This guide documents my post-installation notes for Debian 13 "Trixie." I will show you how to refine a fresh system from start to finish. We will cover proprietary driver setup, kernel tuning, and advanced networking tools like GNS3, Scapy, and nftables.
My goal is to provide a clear, step-by-step roadmap. It simplifies the entire configuration process. I hope you find these insights useful for your own professional or personal workstation.
In general, my first steps after installing Debian usually include installation and configuration of the following:
- Add User to Sudo Group
- Add Contrib, Non-free and Backports Repositories
- Reduce Reserved Blocks on /home and /home1 Partitions
- Install Proprietary Nvidia GPU Driver and CUDA
- Vim Editor, Bash path
- Chrome and Tor
- VirtualBox and Qemu/kvm
- GNS3, Wireshark, Ubridge, Scapy
- KolourPaint and VLC
- nftables - IPv4 and IPv6 firewall
- ClamAV Antivirus
- Setting Up WireGuard VPN
1. Add User 'brezular' to Sudo Group
We need to add the user to the sudo group to allow the user to execute commands as root.
$ su
# /sbin/usermod -a -G sudo brezular
We have added the user brezular to the sudo group (Figure 1). The 'groups' command lists all the groups the user brezular belongs to.
Figure 1 - List Groups where User 'brezular' is Assigned
As we can see, the user brezular is not yet assigned to the sudo group (Figure 1). We need either to log out and log in again from the GUI, or use 'su yourself' in the terminal to log in again.
$ su brezular
In the new session 'brezular' will be shown as member of the sudo group (Figure 2).
Figure 2 - List Groups where User 'brezular' is Assigned
2. Add Contrib, Non-free and Backports Repositories
To ensure your Debian has access to the widest range of software (including proprietary drivers and the latest backported features), follow these steps to update your repository configuration.
First, synchronize your local package index with the remote repositories. We are going to change the original sources.list afterwards:
$ sudo apt update -y
Open the APT configuration file using a text editor (such as vi or nano). As shown in the highlighted sections of the image, add the contrib and non-free repos. Also add Debian Backports so you can install a newer kernel and packages with new features on your Debian stable release (Figure 3).
$ sudo vi /etc/apt/sources.list

Figure 3 - Modified Debian 13 Trixie Repository List
After saving the file, run the update command again to register the new repositories:
$ sudo apt update -y
$ sudo apt upgrade -y
To install something from backports, run:
$ sudo apt install -t trixie-backports <name_of_package>
3. Reduce Reserved Blocks for /home and /home1
By default, Debian reserves 5% of disk space for the root user. On large data partitions, this wastes gigabytes of storage. You can safely reduce this to 1% to reclaim space.
In my setup, the OS is installed on a separate partition /. If the /home or /home1 data partitions become 100% full, the OS will still boot and function normally. Therefore, it is safe to reduce the reserved blocks percentage from 5% to 1%.
Check available disk space with the df command. As seen in Figure 4, /home has 756 GB and /home1 has 891 GB available.
$ df -h

Figure 4 - Available Space for /home and /home1 Partitions Before Reducing Blocks for Root User
Reduce reserved space to 1% for data partitions:
$ sudo /sbin/tune2fs -m 1 /dev/mapper/freepc--vg-home
$ sudo /sbin/tune2fs -m 1 /dev/mapper/data--vg-home1
Check with df -h again (Figure 5):
$ df -h

Figure 5 - Available Space for /home and /home1 Partitions After Reducing Blocks for Root User
- Result for /home - Available space increased from 756G to 789G.
- Result for /home1 - Available space increased from 891G to 929G.
4. Install Proprietary Nvidia GPU Driver and CUDA
4.1 Install Proprietary Nvidia GPU Driver
The easiest way to determine which driver version your card requires is to use the nvidia-detect utility (Figure 6):
$ sudo apt install nvidia-detect
$ nvidia-detect

Figure 6 - NVIDIA RTX 3070 Ti with Active Kernel Drivers
Once identified, install the main driver along with the necessary firmware for your hardware:
$ sudo apt install nvidia-driver firmware-misc-nonfree
A system reboot is required to unload the nouveau driver and initialize the NVIDIA kernel modules:
$ sudo reboot
After rebooting, verify the installation by checking the NVIDIA System Management Interface (Figure 7):
$ nvidia-smi

Figure 7 - Nvidia Proprietary Driver 550.163.01 Installed
Note: After installing the NVIDIA drivers and rebooting, you may encounter a login loop where the system returns you to the login screen immediately after entering your password. This usually happens because the system is attempting to use Wayland, which can sometimes conflict with specific NVIDIA configurations on Debian 13.
The quick workaround is to switch from Wayland to X11. If you are stuck at the login screen:
- Click on your Username
- Look for a small gear icon or a session menu in the bottom-right (or left) corner of the screen.
- Change the selection from "KDE" (which uses Wayland) to "KDE on Xorg" (which uses X11).
- Enter your password and log in.
4.2 Enabling CUDA and Hardware Video Encoding (NVENC)
If you plan on using your GPU for more than just display, such as AI workloads, 3D rendering or fast video encoding (OBS/FFmpeg), you need to install the CUDA toolkit and the NVENC/NVDEC headers.
On Debian, we can install the CUDA runtime and libraries directly from the repositories we enabled earlier:
$ sudo apt install nvidia-cuda-toolkit
To enable Hardware Accelerated Video Encoding (NVENC/NVDEC) so software like FFmpeg or OBS Studio can use your GPU for video encoding (saving CPU power), install these libraries:
$ sudo apt install libnvcuvid1 libnvidia-encode1
After installation, we can verify that the system recognizes the CUDA cores by running (Figure 8):
$ nvcc --version

Figure 8 - NVIDIA CUDA Installed
This output confirms that our system is ready to handle GPU-accelerated workloads, such as AI simulations or video rendering.
5. Vim Editor, Bash Path
5.1 Vim Editor
Vim is my editor of choice. If you prefer a different editor, feel free to skip this section and proceed to the next step.
$ sudo apt install vim
Configure Vim to allow copying and pasting outside the editor. The command prevents the mouse from entering "visual mode," allowing your terminal emulator to handle text selection.
$ echo "set mouse=r" >> ~/.vimrc
Apply the same configuration for the root user:
$ echo "set mouse=r" | sudo tee -a /root/.vimrc
5.2 Bash Path
Add /usr/sbin to the system path to make system binaries available to non-root users without requiring an absolute path.
$ echo 'export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' >> ~/.bash_profile
6. Internet Browsers
6.1 Chrome
$ wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ sudo apt install ./google-chrome-stable_current_amd64.deb
The Google repository file /etc/apt/sources.list.d/google-chrome.list has been created.
6.2 Tor from Source
Install Tor Browser using the latest archive from the downloads page.
$ cd ~/Downloads
$ wget https://dist.torproject.org/torbrowser/16.0a1/tor-browser-linux-x86_64-16.0a1.tar.xz
$ tar xvf tor-browser-linux-x86_64-16.0a1.tar.xz
$ cd tor-browser/
Start Tor browser and register desktop icon.
$ ./start-tor-browser.desktop --register-app
The Tor icon has been added to Applications -> Internet in the K desktop environment (KDE).
7. Virtualization and Emulation Tools
7.1 Oracle VirtualBox
VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use.
Add Oracle GPG key to /usr/share/keyrings:
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo gpg --dearmor --yes -o /usr/share/keyrings/oracle-virtualbox-2016.gpg
Check if the gpg key has been added (Figure 9):
$ ls -l /usr/share/keyrings/ | grep oracle

Figure 9 - Oracle VirtualBox GPG Key
Add Oracle repository:
$ echo "deb [arch=amd64 signed-by=/usr/share/keyrings/oracle-virtualbox-2016.gpg] https://download.virtualbox.org/virtualbox/debian trixie contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
Update system and install VirtualBox:
$ sudo apt update -y
$ sudo apt install virtualbox-7.2
The Oracle VirtualBox extension pack extends functionality of VirtualBox for USB 3.0 and VirtualBox Remote Desktop Protocol (VRDP) support. Firstly, download an extension pack.
$ wget https://download.virtualbox.org/virtualbox/$(vboxmanage --version | cut -d 'r' -f1)/Oracle_VirtualBox_Extension_Pack-`echo $(vboxmanage --version | cut -d 'r' -f1)-$(vboxmanage --version | cut -d 'r' -f2)`.vbox-extpack
Now, we can install the pack with vboxmanage:
$ sudo vboxmanage extpack install Oracle_VirtualBox_Extension_Pack-`echo $(vboxmanage --version | cut -d 'r' -f1)-$(vboxmanage --version | cut -d 'r' -f2)`.vbox-extpack
During the installation of VirtualBox, a system group named vboxusers is automatically created. To allow a VirtualBox guest machine to access USB devices, your user account must be a member of this group.
$ sudo usermod -a -G vboxusers $(whoami)
Note that adding an active user to that group will require that user to log out and back in again.
7.2 Qemu and KVM Virtualization
QEMU is a machine emulator capable of running operating systems and programs designed for one architecture on a completely different machine. In most modern setups, it is used as a virtualizer in collaboration with KVM kernel components. In this mode, it utilizes hardware virtualization technology to run guest operating systems with high efficiency [1].
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware. It requires CPUs with virtualization extensions, such as Intel VT or AMD-V. KVM consists of a loadable core kernel module (kvm.ko) and a processor-specific module (kvm-intel.ko or kvm-amd.ko) [2].
System Requirement: To enable the KVM kernel virtual machine, hardware virtualization support (VT-x for Intel or AMD-V for AMD CPUs) must be enabled in your system's BIOS/UEFI.
$ sudo apt install qemu-kvm
Run the following egrep command to verify that Intel VMX or AMD SVM is supported on your CPU (Figure 10):
$ egrep --color 'vmx|svm' /proc/cpuinfo
Figure 10 - Checking Hardware Virtualization Support for Intel CPU on Linux
7.3 Troubleshooting VirtualBox and KVM Conflict
On older versions like Debian 11, VirtualBox and KVM could often coexist as long as no KVM virtual machines were active. However, in Debian 13 (Trixie), the newer Linux kernel (6.x) and VirtualBox 7.x handle hardware virtualization (VT-x) more strictly.
When the kvm_intel module is loaded, the kernel locks the VT-x instructions for itself. This causes VirtualBox to fail with the error: VERR_VMX_IN_VMX_ROOT_MODE.
To run VirtualBox, you must manually unload the KVM modules to release the hardware lock. To simplify this workflow, I recommend adding the following aliases to your ~/.bashrc:
$ vi ~/.bashrc
# Run this before starting VirtualBox (on AMD CPUs the module is kvm_amd)
alias vboxfix='sudo modprobe -r kvm_intel kvm'
# Run this when you need GNS3 or QEMU again
alias kvmfix='sudo modprobe kvm_intel'
Simply run vboxfix in your terminal, and VirtualBox will start without any issues. When your work in VirtualBox is done, use kvmfix to re-enable your kvm simulation environment.
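A check to run before unloading the KVM modules, as an added example that is not part of the original guide: it reads /proc/modules and reports whether a KVM vendor module is loaded and still referenced, in which case modprobe -r refuses to unload it. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether VT-x/AMD-V can be handed over to VirtualBox.
# Input is /proc/modules text: name size refcount dependents state address.

# Constructed sample: KVM loaded on an Intel host, no virtual machine running.
sample_modules() {
cat <<'EOF'
kvm_intel 413696 0 - Live 0x0000000000000000
kvm 1404928 1 kvm_intel, Live 0x0000000000000000
irqbypass 12288 1 kvm, Live 0x0000000000000000
EOF
}

# kvm_vtx_state [FILE]   (FILE defaults to /proc/modules, "-" reads stdin)
#   free               no KVM vendor module is loaded
#   idle <module>      loaded with reference count 0, safe to unload
#   busy <module> <n>  still referenced, for example by a running QEMU guest
# Returns 1 only for "busy".
kvm_vtx_state() {
    awk '
        $1 == "kvm_intel" || $1 == "kvm_amd" { mod = $1; refs = $3 + 0 }
        END {
            if (mod == "") { print "free"; exit 0 }
            if (refs == 0) { print "idle", mod; exit 0 }
            print "busy", mod, refs
            exit 1
        }
    ' "${1:-/proc/modules}"
}

# release_vtx: unload the vendor module and kvm only when nothing uses them.
release_vtx() {
    state=$(kvm_vtx_state "$@") || {
        echo "not unloading, $state" >&2
        return 1
    }
    case $state in
        free)    echo "VT-x is already free" ;;
        "idle "*) sudo modprobe -r "${state#idle }" kvm ;;
    esac
}
```

A "busy" result means a QEMU or GNS3 guest should be shut down first; forcing the unload is not needed.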
8. GNS3 and Auxiliary Tools
8.1 Install GNS3 Server and GUI
GNS3 (Graphical Network Simulator-3) is a powerful network software emulator. We will install GNS3 using pipx, which provides a clean, isolated installation without interfering with your system's Python packages.
8.1.1 Install the core Qt5 libraries
$ sudo apt update
$ sudo apt install python3-pyqt5 python3-pyqt5.qtsvg python3-pyqt5.qtwebsockets python3-pyqt5.qtmultimedia python3-pyqt5.sip
8.1.2 Install pipx
Pipx manages the GNS3 installation in an isolated environment.
$ sudo apt install pipx python3-full
$ pipx ensurepath
Note: Restart your terminal after running ensurepath.
8.1.3 Install GNS3 Server and GUI
Install both the server and the GUI. The flag --system-site-packages allows GNS3 to find the PyQt5 libraries we installed in a previous step.
$ pipx install gns3-server --system-site-packages
$ pipx install gns3-gui --system-site-packages
8.1.4 Update GNS3 Server and GUI Installation
One of the best features of pipx is that it remembers the installation flags. Since we installed GNS3 with --system-site-packages, pipx will continue to use that setting during updates.
To update GNS3 components to the latest version run:
$ pipx upgrade gns3-server
$ pipx upgrade gns3-gui
8.2 Create a GNS3 Desktop Launcher
To make GNS3 easily accessible, we will create a desktop entry that appears in your application menu and copy it directly to your desktop.
8.2.1 Download the High-Resolution Icon
Standard wget requests might be blocked (403 Forbidden). We use a custom User-Agent to mimic a browser and download the 512px icon to your local icons folder:
$ mkdir -p ~/.local/share/icons
$ wget -U "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" \
-O ~/.local/share/icons/gns3.png \
"https://icon-icons.com/download-file?file=https%3A%2F%2Fimages.icon-icons.com%2F1381%2FPNG%2F512%2Fgns3_94911.png&id=94911&pack_or_individual=pack"
8.2.2 Create the .desktop File
The .desktop file is the standard way Linux handles application shortcuts. Create the file using:
$ vi ~/.local/share/applications/gns3.desktop
[Desktop Entry]
Type=Application
Name=GNS3
GenericName=Network Simulator
Comment=Graphical Network Simulator 3
Exec=/home/brezular/.local/bin/gns3
Icon=/home/brezular/.local/share/icons/gns3.png
Terminal=false
Categories=Education;Network;
MimeType=application/x-gns3;
8.2.3 Make it Executable and Copy to Desktop
To see the icon on your desktop wallpaper, you need to copy the file and set the correct permissions:
Make the launcher executable
$ chmod +x ~/.local/share/applications/gns3.desktop
Copy it to your Desktop folder
$ cp ~/.local/share/applications/gns3.desktop ~/Desktop/
8.3 Wireshark
$ sudo apt install wireshark
Add the current user to the Wireshark group to be able to run Wireshark as a non-root user and capture on the interfaces.
$ sudo usermod -a -G wireshark $USER
8.4 Ubridge from Source
uBridge is a simple application to create user-land bridges between various technologies. Currently bridging between UDP tunnels, Ethernet and TAP interfaces is supported. Packet capture is also supported.
$ sudo apt install git build-essential pcaputils libpcap-dev
$ git clone https://github.com/GNS3/ubridge.git
$ cd ubridge
$ make
$ sudo make install
8.5 Scapy
Scapy is a powerful interactive packet manipulation program capable of forging or decoding packets for a wide range of protocols.
8.5.1 Install Scapy
On Debian 13, due to PEP 668 (externally managed environments), you should not use sudo pip. Instead, use pipx to install Scapy with its full feature set (complete extras) in an isolated environment:
$ pipx install "scapy[complete]"
8.5.2 Running Scapy as Root Always
Scapy needs root privileges to send and receive packets on network interfaces. However, because it is installed via pipx in your user directory, a standard sudo scapy command will fail because root does not have ~/.local/bin in its PATH.
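To fix this permanently so that typing scapy always runs it as root, add an alias to your shell configuration. Keep in mind that the alias hands your user PATH, including user-writable directories such as ~/.local/bin, to a process running as root. Edit your bash configuration: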
$ vi ~/.bashrc
Add the following line at the end of the file ~/.bashrc:
# Always run scapy as root with user's PATH
alias scapy='sudo env "PATH=$PATH" scapy'
Apply the changes:
$ source ~/.bashrc
9. Media Tools
KolourPaint is a free, easy-to-use paint program by KDE, while VLC is a favourite tool for playing and streaming videos.
$ sudo apt install kolourpaint vlc
10. nftables
nftables is a netfilter project that aims to replace the existing {ip,ip6,arp,eb}tables framework.
nftables makes no distinction between temporary rules made on the command line and permanent ones loaded from or saved to a file. All rules have to be created or loaded using the nft command line utility. We are going to create a typical ruleset to protect one laptop in IPv4 and IPv6.
Netfilter tables are organized hierarchically. Tables contain chains and chains contain rules, for example:
- Table 1
  - Chain 1
    - Rule 1
    - Rule 2
  - Chain 2
    - Rule 3
- Table 2
  - Chain 3
    - Rule 4
10.1 IPv4 Firewall
10.1.1 Create table mytable_ipv4
$ sudo nft add table mytable_ipv4
10.1.2 Add a chain to a table
Note: nft syntax uses characters that are special to the shell, such as curly braces and the semicolon. If you are running these commands from a shell such as bash, all the special characters need to be escaped. The simplest way to prevent the shell from attempting to parse the nft syntax is to quote everything within single quotes.
Create a chain for incoming packets that drops all packets that are not explicitly allowed by any rule in this chain:
$ sudo nft 'add chain mytable_ipv4 input {type filter hook input priority 0; policy drop;}'
Note: Alternatively, you can run the command:
$ sudo nft add chain mytable_ipv4 input {type filter hook input priority 0 \; policy drop \;}
10.1.3 Add rules to a chain input
Add new rules to our input chain in mytable_ipv4 to accept incoming established and related network traffic.
$ sudo nft add rule mytable_ipv4 input ct state established accept
$ sudo nft add rule mytable_ipv4 input ct state related accept
Add a rule to our input chain in mytable_ipv4 to accept all network traffic from localhost.
$ sudo nft add rule mytable_ipv4 input iif lo accept
Add a rule to our input chain for mytable_ipv4 to accept traffic for SSH.
$ sudo nft add rule mytable_ipv4 input tcp dport 22 counter accept
Log dropped traffic.
$ sudo nft add rule mytable_ipv4 input counter log drop
10.2 IPv6 Firewall
Configure the IPv6 firewall, which contains the rules for IPv6 traffic.
$ sudo nft add table ip6 mytable_ipv6
$ sudo nft 'add chain ip6 mytable_ipv6 input {type filter hook input priority 0; policy drop;}'
$ sudo nft add rule ip6 mytable_ipv6 input ct state established accept
$ sudo nft add rule ip6 mytable_ipv6 input ct state related accept
$ sudo nft add rule ip6 mytable_ipv6 input iif lo accept
$ sudo nft add rule ip6 mytable_ipv6 input tcp dport 22 counter accept
$ sudo nft add rule ip6 mytable_ipv6 input icmpv6 type {nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert} accept
$ sudo nft add rule ip6 mytable_ipv6 input counter log drop
10.3 Make Our Firewall Configuration Persistent Across Service Restarts
Nftables comes with a simple and secure firewall configuration stored in the /etc/nftables.conf file. The nftables.service will load rules from that file when started or enabled.
First, we need to create a file /etc/nftables.conf, in which we insert the following three lines.
$ sudo su
# echo '#!/usr/sbin/nft -f' > /etc/nftables.conf
# echo 'flush ruleset' >> /etc/nftables.conf
# echo >> /etc/nftables.conf
# exit
Now we can view the configured rules we entered via the CLI and add them to the /etc/nftables.conf file:
$ sudo nft -s list ruleset | sudo tee -a /etc/nftables.conf
Enable and start the nftables service. The configuration file /etc/nftables.conf will be loaded.
$ sudo systemctl enable nftables
$ sudo systemctl start nftables
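One way to check the saved ruleset, as an added example that is not part of the original guide: the functions below read the text printed by nft -s list ruleset and report every input chain that is not policy drop, and every address family left without such a chain. The function names are hypothetical and the sample is constructed from the rules in sections 10.1 and 10.2.

```shell
#!/bin/sh
# Added example: audit the text printed by `nft -s list ruleset`.

# Constructed sample in the listing format, mirroring sections 10.1 and 10.2.
sample_ruleset() {
cat <<'EOF'
table ip mytable_ipv4 {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established accept
                ct state related accept
                iif "lo" accept
                tcp dport 22 counter accept
                counter log drop
        }
}
table ip6 mytable_ipv6 {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established accept
                ct state related accept
                iif "lo" accept
                tcp dport 22 counter accept
                icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                counter log drop
        }
}
EOF
}

# input_policies [FILE]: print "<family> <table> <chain> <policy>" for every
# base chain hooked at input. Returns 1 if any of them is not policy drop.
input_policies() {
    awk '
        $1 == "table" { family = $2; table = $3 }
        $1 == "chain" { chain = $2 }
        /hook input/ {
            policy = "accept"            # nft default when none is stated
            if (match($0, /policy [a-z]+/))
                policy = substr($0, RSTART + 7, RLENGTH - 7)
            print family, table, chain, policy
            if (policy != "drop") bad = 1
        }
        END { exit bad + 0 }
    ' "$@"
}

# unprotected_families [FILE]: print the address families (ip, ip6) that have
# no drop-policy input chain. An inet table covers both. Returns 1 if any.
unprotected_families() {
    input_policies "$@" | awk '
        $4 == "drop" { seen[$1] = 1 }
        END {
            if ("inet" in seen) exit 0
            if (!("ip" in seen))  { print "ip";  miss = 1 }
            if (!("ip6" in seen)) { print "ip6"; miss = 1 }
            exit miss + 0
        }
    '
}
```

On the live system, pipe sudo nft -s list ruleset into either function; sudo nft -c -f /etc/nftables.conf additionally checks the file's syntax without applying it.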
10.4 Useful Commands for Managing nftables
Display all rules along with handles (Figure 11):
$ sudo nft -a list ruleset
Figure 11 - IPv4 and IPv6 Rulesets
For example, to delete a specific rule, such as the rule that accepts IPv4 traffic from the loopback interface, enter the command:
$ sudo nft delete rule mytable_ipv4 input handle 4
To backup firewall configuration to the file firewall.txt:
$ sudo nft -s list ruleset | tee firewall.txt
To load rules from the firewall.txt file and add them to the rules that are already in use, enter the following:
$ sudo nft -f firewall.txt
Note: If you only want to use the rules saved in the firewall.txt file, you must first flush the rules that are already in use with the command below:
$ sudo nft flush ruleset
After that load ruleset from the file with the sudo nft -f firewall.txt command.
11. ClamAV Antivirus
ClamAV is an easy-to-use tool for detecting virus infections on Linux systems. It is open source and free, and runs on many Linux systems.
$ sudo apt install clamav clamav-daemon
ClamAV's tools are clamscan to do the scanning and freshclam to update the list of known virus signatures.
To start running freshclam as a service, we should run a command like this:
$ sudo systemctl start clamav-freshclam
Freshclam will run as a daemon (Figure 12) and try to check the signature database 24 times per day by default. The config file for freshclam is /etc/clamav/freshclam.conf.
To see if it works, simply "tail" the log file to see what the background service is doing:
$ sudo tail -f /var/log/clamav/freshclam.log
To update the signature database manually, enter the command:
$ sudo freshclam
To scan directory /home/brezular/ and all subdirectories, enter the command with the following options:
$ sudo clamscan --infected --remove --recursive /home/brezular/
- --infected: prints only infected files
- --remove: removes infected files
- --recursive: all the subdirectories in the directory will be scanned
Note: clamscan can only read files that the user running the tool can read, so using sudo is generally required.
12. Setting Up WireGuard VPN
WireGuard is a modern, high-performance VPN. On Debian 13, it is included in the kernel, but we need the user-space tools and a DNS helper to manage the connection properly.
12.1 Install WireGuard and resolvconf
The openresolv package is crucial. It allows WireGuard to modify your DNS settings (e.g., using a DNS server inside your VPN) without breaking the system's local resolution.
$ sudo apt update
$ sudo apt install wireguard openresolv
12.2 Key Generation and Security
Security is the most important part of a VPN setup. By default, keys might be created with loose permissions. We must restrict access so only the root user can see them.
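Because cd is a shell builtin, it cannot be run through sudo, and the directory is about to be restricted to root, so the commands below use absolute paths instead of changing into /etc/wireguard.
Set strict directory permissions first:
$ sudo chmod 700 /etc/wireguard
# Generate private and public keys
$ wg genkey | sudo tee /etc/wireguard/client_priv.key | wg pubkey | sudo tee /etc/wireguard/client_pub.key
Set file permissions (keys and config) to root only (read/write). The glob is expanded inside a root shell because your own shell cannot list the directory:
$ sudo sh -c 'chmod 600 /etc/wireguard/*'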
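The permission requirements of this section as an added example, not part of the original guide: one function creates the key pair under umask 077 so the files are never readable by other users, the other audits a directory for anything that grants access to group or others. The function names are hypothetical; the file names follow the client_priv.key and client_pub.key pattern used above.

```shell
#!/bin/sh
# Added example: create WireGuard keys without a readable window, then audit.

# wg_keygen DIR NAME: run as root. umask 077 makes both files mode 600 from
# the moment they are created, so no later chmod is needed for them.
wg_keygen() {
    (
        umask 077
        wg genkey | tee "$1/$2_priv.key" | wg pubkey > "$1/$2_pub.key"
    )
}

# wg_loose_perms DIR: print DIR and every entry in it that grants any
# permission to group or others. Returns 1 if something was printed.
wg_loose_perms() {
    rc=0
    for f in "$1" "$1"/*; do
        [ -e "$f" ] || continue          # unmatched glob in an empty directory
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}
```

Run both functions from a root shell; an unprivileged shell cannot list /etc/wireguard once it is mode 700.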
12.3 Managing the Connection
To start your VPN tunnel:
$ sudo wg-quick up /etc/wireguard/wg0.conf
To disconnect:
$ sudo wg-quick down wg0
To check the status and see if data is flowing:
$ sudo wg show
