Installing WireGuard on Raspbian Stretch and Buster
Last Revision: July 24. Original Version: July 4, 2019

So far I have installed WireGuard "servers" on a few single-board computers including the Raspberry Pi 1 Model B, the Raspberry Pi 3 Model B, the Orange Pi Zero and an Orange Pi PC-2. I have also installed WireGuard "clients" on a couple of Android tablets and on an old Toshiba Portable computer running Linux Mint 19. After a few false starts, I must admit that installation is not difficult especially as there is good information available on the Web. In this post I will give details about installing WireGuard on any Raspberry Pi 2 (version 1.2) and above running either Raspbian Stretch or the newly released Raspbian Buster.

In the original version of this post, I overstated problems with the installation instructions kindly provided by Adrian Mihalko on GitHub. I hope to have made honourable amends in this revised version of the post by showing that the instructions do work in Raspbian Stretch. It is also shown that WireGuard can be installed with the apt wrapper if an additional step is taken. I have also found a German language post which updates the instructions for Buster. Finally, the Dietpi script which works in both Stretch and Buster is described as before.

Table of Contents

  1. Prerequisites to Installing WireGuard on a Raspberry Pi 2 v1.2 or above
  2. Installing WireGuard on Raspbian Stretch
  3. Installing WireGuard on Raspbian Buster
  4. The Dietpi Script to Install WireGuard on Raspbian Stretch or Buster
  5. Configuring WireGuard
  6. Managing Android Users
  7. Installing WireGuard on a Raspberry Pi 1, 2 (less than v1.2), or Zero (W)

Prerequisites to Installing WireGuard on a Raspberry Pi 2 v1.2 or above

I will describe how to install the WireGuard virtual network server on a Raspberry Pi 3 model B running Raspbian Stretch Lite and Raspbian Buster Lite.

Raspbian Stretch Lite
  Minimal image based on Debian Stretch
  Version:        April 2019
  Release date:   2019-04-08
  Kernel version: 4.14

Raspbian Buster Lite
  Minimal image based on Debian Buster
  Version:        June 2019
  Release date:   2019-06-20
  Kernel version: 4.19

Unless you have a new Raspberry Pi 4, I don't think there is a pressing need to use the newly available Raspbian Buster and it might be a good idea to wait before switching to the new release. Raspbian Buster is available from the Raspberry Pi Foundation Raspbian downloads page. Since Stretch is not the latest release of Raspbian, it is no longer available from that page. Nevertheless it can be downloaded.

Full versions of Raspbian Stretch or Buster are also available if that is the preferred OS. Even if the GUI version is installed, it will be necessary to open a terminal to install WireGuard.

Before attempting to install WireGuard, the system needs to be updated and the Linux kernel headers must be installed.

    pi@raspberrypi:~ $ sudo apt update && sudo apt upgrade -y
    ...
    31 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 81.0 MB of archives.
    After this operation, 5,875 kB of additional disk space will be used.
    ...

The number of packages upgraded and the additional disk space used will depend on the last time the system was upgraded.

    pi@raspberrypi:~ $ sudo apt-get install raspberrypi-kernel-headers
    Reading package lists... Done
    ...
    The following NEW packages will be installed:
      raspberrypi-kernel-headers
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 16.7 MB of archives.
    After this operation, 109 MB of additional disk space will be used.
    ...
    Setting up raspberrypi-kernel-headers (1.20190517-1) ...

That is it for the prerequisites in Raspbian Buster. In Stretch, the dirmngr utility, which performs the network operations needed to manage and download certificates when accessing Debian repositories, also needs to be installed.

    pi@raspberrypi:~ $ sudo apt install dirmngr
    ...
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 547 kB of archives.
    After this operation, 963 kB of additional disk space will be used.
    ...
    Processing triggers for man-db (2.7.6.1-2) ...
    Setting up dirmngr (2.1.18-8~deb9u4) ...

This is an older version compared to version 2.2.12 present in Buster by default, but that does not seem to matter.

Installing WireGuard in Raspbian Stretch

Let's continue following the very clear instructions provided by Adrian Mihalko on GitHub.

    pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
    deb http://deb.debian.org/debian/ unstable main
    pi@raspberrypi:~ $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
    Executing: /tmp/apt-key-gpghome.6DgSR8OVyN/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
    gpg: key 8B48AD6246925553: 30 signatures not checked due to missing keys
    gpg: key 8B48AD6246925553: public key "Debian Archive Automatic Signing Key (7.0/wheezy) " imported
    gpg: Total number processed: 1
    gpg: imported: 1
    pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
    Package: *
    Pin: release a=unstable
    Pin-Priority: 150
    pi@raspberrypi:~ $ sudo apt-get update
    ...
    Fetched 14.6 MB in 2min 0s (121 kB/s)
    Reading package lists... Done
    W: GPG error: http://deb.debian.org/debian unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
    W: The repository 'http://deb.debian.org/debian unstable InRelease' is not signed.
    N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    pi@raspberrypi:~ $ sudo apt-get install wireguard
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      dkms wireguard-dkms wireguard-tools
    Suggested packages:
      python3-apport menu
    The following NEW packages will be installed:
      dkms wireguard wireguard-dkms wireguard-tools
    0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    Need to get 449 kB of archives.
    After this operation, 2,396 kB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    WARNING: The following packages cannot be authenticated!
      wireguard-dkms wireguard-tools wireguard
    Install these packages without verification? [y/N] y
    Building for 4.19.57+ and 4.19.57-v7+
    Building initial module for 4.19.57+
    Done.

Note the two warnings about the unsigned unstable repository. Because apt cannot verify the repository signature, it is necessary to confirm twice to proceed when installing WireGuard. If the -y option had been specified, the installation would have failed as shown below.

    pi@raspberrypi:~ $ sudo apt-get install wireguard -y
    ...
    0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    Need to get 449 kB of archives.
    After this operation, 2,396 kB of additional disk space will be used.
    WARNING: The following packages cannot be authenticated!
      wireguard-dkms wireguard-tools wireguard
    E: There were unauthenticated packages and -y was used without --allow-unauthenticated

According to the error message, the following would have worked, but I did not test that.

    pi@raspberrypi:~ $ sudo apt-get install wireguard -y --allow-unauthenticated

It is important to create the limit-unstable file in the /etc/apt/preferences.d directory. That file was created by the command starting with printf 'Package:. If that is not done, then an apt-get upgrade will replace many, many packages from the stable Stretch repository with unstable versions from the unstable repository, with perhaps dire consequences. This can be checked by running apt-get update just before creating the limit-unstable file.
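An added example, not part of the original post or of Adrian Mihalko's instructions: a shell check that the pin described above is in place before any upgrade is run. It goes slightly beyond the text by also accepting the codename form (n=sid) used by the Dietpi script later in this post. The function names, the directory arguments and the --demo switch are assumptions chosen for illustration; 500 is apt's default priority for a repository that is not the target release.

```shell
#!/bin/sh
# Added example: confirm that Debian unstable (archive "unstable", codename
# "sid") is held back by an apt pin. Function names are illustrative.

# Print the Pin-Priority of every "Package: *" stanza that pins unstable/sid
# in the apt preferences files given as arguments.
unstable_catchall_priority() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        pkg = ""; pin = ""; prio = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Package:/)      { pkg = $i;  sub(/^Package:[ \t]*/, "", pkg) }
            if ($i ~ /^Pin:/)          { pin = $i;  sub(/^Pin:[ \t]*/, "", pin) }
            if ($i ~ /^Pin-Priority:/) { prio = $i; sub(/^Pin-Priority:[ \t]*/, "", prio) }
        }
        sub(/[ \t]+$/, "", pkg)
        if (pkg == "*" && pin ~ /^release / && pin ~ /(a=unstable|n=sid)/)
            print prio
    }' "$@"
}

# Return 0 if unstable is absent from SRC_DIR/*.list, or if the catch-all pins
# found for it in PREFS_DIR are all below 500. Return 1 if unstable is a
# package source and nothing holds it back.
unstable_is_contained() {
    src_dir=$1
    prefs_dir=$2
    if ! cat "$src_dir"/*.list 2>/dev/null |
        grep -Eq '^[[:space:]]*deb[[:space:]].*[[:space:]](unstable|sid)[[:space:]]'; then
        return 0
    fi
    set -- "$prefs_dir"/*
    [ -e "$1" ] || return 1
    # Judge by the highest catch-all priority found (the conservative reading).
    prio=$(unstable_catchall_priority "$@" | sort -n | tail -n 1)
    [ -n "$prio" ] && [ "$prio" -lt 500 ]
}

# Build three constructed states under DIR: the source added without a pin,
# the limit-unstable pin from this section, and the Dietpi-style pin.
make_sample() {
    mkdir -p "$1/bare/src" "$1/bare/prefs" "$1/pinned/src" "$1/pinned/prefs" \
             "$1/dietpi/src" "$1/dietpi/prefs"
    echo 'deb http://deb.debian.org/debian/ unstable main' > "$1/bare/src/unstable.list"
    cp "$1/bare/src/unstable.list" "$1/pinned/src/unstable.list"
    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' \
        > "$1/pinned/prefs/limit-unstable"
    echo 'deb https://deb.debian.org/debian/ sid main' > "$1/dietpi/src/wireguard.list"
    printf 'Package: *\nPin: release n=sid\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=sid\nPin-Priority: 99\n' \
        > "$1/dietpi/prefs/wireguard"
}

# Usage: script --demo            run against the constructed samples
#        script SRC_DIR PREFS_DIR check real directories, e.g.
#               /etc/apt/sources.list.d /etc/apt/preferences.d
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    for state in bare pinned dietpi; do
        if unstable_is_contained "$tmp/$state/src" "$tmp/$state/prefs"; then
            echo "$state: unstable is held back"
        else
            echo "$state: unstable can replace stable packages on upgrade"
        fi
    done
    rm -rf "$tmp"
elif [ "$#" -eq 2 ]; then
    unstable_is_contained "$1" "$2"
fi
```

On a real system, `apt-cache policy` shows the priority apt has actually assigned to each repository and is the authoritative view.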

While not a fanatic about it, I prefer to use the apt wrapper instead of the lower level apt-get utility directly. See Difference Between apt and apt-get Explained about this. This is one way to proceed after installing the prerequisites.

    pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
    deb http://deb.debian.org/debian/ unstable main
    pi@raspberrypi:~ $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
    Executing: /tmp/apt-key-gpghome.6DgSR8OVyN/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
    gpg: key 8B48AD6246925553: 30 signatures not checked due to missing keys
    gpg: key 8B48AD6246925553: public key "Debian Archive Automatic Signing Key (7.0/wheezy) " imported
    gpg: Total number processed: 1
    gpg: imported: 1
    pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
    Package: *
    Pin: release a=unstable
    Pin-Priority: 150

At this point, apt update and apt install will not work, as can be seen.

    pi@raspberrypi:~ $ sudo apt update
    Get:1 http://deb.debian.org/debian unstable InRelease [149 kB]
    Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
    Hit:3 http://archive.raspberrypi.org/debian stretch InRelease
    Err:1 http://deb.debian.org/debian unstable InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
    Reading package lists... Done
    W: GPG error: http://deb.debian.org/debian unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
    E: The repository 'http://deb.debian.org/debian unstable InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

Oops; there is an error! Try to install WireGuard anyway.

    pi@raspberrypi:~ $ sudo apt install wireguard
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package wireguard

Before updating the list of packages and installing WireGuard, it will be necessary to add the missing public keys listed when apt update was run.

    pi@raspberrypi:~ $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
    Executing: /tmp/apt-key-gpghome.fuhvFVlBef/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
    gpg: key DC30D7C23CBBABEE: 4 signatures not checked due to missing keys
    gpg: key DC30D7C23CBBABEE: public key "Debian Archive Automatic Signing Key (10/buster) " imported
    gpg: key E0B11894F66AEC98: 13 signatures not checked due to missing keys
    gpg: key E0B11894F66AEC98: public key "Debian Archive Automatic Signing Key (9/stretch) " imported
    gpg: Total number processed: 2
    gpg: imported: 2
    pi@raspberrypi:~ $ sudo apt update
    Hit:1 http://archive.raspberrypi.org/debian stretch InRelease
    Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
    Get:3 http://deb.debian.org/debian unstable InRelease [149 kB]
    Get:4 http://deb.debian.org/debian unstable/main armhf Packages [8,138 kB]
    Get:5 http://deb.debian.org/debian unstable/main Translation-en [6,291 kB]
    Fetched 14.4 MB in 20s (689 kB/s)
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    All packages are up to date.
    pi@raspberrypi:~ $ sudo apt install wireguard -y
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      dkms wireguard-dkms wireguard-tools
    Suggested packages:
      python3-apport menu
    The following NEW packages will be installed:
      dkms wireguard wireguard-dkms wireguard-tools
    0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    Need to get 449 kB of archives.
    After this operation, 2,396 kB of additional disk space will be used.
    ...
    DKMS: install completed.
    Setting up wireguard (0.0.20190702-1) ...
    pi@raspberrypi:~ $

Of course, after adding the missing public keys, apt-get could be used instead of apt.

Now that the installation of WireGuard in Stretch is complete, jump to the section entitled Configuring WireGuard. You may be interested in another way of installing WireGuard in Stretch.

Installing WireGuard in Raspbian Buster

WireGuard can be installed in Buster in a manner similar to the steps taken in Stretch as described by Adrian Mihalko. The key is different but otherwise things are actually simpler.

    pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
    deb http://deb.debian.org/debian/ unstable main
    pi@raspberrypi:~ $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
    Executing: /tmp/apt-key-gpghome.buGYeUegil/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
    gpg: key E0B11894F66AEC98: 13 signatures not checked due to missing keys
    gpg: key E0B11894F66AEC98: public key "Debian Archive Automatic Signing Key (9/stretch) " imported
    gpg: Total number processed: 1
    gpg: imported: 1
    pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
    Package: *
    Pin: release a=unstable
    Pin-Priority: 150
    pi@raspberrypi:~ $ sudo apt update
    Hit:1 http://deb.debian.org/debian unstable InRelease
    Hit:2 http://archive.raspberrypi.org/debian buster InRelease
    Hit:3 http://raspbian.raspberrypi.org/raspbian buster InRelease
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    All packages are up to date.
    pi@raspberrypi:~ $ sudo apt install wireguard -y
    Reading package lists... Done
    DKMS: install completed.
    Setting up wireguard-tools (0.0.20190702-1) ...
    Setting up wireguard (0.0.20190702-1) ...
    Processing triggers for man-db (2.8.5-2) ...

I wish I understood all this stuff about public keys, key rings and secure repositories well enough to have figured out the correct key myself; but that is not the case. Credit goes to Michael Bachmann, see his blog: Raspberry Pi with WireGuard as VPN server (original title: Raspberry Pi mit WireGuard als VPN Server)

The Dietpi Script to Install WireGuard on Raspbian Stretch or Buster

As discussed in the original version of this post, the Dietpi crew created a script to install WireGuard. It is found in their "experimental Buster image" for the Raspberry Pi but it also works in Stretch. I looked at issue #2458 WireGuard: Prevent accidental "sid" repo installs and the software installation script to obtain the information that follows. As before, the prerequisites as discussed in the first section above need to be installed.

    pi@raspberrypi:~ $ echo 'deb https://deb.debian.org/debian/ sid main' | sudo tee --append /etc/apt/sources.list.d/wireguard.list
    deb https://deb.debian.org/debian/ sid main
    pi@raspberrypi:~ $ echo -e 'Package: *\nPin: release n=sid\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=sid\nPin-Priority: 99' | sudo tee /etc/apt/preferences.d/wireguard
    Package: *
    Pin: release n=sid
    Pin-Priority: -1

    Package: wireguard wireguard-dkms wireguard-tools
    Pin: release n=sid
    Pin-Priority: 99
    pi@raspberrypi:~ $ wget https://dietpi.com/downloads/binaries/rpi/debian-archive-keyring.deb
    --2019-07-04 18:17:30-- https://dietpi.com/downloads/binaries/rpi/debian-archive-keyring.deb
    Resolving dietpi.com (dietpi.com)... 2606:4700:30::681b:b3c7, 2606:4700:30::681b:b2c7, 104.27.179.199, ...
    Connecting to dietpi.com (dietpi.com)|2606:4700:30::681b:b3c7|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 57392 (56K) [application/x-debian-package]
    Saving to: ‘debian-archive-keyring.deb’

    debian-archive-keyring.deb 100%[========================================================================================>] 56.05K 275KB/s in 0.2s

    2019-07-23 18:33:18 (284 KB/s) - ‘debian-archive-keyring.deb’ saved [57392/57392]

    pi@raspberrypi:~ $ sudo dpkg -i debian-archive-keyring.deb
    Selecting previously unselected package debian-archive-keyring.
    (Reading database ... 68154 files and directories currently installed.)
    Preparing to unpack debian-archive-keyring.deb ...
    Unpacking debian-archive-keyring (2018.1) ...
    Setting up debian-archive-keyring (2018.1) ...
    pi@raspberrypi:~ $ sudo rm debian-archive-keyring.deb
    pi@raspberrypi:~ $ sudo apt update
    Hit:1 http://archive.raspberrypi.org/debian stretch InRelease
    Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
    Get:3 https://cdn-aws.deb.debian.org/debian sid InRelease [149 kB]
    Get:4 https://cdn-aws.deb.debian.org/debian sid/main armhf Packages [8,138 kB]
    Get:5 https://cdn-aws.deb.debian.org/debian sid/main Translation-en [6,293 kB]
    Fetched 14.6 MB in 20s (724 kB/s)
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    All packages are up to date.
    pi@raspberrypi:~ $ sudo apt list --upgradable
    Listing... Done

This is a check to ensure that nothing from the unstable repository, called sid, will be used to upgrade an already installed package.

    pi@raspberrypi:~ $ sudo apt install wireguard -y
    Reading package lists... Done
    ...
    The following NEW packages will be installed:
      dkms wireguard wireguard-dkms wireguard-tools
    0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    Need to get 449 kB of archives.
    After this operation, 2,396 kB of additional disk space will be used.
    ...
    DKMS: install completed.
    Setting up wireguard (0.0.20190702-1) ...

Now that the installation is complete, it is possible to go on to configuring WireGuard.

Configuring WireGuard

This list might look daunting; it is actually rather easy to configure a WireGuard server and to add clients or peers.

Enable IP Forwarding

If access to another LAN resource, such as an IP camera or a Web server, is needed then IP forwarding has to be enabled on the computer hosting the WireGuard server.

    pi@raspberrypi:~ $ cd /etc
    pi@raspberrypi:/etc $ ls -l sysctl*
    -rw-r--r-- 1 root root 2683 Apr 8 06:56 sysctl.conf

    sysctl.d:
    total 8
    -rw-r--r-- 1 root root 51 Nov 26 2018 98-rpi.conf
    lrwxrwxrwx 1 root root 14 Apr 8 07:51 99-sysctl.conf -> ../sysctl.conf
    -rw-r--r-- 1 root root 639 May 17 2018 README.sysctl

Note how /etc/sysctl.d/99-sysctl.conf is a symbolic link to /etc/sysctl.conf. It will suffice to edit the latter to enable IP packet forwarding.

    pi@raspberrypi:/etc $ sudo nano sysctl.conf

Change

    ...
    # Uncomment the next line to enable packet forwarding for IPv4
    #net.ipv4.ip_forward=1
    ...

to

    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.ip_forward=1

as instructed in the configuration file. A reboot will be necessary for the change to take effect.

    pi@raspberrypi:~ $ sudo reboot
    Connection to raspberrypi.local closed by remote host.
    Connection to raspberrypi.local closed.
    ...
    michel@hp:~$ ssh pi@raspberrypi.local
    ...
    ...
    pi@raspberrypi:~ $ sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

Install the Adrian Mihalko User Management Script

One could follow Adrian Mihalko's guide to manually configure WireGuard, but I found his User Management Script very useful as I use Android tablets as clients on a regular basis. So what follows is mostly a copy and paste operation from the GitHub repository, with just a few hints that might be useful for some.

    pi@raspberrypi:~ $ sudo apt-get install git qrencode -y
    ...
    0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
    Need to get 5,069 kB of archives.
    After this operation, 26.8 MB of additional disk space will be used.
    ...
    Setting up git (1:2.11.0-3+deb9u4) ...
    Setting up qrencode (3.4.4-1) ...
    pi@raspberrypi:~ $ git clone https://github.com/adrianmihalko/wg_config.git
    Cloning into 'wg_config'...
    remote: Enumerating objects: 50, done.
    remote: Total 50 (delta 0), reused 0 (delta 0), pack-reused 50
    Unpacking objects: 100% (50/50), done.

Generate the Private and Public Server Keys

    pi@raspberrypi:~ $ cd wg_config
    pi@raspberrypi:~/wg_config $ wg genkey | tee server_private.key | wg pubkey > server_public.key

If you get a segmentation error here, then the Raspberry Pi was probably too old. It will be necessary to compile WireGuard.

    pi@raspberrypi:~/wg_config $ cat server_public.key
    5lFoBBjeLcJWC9xqS/Kj9HVwd0tRUBX/EQWW2ZglbDs=
    pi@raspberrypi:~/wg_config $ cat server_private.key
    aA+iKGr4y/j604LtNT+MQJ76Pvz5Q5E+qQBLW40wXnY=

These two keys are needed for the next step. Copy them into a text editor on the desktop to easily copy them later.

Create and edit the server definition file

    pi@raspberrypi:~/wg_config $ cp wg.def.sample wg.def
    pi@raspberrypi:~/wg_config $ nano wg.def

    _INTERFACE=wg0
    _VPN_NET=192.168.99.0/24
    _SERVER_PORT=51820
    _SERVER_LISTEN=wg.example.com:$_SERVER_PORT
    _SERVER_PUBLIC_KEY=5lFoBBjeLcJWC9xqS/Kj9HVwd0tRUBX/EQWW2ZglbDs=
    _SERVER_PRIVATE_KEY=aA+iKGr4y/j604LtNT+MQJ76Pvz5Q5E+qQBLW40wXnY=

If subnet 192.168.99.xxx is used on the local area network, then the value of _VPN_NET will need to be changed. The _SERVER_PORT is the UDP port that will have to be forwarded to the WireGuard server by the LAN router or gateway. This can be (perhaps should be) changed. Change wg.example.com in _SERVER_LISTEN to your dynamic domain name (I have a post about that: Creating a dynamic domain name). In my (fictitious) case, that entry is:

    _SERVER_LISTEN=modomo.twilightparadox.com:$_SERVER_PORT

Do not put a protocol prefix such as https://, just the domain name. The public IP address assigned to me by my ISP changes so rarely that I could get away with an IP address for testing purposes.

    _SERVER_LISTEN=172.158.45.159:$_SERVER_PORT

Again, this is a fictitious value; sorry if it is your public IP.

Edit the Client Configuration Template

    pi@raspberrypi:~/wg_config $ nano client.conf.tpl

    [Interface]
    Address = $_VPN_IP
    PrivateKey = $_PRIVATE_KEY

    [Peer]
    PublicKey = $_SERVER_PUBLIC_KEY
    AllowedIPs = 192.168.99.1/32, 192.168.1.0/24
    Endpoint = $_SERVER_LISTEN

The value $_PRIVATE_KEY in the field PrivateKey will be changed to the client private key when a user (i.e. client) is generated. The first IP address in AllowedIPs is the IP address of the host of the WireGuard server being set up. The VPN network was set up as _VPN_NET=192.168.99.0/24 in the wg.def file. So the server will be the first valid address, 192.168.99.1, in that subnet. The second IP address, 192.168.1.0/24, is actually a range: 192.168.1.0, 192.168.1.1 and on up to 192.168.1.255. It will be possible to reach all those addresses on the WireGuard server network from the client once the VPN tunnel is established. Change the second allowed IP to correspond to the real subnet used on your home local area network. It could be 192.168.1.xxx as suggested above, 192.168.0.xxx is often used, but some LANs use other private IPv4 addresses such as 10.0.3.xxx.

Edit the Server Configuration Template

It is assumed that the name of the network interface used by the host of the WireGuard server is eth0. In my case that is not correct: the Raspberry Pi is connected by Wi-Fi to the LAN, so it was necessary to edit the server configuration template.

    pi@raspberrypi:~/wg_config $ nano server.conf.tpl

    [Interface]
    Address = $_SERVER_IP
    ListenPort = $_SERVER_PORT
    PrivateKey = $_SERVER_PRIVATE_KEY
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

The eth0 interface is replaced by wlan0 in the PostUp and PostDown lines that define changes to the server iptables when activating or deactivating the VPN.

Create an empty WireGuard server configuration file

    pi@raspberrypi:~/wg_config $ cd ..
    pi@raspberrypi:~ $ sudo touch /etc/wireguard/wg0.conf

This is done once only. The user management script will update this file each time it is used to add or delete a user.

Enable automatic start of the wg0 interface at boot time

    pi@raspberrypi:~ $ sudo systemctl enable wg-quick@wg0
    Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.

This too is only done once, normally.

Start and stop the WireGuard interface manually

    pi@raspberrypi:~ $ sudo wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip link set mtu 1420 up dev wg0
    pi@raspberrypi:~ $ sudo wg-quick down wg0
    [#] ip link delete dev wg0
    [#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERAD

Check on the status of the server

    pi@raspberrypi:~ $ sudo systemctl status wg-quick@wg0
    ● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
       Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
       Active: active (exited) since Fri 2019-03-05 16:50:49 ADT; 20min ago
         Docs: man:wg-quick(8)
               man:wg(8)
               https://www.wireguard.com/
               https://www.wireguard.com/quickstart/
               https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
               https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
      Process: 378 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
     Main PID: 378 (code=exited, status=0/SUCCESS)

    Jul 03 16:48:58 domo systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
    Jul 03 16:50:46 domo wg-quick[378]: [#] ip link add wg0 type wireguard
    Jul 03 16:50:46 domo wg-quick[378]: [#] wg setconf wg0 /dev/fd/63
    Jul 03 16:50:47 domo wg-quick[378]: [#] ip address add 192.168.99.1/24 dev wg0
    Jul 03 16:50:47 domo wg-quick[378]: [#] ip link set mtu 1420 up dev wg0
    Jul 03 16:50:49 domo systemd[1]: Started WireGuard via wg-quick(8) for wg0.
    pi@raspberrypi:~ $ sudo wg
    interface: wg0
      listening port: 54130

There will be more information available when peers/clients have been set up. And even more information will be displayed when a client or peer has created a tunnel (i.e. opened a VPN).

Managing Android Users

I have an old Nexus 7 Android tablet that I often bring when I am outside the house. Here is the procedure used to configure the WireGuard server to accept a connection from a WireGuard client application to be installed on the tablet.

    pi@raspberrypi:~ $ cd wg_config
    pi@raspberrypi:~/wg_config $ sudo ./user.sh -a nexus7
    [QR code of the new client configuration, drawn in the terminal]

Don't worry about the QR code, it can be brought up later. In the meantime, here is the content of the user directory just created.

    pi@raspberrypi:~/wg_config $ ls -l users/nexus7
    total 24
    -rw-r--r-- 1 root root 216 Jul 5 17:49 client.all.conf
    -rw-r--r-- 1 root root 216 Jul 5 17:49 client.conf
    -rw-r--r-- 1 root root 913 Jul 5 17:49 nexus7.all.png
    -rw-r--r-- 1 root root 913 Jul 5 17:49 nexus7.png
    -rw-r--r-- 1 root root 45 Jul 5 17:49 privatekey
    -rw-r--r-- 1 root root 45 Jul 5 17:49 publickey
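The listing above shows privatekey and the client configuration files with mode -rw-r--r--, which makes them readable by every local account. An added example, not part of the original post or of the wg_config project: a shell audit that finds files holding private keys that are accessible to group or other, and restricts them to their owner. The function names and the --demo switch are assumptions; the file names are the ones used on this page, and the sample keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a wg_config working directory for private key material
# that is accessible to group or other. Function names are illustrative.

# Print, one per line, the files under DIR that hold a private key and have
# any group/other permission bit set. Names follow this page: privatekey,
# server_private.key, wg.def, and *.conf files with a PrivateKey line.
wg_loose_secrets() {
    find "$1" -type f \
        \( -name privatekey -o -name '*private.key' -o -name wg.def -o -name '*.conf' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print | LC_ALL=C sort | while IFS= read -r f; do
        case $f in
            *.conf)
                # A .conf without a PrivateKey line holds no secret.
                grep -q '^[[:space:]]*PrivateKey[[:space:]]*=' "$f" || continue
                ;;
        esac
        printf '%s\n' "$f"
    done
}

# Restrict every file reported by wg_loose_secrets to owner read/write.
wg_tighten_secrets() {
    wg_loose_secrets "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Recreate the layout shown on this page under DIR, with mode 0644 and
# constructed placeholder values instead of real keys.
make_wg_sample() {
    mkdir -p "$1/users/nexus7"
    echo 'CONSTRUCTED-PLACEHOLDER-PRIVATE' > "$1/server_private.key"
    echo 'CONSTRUCTED-PLACEHOLDER-PUBLIC'  > "$1/server_public.key"
    echo '_SERVER_PRIVATE_KEY=CONSTRUCTED-PLACEHOLDER-PRIVATE' > "$1/wg.def"
    echo 'CONSTRUCTED-PLACEHOLDER-PRIVATE' > "$1/users/nexus7/privatekey"
    echo 'CONSTRUCTED-PLACEHOLDER-PUBLIC'  > "$1/users/nexus7/publickey"
    for c in client.conf client.all.conf; do
        printf '[Interface]\nAddress = 192.168.99.2/24\nPrivateKey = CONSTRUCTED-PLACEHOLDER-PRIVATE\n' \
            > "$1/users/nexus7/$c"
    done
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: script --demo   run against the constructed sample
#        script DIR      list loose secret files under DIR (e.g. ~/wg_config)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_wg_sample "$tmp"
    echo "before:"; wg_loose_secrets "$tmp"
    wg_tighten_secrets "$tmp"
    echo "after:";  wg_loose_secrets "$tmp"
    rm -rf "$tmp"
elif [ "$#" -eq 1 ]; then
    wg_loose_secrets "$1"
fi
```

Setting `umask 077` in the shell before running `wg genkey | tee server_private.key` creates the key file owner-only from the start.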

As with the WireGuard server, the client has two keys, private and public. Two client configuration files are created. One or both of these will be used to configure the Android client. It will be easy to do using the two png images which are QR codes containing the information about each of the client configuration files. Here is the content of the client configuration file and the updated server configuration file.

    pi@raspberrypi:~/wg_config $ cat users/nexus7/client.conf
    [Interface]
    Address = 192.168.99.2/24
    PrivateKey = gH5xInhP2NZw0t8hVgJPhTRDUh3Bir7FEynRcW8IHlg=

    [Peer]
    PublicKey = 5lFoBBjeLcJWC9xqS/Kj9HVwd0tRUBX/EQWW2ZglbDs=
    AllowedIPs = 192.168.99.1/32, 192.168.1.0/24
    Endpoint = wg.example.com:51820
    pi@raspberrypi:~/wg_config $ cat users/nexus7/client.all.conf
    [Interface]
    Address = 192.168.99.2/24
    PrivateKey = gH5xInhP2NZw0t8hVgJPhTRDUh3Bir7FEynRcW8IHlg=

    [Peer]
    PublicKey = 5lFoBBjeLcJWC9xqS/Kj9HVwd0tRUBX/EQWW2ZglbDs=
    AllowedIPs = 0.0.0.0/0
    Endpoint = wg.example.com:51820
    pi@raspberrypi:~/wg_config $ sudo cat /etc/wireguard/wg0.conf
    [Interface]
    Address = 192.168.99.1/24
    ListenPort = 51820
    PrivateKey = aA+iKGr4y/j604LtNT+MQJ76Pvz5Q5E+qQBLW40wXnY=
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

    [Peer]
    PublicKey = BEnqBZ6rWcDO6lKhb6oXM7aRvE7fuIWCZw1PxgyMMyE=
    AllowedIPs = 192.168.99.2/32

The two client configuration files are identical except for the AllowedIPs field. Display the user information again. This time the two configuration files and the two QR codes will be displayed, but it will be necessary to scroll back to see them.

    pi@raspberrypi:~/wg_config $ sudo ./user.sh -v nexus7

Now it is time to install the WireGuard Application from Google Play on the Android device. Launch the application.

[Screenshot: start screen]

Click on the blue button as told.

[Screenshot: start screen]

Click on Create from QR code. Aim the tablet camera towards the QR code displayed on the desktop monitor. Once the information is acquired, the following dialog appears.

[Screenshot: start screen]

I named the tunnel "Rpi3-split" and then pressed on the CREATE TUNNEL button. I repeated the steps to add the second tunnel, named "RPi-all", from the second QR code.

[Screenshot: start screen]

The above screen shows the appearance of the Android WireGuard application once the two tunnels were created. When selecting a tunnel, the "public" information is displayed on the right panel.

[Screenshot: start screen]

Connecting to the WireGuard server at home is very easily done. Just slide the wanted tunnel's button to the right and that is it. I should point out that the program gives very little feedback. The little key icon signifying the VPN is active will be shown even if the settings are wrong or if the WireGuard server is not online. The only "symptom" that something is wrong will be that it will be impossible to reach any device on the 192.168.1.xxx subnet!

I have not found a simple way to remove a server entry in the WireGuard app. What I do instead is to choose Export tunnels to zip file in the app menu (the three vertical dots). Then I copy the zip file over to my desktop machine over a USB connection with the tablet. The content of the zip file can be edited, removing any unwanted server. The modified zip file is copied back to the tablet. I then erase all application settings. In the older version of Android installed on my tablet, this is done in Settings, Storage and USB, Applications, WireGuard, Erase Data. When the WireGuard app is started, all tunnels will be gone and pressing on the blue + button will bring up the menu already shown before. Instead of choosing Create from QR Code, choose Create from file or archive to import the tunnel definitions from the modified zip file.

Installing WireGuard on a Raspberry Pi 1, 2 (less than v1.2), or Zero (W)

WireGuard needs to be compiled from sources on older Raspberry Pis. Again Adrian Mihalko provides detailed instructions. In a future post, I will check if these instructions remain valid or if adjustments such as those described in the previous section are needed.

I also plan to give details about installing WireGuard in Armbian and perhaps other operating systems.