2020-08-01
md
Installing WireGuard on all Raspberry Pi Models (July 2020)
Installing and Configuring WireGuard on Raspberry Pi OS (January 2021)-> <-Installing and Configuring WireGuard on a Raspberry Pi

Previous posts on installing Wireguard on the Raspberry Pi dealt with Rapsberry Pi model 2 (version 1.2) and up. I did say that it was possible to install the virtual network server on the Raspberry Pi Zero and older models of the Raspberry Pi by compiling the source. However Daniel T. Wagner wrote yesterday with good news. The Raspbian testing repository contains WireGuard package which is compatible with the ARMv6, ARMv7 and ARMv8 architecture. Therefore that version is compatible with all Raspberry Pi models as far as I know.

This post is obsolete. You should be reading the newer version. See Installing and Configuring WireGuard on Raspberry Pi for all the posts on this subject.
January 6, 2021

This revised version of the post incorporates helpful comments and corrections received in a private email from Aravind Reddy earlier today. Many thanks to Daniel and Aravid for reaching out and sharing their knowledge.

This post was a quickly written addendum to Installing and Configuring WireGuard on Raspberry Pi OS (May 2020). Both these articles have been replaced by Installing and Configuring WireGuard on Raspberry Pi OS (August 2020) which, hopefully, contains the easiest way to install, configure and use WireGuard on all Raspberry Pi models running Raspbery Pi OS.


Table of Contents

  1. Prerequisites to Installing WireGuard on Raspberry Pi OS
  2. Installing WireGuard
  3. About the Raspbian Testing Repository

Prerequisites to Installing WireGuard on Raspberry Pi OS toc

I will describe how I installed the WireGuard virtual network server on a Raspberry Pi model B © 2011.9 running Raspberry Pi OS Lite. The latest "official supported operating system" released by the Raspberry Pi Foundation found on the Raspberry Pi OS (previously called Raspbian) download page,

Raspberry Pi OS (32-bit) Lite
  Minimal image based on Debian Buster
  Version:        May 2020
  Release date:   2020-05-27
  Kernel version: 4.19

was on the SD card. There are three versions of the OS, the Lite version is typically chosen if the Raspberry Pi is used as a server, while one of the "desktop" versions with a graphical user interface (GUI) should be obtained if the Pi is to be used as a full-fledged desktop computer with connected keyboard and monitor. Even if a GUI version is installed, it will be probably be necessary to open a terminal to install WireGuard.

I changed the hostname to oldpi with the raspi-config utility and then, as always before installing a major package, the system was updated and upgraded after confirming that the kernel version was indeed 4.19.

pi@oldpi:~ $ uname -a Linux oldpi 4.19.118+ #1311 Mon Apr 27 14:16:15 BST 2020 armv6l GNU/Linux pi@oldpi:~ $ sudo apt update && sudo apt upgrade -y

Now would be a good time to read War and Peace or binge watch Games of Throne. Don't worry, if you don't complete either task, you will manage to finish it in the next two steps, especially if using old single core SoC. Exactly which packages will be upgraded and the disk space freed or used will depend on how long it has been since the last upgrade was done. Interestingly, the raspberrypi-kernel was among those packages that were upgraded. As a consequence, the kernel was upgraded to version 5.4.51.

pi@oldpi:~ $ sudo reboot ... After opening a new session ... pi@oldpi:~ $ uname -a Linux oldpi 5.4.51+ #1327 Thu Jul 23 10:53:06 BST 2020 armv6l GNU/Linux

The next step is to install the only prerequisite, the kernel header files.

> pi@oldpi:~ $ sudo apt-get install raspberrypi-kernel-headers Reading package lists... Done ... The following NEW packages will be installed: raspberrypi-kernel-headers 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 26.2 MB of archives. After this operation, 171 MB of additional disk space will be used. ... Setting up raspberrypi-kernel-headers (1.20200723-1) ...

Note that the version of the headers will depend on the version of the operating system kernel, which may be later than what is shown above by the time this note is read.

That is it for the prerequisites.

Installing WireGuard toc

Because I thought that the WireGuard was not available in the Raspberry Pi OS repositories, I installed the package from the Debian repository and unfortunately that package is not compatible with the ARMv6 processor. In the past I resorted to compiling the source code for those Raspberry Pi models that use that architecture. But Daniel Wagner found that the WireGuard package available in the Raspbian Testing repository is compatible with the older architecture, so there is no need to go through the complicated and lengthy compilation process. Testing needs to be added to the list of repositories and it should be given a lower priority so that most installed packages are not upgraded (more on that at the end).

pi@oldpi:~ $ echo "deb http://archive.raspbian.org/raspbian testing main" | sudo tee --append /etc/apt/sources.list.d/testing.list deb http://archive.raspbian.org/raspbian testing main pi@oldpi:~ $ printf 'Package: *\nPin: release a=testing\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-testing Package: * Pin: release a=testing Pin-Priority: 150

Now the WireGuard package in the testing repository can be installed.

pi@oldpi:~ $ sudo apt update pi@oldpi:~ $ sudo apt install wireguard -y Reading package lists... Done ... The following NEW packages will be installed: dkms wireguard wireguard-dkms wireguard-tools 0 upgraded, 4 newly installed, 0 to remove and 10 not upgraded. Need to get 412 kB of archives. After this operation, 2,349 kB of additional disk space will be used. ... Loading new wireguard-1.0.20200712 DKMS files... It is likely that 4.19.118+ belongs to a chroot's host Building for 5.4.51+, 5.4.51-v7+, 5.4.51-v7l+ and 5.4.51-v8+ Building initial module for 5.4.51+ Done. Setting up wireguard (1.0.20200513-1) ... Processing triggers for man-db (2.8.5-2) ...

It is now possible to verify that the Wireguard utilities have been installed.

pi@oldpi:~ $ which wg wg-quick /usr/bin/wg /usr/bin/wg-quick

Before creating an empty interface configuration file and bringing up the interface, it may be necessary to reboot.

pi@oldpi:~ $ sudo reboot ... continuing after opening a new session ... pi@oldpi:~ $ sudo touch /etc/wireguard/wg0.conf pi@oldpi:~ $ sudo wg-quick up wg0 [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip link set mtu 1420 up dev wg0

Verification shows that the WireGuard module was loaded and the network interface is created and that the server is up and waiting for incoming UDP packets on port 40213.

pi@oldpi:~ $ lsmod | grep wire wireguard 143360 0 ip6_udp_tunnel 16384 1 wireguard udp_tunnel 16384 1 wireguard ipv6 454656 29 wireguard pi@oldpi:~ $ ifconfig wg0 wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 pi@oldpi:~ $ sudo wg interface: wg0 listening port: 39247

However, it is rather pointless to bring up the interface because it will not do anything without proper configuration. Taking the interface down and stopping the server is just as easy, but note how the WireGuard module remains loaded.

pi@oldpi:~ $ sudo wg-quick down wg0 [#] ip link delete dev wg0 pi@oldpi:~ $ sudo wg pi@oldpi:~ $ ifconfig wg0 wg0: error fetching interface information: Device not found pi@oldpi:~ $ lsmod | grep wire wireguard 143360 0 ip6_udp_tunnel 16384 1 wireguard udp_tunnel 16384 1 wireguard ipv6 454656 27 wireguard pi@oldpi:~ $ sudo modprobe -r wireguard pi@oldpi:~ $ lsmod | grep wire pi@oldpi:~ $

At this point it will be necessary to configure Wireguard in order to do anything useful. There is no point in repeating the instructions here, just go back to the older post starting with section 3. Enabling Remote Access to the Local Network. Hopefully, everything will work.

About the Raspbian Testing Repository toc

Back in May, when I installed WireGuard on Raspberry Pi OS, I did not find the package in the main Buster repository even after upgrading to the 5.4 kernel (see Concluding Remarks). As shown above, the Testing repository, does contain a version of the package compatible with the ARMv6, ARMv7 and ARMv8 architectures which takes care of all Raspberry Pi models. Here is the list of repositories used after adding Testing.

pi@oldpi:~ $ apt-cache policy Package files: 100 /var/lib/dpkg/status release a=now 150 http://archive.raspbian.org/raspbian testing/main armhf Packages release o=Raspbian,a=testing,n=bullseye,l=Raspbian,c=main,b=armhf origin archive.raspbian.org 150 http://archive.raspberrypi.org/debian buster/main armhf Packages release o=Raspberry Pi Foundation,a=testing,n=buster,l=Raspberry Pi Foundation,c=main,b=armhf origin archive.raspberrypi.org 500 http://raspbian.raspberrypi.org/raspbian buster/rpi armhf Packages release o=Raspbian,a=stable,n=buster,l=Raspbian,c=rpi,b=armhf origin raspbian.raspberrypi.org 500 http://raspbian.raspberrypi.org/raspbian buster/non-free armhf Packages release o=Raspbian,a=stable,n=buster,l=Raspbian,c=non-free,b=armhf origin raspbian.raspberrypi.org 500 http://raspbian.raspberrypi.org/raspbian buster/contrib armhf Packages release o=Raspbian,a=stable,n=buster,l=Raspbian,c=contrib,b=armhf origin raspbian.raspberrypi.org 500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages release o=Raspbian,a=stable,n=buster,l=Raspbian,c=main,b=armhf origin raspbian.raspberrypi.org Pinned packages:

As can be seen, Testing is the external repository with the lowest. Nevertheless, it contains 10 upgrades for packages.

pi@oldpi:~ $ sudo apt list --upgradable Listing... Done bluez/testing 5.50-1.2 armhf [upgradable from: 5.50-1.2~deb10u1+rpt1] device-tree-compiler/testing 1.6.0-1 armhf [upgradable from: 1.4.7-3+rpt1] dphys-swapfile/testing 20100506-6 all [upgradable from: 20100506-5+rpt1] fake-hwclock/testing 0.12 all [upgradable from: 0.11+rpt1] libasound2-data/testing 1.2.2-2.3 all [upgradable from: 1.1.8-1+rpt1] libasound2/testing 1.2.2-2.3 armhf [upgradable from: 1.1.8-1+rpt1] libssl1.1/testing 1.1.1g-1 armhf [upgradable from: 1.1.1d-0+deb10u3+rpt1] openssl/testing 1.1.1g-1 armhf [upgradable from: 1.1.1d-0+deb10u3+rpt1] rpi.gpio-common/testing 0.7.0-0.1 armhf [upgradable from: 0.7.0-0.1~bpo10+1] wireless-regdb/testing 2020.04.29-2 all [upgradable from: 2018.05.09-0~rpt1]

I have not tested any of these upgrades or anything else to do with the new kernel really. Hopefully nothing major is broken. If you do not want these packages and others to be installed on the next apt upgrade command, lower the testing repository priority.

pi@oldpi:~ $ sudo nano /etc/apt/preferences.d/limit-testing
Package: * Pin: release a=testing Pin-Priority: 50

Any value less than 100 should work. After saving the file, apt reports that no packages will be upgraded.

pi@oldpi:~ $ sudo apt update Get:1 http://archive.raspberrypi.org/debian buster InRelease [32.6 kB] Get:2 http://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB] Hit:3 http://archive.raspbian.org/raspbian testing InRelease Get:4 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages [13.0 MB] Get:5 http://archive.raspberrypi.org/debian buster/main armhf Packages [330 kB] Fetched 13.4 MB in 46s (294 kB/s) Reading package lists... Done Building dependency tree Reading state information... Done All packages are up to date.

Perhaps a cautious approach would be warranted in some circumstances, meaning that it may be preferable to wait until WireGuard makes it to the stable release of the operating system. That should not take too long since the presence of WireGuard in the testing repository should mean that it will be incorporated into the next stable release of Raspberry Pi OS. At that point, if it's not include in the image file (as is currently the case with Armbian and Ubuntu), then it will be possible to install the WireGuard packages with a simple sudo apt install wireguard. However, experience shows that even stable releases of a new version of the operating system can break things, so if I were to add WireGuard again on any Raspberry Pi, I would just go ahead and follow Daniel T. Wagner's instructions; but on a fresh install of Raspberry Pi OS to a new SD card, after setting aside my original SD card as a safe back up.

Installing and Configuring WireGuard on Raspberry Pi OS (January 2021)-> <-Installing and Configuring WireGuard on a Raspberry Pi