PiVPN using WireGuard setup

Step 1: Install Raspberry Pi OS Lite

To get started, download the Raspberry Pi Imager from the Raspberry Pi website. This tool makes it easy to write the operating system image to your micro SD card.

Once you have the Raspberry Pi Imager installed, follow these steps:

1. Launch the Raspberry Pi Imager.
2. Select “Raspberry Pi OS (other)” and choose “Raspberry Pi OS Lite (32-bit)”.
3. Select your micro SD card as the storage device.
4. Click on the settings icon (the gear) and configure the following options:
   • Set a hostname (e.g., “pivpn”).
   • Enable SSH and set a username and password.
   • Do not configure Wi-Fi, as we’ll be using a wired Ethernet connection.
   • Set your location and keyboard layout as desired.
5. Click “Save” and then “Write” to begin the installation process.

Once the Raspberry Pi OS Lite is written to the micro SD card, you’re ready to move on to the next step.

Step 2: Boot the Raspberry Pi and Log In

Insert the micro SD card into your Raspberry Pi and connect the Ethernet cable, power supply, and (optionally) a keyboard and monitor.

Power on the Raspberry Pi and wait for it to boot up. If you have a keyboard and monitor connected, you’ll be able to see the boot process and the IP address assigned to your Raspberry Pi by your local network’s DHCP server.

If you don’t have a keyboard and monitor, you can find the IP address by checking your router’s DHCP client list or by pinging the hostname you set earlier (e.g., “ping pivpn.local”).

Once you have the IP address, you can connect to the Raspberry Pi using an SSH client, such as PuTTY on Windows or the built-in Terminal on macOS and Linux. Log in using the username and password you set during the Raspberry Pi Imager configuration.

Step 3: Update the Raspberry Pi

Before we install PiVPN, it’s a good idea to update the Raspberry Pi’s software packages to ensure we have the latest security patches and bug fixes. Run the following commands in the SSH session:

sudo apt update
sudo apt upgrade -y

This will update the package lists and install any available updates on your Raspberry Pi.

Step 4: Install PiVPN

Now, let’s install the PiVPN software, which will transform your Raspberry Pi into a WireGuard VPN server. Run the following command to start the installation process:

curl -L https://install.pivpn.io | bash

The PiVPN installer will guide you through the setup process. Here’s what you can expect:

1. Network Settings: The installer will ask if you want to use your current network settings as a static IP address. Choose “No” to manually configure the IP address.
2. Static IP Address: Enter a static IP address for your Raspberry Pi that is outside the range of your DHCP server (e.g., 192.168.1.30).
3. VPN Protocol: Choose “WireGuard” as the VPN protocol, as it offers better performance and battery life compared to OpenVPN.
4. WireGuard Port: Accept the default WireGuard port (51820) or choose a different one if needed.
5. DNS Provider: Select your preferred DNS provider, such as Cloudflare (1.1.1.1).
6. Client Connection Method: Choose whether your clients will connect using a public IP address or a DNS entry.
7. Unattended Upgrades: Enable automatic security updates to keep your VPN server up-to-date.

Once the installation is complete, the Raspberry Pi will reboot, and you’ll be ready to add VPN clients.</

Step 5: Add VPN Users

To allow devices to connect to your VPN server, you’ll need to create client profiles. Run the following command to add a new client:

pivpn -a

The script will prompt you to enter a name for the client (e.g., “laptop”, “phone”, “tablet”). Repeat this process for each device you want to connect to the VPN.

Step 6: Firewall Changes

To allow incoming VPN connections, you’ll need to configure your firewall to forward traffic on the WireGuard port (51820 by default) to your Raspberry Pi’s IP address.

The specific steps will depend on your router or firewall device, but the general process is as follows:

1. Log in to your router or firewall’s administration interface.
2. Navigate to the port forwarding or firewall rules section.
3. Create a new rule that forwards UDP traffic on port 51820 to the IP address of your Raspberry Pi.
4. Save the changes and apply the new firewall rule.

If you’re unsure how to configure the port forwarding on your specific device, consult the manufacturer’s documentation or search for “[your device] port forwarding” online.

Step 7: Connect Devices

Now that you’ve set up the VPN server and added client profiles, it’s time to connect your devices. We’ll demonstrate the process for both a mobile device (Android) and a Windows computer.

Connecting a Mobile Device

On your mobile device, download the official WireGuard app from the Google Play Store (Android) or the App Store (iOS).

1. Open the WireGuard app and tap the “Add tunnel” button.
2. Select “Scan from QR code” and grant the app permission to access your camera.
3. Scan the QR code displayed on your Raspberry Pi’s terminal after running the “pivpn -qr” command.
4. Name the tunnel (e.g., “Home VPN”) and tap “Save”.
5. Turn on the VPN connection and enjoy secure access to your home network.

Connecting a Windows Computer

On your Windows computer, download and install the official WireGuard client from the WireGuard website.

1. Open the WireGuard app and click the “Import tunnel(s) from file” button.
2. Use WinSCP or another SFTP client to connect to your Raspberry Pi and navigate to the “/home/pi/configs” directory.
3. Download the client configuration file (e.g., “client1.conf”) to your local computer.
4. In the WireGuard app, click “Import tunnel(s) from file” and select the downloaded configuration file.
5. Click the “Activate” button to establish the VPN connection.

Once connected, you can access your home network resources and browse the internet through your Raspberry Pi’s IP address, providing an additional layer of security and privacy.

Step 8: Backups

To ensure the safety of your VPN server configuration, it’s essential to create regular backups. This will allow you to quickly restore your setup in case of hardware failure or other issues.

To create a backup, run the following command on your Raspberry Pi:

pivpn bk

This will create a backup file in the “/home/pi/pivpn/backup” directory, which you can then download using an SFTP client like WinSCP. Store the backup file in a safe location, such as an external hard drive or a cloud storage service.

Conclusion

Congratulations! You’ve successfully set up your own VPN server using PiVPN and WireGuard on a Raspberry Pi. By taking control of your VPN infrastructure, you’ve gained enhanced privacy, security, and accessibility to your home network, all while enjoying the cost-effectiveness and customization benefits of a self-hosted solution.

Remember, the PiVPN project is an open-source initiative, and you can contribute to its development or seek support from the community if you encounter any issues. Happy VPNing!