{"id":13761381,"url":"https://github.com/adrianmihalko/raspberrypiwireguard","last_synced_at":"2025-04-12T23:29:20.943Z","repository":{"id":72989109,"uuid":"105067792","full_name":"adrianmihalko/raspberrypiwireguard","owner":"adrianmihalko","description":"Install and configure WireGuard on Raspberry Pi (and others)","archived":false,"fork":false,"pushed_at":"2023-03-04T18:56:05.000Z","size":708,"stargazers_count":850,"open_issues_count":19,"forks_count":75,"subscribers_count":44,"default_branch":"master","last_synced_at":"2025-04-04T02:08:41.958Z","etag":null,"topics":["raspberry-pi","vpn","wireguard"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adrianmihalko.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-09-27T20:47:39.000Z","updated_at":"2025-04-03T03:20:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"3d6c2141-b266-4562-827b-f75506b32f9b","html_url":"https://github.com/adrianmihalko/raspberrypiwireguard","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adrianmihalko%2Fraspberrypiwireguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adrianmihalko%2Fraspberrypiwireguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adrianmihalko%2Fraspberrypiwireguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adrianmihalko%2Fraspberrypiwireguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adrianmihalko","download_url":"https://codeload.github.com/adrianmihalko/raspberrypiwireguard/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248646812,"owners_count":21139077,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["raspberry-pi","vpn","wireguard"],"created_at":"2024-08-03T13:01:52.435Z","updated_at":"2025-04-12T23:29:20.922Z","avatar_url":"https://github.com/adrianmihalko.png","language":null,"funding_links":[],"categories":["Others","Programming/Comp Sci/SE Things"],"sub_categories":["Rasberry Pi VPN"],"readme":"\n\n\n\n\n![](https://lh5.googleusercontent.com/o7TqWF6oMhFjabUwG0Z4eu0zpQVcfdE_17pOfh_r-E5DUMlFOSd4M2UnPtyVfEgXrq5ZpolauPsH0c-eS04zOvmC1oGBXBfI2BZWQCWqArVlZscg-_pyg8scj8BEDNe2ZOgKW_75)\n\n\n## 1. Wireguard installation (Raspberry Pi 2 v1.2 and above)\n\n```console\npi@raspberrypi:~ $ sudo apt-get update\npi@raspberrypi:~ $ sudo apt-get upgrade \npi@raspberrypi:~ $ sudo apt-get install raspberrypi-kernel-headers\npi@raspberrypi:~ $ echo \"deb http://deb.debian.org/debian/ unstable main\" | sudo tee --append /etc/apt/sources.list.d/unstable.list\npi@raspberrypi:~ $ sudo apt-get install dirmngr \npi@raspberrypi:~ $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553\npi@raspberrypi:~ $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010\npi@raspberrypi:~ $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC\npi@raspberrypi:~ $ printf 'Package: *\\nPin: release a=unstable\\nPin-Priority: 150\\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable\npi@raspberrypi:~ $ sudo apt-get update\npi@raspberrypi:~ $ sudo apt-get install wireguard \npi@raspberrypi:~ $ sudo reboot\n```\nRaspberry Pi 1, Zero, ZeroW requires [manual compiling](https://github.com/adrianmihalko/raspberrypiwireguard/wiki/Install-WireGuard-on-Raspberry-Pi-1,-2-(not-v1.2),-Zero,-Zero-W).\n\n**Enable ipv4 forwarding then reboot to make changes active:**\n\n```console\npi@raspberrypi:~ $ sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf \npi@raspberrypi:~ $ sudo reboot\n```\n\nTo check if it has been enabled:\n\n```console\npi@raspberrypi:~ $ sysctl net.ipv4.ip_forward \nnet.ipv4.ip_forward = 1\n```\n\nIf you get `net.ipv4.ip_forward = 0`, please manually edit `sudo nano /etc/sysctl.conf` and add `net.ipv4.ip_forward = 1`.\n\n\n## 2. Configuring WireGuard\n\nWe cover two way of setting up Wireguard and clients:\n\n- manually: that's what we do in this document\n- semi automatic mode via WireGuard [User Management Script](https://github.com/adrianmihalko/raspberrypiwireguard/wiki/User-management-with-Wireguard-User-Management-script)\n\n\n## 3. Generate private and public keys for server and client1\n\n  \n```console\npi@raspberrypi:~ $ mkdir wgkeys\npi@raspberrypi:~ $ cd wgkeys  \npi@raspberrypi:~/wgkeys $ wg genkey \u003e server_private.key  \nWarning: writing to world accessible file.\nConsider setting the umask to 077 and trying again.\n\npi@raspberrypi:~/wgkeys $ wg pubkey \u003e server_public.key \u003c server_private.key\npi@raspberrypi:~/wgkeys $ wg genkey \u003e client1_private.key  \nWarning: writing to world accessible file.\nConsider setting the umask to 077 and trying again.\npi@raspberrypi:~/wgkeys $ wg pubkey \u003e client1_public.key \u003c client1_private.key\npi@raspberrypi:~/wgkeys $ ls\nclient1_private.key client1_public.key server_private.key server_public.key\n```\n\nUse `cat` command  to view content of the file. You need this in the next step.\n\n```console\npi@raspberrypi:~/wgkeys $ cat server_public.key \nAj2HHAutB2U0O56jJBdkZ/xgb9pnmUPJ0IeiuACLLmI=\n```\n## 4. Setup Wireguard interface on server\n\n```console\npi@raspberrypi:~/wgkeys $ sudo nano /etc/wireguard/wg0.conf    \n[Interface]\nAddress = 192.168.99.1/24\nListenPort = 51820\n\nPrivateKey = \u003cserver_private.key\u003e\n#replace eth0 with the interface open to the internet (e.g might be wlan0 if wifi)\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\n\n[Peer]\n#Client1\nPublicKey = \u003cclient1_public.key\u003e\nAllowedIPs = 192.168.99.2/32\n```\n\n## 5. Start Wireguard\n\nStart Wireguard with `wg-quick` command.\n\n```console\npi@raspberrypi:~/wgkeys $ sudo wg-quick up wg0 \n[#] ip link add wg0 type wireguard\n[#] wg setconf wg0 /dev/fd/63\n[#] ip address add 192.168.99.1/24 dev wg0\n[#] ip link set mtu 1420 dev wg0\n[#] ip link set wg0 up\n```\n\nUse `sudo wg` command to check if it is working:\n\n```console\npi@raspberrypi:~/wgkeys $ sudo wg \ninterface: wg0\npublic key: Aj2HHAutB2U0O56jJBdkZ/xgb9pnmUPJ0IeiuACLLmI=\nprivate key: (hidden)\nlistening port: 51820\n\npeer: ht4+w8Tk28hFQCpXWnL4ftGAu/IwtMvD2yEZ+1hp7zA=\nallowed ips: 192.168.99.2/32\n```\n\nYou can launch automatically at startup:\n\n```console\npi@raspberrypi:~/wgkeys $ sudo systemctl enable wg-quick@wg0  \nCreated symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.\n```\n\n## 6. Setup clients\n\nYou will need to install wireguard on clients as well.  Wireguard does not have separate apps for server and client, just differences in the configuration file. \nOn Debian based distros (Ubuntu, Debian etc.) you just run `sudo apt-get install wireguard`.\n\nFor installing on other systems, please visit Wireguard [website](https://www.wireguard.com/install/). \n\nWe generated credentials for one user above.\n\nExample configuration on client:\n\n```console\nadrian@MacBook-Pro:/Volumes$ sudo mkdir /etc/wireguard/\nadrian@MacBook-Pro:/Volumes$ sudo nano /etc/wireguard/wg0.conf \n[Interface]\nAddress = 192.168.99.2/24\nPrivateKey = \u003cclient1_private.key\u003e\n\n[Peer]\nEndpoint = your.publicdns.com:51820\nPublicKey = \u003cserver_public.key\u003e\nAllowedIPs = 192.168.99.1/32, 192.168.1.0/24\n```\n\n**192.168.1.0/24** is my remote LAN subnet, if you add here your own network, you can access remote LAN devices from the client.\n\n```console\nadrian@MacBook-Pro:/Volumes$ sudo wg-quick up wg0 \nWarning: '/private/etc/wireguard/wg0.conf' is world accessible\n\n\n[#] wireguard-go utun\nINFO: (utun3) 2018/12/19 00:14:21 Starting wireguard-go version 0.0.20181018\n\n[+] Interface for wg0 is utun3\n[#] wg setconf utun3 /dev/fd/63\n[#] ifconfig utun3 inet 192.168.99.2/24 192.168.99.2 alias\n[#] ifconfig utun3 mtu 1416\n[#] ifconfig utun3 up\n[#] route -q -n add -inet 192.168.99.1/32 -interface utun3\n[+] Backgrounding route monitor\n```\n\nCheck if Wireguard is working:\n\n```console\nadrian@MacBook-Pro:/Volumes$ sudo wg\ninterface: utun3\npublic key: ht4+w8Tk28hFQCpXWnL4ftGAu/IwtMvD2yEZ+1hp7zA=\nprivate key: (hidden)\nlistening port: 53694\n\npeer: Aj2HHAutB2U0O56jJBdkZ/xgb9pnmUPJ0IeiuACLLmI=\nendpoint: your.publicdns.com:51820\nallowed ips: 192.168.99.1/32\n\nadrian@MacBook-Pro:/Volumes$ ping 192.168.99.1\n\nPING 192.168.99.1 (192.168.99.1): 56 data bytes\n64 bytes from 192.168.99.1: icmp_seq=0 ttl=64 time=13.447 ms\n^C\n--- 192.168.99.1 ping statistics ---\n\n3 packets transmitted, 3 packets received, 0.0% packet loss\nround-trip min/avg/max/stddev = 4.565/8.495/13.447/3.697 ms\n```\n\n**Mobile clients (iOS, Android)**\n\nGenerate key pairs:\n\n```console\npi@raspberrypi:~/wgkeys $ wg genkey \u003e client2_private.key\nWarning: writing to world accessible file.\nConsider setting the umask to 077 and trying again.\n\npi@raspberrypi:~/wgkeys $ wg pubkey \u003e client2_public.key \u003c client2_private.key\n```\n\nTo the bottom of your config add:\n\n```console\npi@raspberrypi:~/wgkeys $ sudo nano /etc/wireguard/wg0.conf\n[Peer]\n#Client2\nPublicKey = \u003cclient2_public.key\u003e\nAllowedIPs = 192.168.99.3/32\n\npi@raspberrypi:~/wgkeys $ sudo wg-quick down wg0\npi@raspberrypi:~/wgkeys $ sudo wg-quick up wg0\n```\n\n**iOS configuration**\n\nDownload and install official Wireguard app: Wireguard beta is available in the [App Store](https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1\u0026mt=8).\n\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"500\" src=\"https://raw.githubusercontent.com/adrianmihalko/raspberrypiwireguard/master/ios-config.jpg\"\u003e\n\u003c/p\u003e\n\n**Android configuration**\n\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"460\" src=\"https://raw.githubusercontent.com/adrianmihalko/raspberrypiwireguard/master/android-screen.jpg\"\u003e\n\u003c/p\u003e\n\n**Additional INFO:**\n\nIf you put **0.0.0.0/0** in AllowedIPs on clients, all traffic will be redirected trough this interface.\n\n**Q\u0026A:**\n\n**Q: No network problems if the lans are in the same dhcp range?**\n\nA: You can't have same dhcp range on both sides. There are workarounds, but it is not trivial to set up.\n\n**Q: Do you need port forward?**\n\nA: Yes, you need to forward one port, type: UDP. In example we used port 51820.\n\n**Q: Can you make a VM with Wireguard instead of a Raspberry Pi?**\n\nA: Of course you can, there is no restriction, the configuration is the same. Virtual machine, physical machine, doesn’t matter.\n\n**Resources:**\n\n**WireGuard website:**\nhttps://www.wireguard.com\n\n**WireGuard presentation**\nhttps://www.wireguard.com/talks/eindhoven2018-slides.pdf\n\n**Actual version of this guide is available at:**\nhttps://github.com/adrianmihalko/raspberrypiwireguard/\n  \n\n**TODO:**\n\n-   Port forwarding on router UDP 51820    \n-   Double WARN users for using the right key at the right place\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadrianmihalko%2Fraspberrypiwireguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadrianmihalko%2Fraspberrypiwireguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadrianmihalko%2Fraspberrypiwireguard/lists"}