How to Set Up WireGuard on a Raspberry Pi

The above diagram depicts how setting up the WireGuard VPN tunnel works with a Raspberry Pi. With WireGuard, a tunnel is created with a virtual network interface (wg0 in this case). These interfaces are created on both the client and on the RPi VPN server, enabling them to talk to each other.


This is a companion discussion topic for the original entry at https://engineerworkshop.com/2020/02/20/how-to-set-up-wireguard-on-a-raspberry-pi/

I’m wondering whether the only possible way to access geo-locked content is to rent a VPS hosting service and set up WireGuard on it?

Hi Van,

Glad to hear from you again. Haha, that’s a creative idea for getting around geo IP blocking. I would suggest a VPN, which might be cheaper, but the problem with most publicly available VPNs is that they are easily identified as such and so their whole IP blocks are blocked. :slight_smile: See what I did there? Pun!

So you’re right, this would make for a much more reliable, sure-fire way.

Hope all is well,
TorqueWrench

P.S. Sorry for the delayed response. Been working 12-hour command center night shifts for the past week!

1 Like

Yeah haha thanks man. That’s intense!

@TorqueWrench Hey, how you doing man. Stay safe. I like coming back to your blog every now and then to check out new posts.

1 Like

Hi Van,

Good to hear from you again. Thank you for your continued readership! Not sure if you use Feedly or not, but it’s the tool I use to keep track of new articles on the sites I follow. You might find it useful as well.

Things are going okay here. I got back from my command center, just in time for COVID-19 to really ramp up here in the US, so it’s been all hands on deck ever since. As a result, my usual full-length articles have fallen in priority, so I really appreciate you continuing to check back.

I am hoping to have a new post either later this weekend or by the start of next month at the latest.

How about you? Hope things are going well.

Stay safe,
TorqueWrench

1 Like

Hi there,

Thanks for such a wonderful tutorial! It made me go down the rabbit hole of your previous posts :smiley:.
Though surprisingly, these instructions didn’t work out for me in the beginning. I finally got it to work in the end, but I don’t quite understand why it didn’t work earlier. I hope you can help me figure this out. Here is the full story:

I have a Raspberry Pi 4, which is connected to the router over Ethernet and had also been connected to Wi-Fi. Its WireGuard config was:

andromeda:~ $ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.253.3.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 38574
PrivateKey = M****

[Peer]
PublicKey = y********
AllowedIPs = 10.253.3.2/32

Its routing table looked like this:

andromeda:~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    303    0        0 wlan0
10.253.3.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     303    0        0 wlan0

Now, on my client (laptop), the config was:

$ sudo cat /etc/wireguard/andromeda.conf
[Interface]
Address = 10.253.3.2/24
PrivateKey = 6****
DNS = 1.1.1.1

[Peer]
PublicKey = F****
Endpoint = <router_ip>:38574
AllowedIPs = 10.253.3.1/32

PersistentKeepalive = 25

After forwarding the UDP port on the router and opening it in ufw on the server, I started WireGuard on both sides:
Server

andromeda:~ $ sudo wg
interface: wg0
  public key: F****
  private key: (hidden)
  listening port: 38574

peer: y***
  endpoint: <router_ip>:37011
  allowed ips: 10.253.3.2/32
  transfer: 5.06 KiB received, 3.14 KiB sent

Client

$ sudo wg
interface: andromeda
  public key: y***
  private key: (hidden)
  listening port: 37011

peer: F***
  endpoint: <router_ip>:38574
  allowed ips: 10.253.3.1/32
  transfer: 0 B received, 2.75 KiB sent
  persistent keepalive: every 25 seconds

So, they seem to be connected. But even now, I cannot ping 10.253.3.1. It just gets stuck.

$ ping 10.253.3.1
PING 10.253.3.1 (10.253.3.1) 56(84) bytes of data.
^C
--- 10.253.3.1 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21285ms

After a lot of searching, I finally tried just bringing down my wlan0 interface and setting eth0 as the default interface:

andromeda:~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.253.3.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

And voilà! After this I was able to ping from the client.

I don’t quite understand why this was happening, and do I always have to do this to make it work? Any help would be greatly appreciated. Also, it’d be nice if you could point me to some resources for understanding iptables, routing, split tunneling, interfaces, etc.

Thanks a lot!

1 Like
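As an added diagnostic (not code from the original post or from the WireGuard project), the following Python check parses the server's wg0.conf and `route -n` output posted above and flags the two routing conditions a defender would inspect first on a dual-homed VPN host: the default route leaving on a different interface than the one the MASQUERADE rule names, and one subnet reachable via two interfaces, which lets replies leave on a different interface than the one forwarded packets arrived on. The sample inputs are constructed copies of the posted config and routing tables with the keys elided.

```python
import re

# Constructed sample input: the posted server config (keys elided) and the
# two routing tables, before and after wlan0 was brought down.
WG_CONF = """[Interface]
Address = 10.253.3.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 38574
"""
ROUTE_BEFORE = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    303    0        0 wlan0
10.253.3.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     303    0        0 wlan0
"""
ROUTE_AFTER = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.253.3.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
"""

def masquerade_iface(conf):
    """Interface named by '-o <iface> -j MASQUERADE' in PostUp, or None."""
    m = re.search(r"PostUp\s*=.*?-o\s+(\S+)\s+-j\s+MASQUERADE", conf)
    return m.group(1) if m else None

def parse_routes(text):
    """Turn `route -n` output into (destination, genmask, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and re.match(r"\d+\.\d+\.\d+\.\d+$", f[0]):
            routes.append((f[0], f[2], int(f[4]), f[7]))
    return routes

def check(conf, route_text):
    """Return human-readable findings; an empty list means no mismatch found."""
    findings, routes = [], parse_routes(route_text)
    nat_if = masquerade_iface(conf)
    defaults = sorted((r for r in routes if r[0] == "0.0.0.0"), key=lambda r: r[2])
    if defaults and nat_if and defaults[0][3] != nat_if:
        findings.append(f"default route uses {defaults[0][3]} but MASQUERADE is on {nat_if}")
    by_subnet = {}  # (destination, genmask) -> set of interfaces
    for dest, mask, _, iface in routes:
        if dest != "0.0.0.0":
            by_subnet.setdefault((dest, mask), set()).add(iface)
    for (dest, mask), ifaces in by_subnet.items():
        if len(ifaces) > 1:
            findings.append(f"{dest}/{mask} via {sorted(ifaces)}: asymmetric return path")
    return findings
```

Running `check(WG_CONF, ROUTE_BEFORE)` reports both conditions, while `check(WG_CONF, ROUTE_AFTER)` reports none, matching the point at which the ping started working.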

I’m doing well thanks. Local stores are frozen in the lockdown—like a ghost town. Hope things will get better. I’ve bookmarked the Feedly link, appreciate it @TorqueWrench!