Wireguard
Yesterday I configured an old Raspberry Pi 4B (2019q2) with 4GB of memory.
$ raspinfo | head -n 15
System Information
------------------
Raspberry Pi 4 Model B Rev 1.2
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
Raspberry Pi reference 2025-05-13
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, 5dabc7dc940059dfbc46af5d97b60a1e812523dd, stage2
Linux nat02 6.12.34+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.12.34-1+rpt1~bookworm (2025-06-26) aarch64 GNU/Linux
Revision : c03112
Serial : 10000000daf48c29
...
The plan is to install it on e remote location with internet. I will use it as a offsite backup location.
Install wireguard
Create private and public key
Do this on the server and the client:
root@vpn01:/etc/wireguard# ( umask 0077 && wg genkey | tee privatekey | wg pubkey > publickey )
Create server config: /etc/wireguard/wg0.conf:
[Interface]
Address = 192.168.29.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = U*****************************************U=
[Peer]
PublicKey = z*****************************************Y=
AllowedIPs = 192.168.29.8/32
# [Peer]
# PublicKey = OTHER_CLIENT_PUBLIC_KEY
# AllowedIPs = ...
Create client config: /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = o*****************************************o=
Address = 192.168.29.8/32
DNS = 192.168.23.100 192.168.23.101
[Peer]
PublicKey = 9*****************************************4=
AllowedIPs = 0.0.0.0/0
Endpoint = 86.83.251.246:51820
# Endpoint = 192.168.24.101:51820
PersistentKeepalive = 20
Ensure wireguard is active. On both the server and the client:
$ sudo systemctl start wg-quick@wg0
$ sudo systemctl enable wg-quick@wg0
Check wireguard on the client:
cees@nas02:~$ sudo wg show
interface: wg0
public key: z*****************************************Y=
private key: (hidden)
listening port: 35470
fwmark: 0xca6c
peer: 9*****************************************4=
endpoint: 86.83.251.246:51820
allowed ips: 0.0.0.0/0
latest handshake: 40 seconds ago
transfer: 8.25 MiB received, 895.26 KiB sent
persistent keepalive: every 20 seconds
cees@nas02:~$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether dc:a6:32:b2:73:b9 brd ff:ff:ff:ff:ff:ff
inet 192.168.23.37/24 brd 192.168.23.255 scope global dynamic noprefixroute eth0
valid_lft 83318sec preferred_lft 83318sec
inet6 fe80::6c6:f835:3d0d:db01/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether dc:a6:32:b2:73:ba brd ff:ff:ff:ff:ff:ff
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.29.8/32 scope global wg0
valid_lft forever preferred_lft forever
After a start, the client automatically connects to my external IP address and connects to the VPN server.
The client can connect to the vpn01 server in my homelab.
In reverse, by using vpn01 as proxy, I can connect to nas02.
By using vpn01 as proxy, connections in both directions are possible.
cees@laptop01:~$ ssh -J vpn01.griend.dev nas02.griend.dev
Last login: Sat Sep 6 16:28:16 2025 from 192.168.29.1
Wi-Fi is currently blocked by rfkill.
Use raspi-config to set the country before use.