Most of the instructions out there are far from something I would call “best practice”, so I wrote one my own.
Install Debian Keyring
debian-archive-keyring downloaded from Debian official site, through a secure connection.
wget https://deb.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2019.1+deb10u1_all.deb sudo apt install ./debian-archive-keyring_2019.1+deb10u1_all.deb
Required keys will be neatly shelved in directory
/etc/apt/trusted.gpg.d/, uninstalling will also be easy.
Do not use
apt-key to add keys here.
If we add keys with
apt-key, unless otherwise specified, those keys will all be jammed into file
/etc/apt/trusted.gpg. Moreover, figuring out which key is which from fingerprint before key adding/deleting is error-prone and tedious.
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Setup Debian Backports Suite
/etc/apt/sources.list.d/debian-buster-backports.list with following content.
deb http://deb.debian.org/debian/ buster-backports main contrib non-free # Uncomment line below then 'apt-get update' to enable 'apt-get source' #deb-src http://deb.debian.org/debian/ buster-backports main contrib non-free
The setting of
NotAutomatic: yes in its
Release file make backports deactivated by default, no additional priority adjustment needed.
ButAutomaticUpgrades: yes is also there so upgrades will be taken care of once packages are installed from this suite.
Do not use
unstable suite here.
Prepare the Kernel for DKMS
Make sure you have the latest kernel and its corresponding headers.
sudo apt update sudo apt install raspberrypi-kernel raspberrypi-kernel-headers
Reboot before proceeding.
sudo apt update sudo apt install wireguard
and you’re ready to ride.
Thanks, I tried this but wg was segfaulting. What worked for me (in October 2020) was installing from the raspbian testing repo, as described here: https://sigmdel.ca/michel/ha/wireguard/wireguard_02_en.html
Strange…. Checked all over again and everything (
wgcommand, connection, etc.) works for me.
Versions of related packages listed below:
Thanks for the write-up. Worked perfectly.
Glad it worked for you. 🙂
Yes, this is the best way. So many other write-ups on this get the details wrong, or do it in a way that is not as maintainable. Also, that reboot is crucial, wasted a lot of time for me, and wasn’t noted else. Thanks!
Will wireguard be upgraded when running apt full-upgrade?
Sure! There is also
ButAutomaticUpgrades: yesin suite
Ok, thank you. I was not sure about how those Release file directives work.
I’ve had some issues recently with Wireguard on other distros. Mostly what’s in the kernel and what’s not kind of stuff…..and if you don’t have all the “stuff” it looks like it’s working but just doesn’t handshake. I saw you’re header note and just wanted to ask in my best Joe Pesci voice…”Are you sure?
This is for a client machine so all I want to do is to create the keys, set up the wg0.conf file, swap publickeys between the server and the client, and type wg-quick up wg0 on the command line to check it before committing it to systemctl.