tigernero
Posts: 196
Joined: Fri Dec 30, 2016 5:51 pm

Guide: Install Wireguard On Raspberry latest releases

Sat Jun 13, 2020 2:01 pm

The official procedure for having the latest versions of wireguard on our raspberries starting from p0 up to pi4 is as follows:

Code: Select all

1) sudo su

2) apt install raspberrypi-kernel-headers libelf-dev libmnl-dev build-essential git

3) git clone https://git.zx2c4.com/wireguard-linux-compat

4) git clone https://git.zx2c4.com/wireguard-tools

Compile and install the module

5) make -C wireguard-linux-compat/src -j$(nproc)

6) sudo make -C wireguard-linux-compat/src install

Compile and install the wg(8) tool

7) make -C wireguard-tools/src -j$(nproc)

8) sudo make -C wireguard-tools/src install

Once WireGuard is done installing we're gonna enable IP Forwarding then reboot the Pi:

Code: Select all

9) sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

10) sudo reboot

After rebooting, verify that IP Forwarding was enabled before proceeding to the next part. To do that enter the following, your output will be 1:

Code: Select all

sysctl net.ipv4.ip_forward

GENERATE PRIVATE AND PUBLIC KEYS FOR SERVER AND CLIENT

Code: Select all

sudo su

cd /etc/wireguard

umask 077

wg genkey | tee peer1_privatekey | wg pubkey > peer1_publickey

wg genkey | tee server_privatekey | wg pubkey > server_publickey

ls  

# ↑ Verify the keys got generated

peer1_privatekey peer1_publickey server_privatekey server_publickey

You can view your keys using the cat command like so:

cat server_publickey

cat server_privatekey

cat peer1_publickey

cat peer1_privatekey

CONFIGURE WIREGUARD SERVER

Make a wg0.conf file in ‘/etc/wireguard/’ :

11) sudo nano /etc/wireguard/wg0.conf

Copy and paste the following template and make changes as needed.
Make sure to enter the right key in the right line.

Code: Select all

[Interface]
Address = 10.9.0.1/24
ListenPort = xxxxx  
DNS = 192.168.x.xx 
PrivateKey = server_privatekey 

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#Peer-1
PublicKey = peer1_publickey
AllowedIPs = 10.9.0.2/32 
#PersistentkeepAlive = 60

CONFIGURE WIREGUARD CLIENT

Make a peer1.conf file in ‘/etc/wireguard/’ :

12) sudo nano /etc/wireguard/peer1.conf

Copy and paste the following template and make changes as needed.

Code: Select all

[Interface]
Address = 10.9.0.2/32
DNS = 192.168.x.x 
PrivateKey = peer1_privatekey 

[Peer]
PublicKey = server_publickey 
Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
AllowedIPs = 0.0.0.0/0, ::/0
#PersistentkeepAlive = 60

Lines you need to modify:

DNS: what you want

PrivateKey: Enter the key you get from 'cat peer1_privatekey'

PublicKey: Enter the key you get from 'cat server_publickey'

Endpoint: Your-Public-IP or DDNS:The-Port-You-Forwarded

AllowedIPs: 0.0.0.0/0, ::/0 (allows all traffic to route through wg aka full tunnel)

(OR)

AllowedIPs: 192.168.1.0/24 (allows split tunnel with LAN access and DNS only, your router's subnet)

EXPORT THE CLIENT CONFIGURATION TO YOUR PHONE USING QR CODE

Code: Select all

13) sudo apt install qrencode

14) sudo qrencode -t ansiutf8 < /etc/wireguard/peer1.conf

A QR code will be generated, you will need to scan this code and import it to the WireGuard app on your phone. Install the app and do that now.

FINALISE INSTALLATION

After your client profile has been imported to your phone run the following commands to finish up the installation on the Pi:

Code: Select all

15) sudo systemctl enable wg-quick@wg0

16) sudo chown -R root:root /etc/wireguard/

17) sudo chmod -R og-rwx /etc/wireguard/*

I hope I have been of help to many of you soon Ti@er

tigernero
Posts: 196
Joined: Fri Dec 30, 2016 5:51 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Sat Jun 13, 2020 5:19 pm

I am also writing up here how to set up the presharedkey in WireGuard, since WireGuard provides for it; it introduces a second safety factor.

In practice, the PresharedKey prevents a future post-quantum break of the VPN from deciphering VPN connections saved over time.

We can generate a presharedkey for each generated peer (user).
But we can also use one presharedkey for all peers.

To generate the presharedkey we use the command

Code: Select all

wg genpsk > presharedkey

Instead of presharedkey, we can give the file any name we want.

Do this in /etc/wireguard, with the command sudo nano /etc/wireguard/presharedkey

We take the newly created presharedkey and put it both inside the various peers created and in the wg0.conf file.

The entry will look like this, where the value of the presharedkey is taken from the created file:

Code: Select all

 PresharedKey = XXXXxxxxxXXjyuQfYAcy3Ofu7KX5/K+iXyM3L7Cc=

This allows the WireGuard VPN traffic to be encrypted with an additional key, so that in a future in which quantum computers dominate it will not be possible to decrypt old saved recordings of connections, thanks to the fact that each session is encrypted with a different key generated by the presharedkey itself.

see you
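
Added example, not part of the original posts: a shell function that writes the wg0.conf and peer1.conf templates from the guide straight from the key files, so no key is pasted by hand, and puts the same PresharedKey in the [Peer] section of both files. The function name render_configs and its arguments (listen port, endpoint host, DNS server) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: assemble wg0.conf and peer1.conf from the guide's key files.
# Port, endpoint host and DNS are values you supply for your own setup.

# render_configs DIR LISTEN_PORT ENDPOINT_HOST DNS
render_configs() (
    dir=$1 port=$2 endpoint=$3 dns=$4
    for f in server_privatekey server_publickey \
             peer1_privatekey peer1_publickey presharedkey; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; exit 1; }
    done
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; exit 1 ;; esac

    umask 077    # new files are created 0600; the subshell keeps this local
    psk=$(cat "$dir/presharedkey")

    # Server side: its own private key, the peer's public key, the shared PSK.
    cat > "$dir/wg0.conf" <<EOF
[Interface]
Address = 10.9.0.1/24
ListenPort = $port
DNS = $dns
PrivateKey = $(cat "$dir/server_privatekey")

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#Peer-1
PublicKey = $(cat "$dir/peer1_publickey")
PresharedKey = $psk
AllowedIPs = 10.9.0.2/32
EOF

    # Client side: the mirror image, with the same PSK in its [Peer] section.
    cat > "$dir/peer1.conf" <<EOF
[Interface]
Address = 10.9.0.2/32
DNS = $dns
PrivateKey = $(cat "$dir/peer1_privatekey")

[Peer]
PublicKey = $(cat "$dir/server_publickey")
PresharedKey = $psk
Endpoint = ${endpoint}:${port}
AllowedIPs = 0.0.0.0/0, ::/0
EOF
    # umask only affects newly created files; tighten pre-existing ones too.
    chmod 600 "$dir/wg0.conf" "$dir/peer1.conf"
)

# Usage (as root): render_configs /etc/wireguard 51820 vpn.example.org 192.168.1.1
```

Run as root in place of steps 11 and 12, this leaves both files readable by root only and never prints a key to the terminal.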

Learning2PI
Posts: 1
Joined: Wed Jul 08, 2020 11:28 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Wed Jul 08, 2020 11:32 pm

Thanks so much for this! This may be a dumb question, but how do I turn it “on”?

I followed the steps, but used addresses and keys from a Mullvad wireguard configuration. As far as I can tell it configured fine. When I used the QR code to import to my phone, it shows me connected to the Mullvad server I configured. My Pi doesn’t though.

tigernero
Posts: 196
Joined: Fri Dec 30, 2016 5:51 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Thu Jul 09, 2020 5:00 pm

Give some more information and post your configuration; I did not understand what Mullvad is. Something is wrong for sure. But does it work without the QR code?

HvdW
Posts: 163
Joined: Tue Jun 17, 2014 12:41 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Thu Jul 09, 2020 5:21 pm

Hi,
Great tutorial.

For the easy-going people I'd suggest to go PiVPN, a one click reliable install.
Who knows knows
Who doesn't doesn't

tigernero
Posts: 196
Joined: Fri Dec 30, 2016 5:51 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Fri Jul 10, 2020 5:52 pm

Yes, true, PiVPN installs WireGuard, but as the title I chose says, my guide allows you to have the latest WireGuard versions, which with PiVPN you do not get immediately; sometimes you have releases that are 30 days old, always reliable, but with a click I always keep WireGuard updated.

Compile and install the module

make -C wireguard-linux-compat/src -j$(nproc)

sudo make -C wireguard-linux-compat/src install

Compile and install the wg(8) tool

make -C wireguard-tools/src -j$(nproc)

sudo make -C wireguard-tools/src install

sudo reboot

thatchunkylad198966
Posts: 381
Joined: Thu Jul 04, 2019 10:21 am
Location: UK, Birmingham

Re: Guide: Install Wireguard On Raspberry latest releases

Fri Jul 10, 2020 7:00 pm

... Or you can use PiVPN which configures Wireguard for you on *any* Pi.
One man's trash is another man's treasure! :) Pi's I have; Pi Zero, Pi Zero W, Pi 2 x2, Pi 3 x2, Pi 4 4GB x2.

tigernero
Posts: 196
Joined: Fri Dec 30, 2016 5:51 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Fri Jul 10, 2020 9:20 pm

Already written by another user. The only difference is that you will not have the latest WireGuard versions; my guide allows that. Here's how it goes: sometimes PiVPN stays with releases older than 30 days.

ejolson
Posts: 5963
Joined: Tue Mar 18, 2014 11:47 am

Re: Guide: Install Wireguard On Raspberry latest releases

Sat Jul 11, 2020 12:11 am

tigernero wrote:
Sat Jun 13, 2020 2:01 pm
The official procedure for having the latest versions of wireguard on our raspberries starting from p0 up to pi4

Have you managed to make this work when the 64-bit kernel is enabled in config.txt with the option arm_64bit?

https://www.raspberrypi.org/documentati ... xt/boot.md

tigernero
Posts: 196
Joined: Fri Dec 30, 2016 5:51 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Sat Jul 11, 2020 10:04 am

If you are referring to 32-bit Raspbian piOS but with a 64-bit kernel and obviously 32-bit userland: no, I have never tried. If I install a 32-bit system I want everything in 32-bit.

If you are referring instead to Raspbian piOS 64 bit, with a 64-bit kernel and 64-bit userland: yes, and it works.

ejolson
Posts: 5963
Joined: Tue Mar 18, 2014 11:47 am

Re: Guide: Install Wireguard On Raspberry latest releases

Sat Jul 11, 2020 6:32 pm

tigernero wrote:
Sat Jul 11, 2020 10:04 am
If you are referring to 32-bit Raspbian piOS but with a 64-bit kernel and obviously 32-bit userland: no, I have never tried. If I install a 32-bit system I want everything in 32-bit.

If you are referring instead to Raspbian piOS 64 bit, with a 64-bit kernel and 64-bit userland: yes, and it works.

That's good to know. There are good reasons to run a 32-bit user land on a 64-bit kernel, the main one being that the kernel itself has an easier time keeping track of and allocating memory. As of last week, the kernel headers for the 64-bit kernel that is a part of the standard 32-bit Raspberry Pi OS are missing, or at least I can't find them. That is why I asked.

It's also possible that having the headers would be anyway useless, as the 32-bit system compiler may be unable to build 64-bit kernel modules. I wonder if the WireGuard module compiled on the 64-bit beta test would load into the 64-bit kernel used for the 32-bit distribution.

tigernero
Posts: 196
Joined: Fri Dec 30, 2016 5:51 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Sat Jul 11, 2020 7:58 pm

Personally, if you don't need to allocate more than 3GB of RAM in a single operation, I recommend Raspbian piOS 32 bit; otherwise use Raspbian piOS 64 bit, although it is in beta, and put WireGuard on it.

BenoitSvB
Posts: 23
Joined: Sun Sep 29, 2013 8:57 am

Re: Guide: Install Wireguard On Raspberry latest releases

Wed Jul 22, 2020 7:28 am

Thank you for a nice guide. For me it proved to be an easy and practical way to implement a vpn. Now I use it I have 2 additional questions:
1. Is there a service to notify wireguard users of a new stable release?
2. Can you expand your guide with instructions for updating an installed instance?

davide_ent
Posts: 1
Joined: Wed Aug 19, 2020 1:04 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Wed Aug 19, 2020 1:21 pm

Good morning,
I've installed wireguard on a PI3 b+ as described in your post (as server).
But I have an issue: I can establish a VPN tunnel only if the client is on the local network and if the Endpoint (in client config) has a private IP 192.16.x.x.
In any case, if the endpoint is a DNS name or a public IP (e.g. 82.99.x.x) the handshake does not happen.
Port forwarding works fine, because I've tried opening port 22 on the PI server and forwarding it on the router, and I'm able to establish an SSH connection even if I'm outside the LAN.
I've tried lots of different ports (51820,443,9111...) and they work fine with port forwarding to the PI, but only if used by other services.
It seems that some rule drops any packet to the Wireguard server if it comes from outside the LAN.
What may be the issue? I am not familiar with IPTABLES...
Thanks and best regards

thexphiles
Posts: 8
Joined: Mon Aug 24, 2020 1:34 am

Re: Guide: Install Wireguard On Raspberry latest releases

Wed Aug 26, 2020 2:42 am

Thank you for this guide. Unfortunately, I get an error right after step 6.

Code: Select all

root@raspberrypi:/home/pi# make -C wireguard-linux-compat/src install
make: Entering directory '/home/pi/wireguard-linux-compat/src'
  INSTALL /home/pi/wireguard-linux-compat/src/wireguard.ko
  DEPMOD  5.4.51+
Warning: modules_install: missing 'System.map' file. Skipping depmod.
depmod -b "/" -a 5.4.51+
make: Leaving directory '/home/pi/wireguard-linux-compat/src'

It's a Pi Zero. Any idea what I'm doing wrong?

BenoitSvB
Posts: 23
Joined: Sun Sep 29, 2013 8:57 am

Re: Guide: Install Wireguard On Raspberry latest releases

Wed Aug 26, 2020 10:35 am

@thexphiles:
Warning: modules_install: missing 'System.map' file. Skipping depmod.
As far as I know it is a Warning only, not a Fatal Error. I got the same message but just continued to follow the Guide till the end. Everything works fine here.

@davide_ent:

Can you post your server and client config?

BenoitSvB
Posts: 23
Joined: Sun Sep 29, 2013 8:57 am

Re: Guide: Install Wireguard On Raspberry latest releases

Wed Aug 26, 2020 10:40 am

thexphiles wrote:
Wed Aug 26, 2020 2:42 am
It's a Pi Zero. Any idea what I'm doing wrong?

I guess you meant a Pi Zero W? Without network connectivity there seems no point in making your Pi a Wireguard server (or client)...

thexphiles
Posts: 8
Joined: Mon Aug 24, 2020 1:34 am

Re: Guide: Install Wireguard On Raspberry latest releases

Wed Aug 26, 2020 3:37 pm

Nope, I meant Pi Zero. I have an Ethernet adapter attached. I have a Pi Zero W I can try to see if it works any differently, but I didn't need wifi for this project so it's hard-wired.

BenoitSvB
Posts: 23
Joined: Sun Sep 29, 2013 8:57 am

Re: Guide: Install Wireguard On Raspberry latest releases

Wed Aug 26, 2020 3:59 pm

:) I see, your Pi Zero is connected with a USB Ethernet connector?
Anyhow, I hope that when you follow the guide after the System.map warning, that eventually your VPN will work. Good luck!

thexphiles
Posts: 8
Joined: Mon Aug 24, 2020 1:34 am

Re: Guide: Install Wireguard On Raspberry latest releases

Thu Aug 27, 2020 4:05 pm

You know, it looks like it worked, after all. I guess I imagined there'd be more feedback that the install went correctly. That'll teach me not to post questions without checking first.

So thanks so much for that guide, it's a life-saver.

Onto a different question, since this is my first time setting up Wireguard. I have a Pi 4 running Wireguard in server mode and it generated config and key files for a bunch of peers. I know they work since I used the WG client on my phone to scan a QR code from one of those peers and it works as expected. I want this Pi Zero to be another peer like that and I can't seem to make it work right. I've copied a set of peer.conf, private and public keys from the Pi 4 server to /etc/wireguard on the Pi Zero, renamed peer.conf to wg0.conf and rebooted. wg show wg0 on the Pi Zero shows data being sent and not received and the same command on the Pi 4 shows no handshake.

Just to be clear, I can't use a QR code since my client is command-line only (Pi Zero) so that's why I manually copied the files.

I've clearly done something wrong with the keys and conf files, but can't figure out what. Any ideas or posts that'll reveal what I'm missing?

Thanks.

thexphiles
Posts: 8
Joined: Mon Aug 24, 2020 1:34 am

Re: Guide: Install Wireguard On Raspberry latest releases

Thu Aug 27, 2020 7:16 pm

Figured it out. Related to DNS on my internal network. Thanks.

synapsis
Posts: 3
Joined: Thu Sep 10, 2020 1:16 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Thu Sep 10, 2020 1:26 pm

Registered on forum just to make this post: I did some testing using wireguard client built from source as described in this guide and I was disappointed to find that it doesn't utilise the full network bandwidth (maximum I could get was 85% of bw), kernel module version 1.0.20200729-5-gdace9d0. Then I removed the kernel module and installed one provided by wireguard-dkms from raspbian testing repo (version 1.0.20200712), ran speedtest again to find that my bandwidth is fully utilized now, went from 8,5MB/s to 11.5MB/s. Go figure. :?

ejolson
Posts: 5963
Joined: Tue Mar 18, 2014 11:47 am

Re: Guide: Install Wireguard On Raspberry latest releases

Thu Sep 10, 2020 4:30 pm

synapsis wrote:
Thu Sep 10, 2020 1:26 pm
Registered on forum just to make this post

Thanks for the heads up. I wonder if some magic compiler options are used for the package build.

synapsis
Posts: 3
Joined: Thu Sep 10, 2020 1:16 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Sat Sep 12, 2020 7:42 am

ejolson wrote:
Thu Sep 10, 2020 4:30 pm
Thanks for the heads up. I wonder if some magic compiler options are used for the package build.

You're most likely right, one thing I noticed when looking at htop while running speed check was that with packaged kernel module the load is shared almost equally against all CPU cores with no core reaching 100% (I have pi 3b+), while with the self-compiled one the CPU usage for core 0 peaks to 100% while the other cores are around 30%. Probably there are some compiler options to use multiple threads or something like that.

fjleon
Posts: 23
Joined: Sun Jun 17, 2018 8:40 pm

Re: Guide: Install Wireguard On Raspberry latest releases

Sat Sep 19, 2020 5:20 pm

nice guide, couple of suggestions:

you need to actually start the service: systemctl start wg-quick@wg0
forward whatever UDP port you selected to the raspberry IP address on your home router nat/port forwarding section

the wireguard app on the phone is notoriously bad and won't tell you if you have connected successfully or not
