Preface
WireGuard needs no introduction. Currently, there are various WireGuard tutorials available online, including one-click scripts and old methods.
However, these installations are often slow and come with a bunch of unnecessary components. The official documentation also lacks detailed installation instructions.
For VPS servers, there are practical considerations to take into account, as random installations can result in errors.
Therefore, based on practical experience, I have written this WireGuard installation tutorial for the general-purpose operating system Debian 10+ to meet the needs of friends who require manual configuration of WireGuard.
Preparation
1.Install sudo and lsb_release
apt install sudo lsb-release -y
2.Add backports repository
1.echo "deb http://deb.debian.org/debian $(lsb_release -sc)-backports main" | sudo tee /etc/apt/sources.list.d/backports.list
2.sudo apt update
Install dependency components
1.Install necessary network tools
sudo apt install iproute2 openresolv -y
2.Install wireguard-tools (WireGuard configuration tools: wg, wg-quick)
sudo apt install wireguard-tools --no-install-recommends
Install WireGuard
First, execute the command uname -r to check the kernel version.
If the kernel version is 5.6 or higher, WireGuard is already integrated, and there is no need to install it.
Of course, most of the friends who see this tutorial are not in this situation because the default kernel version of Debian 10 is 4.19.
Therefore, there are several installation methods to choose from:
- Install a kernel version higher than 5.6
- Install the wireguard kernel module
- Install wireguard-go
Theoretical network performance: Kernel integration ≥ Kernel module > wireguard-go
However, not all VPS servers can be freely installed, and the final choice depends on the virtualization technology used by the VPS:
- KVM / HyperV / XEN HVM and other full virtualization VPS hosts. All of the above options are available, choose one according to the actual situation, and there are relevant explanations later.
- OpenVZ / LXC and other non-full virtualization VPS hosts. Since they share the host kernel, it is not possible to modify the kernel, so you can only install wireguard-go.
If you just want a convenient and quick installation without pursuing extreme network performance, or if you have no knowledge of the above information, please go directly to the “Install wireguard-go” section.
Install a new kernel
For KVM / HyperV / XEN HVM and other full virtualization VPS hosts that can handle any adverse consequences of kernel replacement, you can use this method.
For system stability, it is recommended to install the kernel from the backports repository (the version at the time of writing is 5.9). Here are the complete commands:
sudo apt -t $(lsb_release -sc)-backports install linux-image-$(dpkg --print-architecture) linux-headers-$(dpkg --print-architecture) --install-recommends -y
After installation, restart the system and execute the command uname -r to check the kernel version and confirm whether the new kernel is enabled.
Install wireguard kernel module
I do not highly recommend this installation method as it is prone to errors for those who are not familiar with Linux, especially for those who have used scripts to modify the kernel with unknown “BBR Acceleration Kernel” sources.
For KVM / HyperV / XEN HVM and other full virtualization VPS hosts with a kernel version below 5.6, you can try the following command to install the WireGuard dynamic kernel module:
sudo apt install wireguard-dkms -y
After installation, execute the command modprobe wireguard to load the WireGuard kernel module.
Finally, execute the command lsmod | grep wireguard to check if it has been successfully loaded.
Install wireguard-go
For OpenVZ or LXC VPS or for friends who do not want to tinker with the kernel and value stability, you can install wireguard-go.
The theoretical network performance may not be as good as the kernel integration solution, but it is more than sufficient for normal use.
TIPS: For OpenVZ or LXC VPS, you need to execute the command lsmod | grep tun to check if the TUN/TAP functionality is enabled. If not, please search for the method to enable it; otherwise, even after installation, it cannot be used.
Compile it yourself or use the one-click script I wrote to install the pre-compiled latest stable version of the wireguard-go binary:
curl -fsSL git.io/wireguard-go.sh | sudo bash
Conclusion
After the installation is complete, you can start your WireGuard journey.