Building a simple VPN with WireGuard with a Raspberry Pi as Server // Andreas Happe

Created: January 30, 2020 9:07 AM
Tags: Projects, Tech
URL: https://snikt.net/blog/2020/01/29/building-a-simple-vpn-with-wireguard-with-a-raspberry-pi-as-server/

Now that WireGuard will be part of the upcoming Linux 5.6 kernel, it’s time to see how best to integrate it with my Raspberry Pi based LTE-Router/Access Point setup.

What is my scenario?

  • The Raspberry Pi based LTE-Router/Access Point. This will be the VPN server (called edgewalker in this post)
  • An Android phone that should use the VPN for all communication when connected
  • A Linux laptop that should use the VPN only when accessing network services that are exposed to the VPN

Each device connected to the VPN should be able to connect to all other devices, e.g., my phone should be able to connect to a webserver running on the laptop as long as both are part of the VPN network.

Had I read the manual, I would have done the right steps:

On the Raspberry Pi I am using Raspbian Buster. This distribution already includes the wireguard package; I installed it with:

On the Android phone, I used the Google App Store to install the WireGuard VPN application.

Creating a configuration file for the VPN Server (Raspberry Pi)

Configuration was quite easy, I just created the following file at /etc/wireguard/wg0.conf:

Some notes:

  • Please fill in the values from the created key files
  • I am creating a VPN network that uses 10.200.200.0/24 for its internal IP range
  • my server uses wwan0 as external network interface in the PostUp/PostDown commands, please adapt that to use your network-facing interface (might be eth0)

It’s easy to bring the VPN network up with the following command:

One small thing: I am using dnsmasq as DNS server and have bound it to the network interface br0. In dnsmasq you do this by adding a new config line to /etc/dnsmasq.conf with the network interface, e.g.:

In addition, I’ve added some iptables rules to allow traffic to the listening UDP port (51280):

Now that everything works, we can utilize systemd to automatically start the VPN tunnel:

Mostly the laptop setup consists of creating a matching configuration file in /etc/wireguard/wg0.conf on the laptop:

Some notes:

  • edgewalker should be the public IP-address or public hostname of the VPN server
  • By setting AllowedIPs to 10.200.200.0/24 we are only using the VPN for accessing the internal VPN network.

We prepare the following file (let’s call it mobile.conf) on the server through ssh:

In contrast to the laptop setup, we are forcing the mobile device to use our VPN server as DNS server (that’s the DNS setting) as well as using the new VPN tunnel for all traffic (by using 0.0.0.0/0 as wildcard for AllowedIPs).
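
As an added example (not the author's original configuration), the three files described in this post are shown together below, separated by comment banners. The 10.200.200.1/.2/.3 addresses, the angle-bracket key placeholders, the exact iptables rules and the PersistentKeepalive line are assumptions; the address range, port, wwan0, edgewalker, DNS and AllowedIPs choices follow the text.

```ini
# ===== edgewalker (server): /etc/wireguard/wg0.conf =====
[Interface]
# Assumed server address inside 10.200.200.0/24
Address = 10.200.200.1/24
ListenPort = 51280
# Placeholder: contents of the server's private key file
PrivateKey = <server-private-key>
# Forward VPN traffic and NAT it out of the external interface (wwan0 here);
# the kernel must also have net.ipv4.ip_forward=1.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE

# Laptop. On the server, AllowedIPs is also a source filter: packets from
# this peer are accepted only if they come from 10.200.200.2.
[Peer]
PublicKey = <laptop-public-key>
AllowedIPs = 10.200.200.2/32

# Phone
[Peer]
PublicKey = <mobile-public-key>
AllowedIPs = 10.200.200.3/32

# ===== laptop: /etc/wireguard/wg0.conf (VPN network only) =====
[Interface]
Address = 10.200.200.2/24
PrivateKey = <laptop-private-key>

[Peer]
PublicKey = <server-public-key>
# Public IP address or hostname of the server
Endpoint = edgewalker:51280
# Route only the internal VPN network through the tunnel
AllowedIPs = 10.200.200.0/24
# Assumption: keeps the NAT mapping open so other peers can reach the laptop
PersistentKeepalive = 25

# ===== phone: mobile.conf (all traffic through the VPN) =====
[Interface]
Address = 10.200.200.3/24
PrivateKey = <mobile-private-key>
# Use the VPN server as DNS server
DNS = 10.200.200.1

[Peer]
PublicKey = <server-public-key>
Endpoint = edgewalker:51280
# 0.0.0.0/0 sends all IPv4 traffic into the tunnel (IPv6 would need ::/0)
AllowedIPs = 0.0.0.0/0
```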