Install WireGuard on a Raspberry Pi 4
WireGuard is a communication protocol that implements virtual private network techniques to create secure point-to-point connections. A significant difference from other VPNs is its use of modern cryptographic primitives such as Curve25519, ChaCha20, Poly1305 and SipHash…
Information and requirements
These elements are to be taken into consideration to follow this article:
- You have configured your Raspberry Pi 4 model B as described here.
- Throughout this post, we will access the server via ras-001, a hostname that resolves to its local IP address.
Update the system
yay -Syyuu --noconfirm
Install WireGuard tools and module
yay --sync linux-raspberrypi4-headers wireguard-tools wireguard-dkms
Generate server key pair
wg genkey | tee server.key | wg pubkey > server.pub
The public key is derived from the private key with wg pubkey. Piping into a second wg genkey would ignore the private key and produce an unrelated random key, and no client would ever complete a handshake with it.
Edit private key permission
It is recommended to only allow reading and writing access for the owner.
chmod 600 server.key
Create the config file
Paste the contents of server.key (the key itself, not the file name) in place of the placeholder:
echo "[Interface]
PrivateKey = <contents of server.key>
Address = 10.0.0.1/8
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820" | sudo tee -a /etc/wireguard/wg0.conf
The file now holds the private key, so keep it readable by root only (chmod 600, as for server.key); wg-quick warns when the file is world accessible. SaveConfig = true tells wg-quick to write the running configuration, including peers added later with wg set, back into this file when the interface goes down, so hand edits made while wg0 is up will be overwritten. The PostUp/PostDown rules forward traffic arriving on wg0 and masquerade it behind eth0, which is what turns the Pi into a gateway once IP forwarding is enabled below.
You can also assign an IPv6 address by adding a second Address line.
Turn up the interface
sudo wg-quick up wg0
The server part is almost done. Let's move on to the client configuration. The following steps are carried out on my workstation, which runs Arch Linux.
Install WireGuard tools
yay -S wireguard-tools
Generate client key pair
wg genkey | tee <username>.key | wg pubkey > <username>.pub
chmod 600 <username>.key
Create the config file
In this example, paste:
- the content of <username>.key in the PrivateKey field;
- the server's public key (printed under interface: wg0 when you run sudo wg on the server, or the content of server.pub) in the PublicKey field;
- the IP address of the server's eth0 interface in the Endpoint field.
The endpoint below is the server's LAN address, so this client configuration only works from the same network. To connect from elsewhere, use the public address of your router and forward UDP port 51820 to the Pi.
echo "[Interface]
PrivateKey = <contents of <username>.key>
Address = 10.0.0.2/8
SaveConfig = true
DNS = 208.67.222.222
[Peer]
PublicKey = <server public key>
Endpoint = 192.168.0.17:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 30" | sudo tee -a /etc/wireguard/wg0.conf
AllowedIPs = 0.0.0.0/0, ::/0 sends all of the client's traffic through the tunnel: wg-quick installs the default route through wg0 together with a policy rule that exempts the encrypted packets to the endpoint. The DNS line keeps name resolution from leaking to the LAN resolver, and PersistentKeepalive keeps the NAT mapping towards the server alive.
Turn up the interface
sudo wg-quick up wg0
Your client is now ready, but the handshake will fail until the server knows its public key. Go back to the server to add the new peer.
Add the new peer
sudo wg set wg0 peer "$(cat <username>.pub)" allowed-ips 10.0.0.2/32
wg set expects the key itself, not the file name. allowed-ips is WireGuard's cryptokey routing rule: packets decrypted with this peer's key are accepted only if their source address is 10.0.0.2, and packets for 10.0.0.2 are encrypted to this peer. Keep it a single /32 per client rather than the whole 10.0.0.0/8, otherwise one client could spoof another. Thanks to SaveConfig = true, the peer is written to wg0.conf the next time the interface goes down.
You can also add an IPv6 address to allowed-ips.
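Adding peers one at a time with wg set works, but it is easy to hand out the wrong address or a malformed key. The script below is an added example, not code from the original post: it provisions a peer against a wg0.conf-style file (lowest free 10.0.0.x/32, key format check, duplicate check) and renders the matching client configuration from the "Create the config file" step above. The file name wg-peer.sh and the function names are assumptions; it also assumes SaveConfig = true has been removed from the server config so that the file, not the kernel state, is the source of truth.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: provision a WireGuard peer by
# editing a wg0.conf-style file instead of running "wg set" by hand.
# Assumptions: peers are written as "AllowedIPs = 10.0.0.N/32" (the post's
# 10.0.0.0/8 tunnel, server at 10.0.0.1) and SaveConfig is NOT set, so the
# file is the source of truth. Apply the result without downing the interface:
#   sudo wg syncconf wg0 <(wg-quick strip wg0)
set -euo pipefail

# A WireGuard key is 32 random bytes, base64-encoded: 44 characters, last one "=".
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Lowest unused host in 10.0.0.0/24 according to the AllowedIPs already present.
# Allocation starts at .2 because .1 is the server's own address.
next_free_ip() {
    local conf=$1 n=2
    while grep -Eq "^AllowedIPs *= *10\.0\.0\.${n}/32" "$conf"; do
        n=$((n + 1))
    done
    [ "$n" -le 254 ] || { echo "no free address left" >&2; return 1; }
    printf '10.0.0.%d' "$n"
}

# Append a [Peer] block for one public key, pinned to a single /32.
# The /32 is the cryptokey-routing rule: packets decrypted with this key are
# accepted only if their source address is that /32, so peers cannot spoof
# each other or the LAN. Prints the address that was assigned.
add_peer() {
    local conf=$1 pub=$2 name=$3 ip
    valid_key "$pub" || { echo "refusing malformed public key" >&2; return 1; }
    if grep -qF -- "PublicKey = $pub" "$conf"; then
        echo "peer already present" >&2; return 1
    fi
    ip=$(next_free_ip "$conf")
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$ip" >> "$conf"
    printf '%s' "$ip"
}

# Matching client-side config in the post's layout; the client pastes its own
# private key in place of the placeholder.
client_conf() {
    local server_pub=$1 endpoint=$2 ip=$3
    cat <<EOF
[Interface]
PrivateKey = <contents of the client's .key file>
Address = ${ip}/8
DNS = 208.67.222.222

[Peer]
PublicKey = ${server_pub}
Endpoint = ${endpoint}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 30
EOF
}

# Usage (as root, on the server):
#   source ./wg-peer.sh
#   ip=$(add_peer /etc/wireguard/wg0.conf "$(cat alice.pub)" alice)
#   client_conf "$(cat server.pub)" 192.168.0.17:51820 "$ip" > alice-wg0.conf
#   wg syncconf wg0 <(wg-quick strip wg0)
```

The address is allocated from the AllowedIPs lines already in the file, so two admins running the script in sequence cannot hand the same /32 to two clients. If you prefer to keep SaveConfig = true, add peers with wg set as in the post and do not edit the file while wg0 is up; mixing both approaches loses whichever change was made last.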
Allow IP forwarding
IPv4
echo "net.ipv4.ip_forward = 1" | sudo tee --append /etc/sysctl.d/wg.conf
IPv6
echo "net.ipv6.conf.all.forwarding = 1" | sudo tee --append /etc/sysctl.d/wg.conf
Load settings from all system configuration files.
sudo sysctl --system
Enable WireGuard at boot
sudo systemctl enable wg-quick@wg0
Watch encrypted traffic
sudo tcpdump -n -X --interface=eth0 host www.kernel.org
Run this on the client while fetching www.kernel.org: because AllowedIPs routes everything through wg0, the filter on the physical interface should match nothing. The only packets leaving eth0 are the WireGuard UDP datagrams to the endpoint, which you can inspect by replacing the host filter with udp port 51820. On the server, eth0 also carries the decrypted, masqueraded traffic towards www.kernel.org, so the same filter there shows plaintext.
Watch HTTP traffic going into the tunnel
sudo tcpdump -n -v --interface=wg0 port 80
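Eyeballing a tcpdump for a cleartext packet is error-prone; a small filter over the capture turns the check above into a repeatable leak test. The following is an added example, not part of the original post: it reads the line format of tcpdump -n on the client's physical interface and reports every IP packet that is not a WireGuard datagram to or from the endpoint. The function names, the constructed capture and the 203.0.113.10 documentation address are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a tunnel-leak check for the
# client. Capture on the physical interface and pipe it in:
#   sudo tcpdump -l -n -i eth0 | leaked_packets 192.168.0.17.51820
# With AllowedIPs = 0.0.0.0/0, the only IP traffic allowed to leave eth0 is the
# WireGuard datagrams to and from the endpoint; anything else went out in clear.
set -euo pipefail

# Print every IP/IP6 packet (tcpdump -n line format, without -e) that is neither
# sent to nor received from the WireGuard endpoint, given as host.port the way
# tcpdump -n prints it. Link-layer chatter such as ARP is not routed traffic and
# is skipped.
leaked_packets() {
    local endpoint=$1
    awk -v ep="$endpoint" '
        $2 != "IP" && $2 != "IP6" { next }    # ARP, STP, ...: not a leak
        $3 == ep || $5 == (ep ":") { next }   # the tunnel itself (src or dst)
        { print }
    '
}

# Number of leaked packets in a capture read from stdin.
leak_count() {
    leaked_packets "$1" | wc -l | tr -d ' '
}

# Constructed sample of what tcpdump -n -i eth0 could print on the client:
# two tunnel datagrams, an ARP request, a DNS query to the LAN resolver and a
# TLS handshake to a documentation address (203.0.113.10) that bypassed wg0.
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 192.168.0.23.51820 > 192.168.0.17.51820: UDP, length 148
12:00:00.000002 IP 192.168.0.17.51820 > 192.168.0.23.51820: UDP, length 92
12:00:00.000003 ARP, Request who-has 192.168.0.1 tell 192.168.0.23, length 28
12:00:00.000004 IP 192.168.0.23.40522 > 192.168.0.1.53: 1234+ A? www.kernel.org. (32)
12:00:00.000005 IP 192.168.0.23.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
EOF
}

# Demo on the constructed capture: the DNS query and the TLS SYN are leaks.
if [ "${1:-}" = "--demo" ]; then
    sample_capture | leaked_packets 192.168.0.17.51820
    echo "leaked packets: $(sample_capture | leak_count 192.168.0.17.51820)"
fi
```

The DNS query in the sample is the typical finding: a resolver handed out by DHCP keeps answering on the LAN even though the default route points at wg0, which is exactly what the DNS line in the client config is there to prevent. Run the check against a real capture taken while browsing through the tunnel; a non-zero count means something is still leaving the host outside WireGuard.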