Dirtbag's Blog

Wireguard VPN on Raspberry PI

[ link: wireguard | tags: linux vpn raspberrypi | updated: Fri, 17 Apr 2020 12:02:48 -0400 ]

So it seems that wireguard vpn is the cool new toy for doing VPNs. I finally got around to getting it to work on my raspberry pi and yes there are lots of examples of how to set it up, A lot of them seemed to have conflicting information and/or didnt tell you if it was a peer to peer setup of client setup to server or what. So read on for my setup which is a mobile phone (android) connecting to a raspberry pi server.

So the first thing is to get wireguard installed on the raspberry pi. You have to have kernel header sources installed. Theres lots of info on that, so I wont provide it here. You have to have ipv4 forwarding enabled as well. You have to have a few requirement packages installed, so just run the following commands:

sudo apt-get install libmnl-dev build-essential git qrencode
git clone https://git.zx2c4.com/WireGuard
cd WireGuard/
cd src/
sudo make install

Now that you have it installed, you need to set up the public and private keys for the server and for the mobile phone client. You can run the following commands:

$ wg genkey > raspberrypi_private.key
$ wg pubkey > raspberrypi_public.key < raspberrypi_private.key

$ wg genkey > android_mobile_private.key
$ wg pubkey > android_mobile_public.key < android_mobile_private.key

Now we will create a file on the raspberrypi server called /etc/wireguard/wg0.conf which contains the following:

Address =
ListenPort = 3500
PrivateKey = iG4blablablablablablablablablabla1GA=
PreUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

# Mobile phone
PublicKey = dkblablablablablablablablablablablablaGI=
AllowedIPs =

You should chmod 600 /etc/wireguard/wg0.conf
Also, you should set up iptables to allow udp port 3500 (or whatever port you choose in the config file above).
On my raspberry pi, the eth0 is the "inside" interface and eth1 is the "outside" interface that has a valid internet ip address assigned to it. You may need to modify these interface names to suit your setup. Note that you need to replace the PrivateKey and PublicKey entries with the appropriate keys that you genereated earlier. Just cat the files as they are plain text and you will see the keys. The ip addresses are only used for the VPN itself and you can use whatever RFC1918 addresses you like. In this example, the address will be assigned to the android phone when it contacts the server.

You can now start and stop the wireguard vpn with the following commands:

sudo wg-quick up wg0
sudo wg-quick down wg0

Or set up the service to permanently run with:

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

The next step is VERY important.. Make sure your wireguard server has the following like uncommented in /etc/sysctl.conf


run sysctl -p if you had to add or uncomment that line.

the wg0 in the above commands corresponds to the filename that we setup in the /etc/wireguard directory, wg0.conf
Now create a file called mobilephone.conf somewhere on your raspberrypi and put the following into it:

PrivateKey = cTblablablablablablablablablablablablabla19=
Address =
DNS =,

Endpoint = xx.xx.xx.xx:3500
PublicKey = Fkblablablablablablablablablablablablablam9=
AllowedIPs =

Again, replace the PrivateKey and PublicKey entries with the appropriate keys that you genereated earlier. Also put in the outside ip address and port of the raspberry pi server as the endpoint (replace the xx.xx.xx.xx)
Run the following command to get a groovy cool QR code that we will use on the android phone to import the configuration.
qrencode -t ansiutf8 < mobilephone.conf

Now open up the play store on your mobile phone and search for wireguard vpn and install it. When you open it up, theres a '+' sign to add a new wireguard client config. Touch the "Create from QR code" option and then point the phone at the qrcode that you genereated on the raspberrypi. Give the connection a name and you should be done. Just toggle the selector to the right of the connection name to turn the vpn on or off.


Like this article? Buy me a beer!