Install WireGuard on a Raspberry Pi 4

WireGuard is a communication protocol that implements virtual private network techniques to create secure point-to-point connections. A significant difference from other VPNs is its use of modern cryptographic primitives such as Curve25519, ChaCha20, Poly1305, SipHash…

Information and requirements

These elements are to be taken into consideration to follow this article:

Update the system

yay -Syyuu --noconfirm

Install WireGuard tools and module

yay --sync linux-raspberrypi4-headers wireguard-tools wireguard-dkms

Generate server key pair

wg genkey | tee server.key | wg pubkey > server.pub

Edit private key permission

It is recommended to only allow reading and writing access for the owner.

chmod 600 server.key

Create the config file

echo "[Interface]
PrivateKey = <server.key>
Address = 10.0.0.1/8
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820" | sudo tee -a /etc/wireguard/wg0.conf

Replace <server.key> with the contents of server.key (the base64 key itself), not the file name. You can also specify an IPv6 address by adding another Address entry.

Turn up the interface

sudo wg-quick up wg0

The server part is almost done. Let’s jump into the client configuration. The following steps are carried out on my workstation, which runs Arch Linux.

Install WireGuard tools

yay -S wireguard-tools

Generate client key pair

wg genkey | tee <username>.key | wg pubkey > <username>.pub
chmod 600 <username>.key

Create the config file

In this example, paste the following, replacing <username>.key with the contents of the client's private key file and <public key> with the server's public key (the contents of server.pub):

echo "[Interface]
PrivateKey = <username>.key
Address = 10.0.0.2/8
SaveConfig = true
DNS = 208.67.222.222

[Peer]
PublicKey = <public key>
Endpoint = 192.168.0.17:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 30" | sudo tee -a /etc/wireguard/wg0.conf

Turn up the interface

sudo wg-quick up wg0

Your client is now ready! Go back to the server to add our brand new peer.

Add the new peer

sudo wg set wg0 peer <username>.pub allowed-ips 10.0.0.2/32

Here <username>.pub stands for the client's public key string, copied over from the client. You can also specify an IPv6 address.
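As an added example (not part of the original article), a small POSIX shell script that checks the client's public key and its allowed IP before running the wg set command above, so that a mistyped key or an over-broad AllowedIPs never reaches the server. The script name, the 10.0.0.0/8 range check and the use of GNU coreutils base64 are assumptions.

```shell
#!/bin/sh
# add-peer.sh (added example, not from the original article): validate a client's
# public key and allowed IP, then add the peer to wg0 with `wg set`.
# Assumes GNU coreutils base64 (`base64 -d`).
set -u

# A WireGuard key is 32 raw bytes, i.e. exactly 44 base64 characters ending in '='.
valid_wg_key() {
    k=$1
    [ "${#k}" -eq 44 ] || return 1
    case $k in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    n=$(printf '%s' "$k" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" = 32 ]
}

# On the server, AllowedIPs is an access-control list: it decides which source
# addresses this peer may send from. Insist on one host (/32) inside 10.0.0.0/8
# (the tunnel range assumed here), never 0.0.0.0/0.
valid_peer_ip() {
    cidr=$1
    case $cidr in 10.*/32) ;; *) return 1 ;; esac
    ip=${cidr%/32}
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the [Peer] block the server will hold, or fail (non-zero) if an input is bad.
peer_block() {
    valid_wg_key "$1" || { echo "rejected: not a 32-byte base64 key" >&2; return 1; }
    valid_peer_ip "$2" || { echo "rejected: AllowedIPs must be a 10.x.x.x/32 host" >&2; return 1; }
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
}

# Usage: sh add-peer.sh "$(cat <username>.pub)" 10.0.0.2/32
if [ $# -eq 2 ]; then
    peer_block "$1" "$2" || exit 1      # echoes the block for the record
    # Apply live; with SaveConfig = true (as in the server config above) wg-quick
    # writes it into wg0.conf the next time the interface goes down.
    sudo wg set wg0 peer "$1" allowed-ips "$2"
fi
```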

Allow IP forwarding

IPv4

echo "net.ipv4.ip_forward = 1" | sudo tee --append /etc/sysctl.d/wg.conf

IPv6

echo "net.ipv6.conf.all.forwarding = 1" | sudo tee --append /etc/sysctl.d/wg.conf

Load settings from all system configuration files.

sudo sysctl --system

Enable WireGuard at boot

sudo systemctl enable wg-quick@wg0

Watch encrypted traffic

sudo tcpdump -n -X --interface=eth0 host www.kernel.org

Watch HTTP traffic going through the tunnel

sudo tcpdump -n -v --interface=wg0 port 80