
Raspberry Pi 4 as Wireguard VPN server

Introduction

This howto describes how to set up a WireGuard VPN server on a minimal Raspberry Pi OS installation. Everything in this howto is done as the root user.

Installation

Raspberry OS Lite

Download Raspberry Pi OS Lite (64-bit) from https://www.raspberrypi.com/software/operating-systems/ and write the downloaded image to an SD card with Etcher or a similar tool.

Initial settings to enable remote configuration

Use raspi-config to configure the network, change the password of the pi user and set the hostname, then enable SSH:

raspi-config
systemctl enable ssh.service
systemctl start ssh.service

Setting a fixed IP on the interface (the addresses below are those of the author's network; replace them with yours)

/etc/dhcpcd.conf
.
.
.
interface eth0
static ip_address=172.16.2.1/24
static routers=172.16.2.254
static domain_name_servers=172.16.1.50 208.67.222.222

Use SSH keys to login

Generate a key pair on your workstation (not on the Pi):

ssh-keygen

and add the public key(s), one per line, to the following file on the Pi:

~/.ssh/authorized_keys
ssh-rsa ...
ssh-rsa ...
ssh-rsa ...

Once key-based login works, set PasswordAuthentication no in /etc/ssh/sshd_config and restart ssh.service, so that the password of the pi user can no longer be brute-forced over SSH.

Making the system as read-only as possible

apt update
apt upgrade -y
apt remove -y --purge triggerhappy logrotate dphys-swapfile dc nano
apt autoremove --purge -y

Edit the following file and add "fastboot noswap ro" to the end of the kernel command line (it is a single line; the PARTUUID is that of the author's card and will differ on yours) so it looks something like this:

/boot/cmdline.txt
console=serial0,115200 console=tty1 root=PARTUUID=6c586e13-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fastboot noswap ro

Note that ro on the kernel command line only affects the initial mount: systemd then remounts the root filesystem with the options from /etc/fstab, so with the stock fstab the system still comes up read-write (which the unattended upgrades below need anyway). What these steps do achieve is fewer writers on the card: no swap, no logrotate and a syslog that stays in memory. Replace rsyslog with the busybox syslogd, which keeps the log in a ring buffer (read it with logread) instead of writing it to the card:

apt install -y busybox-syslogd
apt remove -y --purge rsyslog

Bashrc aliases

Add the following alias (it shows the SoC temperature) at the end of /etc/bash.bashrc:

/etc/bash.bashrc
alias temp='/usr/bin/vcgencmd measure_temp'

Unattended upgrades

Updates should be installed automatically rather than by hand.

apt install -y unattended-upgrades apt-listchanges

Copy the default configuration and edit the copy:

cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/52unattended-upgrades
/etc/apt/apt.conf.d/52unattended-upgrades
.
.
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "${distro_id}:${distro_codename}";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
.
.
.
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
.
.

Test

Run unattended-upgrades once in debug mode:

unattended-upgrades -d

This should not report any errors. Then enable the periodic run (dpkg-reconfigure writes /etc/apt/apt.conf.d/20auto-upgrades):

dpkg-reconfigure -plow unattended-upgrades

Wireguard

Packages

apt install -y wireguard qrencode

IP forwarding

/etc/sysctl.conf
.
.
net.ipv4.ip_forward=1
.
.
sysctl -p /etc/sysctl.conf

Configuration

I am not going to explain how WireGuard works; there is plenty about it on the internet. In this example two clients (peers) are defined that can connect to the server. The key pairs are generated with wg genkey and wg pubkey from wireguard-tools; a private key stays on the host it belongs to, and /etc/wireguard/wg0.conf must be readable by root only. Address is given here without a prefix length, so wg-quick assigns a /32 and reaches the clients through the per-peer /32 routes it adds (see the service log below); 192.168.168.1/24 is the more usual form.

/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.168.1
ListenPort = 51820
PrivateKey = <PRIVATE-KEY-SERVER>

[Peer]
PublicKey = <PUBLIC-KEY-CLIENT1>
AllowedIPs = 192.168.168.2/32

[Peer]
PublicKey = <PUBLIC-KEY-CLIENT2>
AllowedIPs = 192.168.168.3/32
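The howto leaves the keys as placeholders. The following script is an added example (not code from the original page) that generates the server and client key pairs with wireguard-tools, renders a complete config file per client plus the matching [Peer] entries for wg0.conf, and checks the result for duplicated AllowedIPs. It assumes, beyond what the page states, that the Pi is reachable from the Internet as vpn.example.org on UDP 51820, that clients send all their traffic through the tunnel, and that they use the LAN resolver 172.16.1.50 from the dhcpcd.conf example as DNS.

```shell
#!/bin/sh
# Added example, not from the original howto: create WireGuard key pairs and
# render client configs plus the [Peer] blocks for /etc/wireguard/wg0.conf.
# Assumptions (not in the original): endpoint vpn.example.org:51820, clients
# route everything through the tunnel, DNS for clients is 172.16.1.50.
set -eu
umask 077                                  # key and config files: owner-only

SERVER_ENDPOINT="vpn.example.org:51820"    # assumption: public name of the Pi
CLIENT_DNS="172.16.1.50"                   # assumption: resolver from dhcpcd.conf

# gen_keypair PATH: write PATH.key (private) and PATH.pub; needs wireguard-tools.
# The private key is generated where it is used and never copied elsewhere.
gen_keypair() {
    wg genkey | tee "$1.key" | wg pubkey > "$1.pub"
}

# render_client_conf CLIENT_PRIVKEY CLIENT_IP SERVER_PUBKEY: a complete client config.
# AllowedIPs = 0.0.0.0/0 makes the client send all traffic via the Pi, which is
# why the howto enables ip_forward and masquerading on eth0.
render_client_conf() {
    printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\nDNS = %s\n\n' \
        "$2" "$1" "$CLIENT_DNS"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' \
        "$3" "$SERVER_ENDPOINT"
}

# render_server_peer CLIENT_PUBKEY CLIENT_IP: [Peer] block for wg0.conf on the Pi.
# The /32 is WireGuard's cryptokey routing: packets from this key are accepted
# only with CLIENT_IP as source, and only CLIENT_IP is ever sent to this key.
render_server_peer() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n\n' "$1" "$2"
}

# duplicate_allowed_ips FILE: print AllowedIPs values that occur more than once.
# An AllowedIPs entry belongs to whichever peer was configured last, so a
# copy-paste mistake silently cuts the earlier client off instead of failing.
duplicate_allowed_ips() {
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" | sort | uniq -d
}

# Generate real keys only where wireguard-tools is installed (i.e. on the Pi).
if command -v wg >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    gen_keypair "$workdir/server"
    n=2
    for client in client1 client2; do
        gen_keypair "$workdir/$client"
        ip="192.168.168.$n"
        render_client_conf "$(cat "$workdir/$client.key")" "$ip" "$(cat "$workdir/server.pub")" \
            > "$workdir/$client.conf"
        render_server_peer "$(cat "$workdir/$client.pub")" "$ip" >> "$workdir/wg0-peers.conf"
        n=$((n + 1))
    done
    dups=$(duplicate_allowed_ips "$workdir/wg0-peers.conf")
    [ -z "$dups" ] || { echo "duplicate AllowedIPs: $dups" >&2; exit 1; }
    echo "client configs and wg0.conf [Peer] entries written to $workdir"
    # Hand a phone client its config as a QR code (qrencode is installed by the howto):
    #   qrencode -t ansiutf8 < "$workdir/client1.conf"
fi
```

Append the generated wg0-peers.conf to the [Interface] section of /etc/wireguard/wg0.conf, copy each clientN.conf to its client over a trusted channel (or scan the QR code), and delete the client private keys from the Pi afterwards; only the client public keys need to stay there.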

Enable the wg-quick service

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2022-02-17 19:52:38 CET; 7s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 913 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 913 (code=exited, status=0/SUCCESS)
        CPU: 144ms

Feb 17 19:52:38 wireguard systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link add wg0 type wireguard
Feb 17 19:52:38 wireguard wg-quick[913]: [#] wg setconf wg0 /dev/fd/63
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 address add 192.168.168.1 dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link set mtu 1420 up dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.3/32 dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.2/32 dev wg0
Feb 17 19:52:38 wireguard systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

Enable masquerading

Raspberry Pi OS uses nftables instead of iptables, so add the NAT table to /etc/nftables.conf (install the nftables package first if it is missing):

/etc/nftables.conf
.
.
.
add table wireguard-nat

table ip wireguard-nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                oifname "eth0" masquerade
        }
}
systemctl enable --now nftables
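The ruleset above only masquerades; once ip_forward is on, the kernel will happily forward any packet from any interface and the Pi itself accepts connections on every port. As an added example (not configuration from the original page), the script below prints a complete /etc/nftables.conf that keeps the howto's masquerade but restricts it to the VPN subnet, adds a filter table with default drop on input and forward, and dry-runs the file through nft -c before it is installed. It assumes, as the page does, eth0 as the LAN interface, wg0 on 192.168.168.0/24 and ListenPort 51820; allowing SSH from eth0 and wg0 only is an added choice.

```shell
#!/bin/sh
# Added example, not from the original howto: a filtered nftables ruleset for
# the WireGuard Pi. Assumptions: LAN on eth0, tunnel wg0 on 192.168.168.0/24,
# WireGuard on UDP 51820, SSH wanted from the LAN and the tunnel only.
set -eu

# vpn_ruleset: print the ruleset. Default policy drop on the forward chain means
# only packets that arrived through the tunnel are routed; everything else that
# reaches the Pi with a foreign destination is discarded.
vpn_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table ip wireguard-nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                # only tunnel clients are NATed, not anything else routed here
                oifname "eth0" ip saddr 192.168.168.0/24 masquerade
        }
}

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
                ct state established,related accept
                ct state invalid drop
                meta l4proto { icmp, ipv6-icmp } accept
                udp dport 51820 accept                         # WireGuard, from anywhere
                iifname { "eth0", "wg0" } tcp dport 22 accept  # SSH: LAN and tunnel only
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                iifname "wg0" oifname "eth0" accept            # tunnel -> LAN/Internet only
        }
}
EOF
}

# ruleset_check FILE: parse FILE with nft -c (no changes applied) where nft is
# installed. A syntax error that is only found at boot would leave the Pi with
# no firewall at all, so check before copying the file into place.
ruleset_check() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed here, syntax check skipped" >&2
    fi
}

tmp=$(mktemp)
vpn_ruleset > "$tmp"
ruleset_check "$tmp"
echo "ruleset written to $tmp"
# Install on the Pi once the dry run passes (as root):
#   cp "$tmp" /etc/nftables.conf && systemctl restart nftables && nft list ruleset
```

The empty prerouting chain from the howto is not needed and is left out. Keep an SSH session open while restarting nftables the first time: with policy drop on input, a typo in the SSH rule locks you out of a headless Pi.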

Done

Do a final reboot

shutdown -r now
Last modified by herwarth