WireGuard
WireGuard® is an extremely simple yet fast and modern VPN. These are instructions for installing WireGuard on a Raspberry Pi 2/3/4.
Installation
At the time of this writing, the WireGuard module has yet to be included in the Raspberry Pi kernel. The Debian Testing repository must be added to the Raspberry Pi in order to install the necessary tools and the kernel module.
Add the Debian Testing Repository
The following commands add the Debian testing repository and set its priority lower than that of the Raspberry Pi OS stable repository. This way all packages are updated from the stable repos, and apt falls back to the Debian testing repo only for packages that are not available there.
$ echo "deb http://archive.raspbian.org/raspbian testing main" | sudo tee --append /etc/apt/sources.list.d/testing.list
$ printf 'Package: *\nPin: release a=testing\nPin-Priority: 50\n' | sudo tee --append /etc/apt/preferences.d/limit-testing
$ sudo apt update
Install the WireGuard Package
$ sudo apt install wireguard -y
Allow Remote Access to the Local Network
- Configure a static IP address or DHCP reservation on the Raspberry Pi
- Configure a static WAN IP address or DDNS service on the router
- Port forward UDP port 51820 from the router to the Raspberry Pi
Enable IP Forwarding
On the Raspberry Pi, edit /etc/sysctl.conf uncommenting the following line:
...
net.ipv4.ip_forward=1
...
A reboot is required for this to take effect.
Create the server/client keys
WireGuard operates in more of a peer-to-peer manner rather than server/client, so the key generation is the same for all peers (the "server" and "client").
Start by creating a directory in a secure location for the keys. Inside this directory, run the following command for the "server" keys:
$ sudo wg genkey | tee server_privatekey | wg pubkey > server_publickey
This will create two files, server_privatekey and server_publickey, each containing one base64-encoded key.
For each "client" peer, run the same command as above, changing the output filenames to reflect which peer key-pair is being generated like so:
$ sudo wg genkey | tee client1_privatekey | wg pubkey > client1_publickey
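As an added example (not part of the original guide), the following script generates the same key pairs for any number of peers, but inside a directory only root can read, with the private key files created at mode 0600 through umask 077, and then checks each pair: both files must hold a well-formed 44-character base64 key, and the public key must actually derive from the private key (which catches truncated or swapped files). The directory /etc/wireguard/keys and the script name wg-keys.sh are assumptions; wg(8) from the wireguard package must be installed.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate WireGuard key pairs
# for a list of peer names into a root-only directory, then sanity-check them.
# Requires wg(8) from the wireguard package. KEYDIR is an assumed location.
set -eu

KEYDIR="${KEYDIR:-/etc/wireguard/keys}"

# A WireGuard key is 32 random bytes in base64: 43 base64 characters plus one
# '=' padding character, 44 characters in total. Returns 0 if $1 looks like one.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Write <name>_privatekey and <name>_publickey for one peer. The subshell's
# umask 077 makes both files mode 0600 from the moment they are created.
gen_peer_keys() {
    (
        umask 077
        wg genkey > "$KEYDIR/${1}_privatekey"
        wg pubkey < "$KEYDIR/${1}_privatekey" > "$KEYDIR/${1}_publickey"
    )
}

# Check a written pair: well-formed keys, public key derived from the private
# key, and the private key file not readable by anyone but its owner.
verify_peer_keys() {
    priv=$(cat "$KEYDIR/${1}_privatekey")
    pub=$(cat "$KEYDIR/${1}_publickey")
    is_wg_key "$priv" || { echo "$1: malformed private key" >&2; return 1; }
    is_wg_key "$pub"  || { echo "$1: malformed public key" >&2; return 1; }
    [ "$(printf '%s\n' "$priv" | wg pubkey)" = "$pub" ] \
        || { echo "$1: public key does not derive from private key" >&2; return 1; }
    [ "$(stat -c %a "$KEYDIR/${1}_privatekey")" = "600" ] \
        || { echo "$1: private key file is not mode 0600" >&2; return 1; }
}

main() {
    mkdir -p "$KEYDIR"
    chmod 700 "$KEYDIR"
    for peer in "$@"; do
        gen_peer_keys "$peer"
        verify_peer_keys "$peer"
        echo "$peer: keys written to $KEYDIR"
    done
}

# Runs only when peer names are given, e.g.: sudo sh wg-keys.sh server client1 client2
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once as root with the names of all peers; the same key files are then referenced from the server and client configs below.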
Server Configuration
Create the file /etc/wireguard/wg0.conf containing the following, replacing the items indicated by <...> with the keys found in the files created above:
[Interface]
Address = 192.168.2.1/24 # IP address of the 'server'; peers (clients) need to be in the same subnet
PrivateKey = <server_privatekey>
ListenPort = 51820
[Peer]
PublicKey = <client1_publickey>
AllowedIPs = 192.168.2.2/32 # IP address of the first 'client' peer
[Peer]
PublicKey = <client2_publickey>
AllowedIPs = 192.168.2.3/32 # IP address of the second 'client' peer
Activate the wg0 interface with systemd
Enable and start the WireGuard Interface with:
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
Create the Client Config File(s)
Note: the filename of the config file determines the WireGuard interface name; for example, wg0.conf creates an interface called wg0. Interfaces can be named whatever you want; it may be helpful to name them after the network you're connecting to.
Very similar to the "server" configuration above, each client config should contain the following, again replacing the items indicated by <...> with the keys:
[Interface]
Address = 192.168.2.2/24 # the 'client' peer's IP address from the 'server' config
DNS = 192.168.1.1 # the DNS server's IP address on the destination network
PrivateKey = <client1_privatekey>
[Peer]
PublicKey = <server_publickey>
AllowedIPs = 0.0.0.0/0 # routes all traffic over the WireGuard tunnel
Endpoint = <DNS-resolvable-servername-or-IP>:51820
The endpoint can be either the router's WAN IP address or its (D)DNS name, but must also contain the server's port number, e.g. www.franklin57.com:51820.
Create a config file (or enter the information above) for each "client" device, remembering to set Address to the address listed for that client in the "server's" config and PrivateKey to that client's own private key, the one whose public key you placed in the server config.
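As an added example (not the guide's own configuration), the following script renders the server and client configs described above for any number of clients from the key files, and lints the server config for the mistake that is easy to make here: on the server side AllowedIPs acts as the tunnel's routing table ("packets for this address go to this peer"), so each client must be listed as a single /32 address and no address may be claimed by two peers, whereas the client side uses 0.0.0.0/0 to send everything through the tunnel. The key directory, subnet prefix, LAN DNS address, endpoint name and the script name wg-confs.sh are assumptions, set through environment variables.

```shell
#!/bin/sh
# Added example, not the guide's own configuration: render wg0.conf and the
# client configs from the key files, then lint the server's AllowedIPs.
# The key directory, subnet, LAN DNS server and endpoint are assumptions.
set -eu

KEYDIR="${KEYDIR:-/etc/wireguard/keys}"
SUBNET_PREFIX="${SUBNET_PREFIX:-192.168.2}"      # the tunnel's /24; the server is .1
LAN_DNS="${LAN_DNS:-192.168.1.1}"                 # DNS server on the destination LAN
SERVER_ENDPOINT="${SERVER_ENDPOINT:-vpn.example.invalid:51820}"   # placeholder (D)DNS name

# Server config: [Interface] plus one [Peer] per client public key, in order.
# Each client gets a single /32 in AllowedIPs, never the whole /24, because on
# the server side AllowedIPs decides which peer a packet is routed to.
render_server_conf() {
    server_priv="$1"; shift
    printf '[Interface]\nAddress = %s.1/24\nPrivateKey = %s\nListenPort = 51820\n' \
        "$SUBNET_PREFIX" "$server_priv"
    peer_host=2
    for client_pub in "$@"; do
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.%d/32\n' \
            "$client_pub" "$SUBNET_PREFIX" "$peer_host"
        peer_host=$((peer_host + 1))
    done
}

# Client config for host number $2: its address in the tunnel subnet, the LAN
# DNS server, and 0.0.0.0/0 so that all traffic is routed through the tunnel.
render_client_conf() {
    client_priv="$1"; client_host="$2"; server_pub="$3"
    printf '[Interface]\nAddress = %s.%d/24\nDNS = %s\nPrivateKey = %s\n\n' \
        "$SUBNET_PREFIX" "$client_host" "$LAN_DNS" "$client_priv"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n' \
        "$server_pub" "$SERVER_ENDPOINT"
}

# Lint a server config read from stdin: every AllowedIPs must be a /32 and no
# address may be claimed by two peers. Exits 1 (and says why) on a problem.
lint_server_allowed_ips() {
    grep -E '^AllowedIPs' | sed -E 's/^AllowedIPs *= *//; s/ *#.*$//' | awk '
        $0 !~ /\/32$/ { print "not a single host: " $0 > "/dev/stderr"; bad = 1 }
        seen[$0]++    { print "claimed twice: " $0 > "/dev/stderr"; bad = 1 }
        END { exit bad }'
}

# Write /etc/wireguard/wg0.conf and $KEYDIR/<client>.conf for each client named
# on the command line, e.g.:  sudo sh wg-confs.sh client1 client2
main() {
    umask 077                        # configs contain private keys: mode 0600
    server_priv=$(cat "$KEYDIR/server_privatekey")
    server_pub=$(cat "$KEYDIR/server_publickey")
    client_pubs=""
    for c in "$@"; do client_pubs="$client_pubs $(cat "$KEYDIR/${c}_publickey")"; done
    # word splitting on $client_pubs is intended: one public key per argument
    render_server_conf "$server_priv" $client_pubs > /etc/wireguard/wg0.conf
    n=2
    for c in "$@"; do
        render_client_conf "$(cat "$KEYDIR/${c}_privatekey")" "$n" "$server_pub" \
            > "$KEYDIR/${c}.conf"
        n=$((n + 1))
    done
    lint_server_allowed_ips < /etc/wireguard/wg0.conf && echo "wg0.conf written and checked"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The lint can also be run on its own against a hand-written wg0.conf (lint_server_allowed_ips < /etc/wireguard/wg0.conf) before enabling wg-quick@wg0; two peers listed with the same /24 would otherwise fight over the same routes.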