In this project, we will show you how to set up a WireGuard VPN on the Raspberry Pi.
WireGuard is a new VPN protocol that has recently been gaining a lot of popularity.
There are a couple of advantages to using the WireGuard VPN on your Raspberry Pi over OpenVPN.
WireGuard is much faster at making connections than OpenVPN; it can complete a connection within a tenth of a second.
The codebase for WireGuard is also drastically smaller than OpenVPN’s. This allows the software to be more secure, thanks to the smaller attack surface and bugs being easier to deal with.
For comparison’s sake, WireGuard only uses 4,000 lines of code compared to the 70,000+ lines of code that OpenVPN uses.
The only notable disadvantage of WireGuard is that it stores connecting users’ IP addresses. It does this to improve the connection speed.
By the end of this tutorial, you will have a WireGuard powered VPN running on your Raspberry Pi.
Equipment List
Below is the list of equipment that we used to set up WireGuard on our Raspberry Pi.
Recommended
- Raspberry Pi
- Micro SD Card
- Ethernet Cable or Wi-Fi
- Power Supply
This project on setting up a WireGuard VPN was tested on a Raspberry Pi 4 running the latest available version of Raspberry Pi OS Lite.
Video
This video will walk you through the steps of installing the WireGuard VPN to your Raspberry Pi.
We will also show an example of adding a WireGuard tunnel to a device using the generated QR code.
If you run into any issues, be sure to check out the written version of our guide below.
Preparing your Raspberry Pi to install the WireGuard VPN
In this section, we will do some initial preparatory work to make sure our Raspberry Pi is ready to install the WireGuard VPN software.
1. The first thing we need to do is ensure our Raspberry Pi is using the latest available packages.
We can do that by running the following two commands.
sudo apt update
sudo apt full-upgrade
2. Next, we need to install the only package required to run the install script.
While this package should be available on most distributions of the Raspbian operating system, we will make sure by running the command below.
sudo apt install curl -y
Installing WireGuard on the Raspberry Pi
Within this section, we are going to make use of the PiVPN script to install WireGuard.
PiVPN makes installing WireGuard on our Raspberry Pi straightforward. The script sets up the best defaults for our device.
Starting the PiVPN Install Script
1. Let us start the installation process by running the following command.
curl -L https://install.pivpn.io | bash
This command will use curl to download the PiVPN setup script from their website and then pipe it straight to bash.
You can verify this script’s contents by opening https://install.pivpn.io directly in your web browser.
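An alternative to piping the download straight into bash, shown here as an added example that is not part of the original guide or of PiVPN: save the script to a file, check it, read it, and then run exactly the copy you reviewed. The function names and the local file name pivpn-install.sh are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide or PiVPN): stage an installer
# on disk, review it, then run the reviewed copy instead of `curl | bash`.
# Function names and the local file name are assumptions.

# --proto '=https' refuses a non-HTTPS URL; --fail aborts on an HTTP error
# instead of saving the error page as the "installer".
fetch_installer() {   # usage: fetch_installer URL DEST
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 --output "$2" "$1"
}

# Reject a file that is empty, lacks a shebang, or does not parse as bash
# (bash -n catches a script cut off mid-construct). Prints the SHA-256.
check_installer() {   # usage: check_installer FILE
    local file=$1
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    head -n 1 "$file" | grep -q '^#!' || { echo "no shebang: $file" >&2; return 1; }
    bash -n "$file" 2>/dev/null || { echo "does not parse as bash: $file" >&2; return 1; }
    sha256sum "$file" | cut -d ' ' -f 1
}

# Run FILE only if its hash still equals the one recorded at review time.
run_reviewed() {      # usage: run_reviewed FILE EXPECTED_SHA256
    local actual
    actual=$(check_installer "$1") || return 1
    [ "$actual" = "$2" ] || { echo "hash changed since review: $1" >&2; return 1; }
    bash "$1"
}

# Typical session, left commented so sourcing this file downloads nothing:
#   fetch_installer https://install.pivpn.io pivpn-install.sh
#   reviewed=$(check_installer pivpn-install.sh)
#   less pivpn-install.sh
#   run_reviewed pivpn-install.sh "$reviewed"
```

Keeping the recorded hash alongside your notes also lets you tell later whether the installer you ran on one Pi is the same one you are about to run on another.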
Installing WireGuard to your Raspberry Pi
1. The first screen you will be greeted with will let you know what this script is about to do.
To start the WireGuard installation process, press the ENTER key.
2. The first thing that we will be configuring through this script is a static IP address.
This screen explains why your Raspberry Pi should have a static IP address when operating as a WireGuard VPN server.
Press the ENTER key to proceed.
3. You will be asked if you are already using DHCP reservation.
Using DHCP reservation allows you to make your router assign the same IP address to your Raspberry Pi each time.
In this guide, we are going to assume you haven’t used DHCP reservation and will move on to set a static IP address on the Pi itself.
Select the <No> option and press the ENTER key to continue.
4. To set a static IP address for the WireGuard software, the installation script will want to use your default settings.
If the default IP address and gateway look correct to you, then you can safely select the <Yes> option.
Continue with this WireGuard set up guide by pressing the ENTER key.
5. You will be warned that you can potentially run into IP conflicts when using this method.
The way around that is to use DHCP reservation. However, most routers should be smart enough to stop this from being a problem.
Press the ENTER key to continue.
6. This screen will tell you that you need to specify a local user to store the WireGuard configuration files.
Continue to the next screen by pressing the ENTER key.
7. You can now select from a list of available users.
Use the ARROW keys to highlight the user, then press the SPACEBAR to select it.
Once you are happy with the user you have selected, press the ENTER key.
8. Finally, we can select the VPN software we want to install.
As we want to install WireGuard to our Raspberry Pi, you can press the ENTER key to continue.
The reason for this is that the PiVPN script selects WireGuard by default.
9. This screen will allow you to change the port that WireGuard uses on your Raspberry Pi.
It is recommended to keep this the same unless you have a particular reason to change the port.
Press the ENTER key to confirm the specified port.
10. This screen just confirms the port that you set your Raspberry Pi WireGuard VPN to use.
Please note that to be able to access your WireGuard VPN from outside of your home network, you will need to port forward the port mentioned here. The type of this port is UDP.
Confirm that the port is still correct, then press the ENTER key to proceed.
11. We can now specify the DNS provider that we want to use for our VPN clients.
For our tutorial, we chose to use the Cloudflare one as it is relatively speedy, and they purge their logs every 24 hours.
Use the ARROW keys to navigate through this menu. Once you have found the DNS provider you want to use, press the SPACEBAR key.
If you are happy with your selection, press the ENTER key to confirm it.
12. You can choose between two different ways to access your WireGuard VPN.
Using your public IP address is the easiest option. However, this should only be used if you have a static IP address.
The other option is to use a domain name. You can set up this option by following our dynamic DNS guide.
For this guide, we will be sticking with using our public IP address.
Once you have selected the option you want, press the ENTER key to proceed.
13. The PiVPN script will now generate the server key that WireGuard requires.
All you need to do here is press the ENTER key again.
14. This screen will give you a quick rundown about unattended-upgrades and why you should enable them.
Go to the next step by pressing the ENTER key.
15. You can now enable the unattended-upgrades by selecting the <Yes> option.
We highly recommend that you enable these to ensure your Raspberry Pi will download security fixes regularly.
Not enabling this will potentially leave your WireGuard VPN vulnerable to attack.
Once you have selected the option you want, press the ENTER key to confirm it.
16. You have now successfully installed the WireGuard VPN software to your Raspberry Pi.
This screen will let you know that you still need to create profiles for the users, which we will cover in the next section.
Press the ENTER key to continue to the last two steps.
17. You will be asked whether you want to restart your Raspberry Pi before continuing.
We recommend that you choose the <Yes> option.
Once you have selected to reboot, press the ENTER key twice to restart.
Creating your First WireGuard Profile on your Raspberry Pi
Now that we have successfully installed the WireGuard software to our Raspberry Pi, we can create a profile for it.
To be able to create this profile, we will be making use of the PiVPN script again.
1. To begin creating a new profile for WireGuard, we need to run the following command.
sudo pivpn add
2. All you need to do is type in a name for the profile that you are creating.
For example, we will be calling our profile “PiMyLifeUp”.
Once you have created a profile, it will be stored within the directory specified in the output.
If you followed the previous steps and used the pi user, you will be able to find the config file within the /home/pi/configs directory.
You can use the config file within here to set up your WireGuard clients. However, there is another method which we will go into in the next section.
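Each profile file in the configs directory contains that client's WireGuard private key, so it is worth checking that only its owner can read it. The audit below is an added example, not part of the original guide or of PiVPN; the function names are assumptions, and it relies on GNU stat as shipped with Raspberry Pi OS.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide or PiVPN): find WireGuard
# profiles that hold a private key and carry any group/other permission
# bits. Function names are assumptions; stat -c is the GNU form.

# Print one line per risky profile in DIR: "<octal mode> <path>".
audit_wg_profiles() {   # usage: audit_wg_profiles DIR
    local dir=$1 f mode
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # A client profile carries "PrivateKey = ..." under [Interface].
        grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$f" || continue
        mode=$(stat -c '%a' "$f")
        case $mode in
            *00|0) ;;                              # owner-only: nothing to report
            *)     printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# Restrict every flagged profile to its owner (0600); prints how many changed.
lock_wg_profiles() {    # usage: lock_wg_profiles DIR
    local dir=$1 count=0 line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        chmod 600 "${line#* }"
        count=$((count + 1))
    done <<EOF
$(audit_wg_profiles "$dir")
EOF
    echo "$count"
}

# Example: audit_wg_profiles /home/pi/configs
```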
Generating a QR Code for your WireGuard Profile
In this section, we will show you how to generate a QR code for the WireGuard profile we generated on our Raspberry Pi.
You will be able to scan this QR code using your device. This saves you from having to copy the config file from your Raspberry Pi to your device.
Luckily for us, the PiVPN software comes with a QR code generator that we can use.
1. To generate a QR code for your profile, you will need to start by running the following command.
Make sure you replace “PROFILENAME” with the name you set in the previous section. In our case, this will be “PiMyLifeUp”.
pivpn -qr PROFILENAME
2. You can then scan this QR code using your iOS or Android devices.
You can find the WireGuard app on both the Google Play Store and the Apple App Store.
When scanning the QR code, you will be asked to enter a name for the profile.
At this point, you should now have successfully got a WireGuard VPN running on the Raspberry Pi.
If you have run into any issues or have any feedback, please feel free to leave a comment below.
Great and easy instructions on setting up a WireGuard server. Can you provide the same kind of instructions on how to set up a Pi as a client of that server?
Does WireGuard mask my IP address from the outside world?
Hi Glenn,
No, it does not, you would need to run it on a separate device that isn’t attached to your existing network to give yourself a different IP Address.
Kind regards,
Emmet
If you change internet providers, as I did a few days ago, you can run the bash again and it will see that you already have WireGuard and give you options on how you want to proceed. Easy peasy.
Thank you soooooooooo much!! I love your articles <3333333
This works great with WG installed from the play store on an Android phone and scanning the QR code.
How do I set it up on a Laptop / Desktop running Win 10 or Macbook?
Before the QR code there will be text like:
Done! xxx.conf successfully created!
::: xx.conf was copied to /home/user/configs for easy transfer.
::: Please use this profile only on one device and create additional
You can open the xxx.conf; there will be the settings to input in WireGuard.
I followed each and every step in this tutorial, but when I start the WireGuard VPN in the app, there is no internet connection. I tried 3 different phones including iPhone & Android. I ran this also, sudo sysctl -w net.ipv4.ip_forward=1, but it did not work. When I ran pivpn -d, the “self check” part says “OK” for everything. Everything seemed to be installed correctly as mentioned in this tutorial, but there is no internet on my phone if the WireGuard VPN is turned on (which I made from the QR scan code of my profile).
Any ideas?
Thank you in advance.
Are you connected via WiFi? If so that doesn’t work, only when you are using carrier data then it works. Someone explained to me why but I forget the reason. Hope that helps.
Try setting up port forwarding on your router with the port you used to set up WireGuard. Then it will work.
If you are having issues getting a working connection, try:
pivpn -d
This will basically run a diagnostic and try to fix it for you.
Great! after 2 hours of searching I found this answer. Worked perfect for me!
Wow! That was the solution to my problem too!
Thank you so much.
I have setup multiple Pi’s following this tutorial and it works fine when IPv4 forwarding is enabled. (sudo sysctl -w net.ipv4.ip_forward=1)
Great instruction, thanks for sharing.
Thank you, you are a life saver!
Does not result in a functioning connection.
Anyone know how to resolve?
Hi Ron,
As someone suggested below, can you try running the following command.
Let me know if this resolves your issue.
Cheers,
Emmet
My car doesn’t start, do you know whats wrong with it?
Is port forwarding enabled on your router? I assume you have a router and the Pi is connected to that router using NAT. If that is the case, you have to forward the incoming UDP port (51820) on your router to the IP address and port number of your Pi.
This worked great, except I needed to set the MTU to a lower number (1412 worked). Apparently this allows for different header sizes in the packet. To change this, enter sudo nano /etc/wireguard/wg0.conf on the server, and find the line with MTU. Also make the change in the WireGuard Android application on the client.
I followed these instructions but didn’t get a working connection while using Pi-hole as my DNS (detected during the installation process). I had to run one more command after everything was set up:
sudo sysctl -w net.ipv4.ip_forward=1
Otherwise I could not connect to the outside world and just my Pi.