These are the configuration files I ended up using for setting up a WireGuard-based anonymizing VPN on Debian Buster (the current stable), formatted as a shell script. It requires the WireGuard kernel module and userland tools from backports: apt-get install -t buster-backports wireguard-tools
The idea here is to set up a network namespace containing the configuration for the WireGuard interface wg0. Any program that wants to use the WireGuard interface must be run inside that namespace, for example: ip netns exec wireguard ping google.com.
All sockets opened by that program and its children will go out over the tunnel, including DNS resolution, so they will not be able to interact in any way with the local network. Conversely, other processes (those not started with ip-netns) continue to use the original routing tables and DNS configuration, so things like SSH, remote desktop, and NFS
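The setup described above, written out as an added example rather than the author's own script: it creates the wireguard namespace, creates wg0 in the init namespace and moves it into the new one (so the encrypted UDP traffic still leaves through the host's uplink while the only route inside the namespace is the tunnel), loads the peer configuration with wg setconf, and gives the namespace its own resolv.conf via /etc/netns/wireguard/. The namespace name wireguard and interface name wg0 come from the text; the address 10.0.0.2/32, resolver 10.0.0.1, config path /etc/wireguard/wg0.conf and the DRY_RUN switch are assumptions for illustration. By default the script only prints the commands it would run; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not the original post's script): build a WireGuard network
# namespace on Debian Buster using wireguard-tools from buster-backports.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
# Address, resolver and config path below are PLACEHOLDERS for your provider.
set -eu

NS=wireguard                      # used later as: ip netns exec wireguard <cmd>
WG_IF=wg0
WG_ADDR='10.0.0.2/32'             # PLACEHOLDER: tunnel address assigned to you
WG_DNS='10.0.0.1'                 # PLACEHOLDER: resolver reachable only via the tunnel
WG_CONF=/etc/wireguard/wg0.conf   # wg(8) setconf format: [Interface]/[Peer] only,
                                  # no Address= or DNS= keys (those belong to wg-quick)
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Create the namespace and bring up its loopback device.
create_namespace() {
    run ip netns add "$NS"
    run ip -n "$NS" link set lo up
}

# 2. Create wg0 in the init namespace, then move it into $NS. The interface's
#    UDP socket stays bound in the namespace where it was created, so the
#    encrypted packets use the host's normal routing while processes inside
#    $NS see nothing but lo and wg0, with a default route over the tunnel.
create_interface() {
    run ip link add "$WG_IF" type wireguard
    run ip link set "$WG_IF" netns "$NS"
    run ip netns exec "$NS" wg setconf "$WG_IF" "$WG_CONF"
    run ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    run ip -n "$NS" link set "$WG_IF" up
    run ip -n "$NS" route add default dev "$WG_IF"
}

# 3. Per-namespace DNS: ip-netns bind-mounts /etc/netns/$NS/resolv.conf over
#    /etc/resolv.conf for processes started with `ip netns exec`, so lookups
#    made inside the namespace never reach the host's resolver.
configure_dns() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'write /etc/netns/%s/resolv.conf: nameserver %s\n' "$NS" "$WG_DNS"
    else
        mkdir -p "/etc/netns/$NS"
        printf 'nameserver %s\n' "$WG_DNS" > "/etc/netns/$NS/resolv.conf"
    fi
}

# Full setup; afterwards use: ip netns exec wireguard ping google.com
setup_all() {
    create_namespace
    create_interface
    configure_dns
}

setup_all
```

A quick leak check after applying it: ip -n wireguard route should list only the default route over wg0 (plus the tunnel address itself), and ip netns exec wireguard cat /etc/resolv.conf should show the placeholder resolver rather than the host's. If either shows a route or nameserver that belongs to the local network, programs started in the namespace have a path around the tunnel.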