How-To: Wireguard VPN on the Raspberry Pi 4

Do you want a wicked fast VPN back to to your home network that seamlessly roams between cellular/LTE and Wifi? Look no further than Wireguard. This blog post will show you how to install and configure Wireguard on a Raspberry Pi 4 and an endpoint such as your phone. I use this mainly in conjunction with my Pi-hole setup (see blog post here) to block ads/malware/trackers on all of my devices 24×7 no matter what network they are connected to or where in the world I am. It’s also great for streaming media services that are region locked when you are traveling outside of your ‘home’ region. 

To orient yourself to my network configuration, my internal network is 10.13.2.0/24. My DNS servers are 10.13.2.200 and 10.13.2.201. The private address space I’m using for Wireguard is 10.10.0.0/24. You will need to configure your border router/modem to allow UDP traffic in on the port number you select. In my case I’m using port 45454. 

Wireguard recently hit the 1.0 status, but still has not yet (as of this writing) made it into the Raspberry Pi OS (Buster) distribution. Configuration is a little tedious as you will see, but nothing too overwhelming. It’s definitely faster than OpenVPN, and seamlessly roams between network transitions.

These instructions were written using a fresh install of the 2020-05-27 build of Raspberry Pi OS based on Debian Buster. If you use a different build you may need to fiddle a bit with kernel headers and other packages to get Wireguard installed. Eventually Wireguard will likely come baked into Raspberry Pi OS. You can use this link to download the 2020-05-27 Raspberry Pi OS software package.  

If you want a fresh Raspberry Pi installation and want to follow my procedure for setting up a fresh Raspberry Pi 4b, follow steps 1-7 in my guide here.

1. First let’s update all the packages on your Raspberry Pi and reboot. 

2. Install Wireguard and QRencode from the repository.

3. This step will enable IP forwarding on the Raspberry Pi, then we need to reboot. After the reboot we need to make sure IP forwarding is enabled, and the sysctl command should return a value of ‘1’.

4. Let’s set a little security before moving on.

NOTE: There are at least two ways we can create the somewhat tedious server and peer configuration files. I will show you two methods, one is “manual” and the other uses a free web tool, which is much faster and easier. If you want to use the web tool, skip down to that major section heading below. If you want to do this manually, continue on with the next steps.

5. Now we need to generate public and private keys for the server and client(s). After the last command, list the directory contents and ensure that you have four (4) files.

6. View the keys (will be needed later in the process).

7. Now we need to make a configuration file. This part can get a little tricky, so pay attention. Wireguard needs it’s own private IP address space which can’t overlap with your home IP address space. So, unless your home IP space is 10.10.0.0/24 then don’t change the ‘address’ or ‘AllowedIPs’ in the configuration below. What you do need to change is ListenPort (anything above 1024), PrivateKey (from ‘cat server_publickey‘), Publickey (from cat peer1_publickey). 

You also need one [Peer] section PER unique client that will be using the VPN. So if you have a laptop, phone and tablet, create three peer sections. To create more peer keys, use the following commands:

8. Make a wg0.conf file with the following command, and use the contents below. Make sure each Peer has a unique IP address for ‘AllowedIPs‘. 

nano /etc/wireguard/wg0.conf

9. Now each client will need it’s own configuration file as well. So if you have three clients, three files are needed. Let’s make the first client file. Modify the DNS, PrivateKey, PublicKey, and Endpoint information to suit your network. Make sure the ‘Address’ matches what you configured in the [Peer] section above for each client.

nano /etc/wireguard/peer1.conf

10. Now we can display a QR code that you can scan with the camera on your phone or tablet to import the Wireguard configuration. Repeat this process for each peer file. If you need to configure a device without a camera, like your laptop, just download/copy/paste the peer.config file and import it to the Wireguard client.

Wireguard Web Configuration Generator

As I mentioned above, there is a free Wireguard web configuration generator tool. I have no connection with this tool, and I can’t vouch for it. However, I’ve seen the author claim the tool runs fully on the client side and no information at all is transferred off the client. The author claims you can even grab a full HTML copy of the site and run it on an air-gapped system without issue. If you don’t trust the tool, you can use the manual configuration steps as I’ve described above. 

  1. Go to the WireGuard Configuration Generator site. Fill in the details that match your desired configuration. Remember that the CIDR block is a private IP space that your network is currently NOT using. I suggest filling in all optional fields, and also check the box for pre-shared keys. Don’t change the post-up or post-down rules unless you know what you are doing. Click on the Generate Config button. 

2. Copy and paste the Server configuration section into /etc/wireguard/wg0.conf. 

3. For Wireguard clients that have a camera, open the Wireguard app and add a new connection using a QR code. Scan the client QR code, and viola! Your Wireguard client is now configured. If your Wireguard client has a section for DNS servers (such as iOS), you will need to manually enter those. 

Note: Every Wireguard client needs a unique QR code. Do NOT re-use QR codes across multiple clients or you will run into problems. If you know you will need more clients down the road, I’d go ahead and generate them all now and then download the ZIP file (keeping it in a safe and secure location) so you can add clients later. 

Final Configuration

Note: Do these steps regardless of how you created the configuration files. 

1. Now that we have most of the configuration done, let’s wrap up the security and bring up the Wireguard server. 

2. You can now go to one of your Wireguard clients and enable the VPN. Assuming you have poked the proper holes into your firewall and port forwarded to your Raspberry Pi, it will now bring up the VPN. From your client you can do test pings to your internal network and the internet to confirm proper routing. 

Note: If you install the Wireguard client on your cell phone, I’d suggest enabling the ‘on demand activation’ for Cellular. This will automatically toggle the VPN on when you drop WiFi and connect to the cell network. You can also set on-demand for WiFi, but that can cause problems with hotspots that have a captive portal so I keep that setting off. 

Print Friendly, PDF & Email

Related Posts

Subscribe
Notify of
7 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Michael Tan
June 23, 2020 5:32 pm

Thank you for another excellent post.

Just why didn’t you use PIVPN for this? It seems to be so much easier.

Kenneth Lavrsen
June 25, 2020 3:26 am

It seems all the important instructions are missing. Each step has the blabla but the essential commands you have to type are missing

David H
July 4, 2020 10:48 am
Reply to  Derek Seaman

is the plugin still having an issue? i can’t see commands below any steps, ie step 1 for updating packages or step 2 for installing wireguard.