How to Setup a “Forever-Running” Debian Server (Laptop Edition)

A guide to power management, remote access, and resilient WireGuard connectivity.

Running a home server on a laptop is a great way to repurpose hardware. However, consumer laptops are designed to sleep when you close the lid — exactly what you don’t want a server to do.

In this guide, I will document how I set up my Debian server (running a Desktop Environment) to stay awake, handle the “lid closed” state, and maintain a persistent WireGuard VPN connection for remote access.

Part 1: The Basics (Sudo & SSH)

Debian is strict by default. If you just installed it and can’t use sudo or connect remotely, start here.

1.1 Fix “User is not in the sudoers file”

If you set a root password during installation, your default user wasn’t added to the sudo group.

Open a terminal and switch to root:

su -

Add your user to the group:

usermod -aG sudo <your_username>

Log out and log back in for this to take effect.

1.2 Install OpenSSH Server

To manage the server remotely, you need SSH.

sudo apt update 
sudo apt install openssh-server 
sudo systemctl enable --now ssh

Verification: Run sudo systemctl status ssh to ensure it is active.

Part 2: Power Management (The “Laptop Mode” Fix)

We need to ensure the laptop doesn’t sleep when the lid is closed, but the screen turns off to save power.

2.1 Ignore the Lid Switch

This setting ensures the OS keeps running even if you close the laptop.

Edit the login configuration:

sudo nano /etc/systemd/logind.conf

Find the lines for LidSwitch. Uncomment them (remove #) and set them to ignore:

Ini, TOML

[Login]  
HandleLidSwitch=ignore HandleLidSwitchExternalPower=ignore HandleLidSwitchDocked=ignore

Apply changes:

sudo systemctl restart systemd-logind

2.2 Screen Blanking (Save Energy)

Since this is a server, we don’t need the screen on. We’ll set it to turn off after 1 minute of inactivity.

For Debian Desktop (GNOME/GUI):

Run this command in your terminal:

gsettings set org.gnome.desktop.session idle-delay 60

For the Console (GRUB backup):

If the GUI fails, we want the text console to blank too.

• Edit GRUB: sudo nano /etc/default/grub
• Add consoleblank=60 to the default line:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash consoleblank=60"

• Update GRUB: sudo update-grub

Part 3: Setup WireGuard for Resilient Access

Exposing ports to the open internet is a risky practice. Instead, I use WireGuard to create a secure tunnel to my server. This allows me to access services (like SSH or Docker containers) as if I were on the same local network.

Important Notes

• One device, one config: Do not share the same configuration file across multiple devices.
• Unattended Access: The settings below are crucial to ensure the VPN stays up without human intervention.

3.1 Install WireGuard

First, install the necessary tools. resolvconf is often needed for DNS handling within the VPN.

sudo apt update 
sudo apt install wireguard-tools resolvconf

3.2 Configure the Connection

• Prerequisite: Generate your configuration (e.g., from your VPN server dashboard).
• Warning: By default, configs often use AllowedIPs = 0.0.0.0/0. We must change this. If the VPN server goes down, that setting will kill your server's entire internet connection.

Create the configuration file:

sudo nano /etc/wireguard/wg0.conf

Paste your configuration, but apply these specific changes:

Ini, TOML

[Interface] 
PrivateKey = <YOUR_PRIVATE_KEY> 
Address = 10.8.0.2/24 
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <YOUR_PRESHARED_KEY>
Endpoint = x.x.x.x:51820# CRITICAL CHANGE 1: Keepalive
# Keeps the connection alive even when idle.
# 0 = Off. We set to 25 seconds to ensure the tunnel stays up.
PersistentKeepalive = 25# CRITICAL CHANGE 2: Split Tunneling
# Default is often 0.0.0.0/0 (Route ALL traffic).
# We change this to 10.8.0.0/24 so ONLY VPN traffic goes through the tunnel.
# This prevents the server from losing internet if the VPN server goes down.
AllowedIPs = 10.8.0.0/24

3.3 Secure and Enable

WireGuard configuration files contain private keys, so we must secure them.

Restrict permissions:

sudo chmod 600 /etc/wireguard/wg0.conf

Test the connection:

sudo wg-quick up wg0

Check the status with sudo wg.

Enable on Boot:

This ensures the VPN reconnects automatically if the server reboots.

sudo systemctl enable wg-quick@wg0

Cheatsheet

• Stop VPN: sudo wg-quick down wg0
• Disable Auto-Start: sudo systemctl disable wg-quick@wg0