Setting up WireGuard on your Raspberry PI

Radu Zaharia
6 min read · Jan 25, 2022

If you have configured your home server and managed to share files between your devices, you may want to reach those files from outside your personal network. The same goes for other services, such as the calendar and contacts server you may have installed. The usual way to expose these services is to open the ports they listen on and redirect requests to those ports to your Raspberry PI server. Security-wise, that is the wrong move. You don't have to expose any of those service ports to reach your home network, because a VPN solves all of that.

I won't explain in detail what a VPN is, but in short: when your device successfully connects to a VPN server, it joins a private, encrypted network created for that session. The VPN server decides which services from the home network the device is allowed to reach. So the network the device joins when connecting to your VPN server is not your home network itself. It is a new network defined for the occasion by the VPN server's configuration.

There are many VPN servers you can install on your Raspberry PI, but in this article we will use WireGuard. WireGuard stands out from the crowd because it uses UDP exclusively and stays silent: it does not reply to any packet that is not authenticated with a key it knows, so a port scan from the outside sees nothing on the WireGuard port. Nobody learns that you have a VPN server installed on your Raspberry PI, which is great, because nobody can attack a service they cannot detect. And because of the way a WireGuard connection works, nobody can connect to that port without a key that is allowed in the server configuration. All of this makes WireGuard extremely secure and very tough to hack.

Configuring WireGuard on the server

First of all, we need to install WireGuard. I will show the commands for Fedora Server, but they are largely the same for Ubuntu Server or any other distribution. Just make sure it is a recent release, because WireGuard is fairly new.

#sudo dnf install wireguard-tools

Next we need to create the VPN server configuration:

#sudo nano /etc/wireguard/wg0.conf

In the editor, we have to set up a few things. Here is a typical listing that we will walk through now (available on github):

[Interface]
Address = 192.168.10.1/24
SaveConfig = true
ListenPort = 50000
PrivateKey = aaa=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

[Peer]
PublicKey = bbb=
AllowedIPs = 192.168.10.2/32

[Peer]
PublicKey = ccc=
AllowedIPs = 192.168.10.3/32

There are three sections: one Interface and two Peers. The Interface section sets up the VPN server, and each Peer section describes a device that is allowed to connect to it. In the Interface section we configure the Raspberry PI's IP address inside the VPN: when a client connects to the Raspberry PI via WireGuard, the Raspberry PI is reachable as 192.168.10.1. The /24 part says that the network created when devices connect via WireGuard uses addresses from 192.168.10.0 to 192.168.10.255, with the server at 192.168.10.1. One caveat about SaveConfig = true: it makes wg-quick write the running configuration back to this file when the interface is brought down, so edit the file only while the interface is stopped, or your edits will be overwritten.

Next, there is the server's ListenPort. When a device tries to connect to the WireGuard VPN server, it has to use the port specified here. You can enter any port number; pick one at random, usually above 10000. I chose 50000 in the example, but make sure not to use that one. Treat it as a secret.

Next we set the server's PrivateKey. This is a secret the server needs in order to encrypt the communication with the connected devices. To generate a key, we run this command in the terminal on the Raspberry PI:

#sudo sh -c 'umask 077; wg genkey > /etc/wireguard/privatekey'

The result will be something like jFveSdhjsIPJSl2kOISJDK23sfdfa3=. This is the server's private WireGuard key, and it is saved in /etc/wireguard/privatekey (the whole command runs as root, so the redirect can write into that directory, and the key file is created readable by root only). Copy it from there into the PrivateKey item in the Interface section. We also need a public key for the server, derived from the private key like this:

#sudo sh -c 'wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey'

The command above reads the private key from the file generated before and writes the derived public key to a new file.

Next, the server has two more settings, PostUp and PostDown, which let your devices reach the Internet through the VPN while connected. If you don't want that, you can simply delete those lines. But if those lines are not present, the client may lose Internet connectivity while connected to the VPN. Note that the iptables rules masquerade traffic leaving through wlan0; if your Raspberry PI is wired, replace wlan0 with the interface that carries its Internet connection (eth0, for example).

That's it for the Interface section. Now look at the Peer sections. Each has two settings: the client's PublicKey and the client's AllowedIPs. AllowedIPs is the VPN address the device gets when connecting to the WireGuard server. It has to be in the server's IP range, so in this example I gave the clients 192.168.10.2 and 192.168.10.3. The /32 designator means the server routes only that single address to the peer and accepts packets from the peer only with that source address. The clients also need a private key and a public key, just like the server; we will see in a moment how. The client's public key is what goes in the PublicKey setting of its Peer section.
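To catch the mistakes this section warns about before bringing the interface up, here is a small linter for a server wg0.conf in the layout above. It is an added example, not code from the article or from the WireGuard project, and it checks a constructed sample with placeholder keys: each peer's public key must be 32 base64-encoded bytes, and each AllowedIPs entry must be a /32 inside the server's range, not the server's own address, and not assigned to two peers.

```python
import ipaddress
import re

KEY_RE = re.compile(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=")  # exactly 32 base64-encoded bytes
KEY = "A" * 43 + "="  # placeholder of the right shape (32 zero bytes); real keys come from wg genkey
# Constructed sample in the layout explained above (placeholder keys, not real ones).
SAMPLE_CONF = f"""[Interface]
Address = 192.168.10.1/24
PrivateKey = {KEY}
[Peer]
PublicKey = {KEY}
AllowedIPs = 192.168.10.2/32
[Peer]
PublicKey = {KEY}
AllowedIPs = 192.168.10.3/32
"""

def parse_conf(text):
    """Split into (interface, [peers]); configparser cannot handle repeated [Peer] sections."""
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            sections.append((line, {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
    interface = next((d for name, d in sections if name == "[Interface]"), {})
    return interface, [d for name, d in sections if name == "[Peer]"]

def lint(text):
    """Return the problems found in a server config; an empty list means it passes."""
    iface, peers = parse_conf(text)
    server = ipaddress.ip_interface(iface.get("Address", "0.0.0.0/32"))
    problems, seen = [], set()
    for n, peer in enumerate(peers, 1):
        if not KEY_RE.fullmatch(peer.get("PublicKey", "")):
            problems.append(f"Peer {n}: PublicKey is not a 32-byte base64 key")
        for cidr in [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]:
            addr = ipaddress.ip_interface(cidr)  # raises ValueError on a malformed entry
            if addr.network.prefixlen != addr.max_prefixlen:
                problems.append(f"Peer {n}: {cidr} is not a single /32 host address")
            elif addr.ip == server.ip or addr.ip not in server.network:
                problems.append(f"Peer {n}: {addr.ip} is the server's address or outside {server.network}")
            elif addr.ip in seen:
                problems.append(f"Peer {n}: {addr.ip} is already assigned to another peer")
            seen.add(addr.ip)
    return problems
```

Run it against your own file with `lint(open("/etc/wireguard/wg0.conf").read())` as root; the article's listing with its aaa=/bbb=/ccc= placeholders is flagged because those are not real 32-byte keys.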

To finish setting up IP forwarding, the part that lets connected devices reach the Internet through the VPN server, we run:

#sudo nano /usr/lib/sysctl.d/60-ip-forwarding.conf

And in the editor we paste:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Save and exit the editor, then load the new setting with sudo sysctl --system (a reboot also does it). Now we just need to start the server:

#sudo systemctl enable wg-quick@wg0
#sudo systemctl start wg-quick@wg0

Note that to give access to your NFS shares, you need to add the new VPN network to your exports file. If you followed this article, change /etc/exports into this (also on github):

/mnt/storage/radu   192.168.68.0/24(rw,all_squash,no_subtree_check,anonuid=1000,anongid=1000) 192.168.10.0/24(rw,all_squash,no_subtree_check,anonuid=1000,anongid=1000)
/mnt/storage/shared 192.168.68.0/24(rw,all_squash,no_subtree_check,anonuid=1000,anongid=1000) 192.168.10.0/24(rw,all_squash,no_subtree_check,anonuid=1000,anongid=1000)
/mnt/storage/media  192.168.68.0/24(rw,all_squash,no_subtree_check,anonuid=1000,anongid=1000) 192.168.10.0/24(rw,all_squash,no_subtree_check,anonuid=1000,anongid=1000)

Configuring WireGuard on your phone

The usual client that needs access from the Internet into your home network is your phone. When you are away from home, at work for example, you will need to connect to your home VPN to reach your network services. To do that, install the WireGuard app on your phone. Start it up and tap the blue plus icon to create a new connection. Select "start from scratch".

There are two sections here too. The first is Interface. The Name will be wg0. Next is the Private Key input, with a generate button on the right; tap it to generate the phone's private and public key pair. The public key is the one you need to add to this device's Peer section in the server configuration file. In the Addresses input, add the address configured on the server for this peer: 192.168.10.2/24. Note the /24. That's it; we don't need to fill in the Listen Port or the DNS input.

Next we tap Add Peer. For the Public Key input we use the server's public key (the contents of /etc/wireguard/publickey). For the Endpoint we enter the Raspberry PI's public IP address and the WireGuard server's listening port, for example 72.85.104.22:50000. For the Allowed IPs input we just write 192.168.0.0/16, which sends only traffic for 192.168.x.x addresses (your home network and the VPN range) through the tunnel; if you want all of the phone's traffic, including Internet browsing, to go through the VPN, use 0.0.0.0/0 instead. Done.

Configuring the home router

All is good, with one exception: the home router installed by your ISP needs to forward UDP port 50000 to your Raspberry PI. This is done via your router's configuration page, accessible in your web browser at the router's address. Once that's done, you can activate the VPN on your phone, disconnect from the WiFi network, and still browse your network shares and sync your calendars and contacts, for example. And since you are configuring the router anyway, consider this article about securing your home network by enabling and using the guest WiFi network.

I hope this was a useful read. This powerful setup will grant your devices access to your home network, including all the services configured on your Raspberry PI server. The explanations may be a bit terse, so if you need any details when setting up your VPN, feel free to write in the comments. I will try to update the article to fill in the details I might have missed. See you next time!
