Derived from:
https://drexl.me/guides/wireguard-pihole-vpn-setup.html
https://www.reddit.com/r/pihole/comments/bnihyz/guide_how_to_install_wireguard_on_a_raspberry_pi/
PART 1: SETUP WIREGUARD
Most of this is done as root/super user:
sudo su
For Raspberry Pi:
apt-get install raspberrypi-kernel-headers libmnl-dev libelf-dev build-essential git
git clone https://git.zx2c4.com/WireGuard
cd WireGuard/
cd src/
make
make install
For Debian/Ubuntu:
apt install wireguard
WireGuard will start installing. When it is finished, reboot:
sudo reboot
PART 2: GENERATE KEYS FOR SERVER AND CLIENT
After rebooting, verify that IP forwarding is turned on (the output should be 1):
sudo sysctl net.ipv4.ip_forward
If it's not on: sudo sysctl net.ipv4.ip_forward=1
(Note that a value set this way is lost at the next reboot; put net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it permanent.)
sudo su
cd /etc/wireguard
umask 077
wg genkey | tee client1_privatekey | wg pubkey > client1_publickey
wg genkey | tee server_privatekey | wg pubkey > server_publickey
ls
Look for the key files to verify that all four keys were generated, then print them:
cat server_publickey
cat server_privatekey
cat client1_publickey
cat client1_privatekey
Put these in a text file to use in the next two parts.
PART 3: CONFIGURE WIREGUARD SERVER
While still root:
nano /etc/wireguard/wg0.conf
This is a default wg0.conf file. Be sure to change:
Address: to a subnet not in use
ListenPort: to a port open to the server through your router
DNS: to your PiHole, Google (8.8.8.8, 8.8.4.4), or Cloudflare (1.1.1.1, 1.0.0.1)
PostUp/PostDown: change eth0 to your ethernet or wlan interface as needed
AllowedIPs: in the Peer section, to the PiHole if you want that to be your DNS
[Interface]
Address = 10.0.0.1/24
ListenPort = xxxxx
DNS = 192.168.1.xx
PrivateKey = xxxServer_PrivateKeyxxx
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = xxxClient1_PublicKeyxxx
AllowedIPs = 10.0.0.2/32, 192.168.1.x/32
Exit and save the changes.
PART 4: CONFIGURE WIREGUARD CLIENT
nano /etc/wireguard/client1.conf
Copy and paste the following and make changes as needed (see notes in Part 3):
[Interface]
Address = 10.0.0.2/32
DNS = 192.168.1.X
PrivateKey = xxxclient1_privatekeyxxx
[Peer]
PublicKey = xxxserver_publickeyxxx
Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
AllowedIPs = 0.0.0.0/0
PART 5: EXPORT THE CLIENT CONFIGURATION TO YOUR PHONE USING QR CODE
apt install qrencode
qrencode -t ansiutf8 < /etc/wireguard/client1.conf
Scan it with the WireGuard app of your choice.
PART 6: FINALIZE INSTALLATION
After your client profile has been imported to your phone, run the following commands to finish the installation on the Pi:
systemctl enable wg-quick@wg0
chown -R root:root /etc/wireguard/
chmod -R og-rwx /etc/wireguard/*
The first command enables WireGuard to autostart on boot; the last two secure the contents of '/etc/wireguard', which contains your private and public keys plus the VPN configuration files.
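Before bringing the interface up it is worth catching the mistakes these parts invite: a template value from Part 3 or 4 left in place, a malformed key, or a config file that Part 6's chmod never reached. The following pre-flight lint is an added example, not part of the original guide; it needs only sh, sed, grep and ls (wg does not have to be installed), and the function name check_wg_conf is my own.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a wg0.conf / client1.conf
# written from the Part 3/4 templates before running "wg-quick up".
# Usage: check_wg_conf /etc/wireguard/wg0.conf   (exit status 0 = looks sane)

value_of() {  # value_of KEY FILE -> value of the first "Key = value" line, trimmed
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

check_wg_conf() {
    conf="$1"; rc=0
    fail() { echo "FAIL [$conf]: $1" >&2; rc=1; }
    [ -f "$conf" ] || { fail "file not found"; return 1; }

    # Octets such as 192.168.1.X / 192.168.1.xx were never filled in
    grep -Eiq '=.*\.x+([[:space:],/]|$)' "$conf" && fail "unfilled x placeholder in an address"

    # 32 raw key bytes base64-encode to exactly 43 characters plus one '='
    value_of PrivateKey "$conf" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
        || fail "PrivateKey is missing or not a base64 WireGuard key"
    value_of PublicKey "$conf" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
        || fail "[Peer] PublicKey is missing or not a base64 WireGuard key"
    value_of Address "$conf" | grep -Eq '^[0-9.]+/[0-9]+' \
        || fail "Address needs a CIDR suffix, e.g. 10.0.0.1/24"

    # ListenPort (server side) must be a number in 1..65535, not "xxxxx"
    port=$(value_of ListenPort "$conf")
    case "$port" in
        '') ;;
        *[!0-9]*) fail "ListenPort is not numeric" ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || fail "ListenPort out of range" ;;
    esac

    # Endpoint (client side) must be host:port with a numeric port
    ep=$(value_of Endpoint "$conf")
    [ -z "$ep" ] || echo "$ep" | grep -Eq '^.+:[0-9]+$' || fail "Endpoint must be host:port"

    grep -q '^\[Peer\]' "$conf" || fail "no [Peer] section"
    [ -n "$(value_of AllowedIPs "$conf")" ] || fail "AllowedIPs missing"

    # Part 6: key material must not be readable by group or other
    case "$(ls -ld "$conf" | cut -c5-10)" in
        ------) ;;
        *) fail "permissions too open: run chmod og-rwx on it" ;;
    esac
    return $rc
}
```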
PART 7: PiHole SETTINGS
Finally, go to your Pi-hole admin console, 'Settings > DNS', tick the following and save:
Listen on all interfaces (Allows only queries from devices that are at most one hop away (local devices))
That's it, you're done!
PART 8: CHECK IF IT'S WORKING
You can start WireGuard using the following command:
sudo wg-quick up wg0
Replace 'up' with 'down' in the same command to stop the service.
Now REBOOT your Pi and type sudo wg show in the terminal to see the status of your wg instance.