A Beginner’s Guide to Setting Up a Site-to-Site VPN Server with WireGuard on Raspberry Pi (2024)

Virtual Private Networks (VPNs) have become increasingly popular for securing communications and connecting networks over the internet. WireGuard is a modern and efficient open-source VPN protocol known for its simplicity, speed, and robust security features. In this guide, we’ll walk you through setting up a site-to-site VPN server using WireGuard on a Raspberry Pi, enabling two networks to communicate securely.

Prerequisites

Before we begin, make sure you have the following:

  1. Two Raspberry Pi devices — one will act as the VPN server, and the other as the client.
  2. A basic understanding of Linux commands and terminal usage.

Step 1: Update and Upgrade your Raspberry Pi

Open a terminal on both Raspberry Pi devices and run the following commands to ensure they are up to date:

sudo apt update
sudo apt upgrade

Step 2: Install WireGuard on both Raspberry Pi devices

To install WireGuard, use the package manager on both Raspberry Pi devices:

sudo apt install wireguard

Step 3: Generate Public and Private Keys

WireGuard uses public-key cryptography for secure communication. On both Raspberry Pi devices, generate the private and public keys by running the following command:

sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey'

This command creates a private key and saves it to /etc/wireguard/privatekey, then derives the corresponding public key and saves it to /etc/wireguard/publickey. The umask 077 makes both files readable by root only, so the private key is not exposed to other local users.

Step 4: Configure the WireGuard Server

On the Raspberry Pi acting as the VPN server, create the WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Add the following content to the file, replacing `SERVER_PRIVATE_KEY` with the server’s private key and `CLIENT_PUBLIC_KEY` with the client’s public key, both generated in Step 3:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32, 192.168.2.0/24

Explanation:

  • [Interface]: This section defines the server’s WireGuard interface settings.
  • Address: Specifies the IP address and subnet for the server. Here, the server will have the IP address 10.0.0.1 within the 10.0.0.0/24 subnet.
  • ListenPort: The port on which the server will listen for incoming VPN connections. This port should be accessible from the internet, so ensure you enable port forwarding on your home router (more on that later).
  • PrivateKey: The server’s private key (from Step 3).
  • [Peer]: This section defines the client’s settings, allowing the client Raspberry Pi to connect to the server.
  • PublicKey: The client’s public key (from Step 3).
  • AllowedIPs: The IP ranges that the server routes to this peer through the VPN and accepts as source addresses from it. Here, it’s set to 10.0.0.2/32 (only the client’s VPN IP) and 192.168.2.0/24 (the local subnet of the client). The server’s own local subnet, 192.168.1.0/24, must not be listed here, because that would route the server’s local traffic into the tunnel.

Step 5: Configure the WireGuard Client

On the Raspberry Pi acting as the client, create the WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Add the following content to the file, replacing CLIENT_PRIVATE_KEY with the client’s private key and SERVER_PUBLIC_KEY with the server’s public key (both generated in Step 3), and SERVER_PUBLIC_IP with the public IP address of the server Raspberry Pi:

[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
Endpoint = SERVER_PUBLIC_IP:51820

Explanation:

  • [Interface]: This section defines the client’s WireGuard interface settings.
  • Address: Specifies the IP address and subnet for the client. Here, the client will have the IP address 10.0.0.2 within the 10.0.0.0/24 subnet.
  • PrivateKey: The client’s private key (from Step 3).
  • [Peer]: This section defines the server’s settings, allowing the client to connect to it.
  • PublicKey: The server’s public key (from Step 3).
  • AllowedIPs: The IP ranges that the client routes to this peer through the VPN and accepts as source addresses from it. Here, it’s set to 10.0.0.1/32 (only the server’s VPN IP) and 192.168.1.0/24 (the local subnet of the server). The client’s own local subnet, 192.168.2.0/24, must not be listed here.

Step 6: Enable IP Forwarding

IP forwarding must be enabled on the server to allow traffic between the VPN and the local network:

sudo nano /etc/sysctl.conf

Uncomment the line `net.ipv4.ip_forward=1`, if it exists, or add it to the file. Save the file and apply the changes:

sudo sysctl -p

Step 7: Enable Port Forwarding on the Home Router

For the site-to-site VPN to work, the Raspberry Pi acting as the server must have a public IP address. This means you need to ensure the server Raspberry Pi is accessible from the internet. If your home network uses a router, you’ll need to set up port forwarding.

Access your home router’s configuration page and navigate to the port forwarding section. Add a new port forwarding rule to forward traffic from the external port (e.g., 51820) to the internal IP address of the Raspberry Pi acting as the server (e.g., 10.0.0.1) on the same port.

Step 8: Start the WireGuard Interface

On both the server and client Raspberry Pi devices, start the WireGuard interface:

sudo wg-quick up wg0

Step 9: Enable WireGuard on System Startup

To ensure WireGuard starts automatically on boot, enable the service:

sudo systemctl enable wg-quick@wg0

Step 10: Test the VPN Connection

With both the server and client WireGuard interfaces up and running, you can verify the connection status on both devices using the following command:

sudo wg show

This command will display the current WireGuard connection details, and you should see that both the server and client are connected.
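
The checks below go one step further than reading the wg show output by eye. This is an added example, not part of the original guide: the script name wg-check.sh, the function names and the 180-second handshake threshold are assumptions, and stat -c requires GNU coreutils as shipped on Raspberry Pi OS.

```shell
#!/bin/sh
# Added example: post-setup checks for the wg0 tunnel from this guide.

# Succeeds only if FILE grants nothing to group/others (e.g. mode 600).
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print every AllowedIPs entry in CONF that equals LOCAL_LAN. A peer's
# AllowedIPs must name the *remote* networks; listing your own LAN there
# sends local traffic into the tunnel. Exact CIDR match only.
own_lan_in_allowed_ips() {
    awk -v lan="$2" -F'=' '
        tolower($1) ~ /^[ \t]*allowedips[ \t]*$/ {
            n = split($2, ips, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", ips[i])
                if (ips[i] == lan) print ips[i]
            }
        }' "$1"
}

# Read `wg show wg0 latest-handshakes` output (public key, TAB, epoch seconds)
# on stdin; print peers with no handshake yet or one older than MAX_AGE
# seconds (assumed default 180). Handshakes only happen when traffic flows,
# so ping the other side's VPN address before running this.
stale_peers() {
    awk -v now="$1" -v max="${2:-180}" '$2 == 0 || now - $2 > max { print $1 }'
}

# Live run: sudo sh wg-check.sh run <this site's LAN CIDR>
if [ "${1:-}" = "run" ]; then
    key_is_private /etc/wireguard/privatekey ||
        echo "WARN: private key is readable by group/others"
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] ||
        echo "WARN: IPv4 forwarding is off"
    [ -z "$(own_lan_in_allowed_ips /etc/wireguard/wg0.conf "${2:-}")" ] ||
        echo "WARN: own LAN ${2:-} is listed in a peer's AllowedIPs"
    for peer in $(wg show wg0 latest-handshakes | stale_peers "$(date +%s)"); do
        echo "WARN: no recent handshake with peer $peer"
    done
fi
```

On the server, run it as sudo sh wg-check.sh run 192.168.1.0/24; on the client, pass 192.168.2.0/24. No output means all four checks passed.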

Conclusion

Congratulations! You’ve successfully set up a site-to-site VPN server using WireGuard on Raspberry Pi. This setup allows secure communication between two networks over the internet, and now local devices on both sides of the VPN can access each other. WireGuard’s efficiency, security, and simplicity make it an excellent choice for creating VPN connections between different devices and networks. Remember to adjust firewall rules and routing as necessary to ensure proper traffic flow and network security. Happy networking!

Author: Terrell Hackett
