Set Up VPN Server on Raspberry Pi
This article will demonstrate setting up a VPN server on Raspberry Pi devices.
Configure WireGuard VPN Package on Raspberry Pi OS
Generally, there are many different protocols and implementations for the VPN server, but this article chose WireGuard software as a prevailing contemporary option.
The software package is usually available on the default repositories, and you should be able to install it using the following command:
sudo apt install wireguard
Once you have the
wireguard package installed, several command-line tools will become available on your Raspberry Pi system for manipulating the WireGuard configuration and interfaces.
WireGuard usually adds a new virtual network interface to the system. WireGuard implements a CryptoKey Routing concept, denoted by associating public/private keys to each peer.
Namely, peers are just actors in the VPN tunnel, each identified by unique public keys. So, we need to generate these keys and include them in corresponding configuration files.
Since the configuration files and private keys should be considered sensitive information, we invoke the
umask 0700 command before generating the keys and storing them in the
Consequently, only the owners of these files can read/write the contents later.
umask 0700; wg genkey | sudo tee /etc/wireguard/private.key
The previous command will store the key in the
private.key file and print it to copy it easily.
Next, we will create a configuration file named
wg0.conf in the same
/etc/wireguard directory and include the following contents in it:
[Interface] PrivateKey = 2RzKFbGMx5g7fG0BrWCI7JIpGvcwGkqUaCoENYueJw4= Address = 10.10.10.1/24 ListenPort = 51820
Notice that this configuration file is for the Raspberry Pi peer, and you can rename the
wg0 part as you’d like.
You should copy replace the
PrivateKey value with the key generated with the previous command. Also, you can specify a port that will accept incoming connections and the peer’s address.
Now we can move on to the other peer (Peer A), which should connect to the Raspberry Pi. At this point, we assume that the other machine is Linux-based, and you have installed the WireGuard package on it accordingly.
The Peer A configuration will follow the same steps to reuse the command to generate the public key and execute it. Notice that keys can be generated on one machine, but since the private keys are meant to be secret, we are developing them on the corresponding peer machines.
Once the private key is generated, create a configuration file (e.g.
wg0.conf) in the
/etc/wireguard directory and insert the following lines:
[Interface] PrivateKey = 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw= Address = 10.10.10.2/32
Notice that the
PrivateKey value here is arbitrary, and you must replace it with the valid one. At the same time, the IP address might modify if you have specific network configuration needs.
After this, we have to generate public keys and store them in their configuration files. The public keys are derived from private keys and, in our case, will need to be generated on both devices.
Use the following command to generate one public key on Raspberry Pi and the second one on the other machine:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Now, let’s insert the peer section into the configuration file. The following lines need to be appended to the Raspberry Pi
[Peer] PublicKey = PRIVATE_KEY_OF_PEER_A AllowedIPs = 10.10.10.2/32
Note that the
AllowedIPs value is the same as the IP address specified in the
Address value of the Peer A configuration file.
PRIVATE_KEY_OF_PEER_A with the private key generated on Peer A. On the other hand, append the following lines to the
wg0.conf file on Peer A machine.
Make sure to replace the private key value with the corresponding one and the
Endpoint address with the address of the Raspberry Pi device. Mind that the following configuration will make the VPN connection one-sided, as only Peer A will access the Raspberry Pi network.
[Peer] PublicKey = PRIVATE_KEY_OF_RASPBERRY AllowedIPs = 0.0.0.0/0 Endpoint = 172.16.0.134:51820
Finally, you should start the corresponding service on the Raspberry Pi side using the command:
sudo systemctl enable email@example.com
While Peer A will use the following command each time it wants to create a tunnel interface and connect to it:
sudo wg-quick up wg0
You can remove the interface and terminate the existing connection from Peer A with the command:
sudo wg-quick down wg0
How to Route All
Peer A Traffic Through Raspberry Pi
At this point, Peer A won’t be able to access the internet, but only the Raspberry Pi network. We need to add additional parameters to the configuration files to make this happen.
Let’s start with the Peer A
wg0.conf file and append the following line in the
DNS = DNS_ADDRESS_USED_BY_RASPBERRY
This DNS address value is dependent on the network configuration, so you should retrieve the currently active one and update it if, for some reason, it’s changed in the future.
On the other hand, you should append these extra lines to the Raspberry Pi
PostUp = ufw route allow in on wg0 out on eth0 PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE PreDown = ufw route delete allow in on wg0 out on eth0 PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Note that the
wg0 name will need to be changed in these lines if you create a different filename for configuration files.
Once you saved the
wg0.conf changes, open
/etc/sysctl.conf file and uncomment/modify lines:
net.ipv6.conf.all.forwarding is only required if you also include IPv6 addresses in config files. After this, you must run the following command for the changes to take effect:
sudo sysctl -p
Now, you should connect and forward all your internet traffic from Peer A through Raspberry Pi. Although, if you are running a firewall on the Raspberry Pi, make sure to set up corresponding rules for Peer A, or it won’t be able to access the network at all.
You can see our introduction to the
ufw firewall here.
Related Article - Raspberry Pi
- MySQL in Raspberry Pi
- Setup a Raspberry Pi File Server
- DNS Server on Raspberry Pi
- Dropbox on Raspberry Pi
- Plex Media Player on Raspberry Pi
- Chromium OS on Raspberry Pi