
Building a Simple VPN with WireGuard with a Raspberry Pi as Server - kingsomething
https://snikt.net/blog/2020/01/29/building-a-simple-vpn-with-wireguard-with-a-raspberry-pi-as-server/
======
sjy
For anyone else wanting to set this up at home, I’d recommend installing the
vyatta-wireguard module [1] on an EdgeRouter X instead. It costs about the
same as a Raspberry Pi, and you get a reliable network appliance with four
gigabit ports and PoE, rather than a general purpose Linux box with graphics
and USB. I’ve found the WireGuard module to be fast enough to keep up with my
100/40 Mbps internet connection, and now when my Linux server goes down, the
network it’s connected to stays up.

[1]: [https://github.com/Lochnair/vyatta-wireguard](https://github.com/Lochnair/vyatta-wireguard)

~~~
0xEFF
I upgraded from an ER-X to an ER-4 because the X can’t do full 1000 Mbit with
PPPoE fiber without hardware offload. With hardware offload turned on there’s
a bug in the hardware that causes some sites, most notably Netflix, to not
route at all.

The ER-4 has been great with the Cavium hardware. No hardware offload issues
like this.

Edit: The ER-X tops out around 500 Mbit with hardware offload turned off.

~~~
msh
Huh. I have a er-x with hardware offloading turned on. I have noticed no
issues with netflix.

I get about 900 megabit on my gigabit fiber.

~~~
quaa55
While I don’t use it, it should be possible for PPPoE with HW offloading, so I
don’t get it either. Maybe that’s disabled on the slow one...

[https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading](https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading)

But I’d assume it should handle fast rates like this if HW offloading was on.

------
brentjanderson
Cool project - if you're looking to set up a secure VPN in a quick, no-nonsense
way, be sure to look at [Algo](https://github.com/trailofbits/algo).
Does WireGuard (and IPSec if you want), only secure, sane defaults, and
nothing more. Hands down the easiest, most secure way to setup a modern VPN in
a few minutes. Far better than using some random anonymous VPN service running
out of some random person's closet that's.

~~~
nreece
+1 for Algo. I've been using it since last year on a VM (took under 5 minutes
to setup), for firewall access (SSH, RDP, DBs etc.) to work servers.

Works great for secure access from anywhere when working remotely or
travelling.

~~~
oddly
Also check out Streisand[0] if you're interested in this.

[0]
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

~~~
deoxykev
I've had good luck with Streisand.

The major advantage to using Streisand instead of Algo is that it comes with
lots of obfuscation goodies to help get around restrictive firewalls, like
shadowsocks.

Also, if you're on a restrictive firewall and you need to quickly assess what
ports are even open for egress, you can do `nmap --open allports.exposed` to
find them. Then use one of Streisand's VPN options and connect.

------
doctoboggan
A question for people with experience in this area:

I've been considering setting up WireGuard so I can keep my mobile phone
always connected to my home network.

Will I experience degraded network performance (either latency or bandwidth)
if I have my mobile phone always connected to a VPN 24/7?

My phone is an iPhone 11 Pro and I would be running WireGuard on a Pi4

~~~
tyingq
Some bandwidth and latency downgrade seems certain. Google, Netflix, and
others invest a lot to cache content closer to your phone. A VPN circumvents
that approach. The experience, though, is individual enough, that nothing
other than trying it would tell if it it's "good enough" for you.

~~~
nucleardog
You don't have to route all your traffic through the VPN (though it's unclear
from the question whether or not that's the goal). If he only wants access to
resources on his home network, it's entirely feasible to set that up while
still routing other traffic out through the public internet via your
ISP/carrier.

~~~
doctoboggan
I should have mentioned above, but I want to use pihole as well so ideally I’d
route almost all my traffic through my home vpn.

~~~
ricketycricket
You can still just have a local pihole dns server with your web traffic going
out over your mobile isp.

------
tenant
I have been looking at setting up a VPN to be able to hook up my PC to the
office network. I don't know a whole lot about it but I ended up trying out
SoftEther for the job just this weekend. It's a free and open source project
from the University of Tsukuba, Japan. It promises that it can achieve speeds
far higher than OpenVPN. It was really just a click next, next type setup both
on client and server which was the reason I went for it over OpenVPN which
seemed more complicated and would require me to handle DNS stuff etc. I was
impressed that I was able to get it up and run a desktop application designed
for a local network with a minimal increase in lagginess. I'd value the
opinions of people more knowledgeable than I who may have tried it.

~~~
dfc
It looks like softether is just a management GUI / framework that handles a
bunch of different underlying VPN products/standards? The README says the
following are supported "SSL-VPN, OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and
EtherIP by the single SoftEther VPN Server program." Looking at the
documentation for client setup it looks like you just set up an IPsec client.

~~~
saltspork
I believe SoftEther has its own userspace implementation of all of these
protocols + NAT.

------
fnord77
Would a Pi4 be able to handle being both a VPN and a pihole, or should these
be two separate boxes?

~~~
willis936
I set my Pi4 up with WireGuard+Pi-hole recently. I think Pi-hole does nothing
99.99% of the time, so I can’t speak to how performance is in worst case
scenarios, but WireGuard seems fine. I get about 25 Mbps up/down
(speedtest.net with a single client, so assume it’s 25 Mbps aggregate). Not a
lot for hefty file transfers but comfy enough for VNC to multiple hosts. The
big win is in decreased latency. I don’t have good quantifications of this
beyond speedtest.net run from my work. 5 ms with no VPN. 82 ms using my
router’s OpenVPN. 24 ms using Pi4 WireGuard. These were just single runs so
the strong law of small numbers may apply. I know iperf is more scientific,
but I wanted a quick, empirical full internet test. My home internet is 550
Mbps down / 36 Mbps up.

Full data (iPhone 11 client at work):

| VPN | Down (Mbps) | Up (Mbps) | RTT (ms) |
| --- | --- | --- | --- |
| No VPN | 145 | 139 | 5 |
| Router OpenVPN | 25 | 6 | 82 |
| Pi4 WireGuard | 24 | 27 | 24 |

~~~
doctoboggan
Is your no vpn sample still on the same home network? Or are you comparing
your mobile data or another network to your home network (through vpn)

If the former is true, that seems like quite a significant penalty to pay for
using wg.

~~~
willis936
All three runs were on work wifi. There is some bottleneck in between my work
and apartment since my apartment connection is 550 / 36. It isn’t a test of
raw WireGuard performance, but rather a realistic best case scenario for full
internet tunneling on the go.

------
riston
I have been using
ZeroTier([https://www.zerotier.com/](https://www.zerotier.com/)) much simpler
solution to setup.

~~~
Naac
Doesn't sound like it's Open Source to me.

"A commercial license is only needed if you want to offer a paid network
management service or embed it into a proprietary device or app."

I would stay away from software that wants to restrict how you use it.

~~~
whycombagator
From their site:

> commercial license is only needed if you want to offer a paid network
> management service or embed it into a proprietary device or app.

A cursory look suggests that it's open source, with restrictions that they
clearly list on their site here[0]. I get your point, but I personally don't
mind if a business open sources their software and allows free use of it for
non commercial cases.

[0] [https://www.zerotier.com/pricing/](https://www.zerotier.com/pricing/)

~~~
Polylactic_acid
That's not open source. They make the source available but open source does
not restrict what you can do with it other than sometimes requiring that you
share the source for your binaries.

~~~
L-four
Open source just means you have or can get access to the source. FOSS Free
open source software also gives you the rights to use the source.

~~~
closeparen
FOSS implies restrictions on the developer in the service of end-user freedom,
eg. copyleft and anti-tivoization.

Open source implies nearly unlimited rights for the developer, like BSD, MIT,
or Apache.

With these idiosyncratic restrictions (noncommercial, research only, do no
evil, etc) we typically say “disclosed source.”

~~~
liability
> _FOSS implies restrictions on the developer in the service of end-user
> freedom_

No it doesn't. You're thinking of copyleft licenses. FOSS is not synonymous
with copyleft; many FOSS licenses (recognized as such by RMS and the FSF) are
not copyleft.

~~~
closeparen
Whoa, you’re right. I definitely remember reading a tirade against permissive
licenses that I thought was FSF’s position, but I see they do explicitly
recognize permissive licenses as Free Software.

------
als0
What's the throughput like on a Raspberry Pi?

~~~
probablyexists
I was only able to get ~60 Mbps with OpenVPN through a hard wired Raspberry Pi
3 connected to Google Fiber, due to limitations of its bus.

The 4 is supposed to be actual gigabit, but I have not yet tried it out to
confirm.

~~~
eatbitseveryday
I'm trying to set it up on a RPi4 as an 802.11ac wireless router, to verify
this. If it manages 100 Mbps+ then it'll be a cheap replacement for my current
router.

~~~
bananaeater
Are you keeping a write-up of your progress anywhere? Would love to see how
this turns out.

~~~
eatbitseveryday
Not yet; but that's a good idea. Thanks for the nudge :)

------
liv-io
For anyone who wants to operate it in a broader scale:
[https://github.com/liv-io/ansible-roles-centos/tree/master/wireguard](https://github.com/liv-io/ansible-roles-centos/tree/master/wireguard)

------
gramakri
Does WireGuard require a kernel module or a specific kernel? (I saw a day or
two ago it was in linus' tree). Can I run WireGuard on a digitalocean droplet?

~~~
corford
[https://www.digitalocean.com/community/tutorials/how-to-create-a-point-to-point-vpn-with-wireguard-on-ubuntu-16-04](https://www.digitalocean.com/community/tutorials/how-to-create-a-point-to-point-vpn-with-wireguard-on-ubuntu-16-04)

------
finchisko
I have really good experience with a first generation RasPi and WG running on
OpenWrt. OpenWrt is a perfect lightweight OS for this task.

------
bra4you
Edge Router X looks interesting. Is there a Raspberry now that offers Dual
Gigabit Internet Ports (2XGBit)?

------
josteink
Ironically this looks considerably simpler than trying to get wireguard
working on my OpenWRT router (and with much less collateral damage should I
mess up).

I might give this a try!

~~~
h4waii
I've been running a WireGuard VPN on my OpenWrt router for quite a while with
no issues whatsoever. Rock solid since I set it up, only has 4 or 5 peers,
but it's been excellent and I highly suggest it versus adding yet another
single purpose device.

Not sure why the RPi is so lauded for this and Pi-Hole (which is just a fancy
DNS blocklist) when OpenWrt is just as simple and powerful for both (and more)
tasks.

~~~
josteink
My main issue with doing this with OpenWRT is that it is loaded with
abstractions. Network, interfaces, firewall zones, bridged zones, etc. When
they all work, it's nice and almost magical.

But when setting up new custom zones from scratch (like this VPN subnet/zone),
I never feel quite as home as I do with the traditional Linux command-line and
iptables.

Basically OpenWRT's abstractions don't map cleanly to the underlying Linux
primitives I know fairly well. The impedance mismatch there is what makes me
consider the RPi-based solution more preferable, because I understand how and
why it works.

------
3fe9a03ccd14ca5
I think there are some issues in the config. First of all, at least one of the
CIDRs is wrong ("Address = 10.200.200.2/24"). Also by setting AllowedIPs to
10.200.200.0/24 in the _client_, only traffic to that subnet will actually go
through the VPN, not _all_ traffic.

Isn't there also some missing host/RPI system so that the 10.200.200.0/24 can
route to the public internet?

If someone has an example of a full VPN configuration I'd love to see them so
I can try it out.

~~~
nucleardog
> First of all, at least one of the CIDRs is wrong ("Address =
> 10.200.200.2/24"). Also by setting AllowedIPs to 10.200.200.0/24 in the
> client, only traffic to that subnet will actually go through the VPN, not
> all traffic.

Not sure what your issue is with the address line.

As for the AllowedIPs, that's intentional. From the first lines of the
article:

> A Linux laptop that should use the VPN only accessing network services that
> are exposed to the VPN

VPNs aren't just for routing your public traffic through some trusted host.

~~~
3fe9a03ccd14ca5
Is 10.200.200.2/24 a valid CIDR? Does the system just ignore the trailing 2
and assume it’s a 0?

~~~
jlgaddis
10.200.200.2/24 is a shorthand form (a.k.a. "CIDR notation") of saying IP
address 10.200.200.2 with a 24-bit subnet mask (255.255.255.0).
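The two points argued in this subthread, and ricketycricket's earlier remark that a split tunnel can still send DNS to a home Pi-hole, can both be checked mechanically. The script below is an added example, not code from the article or from the WireGuard project: it parses a constructed client config, shows that `Address = 10.200.200.2/24` means host `.2` inside network `10.200.200.0/24` (the trailing `.2` is the peer's own address, not ignored), and evaluates which destinations `AllowedIPs` sends into the tunnel. In WireGuard, `AllowedIPs` is simultaneously the route table and the allow-list for packets arriving from that peer (cryptokey routing), so a narrow value is a deliberate split tunnel, and only a default route (`0.0.0.0/0`, `::/0`) makes it a full tunnel. The `10.200.200.x` values come from the thread; the home LAN `192.168.1.0/24`, the Pi-hole at `192.168.1.2`, the key placeholders and the endpoint name are assumptions made for this example.

```python
"""Inspect a WireGuard client config: what Address means, and which
destinations AllowedIPs sends through the tunnel. Added example; the
configs below are constructed, not taken from the article."""
import ipaddress

# Constructed split-tunnel client config. 10.200.200.x matches the thread;
# the 192.168.1.0/24 home LAN and the Pi-hole at 192.168.1.2 are assumptions.
SPLIT_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.200.200.2/24
DNS = 192.168.1.2

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.200.200.0/24, 192.168.1.0/24
PersistentKeepalive = 25
"""

# Same config with a default route: everything goes through the tunnel.
FULL_TUNNEL = SPLIT_TUNNEL.replace(
    "AllowedIPs = 10.200.200.0/24, 192.168.1.0/24",
    "AllowedIPs = 0.0.0.0/0, ::/0",
)


def parse_wg_config(text):
    """Minimal INI-style parser that tolerates repeated [Peer] sections.
    Returns (interface_dict, [peer_dict, ...]). Splits on the first '='
    only, because base64 keys may end in '='."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def interface_address(interface):
    """'10.200.200.2/24' is host 10.200.200.2 inside 10.200.200.0/24."""
    first = interface["Address"].split(",")[0].strip()
    iface = ipaddress.ip_interface(first)
    return str(iface.ip), str(iface.network)


def allowed_networks(peer):
    """AllowedIPs is a comma-separated list of CIDR networks."""
    return [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]


def is_full_tunnel(peers):
    """Only a default route (prefix length 0) makes this a full tunnel."""
    return any(net.prefixlen == 0 for p in peers for net in allowed_networks(p))


def goes_through_tunnel(peers, destination):
    """WireGuard sends a packet to the peer whose AllowedIPs contain it;
    a destination matched by no peer never enters the tunnel."""
    dest = ipaddress.ip_address(destination)
    return any(dest in net for p in peers for net in allowed_networks(p))


if __name__ == "__main__":
    for label, text in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        iface, peers = parse_wg_config(text)
        host, net = interface_address(iface)
        print(f"{label}: Address -> host {host} in network {net}")
        print(f"{label}: full tunnel? {is_full_tunnel(peers)}")
        for dst in ("10.200.200.1", "192.168.1.2", "8.8.8.8"):
            print(f"{label}: {dst} via tunnel? {goes_through_tunnel(peers, dst)}")
```

In the split-tunnel config, the Pi-hole at 192.168.1.2 is reachable through the tunnel (its LAN is in `AllowedIPs`) and is named in `DNS`, so name resolution is filtered at home while web traffic to 8.8.8.8 still leaves via the carrier; the same script flags the second config as routing everything, including IPv6, through the VPN. It does not cover the server-side forwarding and NAT that a full tunnel additionally needs.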

------
take_a_breath
Are there any commercial products available for this or Pi-holes?

~~~
bflesch
Yes, I'm also waiting for a lightweight Wireguard/pi-hole appliance.

~~~
take_a_breath
I've thought about trying to build a commercial pi-hole product. Anyone else?

~~~
bflesch
I've also thought about this. But basically it will be re-packaging a modern
linux kernel, giving some support w/ key management and packaging it in a nice
case.

I think there is definitely a market for it.

~~~
vsareto
I feel like a Wireguard-only VPN company might be viable and a hardware
product would be a good side product

~~~
take_a_breath
The VPN gives you monthly recurring revenue versus the one-time hardware
revenue. Maybe a subscription that includes an up-to-date DNS blacklist for
the pi-hole?

