sudo apt-cache policy wireguard to see if it is in the repository
sudo apt install wireguard -y to get it
To create the keys:
sudo su to get a root shell, so the following commands do not need sudo
cd /etc/wireguard
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey) produces a new private and public key. The umask makes the privatekey file readable by root only (mode 0600). Note the plain parentheses: the $(...) form seen in some notes would try to run the (empty) output as a command and is not what is meant.
The privatekey must be kept secret. It is recommended to create new keys for every new device or purpose, and rotating them from time to time does not hurt either. However, when many devices over long distances connect to a central server, losing the server's private key is a disaster: every client then has to be reconfigured with a new server public key. Therefore keep a backup of it.
When replacing or upgrading the server hardware, reuse the keys from the old server so the clients do not need to be changed. Prepare everything, then switch the router's port forwarding from the old server to the new one.
exit to leave the root shell and require sudo again
Now decide whether the Raspberry Pi will act as a server or a client.
Server Examples:
A Raspberry Pi at home that runs 24 hours a day and is reachable from everywhere through the router's port forwarding, or one used as a router to another location, is a typical WireGuard server.
A Raspberry Pi that is used as a webserver
Client Examples:
An IoT device located somewhere that needs access to the home network is a typical WireGuard client.
sudo touch /etc/wireguard/wg0.conf and edit the WireGuard configuration file. The file contains the private key, so give it the same root-only permissions as the privatekey file (mode 0600).
When having multiple tunnels, do not call them wg0.conf and wg1.conf; give them meaningful names such as wg_<tunnel destination>.conf. The file name (without .conf) becomes the interface name, which wg-quick limits to 15 characters out of letters, digits and _ = + . -
Client configuration: the WireGuard server needs a [Peer] entry with the Raspberry Pi's public key and its VPN WireGuard address. On the Raspberry Pi the configuration file looks like this:
[Interface]
Address = <Raspberry Pi VPN wireguard address>
PrivateKey = <contents of /etc/wireguard/privatekey of the Raspberry Pi, the key itself, not the file path>
[Peer]
PublicKey = <contents of /etc/wireguard/publickey of the wireguard server>
AllowedIPs = <wireguard address of the server>, <optional addresses that will be reached through the tunnel>
Endpoint = <url or IP address of the server>:51820
A tunnel cannot be created towards a client; the client must initiate it, because nothing is forwarded to the client from the outside. Ways to bring the tunnel up from the client:
rpi-connect
the user brings it up from the client's local network
a monitor and keyboard attached to the Raspberry Pi
a cron job
Server configuration: edit the configuration file as follows:
[Interface]
Address = <Raspberry Pi VPN wireguard address>
ListenPort = 51820
PrivateKey = <contents of /etc/wireguard/privatekey of the Raspberry Pi>
[Peer]
PublicKey = <contents of /etc/wireguard/publickey of the client device>
AllowedIPs = <wireguard address of the client device> (a single address, i.e. /32; WireGuard only accepts packets from this peer whose source address is listed here)
For every device added to the server, add another [Peer] entry. The router must forward UDP port 51820 to the Raspberry Pi.
sudo wg-quick up wg0 to bring it up
sudo ifconfig to see if the interface is there (ifconfig is no longer installed by default on newer systems; ip addr show wg0 does the same)
sudo wg show to see the interface, its peers and the time of the latest handshake. No handshake means the keys, Endpoint or AllowedIPs do not match.
sudo wg-quick down wg0 to bring it down
sudo systemctl enable wg-quick@wg0 to have it started automatically
sudo systemctl restart wg-quick@wg0 to apply a changed configuration
Stopping the tunnel breaks the connection you may be using to reach the device. Don't saw off the branch you're sitting on: use restart, which does down and up in one step.
PersistentKeepalive = 25
can optionally be put into the [Peer] section of wg0.conf, on the side that sits behind NAT (normally the client). It sends a small keepalive packet every 25 seconds so the tunnel stays usable while idle. Without it, the NAT routers along the way drop the connection state when it is not in use, and the server can no longer reach the client until the client sends traffic again.
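The two configuration files above, the permissions from the key section and the interface name limit, put together in one script. This is an added example and not part of the original notes: it assumes the keys were already created on each device with wg genkey / wg pubkey as shown above and are passed in as arguments. The 10.10.0.0/24 tunnel range, the addresses 10.10.0.1 (server) and 10.10.0.2 (client), the file names server-<ifname>.conf / client-<ifname>.conf and vpn.example.org are assumptions; replace them with your own and copy each file to /etc/wireguard/<ifname>.conf on the matching device.

```shell
#!/bin/sh
# Added example (not from the original notes): writes a matching server/client
# configuration pair for one tunnel. Keys are assumed to come from
# "wg genkey | tee privatekey | wg pubkey > publickey" on each device and are
# passed in as arguments. Tunnel range, file names and endpoint are assumptions.

# wg-quick derives the interface name from the file name and only accepts
# 1 to 15 characters out of letters, digits and _ = + . -
valid_ifname() {
    case "$1" in
        '' | *[!a-zA-Z0-9_=+.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# write_pair OUTDIR IFNAME SERVER_PRIV SERVER_PUB CLIENT_PRIV CLIENT_PUB SERVER_ENDPOINT
# Each side gets its OWN private key and the OTHER side's public key.
write_pair() {
    outdir=$1; ifname=$2; srv_priv=$3; srv_pub=$4; cli_priv=$5; cli_pub=$6; endpoint=$7
    valid_ifname "$ifname" || { echo "invalid interface name: $ifname" >&2; return 1; }
    mkdir -p "$outdir"
    (
    umask 077   # both files contain a private key: create them as mode 0600
    cat > "$outdir/server-$ifname.conf" <<EOF
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = $srv_priv

# one [Peer] block per client; AllowedIPs is only the client's tunnel address
[Peer]
PublicKey = $cli_pub
AllowedIPs = 10.10.0.2/32
EOF
    cat > "$outdir/client-$ifname.conf" <<EOF
[Interface]
Address = 10.10.0.2/24
PrivateKey = $cli_priv

# the client initiates the tunnel and sits behind NAT, so it gets the keepalive
[Peer]
PublicKey = $srv_pub
AllowedIPs = 10.10.0.1/32
Endpoint = $endpoint:51820
PersistentKeepalive = 25
EOF
    )
}

# file_mode FILE: prints the permission string, e.g. -rw------- for mode 0600
file_mode() {
    ls -l "$1" | cut -c1-10
}
```

Usage: write_pair /tmp/wg wg_home "$(cat server/privatekey)" "$(cat server/publickey)" "$(cat client/privatekey)" "$(cat client/publickey)" vpn.example.org, then check with file_mode that both files show -rw-------. The keys are written into the files, so treat the output directory like /etc/wireguard itself.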