====== Raspberry Pi 4 as Wireguard VPN server ======

===== Introduction =====

This howto describes how to install a Wireguard VPN server on a minimal installation. Everything in this howto is done as the root user.

===== Installation =====

==== Raspberry Pi OS Lite ====

Download Raspberry Pi OS Lite 64-bit at: [[https://www.raspberrypi.com/software/operating-systems/]]

Use Etcher or a similar tool to write the downloaded zip to an SD card.

==== Initial settings to enable remote configuration ====

Use raspi-config to set up the network, change the password of the pi user and change the hostname, then enable SSH:

<code bash>
raspi-config
systemctl enable ssh.service
systemctl start ssh.service
</code>

==== Setting a fixed IP on the interface ====

<code>
...
interface eth0
static ip_address=172.16.2.1/24
static routers=172.16.2.254
static domain_name_servers=172.16.1.50 208.67.222.222
</code>

==== Use SSH keys to login ====

<code bash>
ssh-keygen
</code>

<code>
ssh-rsa ...
ssh-rsa ...
ssh-rsa ...
</code>

==== Making the system as read-only as possible ====

<code bash>
apt update
apt upgrade -y
apt remove -y --purge triggerhappy logrotate dphys-swapfile dc nano
apt autoremove --purge -y
</code>

Edit the kernel command line and add "fastboot noswap ro" to the end of the line, so it looks something like this:

<code>
console=serial0,115200 console=tty1 root=PARTUUID=6c586e13-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fastboot noswap ro
</code>

Replace rsyslog with busybox-syslogd:

<code bash>
apt install -y busybox-syslogd
apt remove -y --purge rsyslog
</code>

==== Bashrc aliases ====

Add the following alias at the end of the bashrc file:

<code bash>
alias temp='/usr/bin/vcgencmd measure_temp'
</code>

==== Unattended upgrades ====

I do not want to update manually.

<code bash>
apt install -y unattended-upgrades apt-listchanges
cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/52unattended-upgrades
</code>

Edit /etc/apt/apt.conf.d/52unattended-upgrades so the relevant settings look like this:

<code>
...
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "${distro_id}:${distro_codename}";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
...
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
</code>

Test it with:

<code bash>
unattended-upgrades -d
</code>

This should not give any error. Then enable it:

<code bash>
dpkg-reconfigure -plow unattended-upgrades
</code>

===== Wireguard =====

==== Packages ====

<code bash>
apt install -y wireguard qrencode
</code>

==== IP forwarding ====

Enable IP forwarding in /etc/sysctl.conf:

<code>
...
net.ipv4.ip_forward=1
...
</code>

<code bash>
sysctl -p /etc/sysctl.conf
</code>

==== Configuration ====

I am not going to explain how Wireguard works. There is plenty to find on the internet.
In this example we have defined two clients (peers) that can connect to the server. The key values are left empty here; fill in the server's private key and each client's public key:

<code>
[Interface]
Address = 192.168.168.1
ListenPort = 51820
PrivateKey =

[Peer]
PublicKey =
AllowedIPs = 192.168.168.2/32

[Peer]
PublicKey =
AllowedIPs = 192.168.168.3/32
</code>

==== Enable the wg-quick service ====

<code bash>
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
systemctl status wg-quick@wg0
</code>

<code>
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2022-02-17 19:52:38 CET; 7s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 913 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 913 (code=exited, status=0/SUCCESS)
        CPU: 144ms

Feb 17 19:52:38 wireguard systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link add wg0 type wireguard
Feb 17 19:52:38 wireguard wg-quick[913]: [#] wg setconf wg0 /dev/fd/63
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 address add 192.168.168.1 dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link set mtu 1420 up dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.3/32 dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.2/32 dev wg0
Feb 17 19:52:38 wireguard systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
</code>

==== Enable masquerading ====

Raspberry Pi OS has changed to nftables instead of iptables.
<code>
...
add table wireguard-nat
table ip wireguard-nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
        }
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                oifname "eth0" masquerade
        }
}
</code>

<code bash>
systemctl enable --now nftables
systemctl start nftables
</code>

==== Done ====

Do a final reboot:

<code bash>
shutdown -r now
</code>

{{tag>linux}}
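As a closing example (added here, not part of the original howto): a small shell script that renders the server-side wg0.conf from the Configuration section and a matching client config for each of the two peers, whose full-tunnel traffic is what the masquerade rule above NATs out of eth0. The endpoint vpn.example.org:51820 and all key strings are placeholders, not values from this page.

```bash
#!/bin/sh
# Added example, not from the original howto: render the server-side wg0.conf
# from the Configuration section plus a matching client config for each peer.
# Keys are passed in as strings so this runs anywhere; on the Pi, make a pair
# with:  wg genkey | tee peer.key | wg pubkey > peer.pub
# SERVER_ENDPOINT is an assumed placeholder for the Pi's public address:port.
SERVER_ENDPOINT="vpn.example.org:51820"

# render_server_conf SERVER_PRIVKEY PEER_PUBKEY...
# Peer N gets 192.168.168.(N+1)/32, exactly as on the page. The /32 in
# AllowedIPs is WireGuard's cryptokey routing: the server only accepts
# packets from that key with that source address, so one client cannot
# impersonate another even if it sets a different tunnel IP.
render_server_conf() {
    printf '[Interface]\nAddress = 192.168.168.1\nListenPort = 51820\nPrivateKey = %s\n' "$1"
    shift
    host=2
    for pub in "$@"; do
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = 192.168.168.%d/32\n' "$pub" "$host"
        host=$((host + 1))
    done
}

# render_client_conf HOST_OCTET CLIENT_PRIVKEY SERVER_PUBKEY
# AllowedIPs = 0.0.0.0/0 sends all client traffic through the tunnel; that is
# the traffic the masquerade rule above NATs out of eth0. PersistentKeepalive
# keeps the NAT mapping open for a client that sits behind a home router.
render_client_conf() {
    printf '[Interface]\nAddress = 192.168.168.%d/32\nPrivateKey = %s\n' "$1" "$2"
    printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' \
        "$3" "$SERVER_ENDPOINT"
}

# Count how many [Peer] sections a rendered config has (used to sanity-check
# that every client given on the command line ended up in the server config).
count_peers() {
    printf '%s\n' "$1" | grep -c '^\[Peer\]$'
}

# Demo with placeholder keys (real keys are 44-character base64 from wg genkey).
if [ "${1:-}" = "--demo" ]; then
    render_server_conf SERVER_PRIVATE_KEY CLIENT2_PUBLIC_KEY CLIENT3_PUBLIC_KEY
    echo "----- client 2 (pipe this through: qrencode -t ansiutf8) -----"
    render_client_conf 2 CLIENT2_PRIVATE_KEY SERVER_PUBLIC_KEY
fi
```

Piping a client config through `qrencode -t ansiutf8` (installed in the Packages step) prints it as a QR code that the mobile WireGuard apps can scan.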