So far I have installed WireGuard "servers" on a Raspberry Pi 1 Model B running Raspbian Stretch, on a Raspberry Pi 3 Model B running Raspbian Stretch and then later Raspbian Buster, on an Orange Pi Zero running Armbian Stretch, and on an Orange Pi PC-2 running a DietPi'd Armbian Stretch. I have installed WireGuard "clients" on a couple of Android tablets and on an old Toshiba Portable computer running Linux Mint 19. After a few false starts, I must admit that installation is not difficult especially as there is good information available on the Web.
When starting to write this blog yesterday, I realized that what had worked very well previously was no longer functioning. I thought the problem had to do with the latest version of Raspbian, Buster, which has been out just a few days. But unfortunately it was also a problem if using the stable Stretch. So I rushed this post because I found that the DietPi people have a workaround. I hope to update this post fairly soon and to finish the first post on VPNs which I started a couple of months ago.
Table of Contents
- Installing WireGuard on a Raspberry Pi 2 v1.2 or above
- Installing WireGuard on a Raspberry Pi 1, 2 (less than v1.2), or Zero (W)
- Configuring WireGuard
- Manage Users
I have tested this installation on a Raspberry Pi 3 model B running Raspbian Stretch Lite and Raspbian Buster Lite.
- Raspbian Stretch Lite: minimal image based on Debian Stretch. Version: April 2019. Release date: 2019-04-08. Kernel version: 4.14.
- Raspbian Buster Lite: minimal image based on Debian Buster. Version: June 2019. Release date: 2019-06-20. Kernel version: 4.19.
Unless you have a new Raspberry Pi 4, I don't think there is a pressing need to use the newly available Raspbian Buster and it might be a good idea to wait before switching to the new release. Raspbian Buster is available from the Raspberry Pi Foundation Raspbian downloads page. Since Stretch is not the latest release of Raspbian, it is no longer available from that page. Nevertheless it can be downloaded.
- All Raspberry Pi Foundation downloads: http://downloads.raspberrypi.org/
- All Raspbian Lite images: http://downloads.raspberrypi.org/raspbian_lite/images/
- Raspbian Stretch Lite 2019-04-09: http://downloads.raspberrypi.org/raspbian_lite/images/raspbian_lite-2019-04-09/2019-04-08-raspbian-stretch-lite.zip
Full versions of Raspbian Stretch or Buster are also available if that is the preferred OS. Even if the GUI version is installed, it will be necessary to open a terminal to install WireGuard.
In previous installations of WireGuard, I followed the very clear instructions provided by Adrian Mihalko on GitHub. But, in the last couple of days I failed to install WireGuard on Buster following the instructions. Then, earlier today, I found that the same problem now exists when installing on Stretch. However, DietPi can install WireGuard in its "experimental Buster image". I looked at issue #2458 WireGuard: Prevent accidental "sid" repo installs and the software installation script to obtain the information that follows.
Now that the installation is complete, jump to the section entitled Configuring WireGuard.
WireGuard needs to be compiled from sources on older Raspberry Pi's. Again Adrian Mihalko provides detailed instructions.
In a future update of this post, I will check if these instructions remain valid or if adjustments such as those described in the previous section are needed.
This list might look daunting; it is actually rather easy to configure a WireGuard server and to add clients or peers.
Enable IP Forwarding
If access to another LAN resource, such as an IP camera or a Web server, is needed then IP forwarding has to be enabled on the computer hosting the WireGuard server.
/etc/sysctl.d/99-sysctl.conf is a symbolic link to /etc/sysctl.conf. It will suffice to edit the latter to enable IP packet forwarding.
as instructed in the configuration file. A reboot will be necessary for the change to take effect.
Install the Adrian Mihalko User Management Script
One could follow Adrian Mihalko's guide to manually configure WireGuard, but I found his User Management Script very useful as I use Android tablets as clients on a regular basis. So what follows is mostly a copy and paste operation from GitHub with just a few hints that might be useful for some.
Generate the Private and Public Server Keys
Create and edit the server definition file
If 192.168.99.xxx is used on the local area network, then the value of _VPN_NET will need to be changed.
_SERVER_PORT is the UDP port that will have to be forwarded to the WireGuard server by the LAN router or gateway.
This can be (perhaps should be) changed. Change
_SERVER_LISTEN to your dynamic domain name (I have a
post about that Creating a dynamic domain name). In my (fictitious) case, that
Do not put the protocol prefix such as
https://, just the
domain name. The public IP address assigned to me by my ISP changes
so rarely that I could get away with an IP address for testing purposes.
Again, this is a fictitious value; sorry if it is your public IP.
Edit the Client Configuration Template
$_PRIVATE_KEY in the field
will be changed to the client private key when a user (i.e. client)
is generated. The first IP address in
AllowedIPs is the IP address of
the host of the WireGuard server being set up. The VPN network was set up
_VPN_NET=192.168.99.0/24 in the
So the server will be the first valid address,
in that subnet. The second IP address,
actually a range:
and on up to
192.168.1.255. It will be possible to reach all those
addresses on the WireGuard server network from the client once the VPN tunnel
is established. Change the second allowed IP to correspond to the
real subnet used on your home local area network. It could be
as suggested above,
192.168.0.xxx is often used, but some LANs
use other private IPv4 addresses such as
Edit the Server Configuration Template
It is assumed that the name of the network interface used by the host of the WireGuard server is eth0. In my case that is not correct; the Raspberry Pi is connected by Wi-Fi to the LAN, so it was necessary to edit the server configuration template.
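The address choices made in the server definition file and the client template can be checked before any user is generated. The following is an added example, not part of the original post or of Adrian Mihalko's script: it rejects a _VPN_NET that collides with the home LAN, takes the first valid address of the VPN subnet as the server, and builds the two AllowedIPs values. The function name, the `/32` suffix on the server address, the `0.0.0.0/0` catch-all and the 192.168.1.0/24 LAN (implied by the range ending at 192.168.1.255) are assumptions.

```python
import ipaddress


def plan_vpn(vpn_net, lan_net):
    """Check _VPN_NET against the home LAN and derive the client AllowedIPs.

    vpn_net: value planned for _VPN_NET, e.g. "192.168.99.0/24"
    lan_net: subnet really used on the home LAN, e.g. "192.168.1.0/24"
    """
    vpn = ipaddress.ip_network(vpn_net)
    # strict=False lets a host address such as 192.168.1.20/24 stand for its subnet
    lan = ipaddress.ip_network(lan_net, strict=False)

    # If the LAN already uses the VPN range, routing becomes ambiguous:
    # this is the case where _VPN_NET has to be changed.
    if vpn.overlaps(lan):
        raise ValueError(f"_VPN_NET {vpn} overlaps LAN {lan}; pick another range")

    server = next(vpn.hosts())  # first valid address in the VPN subnet
    return {
        "server": str(server),
        # split tunnel: only the server and the home LAN go through the VPN
        # (the /32 host suffix is an assumption of this example)
        "split_allowed_ips": f"{server}/32, {lan}",
        # full tunnel: all IPv4 traffic goes through the VPN (assumed catch-all)
        "all_allowed_ips": "0.0.0.0/0",
    }


if __name__ == "__main__":
    for vpn_net, lan_net in [
        ("192.168.99.0/24", "192.168.1.0/24"),  # _VPN_NET from the post, implied LAN
        ("192.168.99.0/24", "192.168.0.0/16"),  # constructed: LAN contains the VPN range
    ]:
        try:
            print(vpn_net, lan_net, plan_vpn(vpn_net, lan_net))
        except ValueError as err:
            print("conflict:", err)
```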
Create an empty WireGuard server configuration file
This is only done once. The user management script will update this file each time it is used to add or delete a user.
Enable automatic start of the wg0 interface at boot time
This too is only done once, normally.
Start and stop the WireGuard interface manually
Check on the status of the server
There will be more information available when peers/clients have been setup. And even more information will be displayed when a client or peer has created a tunnel (i.e. opened a VPN).
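Because the Android application shows the key icon whether or not a tunnel really exists (see the end of this post), the server is the place to confirm that a client connected. This added example, which is not part of the original post or of Adrian Mihalko's script, classifies peers from the output of `wg show wg0 latest-handshakes`; the 180-second threshold, the function names and the sample keys are assumptions.

```python
import subprocess
import time

# Assumption: a peer whose last handshake is older than this is treated as
# disconnected. WireGuard renews the handshake about every two minutes while
# traffic flows, so 180 s is a common threshold.
STALE_AFTER = 180


def parse_handshakes(text, now, stale_after=STALE_AFTER):
    """Classify peers from `wg show <iface> latest-handshakes` output.

    Each line is "<peer public key><TAB><unix time of last handshake>";
    the time is 0 when the peer has never completed a handshake.
    """
    states = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[1].isdigit():
            continue  # skip blank or unexpected lines
        key, stamp = fields[0], int(fields[1])
        if stamp == 0:
            states[key] = "never connected"
        elif now - stamp > stale_after:
            states[key] = "stale"
        else:
            states[key] = "active"
    return states


def live_states(iface="wg0"):
    """Run wg on the server (needs root) and classify its peers."""
    out = subprocess.run(["wg", "show", iface, "latest-handshakes"],
                         capture_output=True, text=True, check=True).stdout
    return parse_handshakes(out, int(time.time()))


# Constructed sample output; the keys are placeholders, not real public keys.
SAMPLE = (
    "TABLET_PUBKEY_PLACEHOLDER=\t1561900000\n"
    "LAPTOP_PUBKEY_PLACEHOLDER=\t1561899000\n"
    "PHONE_PUBKEY_PLACEHOLDER=\t0\n"
)

if __name__ == "__main__":
    for key, state in parse_handshakes(SAMPLE, now=1561900060).items():
        print(f"{state:16} {key}")
```

A client that shows the key icon but appears here as "never connected" or "stale" has not established a tunnel; the port forwarding, endpoint name and keys are the first things to check.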
I have an old Nexus 7 Android tablet that I often bring when I am outside the house. Here is the procedure used to configure the WireGuard server to accept a connection from a WireGuard client application to be installed on the tablet.
[QR code shown in the terminal output]
Don't worry about the QR code, it can be brought up later. In the meantime, here is the content of the user directory just created.
As with the WireGuard server, the client has two keys, private and public. Two client configuration files are created. One or both of these will be used to configure the Android client. It will be easy to do using the two png images which are QR codes containing the information about each of the client configuration files. Here is the content of the client configuration file and the updated server configuration file.
The two client configuration files are identical except for the AllowedIPs field. Display the user information again. This time the two configuration files and the two QR codes will be displayed, but it will be necessary to scroll back to see them.
Now it is time to install the WireGuard Application from Google Play on the Android device. Launch the application.
Click on the blue button as told.
Click on the Create from QR code. Aim the tablet camera towards the QR code displayed on the desktop monitor. Once the information is acquired, the following dialog appears.
I named the tunnel "Rpi3-split" and then pressed on the CREATE TUNNEL button. I repeated the steps to add the second tunnel, named "RPi-all", from the second QR code.
The above screen shows the appearance of the Android WireGuard application once the two tunnels were created. When selecting a tunnel, the "public" information is displayed on the right panel.
Connecting to the WireGuard server at home is very easily done. Just
slide the wanted tunnel's button to the right and that is it. I should point
out that the program gives very little feedback. The little key icon
signifying the VPN is active will be shown even if the settings are wrong or
if the WireGuard server is not online. The only "symptom" that something is
wrong will be that it will be impossible to reach any device on the