@CausticD
Last active September 26, 2022 03:35
Wireguard Setup on Raspberry Pi 4
This installation guide assumes you are working from a Windows machine. It is mainly for me to document the process so that I can do it again when I break something!
Phase 1: Get a working copy of an up-to-date Raspbian on the Pi:
(Follow guide for basic Raspbian here: https://gist.github.com/CausticD/06e74f178e0772a1717a5d9a232d2bd9#file-basicraspbian-txt)
Phase 2: Install Wireguard
Links:
https://www.wireguard.com/install/
https://github.com/kabl/raspberry-wireguard
https://monsterjam.org/blog/blog.pl/20181204144314
https://github.com/adrianmihalko/raspberrypiwireguard
1) sudo apt-get install raspberrypi-kernel-headers libmnl-dev libelf-dev build-essential pkg-config git qrencode
2) sudo reboot now
3) git clone https://git.zx2c4.com/WireGuard
4) cd WireGuard/
5) cd src/
6) make
7) sudo make install
Phase 3: Generate keys and config files
This part requires the scripts posted alongside this gist. To transfer them to the Pi, try WinSCP (https://winscp.net/eng/download.php): put them in a folder called wgkeys in your home directory, and make sure to set the permissions for the shell files. Crucially, you MUST manually edit the two 'template' files:
-) Replace <PORT> with a port number, e.g. 51234
-) Replace <DDNS> with a domain name, e.g. myvpn.myddns.org
-) Check that eth0 is correct for you
The scripts will automatically replace the remaining placeholders, such as <server-privatekey>.
1) Run 'genkeys.sh'
2) Run 'genconfigs.sh'
3) Install WireGuard app on client (e.g. on iOS: https://apps.apple.com/us/app/wireguard/id1441195209)
4) Run 'showclientqr.sh' and use QR code to transfer settings
5) Run 'up.sh'
6) Check it is working using 'sudo wg'
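A pre-flight check that can be run between steps 2 and 5, shown here as an added example that is not part of the original gist: it confirms that no template placeholder (such as <PORT> or <DDNS>) survived into the generated configs, and that every file holding a private key is readable by its owner only. The function names and the script name are hypothetical; it assumes GNU stat, as shipped with Raspbian.

```bash
#!/bin/bash
# Added example (not part of the gist): pre-flight check for the wgkeys folder.
# Function names are hypothetical; file names are the ones the gist's scripts create.

# Fail if FILE is missing or still contains a <...> template token.
check_placeholders() {
    local file="$1"
    [ -f "$file" ] || { echo "ERROR: $file is missing" >&2; return 1; }
    if grep -nE '<[A-Za-z-]+>' "$file"; then
        echo "ERROR: unreplaced placeholder(s) in $file" >&2
        return 1
    fi
}

# Fail if group or others have any access to FILE (mode must end in 00, e.g. 600).
check_private() {
    local file="$1" mode
    mode=$(stat -c '%a' "$file") || return 1   # GNU stat, as shipped with Raspbian
    case "$mode" in
        *00) return 0 ;;
        *)   echo "ERROR: $file has mode $mode; fix with: chmod 600 $file" >&2
             return 1 ;;
    esac
}

# Run both checks over everything genkeys.sh and genconfigs.sh write into DIR.
# clientqr.png is included because it encodes client.conf, private key and all.
preflight() {
    local dir="${1:-.}" rc=0 f
    for f in wg0.conf client.conf; do
        check_placeholders "$dir/$f" || rc=1
    done
    for f in server_privatekey client_privatekey wg0.conf client.conf clientqr.png; do
        check_private "$dir/$f" || rc=1
    done
    return "$rc"
}

# Usage: bash preflight.sh /home/pi/wgkeys   (preflight.sh is a hypothetical name)
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```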
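# Remove every generated key, config and QR image so that genkeys.sh and genconfigs.sh start from scratch.
rm server_privatekey
rm server_publickey
rm client_privatekey
rm client_publickey
rm wg0.conf
rm client.conf
rm clientqr.png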
[Interface]
PrivateKey = <client-privatekey>
Address = 10.100.100.2/32
DNS = 192.168.1.2
[Peer]
PublicKey = <server-publickey>
Endpoint = <DDNS>:<PORT>
AllowedIPs = 10.100.100.1/32, 192.168.1.0/24
# Take down the tunnel that was brought up from wg0.conf.
sudo wg-quick down /home/pi/wgkeys/wg0.conf
# The generated configs and the QR image contain private keys: create them readable by the owner only.
umask 077
# Load the keys written by genkeys.sh.
var_server_private=$(cat server_privatekey)
var_server_public=$(cat server_publickey)
var_client_private=$(cat client_privatekey)
var_client_public=$(cat client_publickey)
# Server config: copy the template, then fill in the key placeholders.
SERVERFILE=wg0.conf
cp server_config_template "$SERVERFILE"
sed -i "s|<server-privatekey>|$var_server_private|g" "$SERVERFILE"
sed -i "s|<server-publickey>|$var_server_public|g" "$SERVERFILE"
sed -i "s|<client-privatekey>|$var_client_private|g" "$SERVERFILE"
sed -i "s|<client-publickey>|$var_client_public|g" "$SERVERFILE"
# Client config: same substitution ('|' is the sed delimiter because base64 keys can contain '/').
CLIENTFILE=client.conf
cp client_config_template "$CLIENTFILE"
sed -i "s|<server-privatekey>|$var_server_private|g" "$CLIENTFILE"
sed -i "s|<server-publickey>|$var_server_public|g" "$CLIENTFILE"
sed -i "s|<client-privatekey>|$var_client_private|g" "$CLIENTFILE"
sed -i "s|<client-publickey>|$var_client_public|g" "$CLIENTFILE"
# Also save the client config as a QR code image.
qrencode -t PNG -o clientqr.png < "$CLIENTFILE"
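#!/bin/bash
# Create the key files readable by the owner only, so the private keys are not world-readable.
umask 077
FILE=server_privatekey
if [ ! -f "$FILE" ]; then
    echo "Generating public and private keys."
    # tee saves each private key to disk while wg pubkey derives the matching public key.
    wg genkey | tee "$FILE" | wg pubkey > server_publickey
    wg genkey | tee client_privatekey | wg pubkey > client_publickey
else
    echo "Key creation skipped. Private key exists. Delete $FILE to force recreation of all server and client keys."
fi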
[Interface]
Address = 10.100.100.1/24
DNS = 192.168.1.2
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = <PORT>
PrivateKey = <server-privatekey>
[Peer]
PublicKey = <client-publickey>
AllowedIPs = 10.100.100.2/32
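# Show the client config as a QR code in the terminal, to be scanned by the WireGuard app.
qrencode -t ansiutf8 < client.conf
# Bring up the tunnel from the generated server config.
sudo wg-quick up /home/pi/wgkeys/wg0.conf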