How to Set Up WireGuard on a Raspberry Pi

Hi Van,

This is the clearest WG installation I’ve seen and I’ve done it wrong SEVERAL times. :wink:

I need 2 more clients. Can you tell me how to add those? I hope it is as simple as the first one.

Also, another question; if I get the green checkmark on my client (Windows 10 for me), does that mean the tunnel to my server is opened and everything is working correctly?

Thanks,

Bob

I’ll stop after this one, I promise.

When my client connects, I get the green checkmark by the tunnel name and in the Status indicator which shows active, but a new entry pops up that shows a port number I did not assign. Where is that coming from and is it correctly operating?

Thanks,

Do you have a screenshot?

First time posting a picture, let’s see if this works.

I circled the upper listening port which pops up after connection. This does not match the port I have chosen as can be seen below. Under transfer, data is sent but nothing comes back.

Thanks, the picture helps a lot.

So this screenshot is from your WireGuard client. The listen port is the port your client is listening on. In general, and this is true of all server-client relationships, the client will “listen” (communicate) on a random port while the server listens on the assigned, fixed port. All of this is to say, there’s nothing to worry about with seeing that upper port number being different than the one you specified.

Now, unfortunately, this screenshot also answers one of your other questions: the green checkbox in WireGuard does not confirm that your connection is working. It merely means that the WireGuard interface is active (i.e. your client on Windows is trying to use that interface). The confirmation to know that WireGuard is working comes from receiving data, which unfortunately it looks like you are not.

The “Allowed IPs” in your peer settings look off to me, which means I think your client config is wrong. They should really look more like the WireGuard client config here:
AllowedIPs = 0.0.0.0/0, ::/0

-TorqueWrench
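
The point above about the green checkmark can be turned into a check you can actually run on the Pi. The following is an added example written for this thread, not code from the guide or from the WireGuard project: `sudo wg show wg0 dump` prints one tab-separated line per peer that includes the time of the latest handshake and the bytes received, and those two fields, not the interface state, tell you whether a peer is really connected. The dump text in the script is constructed for the example and the keys are placeholders; the three-minute staleness threshold is an assumption based on WireGuard re-handshaking roughly every two minutes while traffic flows.

```python
"""Tell a working WireGuard tunnel from one that is merely "up".

Added example for this thread (not code from the original guide): the green
checkmark in the Windows client only reports that the interface is active.
Proof of a working tunnel is a recent handshake plus received bytes, both of
which `sudo wg show wg0 dump` prints as tab-separated fields. The dump below
is constructed; the keys are placeholders, not real keys.
"""
from __future__ import annotations
from dataclasses import dataclass

# A peer that is passing traffic re-handshakes about every two minutes, so a
# handshake older than this (assumed threshold) means the peer is gone.
HANDSHAKE_STALE_SECONDS = 180


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str          # "(none)" until a packet from the peer has ever arrived
    allowed_ips: str
    latest_handshake: int  # unix epoch seconds; 0 means never
    rx_bytes: int
    tx_bytes: int

    def diagnose(self, now: int) -> str:
        if self.latest_handshake == 0:
            if self.tx_bytes > 0:
                return ("sending but no handshake: our packets get no reply; suspect the "
                        "endpoint, router port forwarding or mismatched public keys")
            return "no handshake: nothing has arrived from this peer yet"
        if now - self.latest_handshake > HANDSHAKE_STALE_SECONDS:
            return "stale handshake: peer was reachable once but is not now"
        if self.rx_bytes == 0:
            return "handshake ok but nothing received: check AllowedIPs on both sides"
        return "healthy"


def parse_wg_dump(dump: str) -> list[PeerStatus]:
    """Parse `wg show <iface> dump`: line 1 is the interface, the rest are peers.

    Peer fields: public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake, transfer-rx, transfer-tx, persistent-keepalive.
    """
    lines = [l for l in dump.splitlines() if l.strip()]
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(PeerStatus(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return peers


def tunnel_report(dump: str, now: int) -> dict[str, str]:
    """Map each peer's public key to a one-line diagnosis."""
    return {p.public_key: p.diagnose(now) for p in parse_wg_dump(dump)}


# Constructed sample: a server with one working client and one that has never
# managed to reach it (the server sees no handshake and no bytes either way).
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY_PLACEHOLDER=", "SERVER_PUBLIC_KEY_PLACEHOLDER=", "51073", "off"]),
    "\t".join(["CLIENT1_PUBLIC_KEY_PLACEHOLDER=", "(none)", "203.0.113.5:51234",
               "192.168.99.2/32", str(NOW - 45), "10240", "20480", "off"]),
    "\t".join(["CLIENT2_PUBLIC_KEY_PLACEHOLDER=", "(none)", "(none)",
               "192.168.99.3/32", "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    for key, verdict in tunnel_report(SAMPLE_DUMP, NOW).items():
        print(f"{key[:14]}...  {verdict}")
```

Run it against the real output with `sudo wg show wg0 dump` piped into `tunnel_report`. The same logic read from the client side explains the screenshot above: bytes sent, nothing received and no handshake means the client's handshake initiations are leaving but nothing is coming back, which is a reachability or key problem rather than a routing one.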

OK, thanks for that explanation. I’ll fix the Allowed IPs but I believe what I show is the default that appears when you uncheck the client’s “Block untunneled traffic (kill-switch)” option.

I also discovered that WG is not running on the server and I’m working on that.

root@raspberrypi:/etc/wireguard# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

Here is the output from route -n:

root@raspberrypi:/etc/wireguard# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 202 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0

I believe I’m supposed to see my WG local subnet in there which is 192.168.99.0/24 and I need to find the correct statement to add that local subnet to the routing table, I think. :wink:

So, I’ve got several things to fix

TorqueWrench,

As I’m trying to figure out why my WG is not running, I found another instruction that lists the following steps to establish the WG local route. Are these not needed with your instructions?

Command-line Interface

A new interface can be added via ip-link(8) , which should automatically handle module loading:

# ip link add dev wg0 type wireguard

An IP address and peer can be assigned with ifconfig(8) or ip-address(8)

# ip address add dev wg0 192.168.2.1/24

Or, if there are only two peers total, something like this might be more desirable:

# ip address add dev wg0 192.168.2.1 peer 192.168.2.2

The interface can be configured with keys and peer endpoints with the included wg(8) utility:

# wg setconf wg0 myconfig.conf

or

# wg set wg0 listen-port 51820 private-key /path/to/private-key peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint 209.202.254.14:8172

Finally, the interface can then be activated with ifconfig(8) or ip-link(8) :

# ip link set up dev wg0

Correct. Those are not needed with my instructions. wg-quick combined with the requisite PostUp argument in the server config makes the necessary arrangements. Note that since we’re using nat + masquerade in PostUp, that you will need to enable IP forwarding on your server.

You also configured port forwarding on your router, correct?

An additional quick test here to figure out where the problem lies is to try and connect from your internal network (i.e. while the client is on the same local network as the WG server) vs. connecting from an external network (i.e. wireless hotspot). If you can connect from the internal network, but not the external network, then the problem lies in your router port forwarding setup (or possibly due to (a lack of) hairpinning). If you can’t even connect from the internal network, then you know the problem is in your WG config (or, less likely, your network).

In general, my advice is to keep the initial set up as simple as possible at first, following the directions verbatim. Once you get everything working, then you can get fancy with more advanced stuff.

-TorqueWrench

Thanks again! Yes, IP forwarding is on and I get a confirmation. I’ll go through all the steps again to see why WG is not running. I also don’t see where my local WG subnet (192.168.99.x) goes in.

One last thing, I need 3 client/peers. How do I add two more clients?

Take care

Yes, port forwarding is on in the router. Forgot to answer your question.

I’m assuming there is no magic to your Address = 10.253.3.1/24 and I can just insert my 192.168.99.1/24, right?

There is some magic in the sense that whatever address/subnet you use, it must not actually exist already on your network. The addresses/subnets you specify in your WireGuard server/client config are the addresses/subnets of the WireGuard tunnel itself. Therefore, you do not want them to match an IP address/network that’s already in use on your local network. Other than that, yes, the actual subnet is arbitrary.
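
Two things from this exchange lend themselves to a small tool: the rule just stated, that the tunnel Address must not collide with a subnet already on the LAN, and the still-open question of adding two more clients, each of which is one more [Peer] block with its own /32 inside the tunnel subnet. The following is an added example written for this thread, not code from the guide or from WireGuard. It assumes the server config posted above (keys replaced with placeholders) and the 192.168.2.0/24 LAN visible in the route -n output; the counter-example config is constructed from the addresses in the pasted wireguard.com snippet.

```python
"""Check a wg-quick server config before `wg-quick up`, and allocate the
address for the next client.

Added example for this thread, not code from the original guide: the tunnel
Address must not overlap a subnet already on the LAN (192.168.2.0/24 here,
from the `route -n` output above), and each extra client is one more [Peer]
block with its own /32 inside the tunnel subnet. Keys are placeholders.
"""
from __future__ import annotations
import ipaddress

def parse_wg_conf(text: str) -> tuple[dict, list[dict]]:
    """Tiny parser; configparser chokes on the repeated [Peer] sections."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = interface if line.lower() == "[interface]" else {}
            if current is not interface:
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return interface, peers

def tunnel_network(interface: dict) -> ipaddress.IPv4Network:
    """IPv4 tunnel subnet from Address (wg-quick accepts a comma list)."""
    for addr in interface["Address"].split(","):
        ip = ipaddress.ip_interface(addr.strip())
        if ip.version == 4:
            return ip.network
    raise ValueError("no IPv4 Address in [Interface]")

def peer_allowed_ipv4(peer: dict) -> list[ipaddress.IPv4Network]:
    cidrs = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
    return [n for n in (ipaddress.ip_network(c, strict=False) for c in cidrs) if n.version == 4]

def check_config(text: str, lan_networks: list[str], ip_forward_enabled: bool) -> list[str]:
    """Human-readable problems; an empty list means nothing obvious is wrong."""
    interface, peers = parse_wg_conf(text)
    tunnel = tunnel_network(interface)
    problems = []
    for lan in map(ipaddress.ip_network, lan_networks):
        if tunnel.overlaps(lan):
            problems.append(f"tunnel subnet {tunnel} overlaps existing LAN subnet {lan}")
    if "ListenPort" not in interface:
        problems.append("no ListenPort: the router needs a fixed UDP port to forward to")
    if "MASQUERADE" in interface.get("PostUp", "") and not ip_forward_enabled:
        problems.append("PostUp does NAT but net.ipv4.ip_forward is off: client traffic stops at the Pi")
    seen: set[ipaddress.IPv4Network] = set()
    for i, peer in enumerate(peers, 1):
        for net in peer_allowed_ipv4(peer):
            # Road-warrior clients: each peer owns one /32 inside the tunnel subnet.
            if not net.subnet_of(tunnel):
                problems.append(f"peer {i} AllowedIPs {net} is outside tunnel subnet {tunnel}")
            if net in seen:
                problems.append(f"peer {i} AllowedIPs {net} is already used by another peer")
            seen.add(net)
    return problems

def next_peer_address(text: str) -> str:
    """Lowest unused host in the tunnel subnet, as the /32 for a new client."""
    interface, peers = parse_wg_conf(text)
    tunnel = tunnel_network(interface)
    used = {ipaddress.ip_interface(a.strip()).ip for a in interface["Address"].split(",")}
    for peer in peers:
        for net in peer_allowed_ipv4(peer):
            used.update([net.network_address] if net.prefixlen == 32 else net.hosts())
    for host in tunnel.hosts():
        if host not in used:
            return f"{host}/32"
    raise RuntimeError(f"no free address left in {tunnel}")

def render_peer(public_key: str, address: str) -> str:
    """The [Peer] block to append to the server config for one more client."""
    return f"\n[Peer]\nPublicKey = {public_key}\nAllowedIPs = {address}\n"

# Constructed from the server config posted above, keys replaced by placeholders.
LAN_SUBNETS = ["192.168.2.0/24"]
SERVER_CONF = """\
[Interface]
Address = 192.168.99.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 51073
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.99.2/32
"""
# Constructed counter-example: tunnel on the LAN's own subnet, no ListenPort, peer outside the tunnel.
BAD_CONF = """\
[Interface]
Address = 192.168.2.1/24
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.88.0/24
"""
```

To add a client: generate its key pair on the client (`wg genkey | tee privatekey | wg pubkey > publickey`), append `render_peer(<client public key>, next_peer_address(conf))` to wg0.conf on the Pi, and give the client a config with that /32 as its Address, the server's public key, the server endpoint and `AllowedIPs = 0.0.0.0/0, ::/0` as shown earlier. One caveat specific to the posted config: with `SaveConfig = true`, `wg-quick down wg0` rewrites wg0.conf from the running interface, so a [Peer] appended to the file while wg0 is up is silently lost. Either bring the interface down before editing the file, or add the peer to the live interface with `wg set wg0 peer <public key> allowed-ips <address>` and let SaveConfig persist it on the next `wg-quick down`.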

TorqueWrench,

I’m going back to square one since I can’t get WG running. In one of your initial paragraphs, you say: “In a process known as port forwarding, when our WireGuard client sends a request to engineerworkshop.com on port 51900, the router takes that request and forwards it on to the Raspberry Pi, connected to the router on eth0 with IP address 10.0.20.149 also on port 51900.” However, in your answer previously to my observation that my client had a different listening port than my server, I thought you were saying they would be different. What am I missing?

Thanks,

Following your instructions verbatim, I’ve rebooted the server and tried “wg-quick up wg0”. Here what I get:

root@raspberrypi:/home/pi# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

Here is my wg0.conf (with keys blurred):

[Interface]
Address = 192.168.99.1/24
SaveConfig = true
PrivateKey = KJGrw3VZviKI…KW2ZIKEakk=
ListenPort = 51073

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = ckhPpZ…pVCw=
AllowedIPs = 192.168.99.2/32

I’m just trying to get some indication that I can get WG server running before I move on to a client test.

@greg ran into that same problem. Try checking out his posts beginning here:

And how he was able to fix these “RTNETLINK answers: Operation not supported / Unable to access interface: Protocol not supported” errors:

Well, using the header correction thread got WG running and establishing the correct routing table for me. I can’t imagine why a brand new Raspbian install and update required an additional header correction, but now I can move forward. This is my one and only foray into a Linux based OS and I’m really not impressed with how many gyrations I’ve had to go through to accomplish the simplest task, but maybe this note can help others that get stuck in a similar rabbit hole.
Now I need to see if my client can connect with WG server and see its LAN.
Thanks for the help TorqueWrench!

Yeah, I agree that it’s odd. I didn’t run into any such problem when I first wrote the guide, but you’re now the second person that has reported this, so I need to look into it.

I remember having similar feelings when I first started with Linux a few years ago. I, too, started with a Raspberry Pi and remember thinking to myself as I typed, sudo apt-get update and sudo apt-get dist-upgrade, “Man, how am I ever going to remember all this stuff when it takes so many commands just to make a simple update?”.

The best advice I have is to not get discouraged. It takes time and competence comes with practice and experience. That’s the whole point of the homelab and the Raspberry Pi.

Above all else remember: Knowing all the answers isn’t nearly as important as being able to find them.

Keep us updated on how your WG connection efforts go and then we’ll talk about adding multiple clients to the server! :smile:

-TorqueWrench

I am not yet able to install a version of Ubuntu properly myself yet. I really want to learn it in my efforts to transition from Windows to Linux. Sometimes, Windows acts quirky. And yes, @TorqueWrench is the Man behind this fantastic guide. I am a reader of his blog.

Does anyone know how to fix an issue where you’re unable to access WireGuard from WAN? I am not behind a double NAT nor CGNAT (confirmed by the fact that other services such as SSH are accessible from WAN) but even then I am 100% unable to connect to my WireGuard server when outside the LAN; it connects while connected to my home network just fine. Port forwarding is set up in my gateway and the ports are all correct for my setup.

Hi @Ryaniskira,

Great (and relevant) troubleshooting steps by checking internally against the LAN and from connecting to other services outside via the WAN. For those other services (SSH), I assume you are using the same dynamic DNS to connect?

Your description still suggests the problem is on the router/port forwarding side, assuming you’re using the same dynamic DNS to find your WAN IP address. Mind sharing a sanitized version of your port forwarding set up and WireGuard config?

-TorqueWrench