How to Set Up WireGuard VPN on a Debian 13 (Trixie) VPS from AVS ISP
Introduction
WireGuard is a fast, modern, and cryptographically secure VPN protocol built directly into the Linux kernel. Unlike heavier alternatives such as OpenVPN or IPsec, WireGuard is lightweight, simple to configure, and offers excellent performance, making it an ideal choice for securing traffic through your AVS ISP VPS.
Debian 13 "Trixie" (released August 9, 2025) includes native WireGuard support in its default repositories, so no backports or third-party sources are required.
Prerequisites
Before you begin, ensure you have:
- A Debian 13 (Trixie) VPS from AVS ISP
- Root or sudo access to the server
- A local machine to act as the WireGuard client (Linux, Windows, macOS, Android, iOS)
- UDP port 51820 open in your AVS ISP VPS firewall/security group
Step 1 — Update the System
Log in to your VPS via SSH and update all packages:
apt update && apt upgrade -y
Step 2 — Install WireGuard
WireGuard is available in the Debian 13 default repositories:
apt install -y wireguard wireguard-tools iptables
Verify the installation:
wg --version
Step 3 — Generate Server Keys
Set a strict umask to protect private key files, then generate the server key pair:
umask 077
wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub
View and save your keys:
cat /etc/wireguard/server.key # Server Private Key (keep secret!)
cat /etc/wireguard/server.pub # Server Public Key (share with clients)
Step 4 — Generate Client Keys
Generate a key pair for the first client directly on the server. This is convenient, but the client's private key then has to be copied to the client over a secure channel (an SSH session, not chat or e-mail) and deleted from the server afterwards; the alternative is to run the same command on the client itself so the private key never leaves that machine.
wg genkey | tee /etc/wireguard/client.key | wg pubkey > /etc/wireguard/client.pub
cat /etc/wireguard/client.key # Client Private Key
cat /etc/wireguard/client.pub # Client Public Key
Step 5 — Identify Your Network Interface
Find the name of your VPS's main network interface (commonly eth0 or enp1s0):
ip address show
Note the interface name; you'll need it in the next step.
Step 6 — Configure the WireGuard Server
Create the server configuration file:
nano /etc/wireguard/wg0.conf
Paste the following, replacing the placeholder values:
[Interface]
# Server's VPN IP address
Address = 10.8.0.1/24
# UDP port WireGuard listens on
ListenPort = 51820
# Paste your server PRIVATE key here
PrivateKey = <SERVER_PRIVATE_KEY>
# Enable IP forwarding and NAT when the tunnel starts.
# Replace eth0 with your actual network interface (e.g., enp1s0).
# wg-quick reads the file line by line and does not join lines that end in a
# backslash, so each command gets its own PostUp/PostDown entry; entries run
# in the order listed.
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# If the default policy of your FORWARD chain is DROP, return traffic also
# needs a matching rule with "-o wg0".
# ---- Peer (Client) ----
[Peer]
# Paste your client PUBLIC key here
PublicKey = <CLIENT_PUBLIC_KEY>
# VPN IP assigned to this client
AllowedIPs = 10.8.0.2/32
Save and close (Ctrl+O, Enter, Ctrl+X).
Step 7 — Enable IP Forwarding Persistently
Edit /etc/sysctl.conf to make IP forwarding permanent across reboots:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
Step 8 — Start and Enable WireGuard
Start the WireGuard service and enable it at boot:
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
Verify the interface is up:
wg show
ip address show wg0
You should see the wg0 interface with the address 10.8.0.1.
Step 9 — Configure the Client
On your client machine, create a WireGuard configuration file
(e.g., wg0.conf or import into the WireGuard app):
[Interface]
# Client's VPN IP
Address = 10.8.0.2/32
# Client PRIVATE key (generated in Step 4)
PrivateKey = <CLIENT_PRIVATE_KEY>
# Optional: Use the VPS as your DNS resolver
# DNS = 10.8.0.1
[Peer]
# Server PUBLIC key (from Step 3)
PublicKey = <SERVER_PUBLIC_KEY>
# Your AVS ISP VPS public IP and WireGuard port
Endpoint = <YOUR_VPS_PUBLIC_IP>:51820
# Route ALL traffic through the VPN
# For split tunnel (only VPN subnet), use: 10.8.0.0/24
AllowedIPs = 0.0.0.0/0, ::/0
# Keep the connection alive through NAT firewalls
PersistentKeepalive = 25
Bring up the client tunnel:
# Linux client
wg-quick up wg0
For Windows / macOS / Android / iOS, import the config file or QR code into the official WireGuard app.
Step 10 — Open the Firewall Port
If your AVS ISP VPS has a local ufw or iptables firewall, allow UDP port 51820:
# Using ufw
ufw allow 51820/udp
ufw reload
# Using iptables directly
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
A rule added with iptables directly is lost on reboot unless you save it (for example with the iptables-persistent package).
Also verify the port is open in the AVS ISP control panel under your VPS firewall/security group settings.
Step 11 — Verify the Connection
On the client, bring up the tunnel and test connectivity:
wg-quick up wg0
ping 10.8.0.1 # Ping the VPN server gateway
curl https://ifconfig.me # Should return your AVS ISP VPS public IP
On the server, confirm active peer sessions:
wg show
You should see the peer listed with a recent latest handshake timestamp.
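The handshake timestamp is the most useful health signal the server has: while traffic (or a PersistentKeepalive) flows, WireGuard completes a fresh handshake roughly every two minutes, so a peer whose latest handshake is much older than that is either idle or no longer reaching the server. The script below is an added example, not part of this guide. It parses the machine-readable form of the status command, `wg show wg0 dump` (format as documented in wg(8): the first line describes the interface, each later line is one tab-separated peer with the latest-handshake Unix timestamp in the fifth column, 0 meaning never), and lists peers that have not handshaked within a threshold. The function name, the 180-second threshold and the sample dump with placeholder keys are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the guide): list peers on a WireGuard interface whose
# latest handshake is missing or older than a threshold, using the output of
# "wg show <iface> dump".
#
# Dump format (wg(8)): line 1 = interface (private-key, public-key, listen-port,
# fwmark); every later line = one peer: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (Unix seconds, 0 = never), transfer-rx,
# transfer-tx, persistent-keepalive. Fields are tab-separated.

# Usage: stale_peers NOW_EPOCH MAX_AGE_SECONDS [DUMP_FILE]
#        wg show wg0 dump | stale_peers "$(date +%s)" 180
# Prints "<public-key> <allowed-ips> never|<age>s" for each stale peer and
# exits 1 if any was found (0 otherwise), so it can gate a cron/monitoring alert.
stale_peers() {
    now=$1; max=$2; shift 2
    awk -F'\t' -v now="$now" -v max="$max" '
        NR == 1 { next }                                   # interface line, not a peer
        NF < 5  { next }                                   # ignore malformed lines
        $5 == 0 { print $1, $4, "never"; n++; next }       # never completed a handshake
        now - $5 > max { print $1, $4, (now - $5) "s"; n++ }
        END { exit (n > 0) }
    ' "$@"
}

# Constructed sample dump (placeholder keys, documentation IP ranges) frozen at
# now = 1700000600: peer A handshaked 50 s ago, peer B never, peer C 600 s ago.
sample_dump() {
    printf 'SERVER-PRIVATE-KEY\tSERVER-PUBLIC-KEY\t51820\toff\n'
    printf 'PEER-A-KEY\t(none)\t203.0.113.10:41641\t10.8.0.2/32\t1700000550\t123456\t654321\t25\n'
    printf 'PEER-B-KEY\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n'
    printf 'PEER-C-KEY\t(none)\t198.51.100.7:3000\t10.8.0.4/32\t1700000000\t1000\t2000\t25\n'
}

# Run the canned demo with: sh stale_peers.sh demo
if [ "${1:-}" = demo ]; then
    sample_dump | stale_peers 1700000600 180
fi
```

On a live server replace the sample with `wg show wg0 dump | stale_peers "$(date +%s)" 180`; a peer reported as "never" has been added to the config but has not yet completed a handshake, which usually means a wrong key, a wrong endpoint, or the UDP port being blocked.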
Adding More Clients
For each additional client, repeat Steps 4 and 9, then add a new [Peer]
block to /etc/wireguard/wg0.conf on the server:
[Peer]
PublicKey = <NEW_CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32
Reload WireGuard without dropping existing connections:
wg addconf wg0 <(wg-quick strip wg0)
# or restart the service (this briefly drops all active sessions)
systemctl restart wg-quick@wg0
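Every extra client means producing two text blocks that must agree exactly: the `[Peer]` stanza for the server's wg0.conf and the client's own wg0.conf from Step 9. The helpers below are an added example, not part of this guide, that generate both from one set of inputs, pick the next free /32 in 10.8.0.0/24 by reading the addresses already present in the server config, and refuse keys that are not canonical base64 of 32 bytes (a pasted key that is one character short is the most common cause of a peer that never handshakes). The function names, the use of one /32 per peer, and the placeholder keys in the demo are assumptions made for the example; the subnet, server address and port come from the guide.

```shell
#!/bin/sh
# Added example (not from the guide): provisioning helpers for additional peers.
# Assumes one /32 per client inside 10.8.0.0/24, as the guide does.

VPN_PREFIX="10.8.0"

# Format check for a WireGuard key: canonical base64 of exactly 32 bytes, i.e.
# 43 characters plus one "=" pad. The 43rd character carries two zero padding
# bits, which limits it to the listed set.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print the lowest unused host address in 10.8.0.0/24 (from .2 upwards), judged
# by the Address= and AllowedIPs= lines already present in the server config.
# Usage: next_vpn_ip /etc/wireguard/wg0.conf
next_vpn_ip() {
    prefix_re=$(printf '%s' "$VPN_PREFIX" | sed 's/\./\\./g')
    used=$(sed -n -E "s#^[[:space:]]*(Address|AllowedIPs)[[:space:]]*=[[:space:]]*$prefix_re\.([0-9]+)/.*#\2#p" "$1")
    n=2
    while [ "$n" -le 254 ]; do
        # ".1" is always the server, even if no Address= line was found.
        if ! printf '%s\n' 1 $used | grep -qx "$n"; then
            printf '%s.%s\n' "$VPN_PREFIX" "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "next_vpn_ip: no free address in $VPN_PREFIX.0/24" >&2
    return 1
}

# Print the [Peer] stanza to append to the server's wg0.conf.
# Usage: render_server_peer CLIENT_PUBLIC_KEY 10.8.0.4
render_server_peer() {
    valid_key "$1" || { echo "render_server_peer: malformed public key" >&2; return 1; }
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Print a complete full-tunnel client wg0.conf in the Step 9 layout.
# Usage: render_client_conf CLIENT_PRIVATE_KEY 10.8.0.4 SERVER_PUBLIC_KEY VPS_IP:51820
render_client_conf() {
    valid_key "$1" || { echo "render_client_conf: malformed client private key" >&2; return 1; }
    valid_key "$3" || { echo "render_client_conf: malformed server public key" >&2; return 1; }
    printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\n\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n' "$3" "$4"
}

# Walk-through on a constructed server config (not a real deployment). The
# placeholder keys are base64 of 32 repeated bytes; never use them for real.
provision_demo() {
    tmp=$(mktemp)
    printf '[Interface]\nAddress = 10.8.0.1/24\nListenPort = 51820\n\n[Peer]\nAllowedIPs = 10.8.0.2/32\n' > "$tmp"
    client_pub=$(printf '%43s=' '' | tr ' ' 'A')
    client_priv=$(printf '%43s=' '' | tr ' ' 'E')
    ip=$(next_vpn_ip "$tmp")
    echo "# append to the server's wg0.conf:"
    render_server_peer "$client_pub" "$ip"
    echo "# write to the client as wg0.conf:"
    render_client_conf "$client_priv" "$ip" "$client_pub" "<YOUR_VPS_PUBLIC_IP>:51820"
    rm -f "$tmp"
}

# Run the canned demo with: sh provision.sh demo
if [ "${1:-}" = demo ]; then
    provision_demo
fi
```

In real use, append the output of `render_server_peer` to /etc/wireguard/wg0.conf, apply it with `wg addconf wg0 <(wg-quick strip wg0)` as above, and hand the `render_client_conf` output to the client over a secure channel.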
Useful Commands
| Action | Command |
|---|---|
| Show tunnel status | wg show |
| Start the tunnel | systemctl start wg-quick@wg0 |
| Stop the tunnel | systemctl stop wg-quick@wg0 |
| Restart the tunnel | systemctl restart wg-quick@wg0 |
| View WireGuard logs | journalctl -u wg-quick@wg0 -f |
| Check kernel module | lsmod \| grep wireguard |
Security Tips
- Never share your private keys. Only exchange public keys between peers.
- Restrict SSH access to a specific IP or use key-based authentication only.
- Consider changing the default WireGuard port (51820) to a non-standard UDP port to reduce noise from port scanners.
- Rotate key pairs periodically for long-running deployments.
- Use PersistentKeepalive = 25 on clients behind NAT to prevent session drops.
Guide written for AVS ISP VPS customers running Debian 13 "Trixie". WireGuard® is a registered trademark of Jason A. Donenfeld.