Installing WireGuard on Raspbian Stretch and Buster
July 4, 2019

So far I have installed WireGuard "servers" on a Raspberry Pi 1 Model B running Raspbian Stretch, on a Raspberry Pi 3 Model B running Raspbian Stretch and then later Raspbian Buster, on an Orange Pi Zero running Armbian Stretch, and on an Orange Pi PC-2 running a DietPi'd Armbian Stretch. I have installed WireGuard "clients" on a couple of Android tablets and on an old Toshiba Portable computer running Linux Mint 19. After a few false starts, I must admit that installation is not difficult especially as there is good information available on the Web.

When starting to write this blog yesterday, I realized that what had worked very well previously was no longer functioning. I thought the problem had to do with the latest version of Raspbian, Buster, which has been out just a few days. But unfortunately it was also a problem if using the stable Stretch. So I rushed this post because I found that the Dietpi people have a workaround. I hope to update this post fairly soon and to finish the first post on VPNs which I started a couple of months ago.

Table of Contents

  1. Installing WireGuard on a Raspberry Pi 2 v1.2 or above
  2. Installing WireGuard on a Raspberry Pi 1, 2 (less than v1.2), or Zero (W)
  3. Configuring WireGuard
  4. Manage Users

Installing WireGuard on a Raspberry Pi 2 v1.2 or above

I have tested this installation on a Raspberry Pi 3 model B running Raspbian Stretch Lite and Raspbian Buster Lite.

Raspbian Stretch Lite
  Minimal image based on Debian Stretch
  Version:        April 2019
  Release date:   2019-04-08
  Kernel version: 4.14

Raspbian Buster Lite
  Minimal image based on Debian Buster
  Version:        June 2019
  Release date:   2019-06-20
  Kernel version: 4.19

Unless you have a new Raspberry Pi 4, I don't think there is a pressing need to use the newly available Raspbian Buster and it might be a good idea to wait before switching to the new release. Raspbian Buster is available from the Raspberry Pi Foundation Raspbian downloads page. Since Stretch is not the latest release of Raspbian, it is no longer available from that page. Nevertheless it can be downloaded.

Full versions of Raspbian Stretch or Buster are also available if that is the preferred OS. Even if the GUI version is installed, it will be necessary to open a terminal to install WireGuard.

In previous installations of WireGuard, I followed the very clear instructions provided by Adrian Mihalko on GitHub. But in the last couple of days I failed to install WireGuard on Buster following the instructions. Then, earlier today, I found that the same problem now exists when installing on Stretch. However, DietPi can install WireGuard in its "experimental Buster image". I looked at issue #2458 WireGuard: Prevent accidental "sid" repo installs and the software installation script to obtain the information that follows.

    pi@raspberrypi:~ $ sudo apt update && sudo apt upgrade -y
    ...
    31 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 81.0 MB of archives.
    After this operation, 5,875 kB of additional disk space will be used.
    ...
    pi@raspberrypi:~ $ sudo apt-get install raspberrypi-kernel-headers
    Reading package lists... Done
    ...
    Setting up raspberrypi-kernel-headers (1.20190517-1) ...
    pi@raspberrypi:~ $ sudo apt install dirmngr

This may not be necessary in Buster. No harm will occur if the command is given and dirmngr was already installed.

    ...
    pi@raspberrypi:~ $ echo 'deb https://deb.debian.org/debian/ sid main' | sudo tee --append /etc/apt/sources.list.d/wireguard.list
    deb https://deb.debian.org/debian/ sid main
    pi@raspberrypi:~ $ echo -e 'Package: *\nPin: release n=sid\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=sid\nPin-Priority: 99' | sudo tee /etc/apt/preferences.d/wireguard
    Package: *
    Pin: release n=sid
    Pin-Priority: -1

    Package: wireguard wireguard-dkms wireguard-tools
    Pin: release n=sid
    Pin-Priority: 99
    pi@raspberrypi:~ $ wget https://dietpi.com/downloads/binaries/rpi/debian-archive-keyring.deb
    --2019-07-04 18:17:30-- https://dietpi.com/downloads/binaries/rpi/debian-archive-keyring.deb
    Resolving dietpi.com (dietpi.com)... 2606:4700:30::681b:b3c7, 2606:4700:30::681b:b2c7, 104.27.179.199, ...
    Connecting to dietpi.com (dietpi.com)|2606:4700:30::681b:b3c7|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 57392 (56K) [application/x-debian-package]
    Saving to: ‘debian-archive-keyring.deb’

    debian-archive-keyring.deb 100%[========================================================================================>] 56.05K 275KB/s in 0.2s

    2019-07-04 18:17:31 (275 KB/s) - ‘debian-archive-keyring.deb’ saved [57392/57392]

    pi@raspberrypi:~ $ sudo dpkg -i debian-archive-keyring.deb
    Selecting previously unselected package debian-archive-keyring.
    (Reading database ... 68154 files and directories currently installed.)
    Preparing to unpack debian-archive-keyring.deb ...
    Unpacking debian-archive-keyring (2018.1) ...
    Setting up debian-archive-keyring (2018.1) ...
    pi@raspberrypi:~ $ sudo rm debian-archive-keyring.deb
    pi@raspberrypi:~ $ sudo apt update
    Hit:1 http://archive.raspberrypi.org/debian stretch InRelease
    Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
    Get:3 https://cdn-aws.deb.debian.org/debian sid InRelease [149 kB]
    Get:4 https://cdn-aws.deb.debian.org/debian sid/main armhf Packages [8,077 kB]
    Get:5 https://cdn-aws.deb.debian.org/debian sid/main Translation-en [6,268 kB]
    Fetched 14.5 MB in 17s (849 kB/s)
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    All packages are up to date.
    pi@raspberrypi:~ $ sudo apt list --upgradable
    Listing... Done

This is a check to ensure that nothing from the unstable repository, called sid, will be used to upgrade an already installed package.

    pi@raspberrypi:~ $ sudo apt install wireguard -y
    Reading package lists... Done
    ...
    The following NEW packages will be installed:
      dkms wireguard wireguard-dkms wireguard-tools
    0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    Need to get 449 kB of archives.
    After this operation, 2,396 kB of additional disk space will be used.
    ...
    DKMS: install completed.
    Setting up wireguard (0.0.20190702-1) ...

Now that the installation is complete, jump to the section entitled Configuring WireGuard.

Installing WireGuard on a Raspberry Pi 1, 2 (less than v1.2), or Zero (W)

WireGuard needs to be compiled from sources on older Raspberry Pi's. Again Adrian Mihalko provides detailed instructions.

In a future update of this post, I will check if these instructions remain valid or if adjustments such as those described in the previous section are needed.

Configuring WireGuard

This list might look daunting; it is actually rather easy to configure a WireGuard server and to add clients or peers.

Enable IP Forwarding

If access to another LAN resource, such as an IP camera or a Web server, is needed then IP forwarding has to be enabled on the computer hosting the WireGuard server.

    pi@raspberrypi:~ $ cd /etc
    pi@raspberrypi:/etc $ ls -l sysctl*
    -rw-r--r-- 1 root root 2683 Apr  8 06:56 sysctl.conf

    sysctl.d:
    total 8
    -rw-r--r-- 1 root root  51 Nov 26  2018 98-rpi.conf
    lrwxrwxrwx 1 root root  14 Apr  8 07:51 99-sysctl.conf -> ../sysctl.conf
    -rw-r--r-- 1 root root 639 May 17  2018 README.sysctl

Note how /etc/sysctl.d/99-sysctl.conf is a symbolic link to /etc/sysctl.conf. It will suffice to edit the latter to enable IP packet forwarding.

    pi@raspberrypi:/etc $ sudo nano sysctl.conf

Change

    ...
    # Uncomment the next line to enable packet forwarding for IPv4
    #net.ipv4.ip_forward=1
    ...

to

    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.ip_forward=1

as instructed in the configuration file. A reboot will be necessary for the change to take effect.

    pi@raspberrypi:~ $ sudo reboot
    Connection to raspberrypi.local closed by remote host.
    Connection to raspberrypi.local closed.
    ...
    michel@hp:~$ ssh pi@raspberrypi.local
    ...
    ...
    pi@raspberrypi:~ $ sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

Install the Adrian Mihalko User Management Script

One could follow Adrian Mihalko's guide to manually configure WireGuard, but I found his User Management Script very useful as I use Android tablets as clients on a regular basis. So what follows is mostly a copy and paste operation from GitHub with just a few hints that might be useful for some.

    pi@raspberrypi:~ $ sudo apt-get install git qrencode -y
    ...
    0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
    Need to get 5,069 kB of archives.
    After this operation, 26.8 MB of additional disk space will be used.
    ...
    Setting up git (1:2.11.0-3+deb9u4) ...
    Setting up qrencode (3.4.4-1) ...
    pi@raspberrypi:~ $ git clone https://github.com/adrianmihalko/wg_config.git
    Cloning into 'wg_config'...
    remote: Enumerating objects: 50, done.
    remote: Total 50 (delta 0), reused 0 (delta 0), pack-reused 50
    Unpacking objects: 100% (50/50), done.

Generate the Private and Public Server Keys

    pi@raspberrypi:~ $ cd wg_config
    pi@raspberrypi:~/wg_config $ wg genkey | tee server_private.key | wg pubkey > server_public.key

If you get a segmentation error here, then the Raspberry Pi was probably too old. It will be necessary to compile WireGuard.

    pi@raspberrypi:~/wg_config $ cat server_public.key
    5lFoBBjeLcJWC9xqS/Kj9HVwd0tRUBX/EQWW2ZglbDs=
    pi@raspberrypi:~/wg_config $ cat server_private.key
    aA+iKGr4y/j604LtNT+MQJ76Pvz5Q5E+qQBLW40wXnY=

These two keys are needed for the next step. Copy them into a text editor on the desktop to easily copy them later.

Create and edit the server definition file

    pi@raspberrypi:~/wg_config $ cp wg.def.sample wg.def
    pi@raspberrypi:~/wg_config $ nano wg.def

    _INTERFACE=wg0
    _VPN_NET=192.168.99.0/24
    _SERVER_PORT=51820
    _SERVER_LISTEN=wg.example.com:$_SERVER_PORT
    _SERVER_PUBLIC_KEY=5lFoBBjeLcJWC9xqS/Kj9HVwd0tRUBX/EQWW2ZglbDs=
    _SERVER_PRIVATE_KEY=aA+iKGr4y/j604LtNT+MQJ76Pvz5Q5E+qQBLW40wXnY=

If subnet 192.168.99.xxx is used on the local area network, then the value of _VPN_NET will need to be changed. The _SERVER_PORT is the UDP port that will have to be forwarded to the WireGuard server by the LAN router or gateway. This can be (perhaps should be) changed. Change wg.example.com in _SERVER_LISTEN to your dynamic domain name (I have a post about that: Creating a dynamic domain name). In my (fictitious) case, that entry is:

_SERVER_LISTEN=modomo.twilightparadox.com:$_SERVER_PORT

Do not put the protocol prefix such as https://, just the domain name. The public IP address assigned to me by my ISP changes so rarely that I could get away with an IP address for testing purposes.

_SERVER_LISTEN=172.158.45.159:$_SERVER_PORT

Again, this is a fictitious value; sorry if it is your public IP.

Edit the Client Configuration Template

    pi@raspberrypi:~/wg_config $ nano client.conf.tpl

    [Interface]
    Address = $_VPN_IP
    PrivateKey = $_PRIVATE_KEY

    [Peer]
    PublicKey = $_SERVER_PUBLIC_KEY
    AllowedIPs = 192.168.99.1/32, 192.168.1.0/24
    Endpoint = $_SERVER_LISTEN

The value $_PRIVATE_KEY in the field PrivateKey will be changed to the client private key when a user (i.e. client) is generated. The first IP address in AllowedIPs is the IP address of the host of the WireGuard server being set up. The VPN network was set up as _VPN_NET=192.168.99.0/24 in the wg.def file. So the server will be the first valid address, 192.168.99.1, in that subnet. The second IP address, 192.168.1.0/24, is actually a range: 192.168.1.0, 192.168.1.1 and on up to 192.168.1.255. It will be possible to reach all those addresses on the WireGuard server network from the client once the VPN tunnel is established. Change the second allowed IP to correspond to the real subnet used on your home local area network. It could be 192.168.1.xxx as suggested above, 192.168.0.xxx is often used, but some LANs use other private IPv4 addresses such as 10.0.3.xxx.
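What these address settings mean in practice, as an added example that is not part of the original post or of the wg_config project: a POSIX shell check that _VPN_NET does not collide with a subnet already in use, and that shows which destinations a client's AllowedIPs list sends through the tunnel. The function names and the sample destination addresses are assumptions made for the illustration; 0.0.0.0/0 is the value the script writes into its second, route-everything client file.

```shell
#!/bin/sh
# Added example: IPv4 CIDR arithmetic for checking a WireGuard address plan.
# All function names are hypothetical; the sample values come from the
# wg.def and client.conf.tpl settings shown on this page.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "first last" (as integers) for a CIDR; a bare address counts as /32.
cidr_range() {
    addr=${1%/*}
    bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32
    ip=$(ip_to_int "$addr")
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    echo "$(( ip & mask )) $(( (ip & mask) | (~mask & 0xFFFFFFFF) ))"
}

# Succeed (exit 0) when the two CIDRs share at least one address.
cidr_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Succeed when destination $2 is covered by the comma-separated AllowedIPs
# list $1, i.e. when the client would send it through the tunnel.
routed_via_tunnel() {
    for net in $(echo "$1" | tr ',' ' '); do
        cidr_overlap "$net" "$2" && return 0
    done
    return 1
}

# Report every conflict between the planned VPN subnet and subnets already
# in use; the exit status is non-zero if any conflict was found.
check_vpn_net() {
    vpn_net=$1; shift
    status=0
    for used in "$@"; do
        if cidr_overlap "$vpn_net" "$used"; then
            echo "conflict: _VPN_NET $vpn_net overlaps $used"
            status=1
        fi
    done
    return $status
}

SPLIT="192.168.99.1/32, 192.168.1.0/24"   # AllowedIPs from client.conf.tpl
ALL="0.0.0.0/0"                           # route-everything variant

check_vpn_net 192.168.99.0/24 192.168.1.0/24 && echo "VPN subnet is free"
for dest in 192.168.1.50 192.168.99.1 203.0.113.10; do   # constructed samples
    routed_via_tunnel "$SPLIT" "$dest" && s=tunnel || s=direct
    routed_via_tunnel "$ALL" "$dest" && a=tunnel || a=direct
    echo "$dest  split=$s  all=$a"
done
```

With the split list only the VPN server and the home LAN go through the tunnel; all other traffic from the client leaves by its ordinary connection.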

Edit the Server Configuration Template

It is assumed that the name of the network interface used by the host of the WireGuard server is eth0. In my case that is not correct: the Raspberry Pi is connected by Wi-Fi to the LAN, so it was necessary to edit the server configuration template.

    pi@raspberrypi:~/wg_config $ nano server.conf.tpl

    [Interface]
    Address = $_SERVER_IP
    ListenPort = $_SERVER_PORT
    PrivateKey = $_SERVER_PRIVATE_KEY
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
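iptables accepts an interface name that does not exist, so a wrong name in these rules produces no error when the tunnel is brought up. The following added example (not part of the original post or of wg_config) compares the interface named in the MASQUERADE rules of a WireGuard configuration with the one that carries the default route, and checks that PostUp and PostDown agree. The function names, the sample file and the route line are constructed for the illustration.

```shell
#!/bin/sh
# Added example: check the outbound interface used by the NAT rules in a
# WireGuard server configuration. Function names are hypothetical.

# Print the distinct "-o <iface>" values of MASQUERADE rules on lines that
# start with the given key (PostUp or PostDown) in config file $2.
masq_ifaces() {
    grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | tr ';' '\n' |
        awk '/MASQUERADE/ { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }' |
        sort -u
}

# Print the interface of the first default route found in the output of
# "ip -4 route" read from stdin.
default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print findings for config $1 against default-route interface $2;
# the exit status is non-zero if anything needs fixing.
check_masquerade() {
    up=$(masq_ifaces PostUp "$1")
    down=$(masq_ifaces PostDown "$1")
    rc=0
    if [ -z "$up" ]; then
        echo "no MASQUERADE rule in PostUp"; rc=1
    elif [ "$up" != "$2" ]; then
        echo "PostUp masquerades on '$up' but the default route uses '$2'"; rc=1
    fi
    if [ "$up" != "$down" ]; then
        echo "PostDown names '$down', so the PostUp rule on '$up' is never removed"; rc=1
    fi
    return $rc
}

# Constructed sample: PostUp was edited for Wi-Fi, PostDown was left on eth0.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[Interface]
Address = 192.168.99.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
# Constructed route line; on the Pi it would come from: ip -4 route show default
route_line="default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.20 metric 303"

check_masquerade "$sample" "$(echo "$route_line" | default_iface)" || true
```

On the server itself, point check_masquerade at /etc/wireguard/wg0.conf (readable with sudo) once the user management script has generated it.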

Create an empty WireGuard server configuration file

    pi@raspberrypi:~/wg_config $ cd ..
    pi@raspberrypi:~ $ sudo touch /etc/wireguard/wg0.conf

This is only done once. The user management script will update this file each time it is used to add or delete a user.

Enable automatic start of the wg0 interface at boot time

    pi@raspberrypi:~ $ sudo systemctl enable wg-quick@wg0
    Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.

This too is only done once, normally.

Start and stop the WireGuard interface manually

    pi@raspberrypi:~ $ sudo wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip link set mtu 1420 up dev wg0
    pi@raspberrypi:~ $ sudo wg-quick down wg0
    [#] ip link delete dev wg0
    [#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Check on the status of the server

    pi@raspberrypi:~ $ sudo systemctl status wg-quick@wg0
    ● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
       Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
       Active: active (exited) since Fri 2019-03-05 16:50:49 ADT; 20min ago
         Docs: man:wg-quick(8)
               man:wg(8)
               https://www.wireguard.com/
               https://www.wireguard.com/quickstart/
               https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
               https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
      Process: 378 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
     Main PID: 378 (code=exited, status=0/SUCCESS)

    Jul 03 16:48:58 domo systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
    Jul 03 16:50:46 domo wg-quick[378]: [#] ip link add wg0 type wireguard
    Jul 03 16:50:46 domo wg-quick[378]: [#] wg setconf wg0 /dev/fd/63
    Jul 03 16:50:47 domo wg-quick[378]: [#] ip address add 192.168.99.1/24 dev wg0
    Jul 03 16:50:47 domo wg-quick[378]: [#] ip link set mtu 1420 up dev wg0
    Jul 03 16:50:49 domo systemd[1]: Started WireGuard via wg-quick(8) for wg0.
    pi@raspberrypi:~ $ sudo wg
    interface: wg0
      listening port: 54130

There will be more information available when peers/clients have been set up. And even more information will be displayed when a client or peer has created a tunnel (i.e. opened a VPN).

Manage Android Users

I have an old Nexus 7 Android tablet that I often bring when I am outside the house. Here is the procedure used to configure the WireGuard server to accept a connection from a WireGuard client application to be installed on the tablet.

    pi@raspberrypi:~ $ cd wg_config
    pi@raspberrypi:~/wg_config $ sudo ./user.sh -a nexus7

[QR code of the new client configuration, drawn in the terminal]

Don't worry about the QR code, it can be brought up later. In the meantime, here is the content of the user directory just created.

    pi@raspberrypi:~/wg_config $ ls -l users/nexus7
    total 24
    -rw-r--r-- 1 root root 216 Jul  5 17:49 client.all.conf
    -rw-r--r-- 1 root root 216 Jul  5 17:49 client.conf
    -rw-r--r-- 1 root root 913 Jul  5 17:49 nexus7.all.png
    -rw-r--r-- 1 root root 913 Jul  5 17:49 nexus7.png
    -rw-r--r-- 1 root root  45 Jul  5 17:49 privatekey
    -rw-r--r-- 1 root root  45 Jul  5 17:49 publickey
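The listing shows privatekey, the client configuration files and the QR images, all of which carry the client's private key, with mode 0644, readable by every local account. The earlier wg genkey | tee server_private.key command gives the same result under the usual umask of 022. The following added example, not part of the original post or of wg_config, lists such files and restricts them to their owner; the function names are hypothetical, the file-name patterns are taken from the listings on this page, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: find and fix WireGuard key material that other local
# accounts can read. Function names are hypothetical.

# List files under directory $1 that hold a private key (by the names used
# on this page) and have any group or other permission bit set.
exposed_key_files() {
    find "$1" -type f \
        \( -name privatekey -o -name '*_private.key' \
           -o -name '*.conf' -o -name '*.png' -o -name wg.def \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Restrict every exposed file under $1 to its owner; print what was changed.
lock_down() {
    exposed_key_files "$1" | while IFS= read -r f; do
        chmod go-rwx "$f" && echo "tightened $f"
    done
}

# Constructed demo tree that mimics ~/wg_config with the modes shown above.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/users/nexus7"
for f in server_private.key wg.def users/nexus7/privatekey \
         users/nexus7/client.conf users/nexus7/nexus7.png; do
    echo "constructed placeholder, not a real key" > "$demo/$f"
    chmod 644 "$demo/$f"
done
echo "public" > "$demo/server_public.key"; chmod 644 "$demo/server_public.key"

exposed_key_files "$demo"     # lists the five files, not the public key
lock_down "$demo" >/dev/null
exposed_key_files "$demo"     # lists nothing

# For new keys, set the umask first so the file is never world-readable:
#   (umask 077; wg genkey | tee server_private.key | wg pubkey > server_public.key)
```

On the real tree the files under users/ belong to root, so lock_down has to be run with sudo there.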

As with the WireGuard server, the client has two keys, private and public. Two client configuration files are created. One or both of these will be used to configure the Android client. It will be easy to do using the two png images which are QR codes containing the information about each of the client configuration files. Here is the content of the client configuration file and the updated server configuration file.

    pi@raspberrypi:~/wg_config $ cat users/nexus7/client.conf
    [Interface]
    Address = 192.168.99.2/24
    PrivateKey = gH5xInhP2NZw0t8hVgJPhTRDUh3Bir7FEynRcW8IHlg=

    [Peer]
    PublicKey = 5lFoBBjeLcJWC9xqS/Kj9HVwd0tRUBX/EQWW2ZglbDs=
    AllowedIPs = 192.168.99.1/32, 192.168.1.0/24
    Endpoint = wg.example.com:51820
    pi@raspberrypi:~/wg_config $ cat users/nexus7/client.all.conf
    [Interface]
    Address = 192.168.99.2/24
    PrivateKey = gH5xInhP2NZw0t8hVgJPhTRDUh3Bir7FEynRcW8IHlg=

    [Peer]
    PublicKey = 5lFoBBjeLcJWC9xqS/Kj9HVwd0tRUBX/EQWW2ZglbDs=
    AllowedIPs = 0.0.0.0/0
    Endpoint = wg.example.com:51820
    pi@raspberrypi:~/wg_config $ sudo cat /etc/wireguard/wg0.conf
    [Interface]
    Address = 192.168.99.1/24
    ListenPort = 51820
    PrivateKey = aA+iKGr4y/j604LtNT+MQJ76Pvz5Q5E+qQBLW40wXnY=
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

    [Peer]
    PublicKey = BEnqBZ6rWcDO6lKhb6oXM7aRvE7fuIWCZw1PxgyMMyE=
    AllowedIPs = 192.168.99.2/32

The two client configuration files are identical except for the AllowedIPs field. Display the user information again. This time the two configuration files and the two QR codes will be displayed, but it will be necessary to scroll back to see them.

pi@raspberrypi:~/wg_config $ sudo ./user.sh -v nexus7

Now it is time to install the WireGuard Application from Google Play on the Android device. Launch the application.

[Image: start screen]

Click on the blue button as told.

[Image: start screen]

Click on Create from QR code. Aim the tablet camera towards the QR code displayed on the desktop monitor. Once the information is acquired, the following dialog appears.

[Image: start screen]

I named the tunnel "Rpi3-split" and then pressed on the CREATE TUNNEL button. I repeated the steps to add the second tunnel, named "RPi-all", from the second QR code.

[Image: start screen]

The above screen shows the appearance of the Android WireGuard application once the two tunnels were created. When selecting a tunnel, the "public" information is displayed on the right panel.

[Image: start screen]

Connecting to the WireGuard server at home is very easily done. Just slide the wanted tunnel's button to the right and that is it. I should point out that the program gives very little feedback. The little key icon signifying the VPN is active will be shown even if the settings are wrong or if the WireGuard server is not online. The only "symptom" that something is wrong will be that it will be impossible to reach any device on the 192.168.1.xxx subnet!