md
Installing WireGuard on Raspbian Stretch and Buster
Last Revision: April 17 2020. Original Version: July 4, 2019

So far I have installed WireGuard "servers" on a few single-board computers including the Raspberry Pi 1 Model B, the Raspberry Pi 3 Model B running the Stretch and Buster versions Raspbian. I have also installed WireGuard "clients" on a couple of Android tablets, a recent low-end Android phone and on an old portable computer running Linux Mint 19. After a few false starts, I must admit that installation is not difficult especially as there is good information available on the Web. In this post I will give details about installing WireGuard on any Raspberry Pi 2 (version 1.2) and above running either Raspbian Stretch or newly released Raspbian Buster.

This post is obsolete. You should be reading the newer version Installing and Configuring WireGuard on Raspbian Buster, unless you insist on using Raspbian Stretch.
April 17, 2020
In the original version of this post, I overstated problems with the installation instructions kindly provided by Adrian Mihalko on GitHub. I hope to have made honourable amends in this revised version of the post by showing that the instructions do work in Raspbian Stretch. It is also shown that WireGuard can be installed with the apt wrapper if an additional step is taken. I have also found a German language post which updates the instructions for Buster. Finally, the Dietpi script which works in both Stretch and Buster is described as before.
July 24, 2019

Table of Contents

  1. Prerequisites to Installing WireGuard on a Raspberry Pi 2 v1.2 or above
  2. Installing WireGuard on Raspbian Stretch
  3. Installing WireGuard on Raspbian Buster
  4. The Dietpi Script to Install WireGuard on Raspbian Stretch or Buster
  5. Configuring WireGuard
  6. Installing WireGuard on Other Devices

Prequisites to Installing WireGuard on a Raspberry Pi 2 v1.2 or above toc

I will describe how to install the WireGuard virtual network server on a Raspberry Pi 3 model B running Raspbian Stretch Lite and Raspbian Buster Lite. These are the versions on which the software has been installed.

Raspbian Stretch Lite
  Minimal image based on Debian Stretch
  Version:        April 2019
  Release date:   2019-04-08
  Kernel version: 4.14

Raspbian Buster Lite
  Minimal image based on Debian Buster

  Version:        June 2019
  Release date:   2019-06-20
  Kernel version: 4.19

  Version:        February 2020
  Release date:   2020-02-13
  Kernel version: 4.19

Unless you have a new Raspberry Pi 4, I don't think there is a pressing need to use the newly available Raspbian Buster and it might be a good idea to wait before switching to the new release. The latest version of Raspbian is always available from the Raspberry Pi Foundation Raspbian downloads page. Since Stretch is not the latest release of Raspbian, it is no longer available from that page. Nevertheless it can be downloaded along with older versions of Buster.

Full versions of Raspbian Stretch or Buster are also available if that is the preferred OS. Even if the GUI version is installed, it will be necessary to open a terminal to install WireGuard.

If a newer version of Raspbian is used, then WireGuard may already be installed. Test as explained in the leading sidebar.

pi@raspberrypi:~$ which wg /usr/bin/wg pi@raspberrypi:~$ which wg-quick /usr/bin/wg-quick

If the two programs are found, WireGuard is installed and only needs to be configured. Otherwise the following steps must be performed beginning with a system update and the installation of the Linux kernel headers.

pi@raspberrypi:~ $ sudo apt update && sudo apt upgrade -y ... 31 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Need to get 81.0 MB of archives. After this operation, 5,875 kB of additional disk space will be used. Number of packages upgraded and the additional disk space used will depend on the last time the system was upgraded ... pi@raspberrypi:~ $ sudo apt-get install raspberrypi-kernel-headers Reading package lists... Done ... The following NEW packages will be installed: raspberrypi-kernel-headers 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 16.7 MB of archives. After this operation, 109 MB of additional disk space will be used. ... Setting up raspberrypi-kernel-headers (1.20190517-1) ...

This process is lengthy. Note that in the latest version (Feb. 2020) of Buster it is version 1.20200212-1 of the kernel headers that is installed and that it is considerably bigger package.

That is it for the prerequisites in Raspbian Buster. In Stretch the dirmngr utility that performs network operations when managing and downloading certificates when accessing Debian repositories needs to be installed.

pi@raspberrypi:~ $ sudo apt install dirmngr ... 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 547 kB of archives. After this operation, 963 kB of additional disk space will be used. ... Processing triggers for man-db (2.7.6.1-2) ... Setting up dirmngr (2.1.18-8~deb9u4) ...

This is an older version compared to version 2.2.12 present in Buster by default, but that does not seem to matter.

Installing WireGuard in Raspbian Stretch toc

Let's continue following the very clear instructions provided by Adrian Mihalko on GitHub.

Before trying the instructions that follow, I would try

pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list deb http://deb.debian.org/debian/ unstable main pi@raspberrypi:~ $ wget -O - https://ftp-master.debian.org/keys/archive-key-$(lsb_release -sr).asc | sudo apt-key add - --2020-04-18 19:56:18-- https://ftp-master.debian.org/keys/archive-key-10.asc Resolving ftp-master.debian.org (ftp-master.debian.org)... 138.16.160.17 ... OK pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable Package: * Pin: release a=unstable Pin-Priority: 150 pi@raspberrypi:~ $ sudo apt update Get:1 http://deb.debian.org/debian unstable InRelease [146 kB] ... All packages are up to date. pi@raspberrypi:~ $ sudo apt install wireguard -y

These include the new instructions by Adrian Mihalko and Ryan Govostes (Feb 10, 2020) about fetching the repository key.

April 17, 2020

pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list deb http://deb.debian.org/debian/ unstable main pi@raspberrypi:~ $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 Executing: /tmp/apt-key-gpghome.6DgSR8OVyN/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 gpg: key 8B48AD6246925553: 30 signatures not checked due to missing keys gpg: key 8B48AD6246925553: public key "Debian Archive Automatic Signing Key (7.0/wheezy) " imported gpg: Total number processed: 1 gpg: imported: 1 pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable Package: * Pin: release a=unstable Pin-Priority: 150 pi@raspberrypi:~ $ sudo apt-get update ... Fetched 14.6 MB in 2min 0s (121 kB/s) Reading package lists... Done W: GPG error: http://deb.debian.org/debian unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138 W: The repository 'http://deb.debian.org/debian unstable InRelease' is not signed. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details. pi@raspberrypi:~ $ sudo apt-get install wireguard Reading package lists... Done ... 0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded. Need to get 449 kB of archives. After this operation, 2,396 kB of additional disk space will be used. Do you want to continue? [Y/n] y WARNING: The following packages cannot be authenticated! wireguard-dkms wireguard-tools wireguard Install these packages without verification? [y/N] y ... Setting up wireguard-dkms (0.0.20190702-1) ... Loading new wireguard-0.0.20190702 DKMS files... It is likely that 4.19.42-v7+ belongs to a chroot's host --> Building for 4.19.57+ and 4.19.57-v7+ Building initial module for 4.19.57+ Done.

Note the two warnings about the unsigned unstable repository. That is why it is necessary to confirm twice to proceed when installing WireGuard. If the -y option had been specified, the installation would have failed as shown below.

pi@raspberrypi:~ $ sudo apt-get install wireguard -y ... 0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded. Need to get 449 kB of archives. After this operation, 2,396 kB of additional disk space will be used. WARNING: The following packages cannot be authenticated! wireguard-dkms wireguard-tools wireguard E: There were unauthenticated packages and -y was used without --allow-unauthenticated

According to the error message, the following would have worked, but I did not test that.

pi@raspberrypi:~ $ sudo apt-get install wireguard -y --allow-unauthenticated

It is important to create the limit-unstable file in the /etc/apt/preferences.d. That file was created in the command starting with printf 'Package:. If that is not done, then an apt-get upgrade will replace many, many packages from the stable Stretch repository with unstable versions from the unstable repository with perhaps dire consequences. This can be checked by running apt-get update just before creating the limit-unstable file.

While not a fanatic about it, I prefer to use the apt wrapper instead of the lower level apt-get utility directly. See Difference Between apt and apt-get Explained about this. This is one way to proceed after installing the prerequisites.

pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list deb http://deb.debian.org/debian/ unstable main pi@raspberrypi:~ $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 Executing: /tmp/apt-key-gpghome.6DgSR8OVyN/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 gpg: key 8B48AD6246925553: 30 signatures not checked due to missing keys gpg: key 8B48AD6246925553: public key "Debian Archive Automatic Signing Key (7.0/wheezy) " imported gpg: Total number processed: 1 gpg: imported: 1 pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable Package: * Pin: release a=unstable Pin-Priority: 150

At this point, apt update and apt install will not work as can be seen.

pi@raspberrypi:~ $ sudo apt update Get:1 http://deb.debian.org/debian unstable InRelease [149 kB] Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease Hit:3 http://archive.raspberrypi.org/debian stretch InRelease Err:1 http://deb.debian.org/debian unstable InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138 Reading package lists... Done W: GPG error: http://deb.debian.org/debian unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138 E: The repository 'http://deb.debian.org/debian unstable InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. Oops; there is an error! Try to install WireGuard anyway pi@raspberrypi:~ $ sudo apt install wireguard Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to locate package wireguard

Before updating the list of packages and installing WireGuard, it will be necessary to add the missing public keys listed when apt update was run.

pi@raspberrypi:~ $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC 648ACFD622F3D138 Executing: /tmp/apt-key-gpghome.fuhvFVlBef/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC 648ACFD622F3D138 gpg: key DC30D7C23CBBABEE: 4 signatures not checked due to missing keys gpg: key DC30D7C23CBBABEE: public key "Debian Archive Automatic Signing Key (10/buster) " imported gpg: key E0B11894F66AEC98: 13 signatures not checked due to missing keys gpg: key E0B11894F66AEC98: public key "Debian Archive Automatic Signing Key (9/stretch) " imported gpg: Total number processed: 2 gpg: imported: 2 pi@raspberrypi:~ $ sudo apt update Hit:1 http://archive.raspberrypi.org/debian stretch InRelease Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease Get:3 http://deb.debian.org/debian unstable InRelease [149 kB] Get:4 http://deb.debian.org/debian unstable/main armhf Packages [8,138 kB] Get:5 http://deb.debian.org/debian unstable/main Translation-en [6,291 kB] Fetched 14.4 MB in 20s (689 kB/s) Reading package lists... Done Building dependency tree Reading state information... Done All packages are up to date. pi@raspberrypi:~ $ sudo apt install wireguard -y Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: dkms wireguard-dkms wireguard-tools Suggested packages: python3-apport menu The following NEW packages will be installed: dkms wireguard wireguard-dkms wireguard-tools 0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded. Need to get 449 kB of archives. After this operation, 2,396 kB of additional disk space will be used. ... DKMS: install completed. Setting up wireguard (0.0.20190702-1) ... pi@raspberrypi:~ $

Of course after adding the missing public keys, apt-get could be used instead of apt.

Now that the installation of WireGuard in Stretch is complete jump to configuring WireGuard.

Installing WireGuard in Raspbian Buster toc

Wireguard can be installed in Buster following the instructions from Adrian Mihalko with the updated archive key from Ryan Govostes (Feb 10, 2020).

pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list deb http://deb.debian.org/debian/ unstable main pi@raspberrypi:~ $ wget -O - https://ftp-master.debian.org/keys/archive-key-$(lsb_release -sr).asc | sudo apt-key add - --2020-04-18 19:56:18-- https://ftp-master.debian.org/keys/archive-key-10.asc Resolving ftp-master.debian.org (ftp-master.debian.org)... 138.16.160.17 ... OK pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable Package: * Pin: release a=unstable Pin-Priority: 150 pi@raspberrypi:~ $ sudo apt update Get:1 http://deb.debian.org/debian unstable InRelease [146 kB] ... All packages are up to date. pi@raspberrypi:~ $ sudo apt install wireguard -y Reading package lists... Done ... Setting up wireguard (1.0.20200319-1) ... Processing triggers for man-db (2.8.5-2) ... pi@raspberrypi:~ $ which wg checking /usr/bin/wg pi@raspberrypi:~ $ which wg-quick checking /usr/bin/wg-quick

Previously, the repository key was obtained in a different way. I do not know if the 04EE7237B7D453EC key from the Ubuntu keyserver is still valid.

pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list deb http://deb.debian.org/debian/ unstable main pi@raspberrypi:~ $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC Executing: /tmp/apt-key-gpghome.buGYeUegil/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC gpg: key E0B11894F66AEC98: 13 signatures not checked due to missing keys gpg: key E0B11894F66AEC98: public key "Debian Archive Automatic Signing Key (9/stretch) " imported gpg: Total number processed: 1 gpg: imported: 1 pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable Package: * Pin: release a=unstable Pin-Priority: 150 ...

I wish I understood all this stuff about public keys, key rings and secure repositories well enough to have figured out the correct key myself; but that is not the case. Credit goes to Michael Bachmann, see his blog: Raspberry Pi with WireGuard as VPN server (original title: Raspberry Pi mit WireGuard als VPN Server)


The Dietpi Script to Install WireGuard on Raspbian Stretch or Buster toc

Unfortunately, this is out od date also. There is a Dietpi script to install WireGuard but it appears to be different and to use a different repository.

As discussed in the original version of this post, the Dietpi crew created a script to install WireGuard. It is found in their "experimental Buster image" for the Raspberry Pi but it also works in Stretch. I looked at issue #2458 WireGuard: Prevent accidental "sid" repo installs and the software installation script to obtain the information that follows. As before, the prerequisites as discussed in the first section above need to be installed.

pi@raspberrypi:~ $ echo 'deb https://deb.debian.org/debian/ sid main' | sudo tee --append /etc/apt/sources.list.d/wireguard.list deb https://deb.debian.org/debian/ sid main pi@raspberrypi:~ $ echo -e 'Package: *\nPin: release n=sid\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=sid\nPin-Priority: 99' | sudo tee /etc/apt/preferences.d/wireguard Package: * Pin: release n=sid Pin-Priority: -1 Package: wireguard wireguard-dkms wireguard-tools Pin: release n=sid Pin-Priority: 99 pi@raspberrypi:~ $ wget https://dietpi.com/downloads/binaries/rpi/debian-archive-keyring.deb --2019-07-04 18:17:30-- https://dietpi.com/downloads/binaries/rpi/debian-archive-keyring.deb Resolving dietpi.com (dietpi.com)... 2606:4700:30::681b:b3c7, 2606:4700:30::681b:b2c7, 104.27.179.199, ... Connecting to dietpi.com (dietpi.com)|2606:4700:30::681b:b3c7|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 57392 (56K) [application/x-debian-package] Saving to: ‘debian-archive-keyring.deb’ debian-archive-keyring.deb 100%[========================================================================================>] 56.05K 275KB/s in 0.2s 2019-07-23 18:33:18 (284 KB/s) - ‘debian-archive-keyring.deb’ saved [57392/57392] pi@raspberrypi:~ $ sudo dpkg -i debian-archive-keyring.deb Selecting previously unselected package debian-archive-keyring. (Reading database ... 68154 files and directories currently installed.) Preparing to unpack debian-archive-keyring.deb ... Unpacking debian-archive-keyring (2018.1) ... Setting up debian-archive-keyring (2018.1) ... pi@raspberrypi:~ $ sudo rm debian-archive-keyring.deb pi@raspberrypi:~ $ sudo apt update Hit:1 http://archive.raspberrypi.org/debian stretch InRelease Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease Get:3 https://cdn-aws.deb.debian.org/debian sid InRelease [149 kB] Get:4 https://cdn-aws.deb.debian.org/debian sid/main armhf Packages [8,138 kB] Get:5 https://cdn-aws.deb.debian.org/debian sid/main Translation-en [6,293 kB] Fetched 14.6 MB in 20s (724 kB/s) Reading package lists... Done Building dependency tree Reading state information... Done All packages are up to date. pi@raspberrypi:~ $ sudo apt list --upgradable Listing... Done This is a check to ensure that nothing from the unstable repository, called sid, will be use to upgrade an already installed package. pi@raspberrypi:~ $ sudo apt install wireguard -y Reading package lists... Done ... The following NEW packages will be installed: dkms wireguard wireguard-dkms wireguard-tools 0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded. Need to get 449 kB of archives. After this operation, 2,396 kB of additional disk space will be used. ... DKMS: install completed. Setting up wireguard (0.0.20190702-1) ... Processing triggers for man-db (2.8.5-2) ... pi@raspberrypi:~ $ which wg checking /usr/bin/wg pi@raspberrypi:~ $ which wg-quick checking /usr/bin/wg-quick

The installation is complete.

Configuring WireGuard toc

Once WireGuard is installed, it cannot yet be used. The local area network must be made accessible from the outside, WireGuard must be configured and clients or peers must be created to use the self hosted VPN. Details for all this can be found in section 3 and on of the newer version of this post: Installing and Configuring WireGuard on Raspbian Buster.

Installing WireGuard on Other Devices toc

On older Raspberry Pi models it is necessary to compile WireGuard from the source code. Again, I followed Adrian Mihalko detailed instructions to install the software correctly on a Raspberry Pi 1. I was surprised that the VPN performed adequately even when routing all Internet traffic through it in a coffee shop for better security. My bandwidth demands were usually relatively light. Nevertheless, I streamed YouTube videos simultaneously on a tablet and portable without noticeable degradation. Of course these were not 4K videos, but then I have no plans to view high-definition videos in coffee shops in the forseeable future.

Not long after installing WireGuard on the older Raspberry Pi, I did the same on an Orange Pi Zero with an older version of Armbian. It was necessary to compile the source code much in the same way as on the older Raspberry Pi, but there was a bit of a struggle to get the prerequisite packages in place. There is no point in pursuing this any further given that the latest version of Armbian Bionic includes WireGuard.

The fact that WireGuard is now part of the Linux kernel will only hasten its adoption by an ever-growing number of users. In my opinion, that is a good thing as I have found that using it to host a VPN is very reliable, useful and surprisingly seamless. I suspect that soon installation will no longer be a barrier even on Rasbian, and there will be no real argument against at least giving it a try.