Launch script, originally intended to be used as a Linode StackScript but suitable for any Debian 13 box, for setting up a WireGuard VPN server.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
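#!/bin/bash
# With thanks to: https://www.server-world.info/en/note?os=Debian_13&p=wireguard
#
# How to use:
# 1. Spin up a tiny virtual machine (the cheapest one with a public IP address will usually do!) with your choice
#    of cloud provider (Linode, Google Cloud, AWS, Azure, whoever...) and region.
# 2. Run this script (you can modify it to your liking if e.g. you want to support multiple simultaneous clients).
# 3. Download the /root/wireguard.conf file it creates and load it into your WireGuard client.
#    That file contains the client's private key, so treat it as a secret.
# 4. Use e.g. icanhazip.com or ipleak.net to check and see where in the world you now appear to be!
#
# More information: https://danq.me/run-your-own-wireguard-vpn
#
# Optional environment:
#   WAN_IF - outbound interface that VPN traffic is masqueraded through (default: eth0).

# Abort on the first failed command or unset variable, so a failed install does not
# leave a half-written configuration behind. pipefail is deliberately not set:
# `yes` is killed by SIGPIPE once apt exits, which would count as a pipeline failure.
set -eu

# Every file created below (keys, configs, the log) is readable by root only.
umask 077

wan_if=${WAN_IF:-eth0}
# The interface name is embedded in PostUp/PostDown, which wg-quick runs as root
# through a shell, so accept only plain interface-name characters.
if [[ ! $wan_if =~ ^[A-Za-z0-9_.-]+$ ]]; then
  printf 'Invalid WAN_IF: %s\n' "$wan_if" >&2
  exit 1
fi

# Debug logging: keep the original stdout/stderr on fds 3/4 and mirror both to a log.
exec 3>&1
exec 4>&2
exec > >(tee -a /root/stackscript.log)
exec 2> >(tee -a /root/stackscript.log >&2)

# Installation
export DEBIAN_FRONTEND=noninteractive
apt update
yes | apt upgrade -y
apt -y install wireguard-tools iptables

# Enable port forwarding.
# NOTE(review): `sysctl -w` only changes the running kernel; the setting is gone after a reboot.
sysctl -w net.ipv4.ip_forward=1

# Generate server keypair
wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub

# Generate client keypair
wg genkey | tee /etc/wireguard/client.key | wg pubkey > /etc/wireguard/client.pub

# Configure server. The whole group is redirected straight into the file: the
# private key must not pass through stdout, because stdout is mirrored to
# /root/stackscript.log and to the provisioning console.
{
  printf '[Interface]\n'
  printf 'PrivateKey = '
  cat /etc/wireguard/server.key
  printf 'Address = 10.0.0.1/24\n'
  printf 'ListenPort = 51820\n'
  printf 'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' \
    "$wan_if" "$wan_if"
  printf 'PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o %s -j MASQUERADE\n\n' \
    "$wan_if" "$wan_if"

  # Allow client to connect. /32 restricts the peer to its own tunnel address;
  # a /24 here would let this one key source packets from any address in 10.0.0.0/24.
  printf '[Peer]\n'
  printf 'PublicKey = '
  cat /etc/wireguard/client.pub
  printf 'AllowedIPs = 10.0.0.2/32\n'
} > /etc/wireguard/wg0.conf
printf 'Wrote /etc/wireguard/wg0.conf\n'

# Start server.
# NOTE(review): this starts the tunnel now but does not enable the unit at boot.
systemctl start wg-quick@wg0

# First address reported by the host, used as the client's Endpoint.
# NOTE(review): on providers that NAT the public address this may be a private IP — confirm.
server_ip=$(hostname -I | cut -d' ' -f1)
if [[ -z $server_ip ]]; then
  printf 'Could not determine the server address from hostname -I\n' >&2
  exit 1
fi

# Pregenerate a convenient configuration file for the client. Redirected rather than
# tee'd for the same reason as above: it contains the client's private key.
{
  printf '[Interface]\n'
  printf 'PrivateKey = '
  cat /etc/wireguard/client.key
  printf 'Address = 10.0.0.2/24\n'
  printf 'DNS = 1.1.1.1\n\n'
  printf '[Peer]\n'
  printf 'PublicKey = '
  cat /etc/wireguard/server.pub
  # Only IPv4 is routed through the tunnel; a dual-stack client's IPv6 traffic bypasses it.
  printf 'AllowedIPs = 0.0.0.0/0\n'
  # The address is passed as data, never as the printf format string.
  printf 'Endpoint = %s:51820\n' "$server_ip"
} > /root/wireguard.conf
printf 'Wrote /root/wireguard.conf (contains the client private key)\n'

# End debug logging: restore both saved descriptors and close the spares.
exec 1>&3 3>&-
exec 2>&4 4>&-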