DNS = 10.x.x.x, 10.x.x.x # optional, would recommend only if you set AllowedIPs to 0.0.0.0/0

[Peer]
PublicKey = Server_Public_Key
AllowedIPs = 0.0.0.0/0 # or subnets you want to allow
Endpoint = ip:51820
# PersistentKeepalive = 25 # optional

Server configuration

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE

[Peer]
PublicKey = Client_Public_key
AllowedIPs = 10.x.x.x/32

Replace PUBLIC_INTERFACE with your interface, such as eth0.

Enable IPv4 packet forwarding

In /etc/sysctl.d/99-sysctl.conf, uncomment line #net.ipv4.ip_forward=1.

To apply, reboot or run sudo sysctl -p.

Daemonizing

Replace wg0 with the filename (without extension) you have in /etc/wireguard/.

sudo systemctl enable --now wg-quick@wg0

Restarting

wg-quick down wg0 && wg-quick up wg0

Further reading