introduction / background
How to add a user in WireGuard and how to quickly install the profile on your mobile.
requirements / my setup
- Raspberry Pi + SSH connection
- Mobile
how-to
Prepare
Make sure your Pi is up to date:
sudo apt update
sudo apt full-upgrade
Install curl so you can fetch the PiVPN installer:
sudo apt install curl -y
Installing WireGuard
Start the process:
curl -L https://install.pivpn.io | bash
This command uses curl to download the PiVPN setup script from their website and pipes it straight into bash. That runs unreviewed code on your Pi (the script calls sudo itself), so if you want to be careful, download the script first, read it, and only then run it.
The installer then starts and walks through the following dialogs:
PiVPN Automated Installer
- <Ok>
Static IP Needed
- <Ok>
DHCP Reservation
- [Yes] – keep DHCP; only safe when the router reserves a fixed address for the RPi >> my choice: Yes
- [No] – the RPi itself configures its current address as a static address
- (the Static IP Address and IP Conflict dialogs below only appear if you chose No)
Static IP Address
- <Yes>
FYI: IP Conflict
- <Yes>
Local Users
- <Yes>
Choose A User
- Select the user with the arrow keys and the space bar
- <Ok>
Installation mode
- Select the VPN type with the arrow keys and the space bar >> my choice: WireGuard
Default wireguard Port
- Enter the VPN port to be used
- No real reason to change the default one (51820) >> my choice: keep default
Confirm Custom Port Number
- <Yes>
DNS Provider
- Select the DNS provider with the arrow keys and the space bar >> my choice: Cloudflare
Public IP or DNS
- Choose how clients reach the WireGuard server
- IP address assigned by your Internet Service Provider
- DNS entry >> my choice: a domain name pointing to my router, with a port forward (UDP 51820) on the router to the WireGuard RPi
Server Information
- <Ok>
Unattended Upgrades
- <Ok>
Unattended Upgrades
- <Yes>
Installation Complete!
- <Ok>
Reboot
- <Yes>
WireGuard has been installed successfully! Advice: create a separate profile for every user and every device, so a single lost phone can be revoked without touching the others.
creating user(s)
sudo pivpn add
Type a user name, e.g. Name-Device
pivpn -qr
A numbered list of all WireGuard users/profiles is shown. At the prompt "Please enter the Index/Name of the Client to show:" enter the number of the profile you want the QR code for.
Open the WireGuard app on your mobile phone and add a profile by scanning the QR code. The QR code contains the client's private key: anyone who photographs it can connect as that device, so do not screenshot or share it.
WireGuard was reachable, but I couldn't do anything
With the help of AI I managed:
Check whether IP forwarding is enabled (system-wide IP forwarding, ip_forward=1, so that the Raspberry Pi can forward traffic between wg0 and the LAN/internet); the command must print 1:
cat /proc/sys/net/ipv4/ip_forward
The following lines must be present in your UFW firewall rules (they let the WireGuard traffic through the firewall):
sudo ufw allow 51820/udp # WireGuard port
sudo ufw allow from 10.6.0.0/24 # Replace with your WireGuard subnet (the wg0.conf further down uses 10.233.161.0/24)
To forward traffic (FORWARD) from the WireGuard interface to the internet we use NAT (Network Address Translation) via MASQUERADE, so that the private WireGuard addresses can talk to the internet.
Make sure the following rules are present in wg0.conf (/etc/wireguard/wg0.conf). eth0 is the Pi's uplink interface; use wlan0 if the Pi is on Wi-Fi:
# In /etc/wireguard/wg0.conf
[Interface]
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
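The forwarding, UFW and wg0 checks above collected into one script. This is an added example, not part of the original page or of PiVPN; it assumes the interface is wg0, the config is /etc/wireguard/wg0.conf and the firewall is UFW. The helper functions take a file path so they can be tried against a constructed config without root; the fix-up step only runs when the script is started as `sudo ./wg-check.sh apply`.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the "reachable but nothing works" case.
# Assumptions: interface wg0, config /etc/wireguard/wg0.conf, UFW firewall.

# Dotted-quad -> integer (the subshell keeps the IFS change local).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Integer -> dotted-quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of 10.233.161.1/24 -> 10.233.161.0/24 (the subnet UFW has to allow).
network_of() {
  ip=${1%/*}; plen=${1#*/}
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  echo "$(int2ip $(( $(ip2int "$ip") & mask )))/$plen"
}

# First Address= value of a wg-quick config, reduced to its subnet. Fails if absent.
wg_subnet_from_conf() {
  addr=$(sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1)
  [ -n "$addr" ] || return 1
  network_of "$addr"
}

# ListenPort= value. No default: without the line wg-quick picks a random port,
# and then the UFW rule and the router port forward cannot match it.
wg_port_from_conf() {
  port=$(sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
  [ -n "$port" ] || return 1
  echo "$port"
}

# Succeeds when forwarding is on; an alternative path can be passed for testing.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Root-only fix-up: persistent forwarding, UFW rules, then the interface state.
apply_fixes() {
  conf=/etc/wireguard/wg0.conf
  subnet=$(wg_subnet_from_conf "$conf") || { echo "no Address= in $conf" >&2; return 1; }
  port=$(wg_port_from_conf "$conf") || { echo "no ListenPort= in $conf" >&2; return 1; }
  if ! ip_forward_enabled; then
    # /etc/sysctl.d survives reboots; sysctl -w applies it right now.
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-wireguard.conf
    sysctl -w net.ipv4.ip_forward=1
  fi
  ufw allow "$port/udp"
  ufw allow from "$subnet"
  ufw status verbose
  wg show wg0   # latest handshake and transfer counters per peer
}

if [ "${1:-}" = apply ]; then
  apply_fixes
fi
```

If `wg show wg0` lists a recent handshake for the phone but the transfer counter only grows in the receive direction, the tunnel itself is fine and the problem is forwarding or NAT, which is exactly what the checks above cover.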
sources (references) & credits
Basically all input/information came from the websites below. So credits and thanks to those content creators and subject matter experts. The only reason I mainly copy/paste their content is to guarantee I have a backup for myself and because multiple times I had to change and adapt. So archiving the "scripts" as I executed them successfully is important for me.
https://pimylifeup.com/raspberry-pi-wireguard
https://claude.ai
additional fixes
wg-quick applies the DNS= line of the [Interface] section through resolvconf; without that package the interface fails to come up, so install it and restart the interface:
sudo apt install resolvconf
sudo systemctl restart wg-quick@wg0
The DNS servers that pivpn add writes into every new client profile are set in setupVars.conf:
sudo nano /etc/pivpn/wireguard/setupVars.conf
pivpnDNS1=10.233.161.1
pivpnDNS2=1.1.1.1
sudo nano /etc/wireguard/wg0.conf
[Interface]
# never publish the real key; if it has been exposed, generate a new one and re-create every client profile
PrivateKey = <server private key>
Address = 10.233.161.1/24
MTU = 1420
ListenPort = 51820
DNS = 10.233.161.1, 1.1.1.1
Rules to split traffic for certain clients (e.g. keeping one client off the internal network while still letting it out to the internet). This has to be enforced here, in the server's FORWARD chain: the AllowedIPs line in a client's own profile only decides what the client routes into the tunnel and can be edited by whoever holds the profile. A FORWARD rule does not cover traffic to the Pi itself (that is the INPUT chain), so the restricted client can still reach the Pi, e.g. for DNS.
# In /etc/wireguard/wg0.conf, [Interface] section
# PostUp rules for forwarding, NAT and access restrictions
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Rules for the client with restricted access (client2); -I puts the DROP in front of the blanket ACCEPT above
# (adjust 10.0.0.3 to that client's address in your WireGuard subnet and 192.168.1.0/24 to your LAN)
PostUp = iptables -I FORWARD -i wg0 -s 10.0.0.3/32 -d 192.168.1.0/24 -j DROP
PostUp = iptables -A FORWARD -i wg0 -s 10.0.0.3/32 -d 0.0.0.0/0 -j ACCEPT
# PostDown rules to clean everything up again
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -s 10.0.0.3/32 -d 192.168.1.0/24 -j DROP
PostDown = iptables -D FORWARD -i wg0 -s 10.0.0.3/32 -d 0.0.0.0/0 -j ACCEPT
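The whole restriction hinges on rule order: the client-specific DROP has to sit in front of the blanket `-i wg0 -j ACCEPT`, otherwise it is never reached. The script below is an added example, not part of the original page or of PiVPN; it assumes the interface is wg0 and reads the live chain in `iptables -S FORWARD` format (which shows rules inserted with -I as `-A` lines at their actual position). One function generates the PostUp/PostDown pair for a restricted client, the other verifies on the running Pi that the ordering is what the config intended.

```shell
#!/usr/bin/env bash
# Added example: generate and verify the per-client LAN isolation rules.
# Assumptions: interface wg0; rules are read in `iptables -S FORWARD` format.

# Emit the PostUp/PostDown pair that keeps one client off the LAN.
# -I inserts at the top so the DROP is hit before "-i wg0 -j ACCEPT";
# the PostDown uses -D with the identical match so teardown is symmetric.
isolate_client_rules() {   # args: client_cidr lan_cidr
  printf 'PostUp = iptables -I FORWARD -i wg0 -s %s -d %s -j DROP\n' "$1" "$2"
  printf 'PostDown = iptables -D FORWARD -i wg0 -s %s -d %s -j DROP\n' "$1" "$2"
}

# Read `iptables -S FORWARD` on stdin; succeed only if the DROP for
# client -> LAN comes before the first ACCEPT that would also match it.
forward_isolation_ok() {   # args: client_cidr lan_cidr
  awk -v c="$1" -v l="$2" '
    function has(s) { return index($0, s) > 0 }
    # first ACCEPT that could match client -> LAN: no -i or -i wg0,
    # no -s or -s client, no -d or a -d covering the LAN
    /-j ACCEPT/ && (!has("-i ") || has("-i wg0 ")) &&
                   (!has("-s ") || has("-s " c " ")) &&
                   (!has("-d ") || has("-d 0.0.0.0/0 ") || has("-d " l " ")) && !a { a = NR }
    # first DROP that matches exactly this client toward the LAN
    /-j DROP/ && has("-s " c " ") && has("-d " l " ") && !d { d = NR }
    END { exit !(d && (!a || d < a)) }'
}

# Usage on the Pi after `wg-quick up wg0`:
#   sudo iptables -S FORWARD | forward_isolation_ok 10.0.0.3/32 192.168.1.0/24 && echo isolated
# And the lines to paste into wg0.conf for another restricted client:
#   isolate_client_rules 10.0.0.4/32 192.168.1.0/24
```

Run the check after every `wg-quick` restart and after any UFW change: UFW also programs the FORWARD chain, and a rule added with -A ends up behind whatever is already there, so the order you see in the config is not automatically the order in the kernel.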