Goal: Set up the RASPBERRY PI 4 as a VPN server. Clients establish a secure VPN tunnel to the server and then reach the Internet through that tunnel.

Setup:

  • Hardware: RASPBERRY PI 4 4G Model B (Cortex-A72)
  • OS: Raspbian Buster Lite (2019-07-10)

Install WireGuard

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install raspberrypi-kernel-headers
sudo apt-get install libmnl-dev libelf-dev build-essential pkg-config
sudo reboot

wget https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20190702.tar.xz
tar xf WireGuard-0.0.20190702.tar.xz
cd WireGuard-0.0.20190702/src
make
sudo make install
# Enable IP Forwarding
# /etc/sysctl.conf set: net.ipv4.ip_forward = 1
sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sudo reboot

# Validate config change. Expected result: net.ipv4.ip_forward = 1
sysctl net.ipv4.ip_forward

Generate private and public keys for server and client1

mkdir wgkeys
cd wgkeys

# Server Key-pair
wg genkey > server_private.key
wg pubkey > server_public.key < server_private.key

# Client1 Key-pair
wg genkey > client1_private.key
wg pubkey > client1_public.key < client1_private.key
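The two key pairs above are generated as the current user with the default umask, so the private key files end up world-readable. The script below is an added example (not part of the original guide) that does the same generation with a restrictive umask and checks the result: a WireGuard key is 32 bytes encoded as 43 base64 characters plus a trailing "=". It assumes the `wg` tool from the install step is on the PATH; the `wgkeys` directory and the `_private.key`/`_public.key` naming are the guide's own.

```shell
#!/bin/sh
# Added example: generate WireGuard key pairs with owner-only permissions
# and sanity-check the key material. Assumes `wg` is installed (gen_keypair);
# valid_wg_key and key_file_is_private need only grep/stat.

# A WireGuard key is 32 random bytes, base64-encoded: 43 base64 chars + "=".
valid_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Returns 0 if the file is a regular file with mode 0600 or 0400, 1 otherwise.
key_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: gen_keypair <name> [<dir>]
# Creates <dir>/<name>_private.key and <dir>/<name>_public.key (default dir: wgkeys).
gen_keypair() {
    name=$1
    dir=${2:-wgkeys}
    mkdir -p "$dir"
    (
        umask 077   # files are created 0600 before any key bytes are written
        wg genkey > "$dir/${name}_private.key"
        wg pubkey < "$dir/${name}_private.key" > "$dir/${name}_public.key"
    )
    priv=$(cat "$dir/${name}_private.key")
    pub=$(cat "$dir/${name}_public.key")
    valid_wg_key "$priv" && valid_wg_key "$pub" || {
        echo "key generation for $name produced malformed output" >&2
        return 1
    }
    echo "$name: public key $pub"
}

# Only runs the generation when explicitly requested, e.g. WG_KEYGEN_RUN=1 sh keys.sh
if [ "${WG_KEYGEN_RUN:-0}" = "1" ]; then
    gen_keypair server
    gen_keypair client1
    for f in wgkeys/*_private.key; do
        key_file_is_private "$f" || echo "WARNING: $f is group/world readable" >&2
    done
fi
```

The public key is the only thing that leaves the machine (it goes into the other side's [Peer] block); the private key file should never be copied anywhere except into the corresponding [Interface] configuration.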

VPN Server Configuration

sudo nano /etc/wireguard/wg0.conf

# Edit file content
[Interface]
Address = 10.200.200.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <server private key>

# note - substitute eth0 in the following lines to match the Internet-facing interface
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# client1
PublicKey = <Client public key>
AllowedIPs = 10.200.200.2/32

# Start
sudo wg-quick up wg0
# Validating
sudo wg

# Automatically start at startup
sudo systemctl enable wg-quick@wg0
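Pasting keys into `nano` by hand is error-prone, and a wrong `eth0` in the PostUp/PostDown lines silently breaks Internet access for clients. The following is an added example, not code from the original guide, that renders the same wg0.conf from the key files created earlier, picks the Internet-facing interface from the default route, and repeats the ip_forward check from the sysctl step. The key directory layout (`wgkeys/server_private.key`, `wgkeys/client1_public.key`) and the addresses are the guide's; `detect_wan_if`, `render_server_conf` and `install_server_conf` are names chosen here.

```shell
#!/bin/sh
# Added example: build /etc/wireguard/wg0.conf from the generated key files
# and run the preflight checks the guide's steps rely on.

# The interface carrying the default route is normally the Internet-facing one
# (eth0 or wlan0 on the Pi).
detect_wan_if() {
    ip -o route show default 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Prints the server configuration.
# Arguments: <wan_if> <server private key> <client1 public key>
render_server_conf() {
    wan_if=$1; server_priv=$2; client_pub=$3
    cat <<EOF
[Interface]
Address = 10.200.200.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = $server_priv

# FORWARD only accepts traffic arriving on the tunnel; replies coming back in on
# $wan_if rely on the default FORWARD policy being ACCEPT (Raspbian default).
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan_if -j MASQUERADE

[Peer]
# client1
PublicKey = $client_pub
AllowedIPs = 10.200.200.2/32
EOF
}

# Returns 0 when the kernel forwards IPv4 packets (the guide's sysctl step).
ip_forward_enabled() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ]
}

# Writes the config with owner-only permissions (wg-quick warns when it is
# world readable, because the file holds the server's private key).
install_server_conf() {
    keydir=${1:-wgkeys}; out=${2:-/etc/wireguard/wg0.conf}
    wan_if=$(detect_wan_if)
    [ -n "$wan_if" ] || { echo "no default route found; set the interface manually" >&2; return 1; }
    ip_forward_enabled || echo "WARNING: net.ipv4.ip_forward is not 1; clients will not reach the Internet" >&2
    (
        umask 077
        render_server_conf "$wan_if" \
            "$(cat "$keydir/server_private.key")" \
            "$(cat "$keydir/client1_public.key")" > "$out"
    )
    echo "wrote $out (masquerading via $wan_if)"
}

# Run as root, e.g.: sudo WG_SERVER_CONF_RUN=1 sh server-conf.sh wgkeys /etc/wireguard/wg0.conf
if [ "${WG_SERVER_CONF_RUN:-0}" = "1" ]; then
    install_server_conf "${1:-wgkeys}" "${2:-/etc/wireguard/wg0.conf}"
fi
```

After writing the file, `sudo wg-quick up wg0` and `sudo wg` validate it exactly as in the steps above; `wg-quick` refuses to start if the PrivateKey or PublicKey lines are malformed, so a bad paste shows up immediately rather than as a tunnel that never handshakes.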

VPN Client Configuration

For most operating systems the installation of WireGuard is straightforward: https://www.wireguard.com/install/

sudo nano /etc/wireguard/wg0-client.conf

# File content
[Interface]
Address = 10.200.200.2/24
PrivateKey = <client private key>
# DNS = 10.200.200.1

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <VPN server IP>:51820

# Connect to the VPN server
sudo wg-quick up wg0-client
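`sudo wg` on the server shows a "latest handshake" per peer, which is the quickest way to tell whether the client above actually connected. The script below is an added example (not from the original guide) that reads the machine-readable form of that output, `wg show wg0 dump`, and classifies every peer as OK, STALE or NEVER so the check can run unattended. The dump format is WireGuard's own (one tab-separated interface line, then one line per peer with the handshake time as a Unix epoch, 0 meaning never); the SAMPLE_DUMP and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: classify peers by handshake age from `wg show <if> dump`.
# Peer lines are tab-separated:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx-bytes  tx-bytes  keepalive
# latest-handshake is a Unix epoch; 0 means the peer has never completed a handshake.

# Arguments: <dump text> <now epoch> [<max age in seconds, default 180>]
# Prints one line per peer: "<STATUS> <key prefix> allowed=<ips> endpoint=<addr>".
peer_handshake_status() {
    dump=$1; now=$2; max_age=${3:-180}
    printf '%s\n' "$dump" | awk -F '\t' -v now="$now" -v max_age="$max_age" '
        NR == 1 { next }          # first line describes the interface, not a peer
        NF < 5  { next }
        {
            key = substr($1, 1, 8) "..."
            last = $5 + 0
            if (last == 0)                 status = "NEVER"   # configured, never connected
            else if (now - last > max_age) status = "STALE"   # handshakes renew every ~2 min while traffic flows
            else                           status = "OK"
            printf "%s %s allowed=%s endpoint=%s\n", status, key, $4, $3
        }'
}

# Exit status 0 only if every peer is OK; suitable for a cron job or systemd timer.
all_peers_ok() {
    ! peer_handshake_status "$1" "$2" "${3:-180}" | grep -Evq '^OK '
}

# Constructed sample: client1 handshook 30 s before "now" (1700000000);
# a second configured peer has never connected. Keys are placeholders.
SAMPLE_DUMP="$(printf 'SERVERPRIVKEYPLACEHOLDER=\tSERVERPUBKEYPLACEHOLDER=\t51820\toff
CLIENT1PUBKEYPLACEHOLDER=\t(none)\t203.0.113.10:41234\t10.200.200.2/32\t1699999970\t18344\t20120\toff
CLIENT2PUBKEYPLACEHOLDER=\t(none)\t(none)\t10.200.200.3/32\t0\t0\t0\toff')"

if [ "${WG_CHECK_RUN:-0}" = "1" ]; then
    # Live use on the server (needs root to read the interface state).
    peer_handshake_status "$(sudo wg show wg0 dump)" "$(date +%s)"
else
    peer_handshake_status "$SAMPLE_DUMP" 1700000000
fi
```

Run with `WG_CHECK_RUN=1` on the Pi to check the real wg0 interface; without it the script evaluates the constructed sample. A peer that stays at NEVER after `sudo wg-quick up wg0-client` on the client almost always means a key mismatch between the two configs or UDP port 51820 not reaching the server; STALE after a working session usually means the client roamed to a network that blocks the port.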

Hint: Android's WireGuard app can import a WireGuard configuration via QR code.

qrencode -t ASCIIi -r wg0-client.conf

Inspiration

Inspired by: