Raspberry Pi 4 as Wireguard VPN server

Introduction

This howto describes how to set up a WireGuard VPN server on a minimal installation. Everything in this howto is done as the root user.

Installation

Raspberry OS Lite

Download Raspberry OS Lite 64bit at: https://www.raspberrypi.com/software/operating-systems/ Use Etcher or a similar tool to write the downloaded zip to an SD card.

Initial settings to enable remote configuration

Use raspi-config to configure the network, change the password of the pi user and set the hostname, then enable and start the SSH service:

raspi-config
systemctl enable ssh.service
systemctl start ssh.service

Setting fixed IP on interface

/etc/dhcpcd.conf
.
.
.
interface eth0
static ip_address=172.16.2.1/24
static routers=172.16.2.254
static domain_name_servers=172.16.1.50 208.67.222.222

Use SSH keys to log in

ssh-keygen

~/.ssh/authorized_keys
ssh-rsa ...
ssh-rsa ...
ssh-rsa ...

Making the system as read-only as possible

apt update
apt upgrade -y
apt remove -y --purge triggerhappy logrotate dphys-swapfile dc nano
apt autoremove --purge -y

Edit the following file and add “fastboot noswap ro” to the end of the line so it looks something like this:

/boot/cmdline.txt
console=serial0,115200 console=tty1 root=PARTUUID=6c586e13-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fastboot noswap ro

apt install -y busybox-syslogd
apt remove -y --purge rsyslog

Bashrc aliases

Add the following line to the end of this file:

/etc/bash.bashrc
alias temp='/usr/bin/vcgencmd measure_temp'

Wireguard

Packages

apt install -y wireguard 

IP forwarding

/etc/sysctl.conf
.
.
net.ipv4.ip_forward=1
.
.

sysctl -p /etc/sysctl.conf

Configuration

I am not going to explain how WireGuard works; there is plenty to find on the internet. In this example we have defined two clients (peers) that can connect to the server.

/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.168.1
ListenPort = 51820
PrivateKey = <PRIVATE-KEY-SERVER>

[Peer]
PublicKey = <PUBLIC-KEY-CLIENT1>
AllowedIPs = 192.168.168.2/32

[Peer]
PublicKey = <PUBLIC-KEY-CLIENT2>
AllowedIPs = 192.168.168.3/32
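
The wg0.conf above contains the server's private key, and each peer is meant to own exactly one tunnel address. The following audit script is an added example, not part of the original howto: it flags a config file that is readable by group or others, a PublicKey used by more than one peer, and AllowedIPs entries that are wider than /32 or repeated (a repeated address is only routed to one of the peers). The function names `audit_wg_conf` and `demo` are hypothetical, GNU `stat` is assumed as shipped with Raspberry Pi OS, and the one-/32-per-peer policy is an assumption taken from the layout on this page.

```shell
#!/bin/sh
# Added example, not from the original howto. Function names are hypothetical.
# Assumed policy: IPv4 clients with one /32 each, as in the wg0.conf above.
# Prints one line per finding and returns the number of findings.
audit_wg_conf() {
    conf=$1
    findings=0
    # The file holds the server PrivateKey: allow no group/other access bits.
    mode=$(stat -c '%a' "$conf") || return 255   # GNU stat, as on Raspberry Pi OS
    case $mode in
        *00) ;;
        *) echo "MODE: $conf has mode $mode, expected 600"
           findings=$((findings + 1)) ;;
    esac
    # Per-peer checks: reused PublicKey, AllowedIPs wider than /32 or repeated.
    out=$(awk '
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^[ \t]*\[/ { in_peer = ($0 ~ /\[Peer\]/); if (in_peer) n++; next }
        in_peer && /^[ \t]*PublicKey[ \t]*=/ {
            if (keys[val($0)]++) print "DUPKEY: peer " n " reuses a PublicKey"
        }
        in_peer && /^[ \t]*AllowedIPs[ \t]*=/ {
            m = split(val($0), ips, /[ \t]*,[ \t]*/)
            for (i = 1; i <= m; i++) {
                if (ips[i] !~ /\/32$/) print "WIDE: peer " n " allows " ips[i]
                if (seen[ips[i]]++) print "DUPIP: peer " n " repeats " ips[i]
            }
        }' "$conf")
    if [ -n "$out" ]; then
        echo "$out"
        findings=$((findings + $(printf '%s\n' "$out" | wc -l)))
    fi
    return "$findings"
}

# Constructed sample: world-readable file, both peers claiming 192.168.168.2.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[Interface]' 'Address = 192.168.168.1' \
        'PrivateKey = <PRIVATE-KEY-SERVER>' \
        '[Peer]' 'PublicKey = <PUBLIC-KEY-CLIENT1>' 'AllowedIPs = 192.168.168.2/32' \
        '[Peer]' 'PublicKey = <PUBLIC-KEY-CLIENT2>' 'AllowedIPs = 192.168.168.2/32' > "$tmp"
    chmod 644 "$tmp"
    rc=0; audit_wg_conf "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"   # 2 findings: MODE and DUPIP
}

demo || true
```

To audit the live file, call `audit_wg_conf /etc/wireguard/wg0.conf` as root after sourcing the script.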

Enable the wg-quick service

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2022-02-17 19:52:38 CET; 7s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 913 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 913 (code=exited, status=0/SUCCESS)
        CPU: 144ms

Feb 17 19:52:38 wireguard systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link add wg0 type wireguard
Feb 17 19:52:38 wireguard wg-quick[913]: [#] wg setconf wg0 /dev/fd/63
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 address add 192.168.168.1 dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link set mtu 1420 up dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.3/32 dev wg0
Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.2/32 dev wg0
Feb 17 19:52:38 wireguard systemd[1]: Finished WireGuard via wg-quick(8) for wg0.


raspberry_wireguard.1645124007.txt.gz · Last modified: by herwarth