
@jrossmanjr
Created May 13, 2019 03:52
Wireguard Install - Full Tunnel with PiHole

# Wireguard Setup Directions

Derived from:

https://drexl.me/guides/wireguard-pihole-vpn-setup.html

https://www.reddit.com/r/pihole/comments/bnihyz/guide_how_to_install_wireguard_on_a_raspberry_pi/


PART 1: SETUP WIREGUARD

Most of this is done as root/superuser:

sudo su

-For Raspberry Pi

  • apt-get install raspberrypi-kernel-headers libmnl-dev libelf-dev build-essential git

  • git clone https://git.zx2c4.com/WireGuard

  • cd WireGuard/

  • cd src/

  • make

  • make install

-For Debian/Ubuntu

  • apt install wireguard

Wireguard will start installing.

sudo reboot


PART 2: GENERATE KEYS FOR SERVER AND CLIENT

After rebooting, verify that IP forwarding is turned on (the output should be 1):

sudo sysctl net.ipv4.ip_forward

If it's not on:

sudo sysctl net.ipv4.ip_forward=1

sudo su

cd /etc/wireguard

umask 077

wg genkey | tee client1_privatekey | wg pubkey > client1_publickey

wg genkey | tee server_privatekey | wg pubkey > server_publickey

ls (check that the 4 key files were generated)

cat server_publickey

cat server_privatekey

cat client1_publickey

cat client1_privatekey

Put these in a text file to use in the next 2 parts.


PART 3: CONFIGURE WIREGUARD SERVER

While still root

nano /etc/wireguard/wg0.conf

This is a default wg0.conf file. Be sure to change:

  • Address: to a subnet not in use
  • ListenPort: to a port open to the server through your router
  • DNS: to your PiHole, Google (8.8.8.8, 8.8.4.4), or Cloudflare (1.1.1.1, 1.0.0.1)
  • PostUp/PostDown: change eth0 to your ethernet or wlan interface as needed
  • AllowedIPs: in the Peer section, add the PiHole's address if you want it to be your DNS

[Interface]
Address = 10.0.0.1/24
ListenPort = xxxxx
DNS = 192.168.1.xx
PrivateKey = xxxServer_PrivateKeyxxx
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = xxxClient1_PublicKeyxxx
AllowedIPs = 10.0.0.2/32, 192.168.1.x/32

Exit and save the changes


PART 4: CONFIGURE WIREGUARD CLIENT

nano /etc/wireguard/client1.conf

Copy and paste the following and make changes as needed (see notes in Part 3):

[Interface]
Address = 10.0.0.2/32
DNS = 192.168.1.X
PrivateKey = xxxclient1_privatekeyxxx
[Peer]
PublicKey = xxxserver_publickeyxxx
Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
AllowedIPs = 0.0.0.0/0
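
Before handing the client profile to the phone, it is worth checking the two files against each other. The script below is an added example (not part of this gist): it parses the wg-quick INI format and flags the mistakes this guide's template invites, such as an "xxx" placeholder left in place, a server [Peer] AllowedIPs that does not cover the client's Address, a client AllowedIPs that is not 0.0.0.0/0 (so not a full tunnel), an Endpoint port that differs from ListenPort, or a missing DNS line. The embedded configs are constructed samples with made-up keys; the hostname and port are assumptions.

```python
import ipaddress

# Constructed sample pair in the layout of wg0.conf and client1.conf above; keys are made-up placeholders.
SERVER_CONF = """[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = xxxServer_PrivateKeyxxx
[Peer]
PublicKey = c1pubc1pubc1pubc1pubc1pubc1pubc1pubc1pubc1o=
AllowedIPs = 10.0.0.2/32
"""
CLIENT_CONF = """[Interface]
Address = 10.0.0.2/32
DNS = 192.168.1.2
PrivateKey = c1privc1privc1privc1privc1privc1privc1privo=
[Peer]
PublicKey = srvpubsrvpubsrvpubsrvpubsrvpubsrvpubsrvpubo=
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0
"""

def parse_wg(text):
    """Parse wg-quick INI text into {section: {key: value}} (keys of repeated [Peer]s are merged)."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:    # split once: base64 keys may end in '='
            k, v = (s.strip() for s in line.split("=", 1))
            cur[k] = v
    return conf

def check_pair(server_text, client_text):
    """Return a list of problems in a server/client config pair; [] means consistent."""
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    problems = [f"{who} {s}.{k}: template placeholder '{v}' not replaced"   # 'xxx...' / 'YOUR-...'
                for who, conf in (("server", srv), ("client", cli))
                for s, kv in conf.items() for k, v in kv.items() if "xxx" in v.lower() or "YOUR-" in v]
    c_ip = ipaddress.ip_interface(cli.get("Interface", {}).get("Address", "0.0.0.0/32")).ip
    allowed = [ipaddress.ip_network(a.strip()) for a in srv.get("Peer", {}).get("AllowedIPs", "").split(",") if a.strip()]
    if not any(c_ip in n for n in allowed):   # cryptokey routing: the server would drop the client's packets
        problems.append(f"server [Peer] AllowedIPs does not cover the client Address {c_ip}")
    if "0.0.0.0/0" not in cli.get("Peer", {}).get("AllowedIPs", ""):
        problems.append("client AllowedIPs lacks 0.0.0.0/0, so this is not a full tunnel")
    if cli.get("Peer", {}).get("Endpoint", "").rsplit(":", 1)[-1] != srv.get("Interface", {}).get("ListenPort"):
        problems.append("client Endpoint port does not match the server ListenPort")
    if not cli.get("Interface", {}).get("DNS"):
        problems.append("client has no DNS entry, so lookups will not go to the Pi-hole")
    return problems
```

Run it with your own files by passing their contents to check_pair(); on the samples above it reports only the server PrivateKey placeholder.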

PART 5: EXPORT THE CLIENT CONFIGURATION TO YOUR PHONE USING QR CODE

apt install qrencode

qrencode -t ansiutf8 < /etc/wireguard/client1.conf

Scan it with the WireGuard app of your choice.


PART 6: FINALIZE INSTALLATION

After your client profile has been imported to your phone, run the following commands to finish the installation on the Pi:

systemctl enable wg-quick@wg0

chown -R root:root /etc/wireguard/

chmod -R og-rwx /etc/wireguard/*

The first command enables WireGuard to autostart on boot, and the last two commands secure the contents of '/etc/wireguard', as it contains your private and public keys plus the VPN configuration files.


PART 7: PiHole SETTINGS

Finally, go to your Pi-hole's admin console, 'Settings > DNS', tick the following, then save:

Listen on all interfaces (allows only queries from devices that are at most one hop away, i.e. local devices)

That's it, you're done!


PART 8: CHECK IF IT'S WORKING

You can start wireguard using the following command:

sudo wg-quick up wg0

Just replace 'up' with 'down' on the same command to stop the service.

Now reboot your Pi and type sudo wg show in the terminal to see the status of your wg instance.
