Installing Wireguard on a Rasbperry Pi 3 Running Octoprint and Windows
Table of Contents
First Things First – What’s the Point?
Why would you want to setup wireguard in the first place? Simply put – it makes life easier. What wireguard is a VPN, what this means it that it allows you to open up a secure tunnel through the internet from one point to another. Think of it like a concrete tunnel running through the ocean– no one can see into the tunnel, and you are protected from all of the sharks. A vpn is really the only secure way to connect to something which is on your home network when you are not on your home network, as the only hole it opens up in your network is protected by crypographic keys, which, until everyone has a quantum computer, is virtually uncrackable. Thus this allows you to access you Octoprint setup from anywhere in the world without having a hole in your network a country mile wide.
I yoinked this from the the github of one of the people who works on wireguard and modifying it a little bit. The original is here. I will just be adding comments here and there to make this a little bit more user friendly.
First things first, you will need
ssh access to the pi. Uou should be able
to just open up powershell (should be installed on your laptop by default) and
ssh firstname.lastname@example.org. Or, if that doesn’t work,
ssh pi@<your pi's ip addr here>. The only thing to be wary of is that copy and pasting into
powershell is … weird. You have to right click and (in my testing), if you
mess up you have to copy again. Though that could have just bee me. If that
doesn’t work, look here for a step by step guide to ssh w/
1. Wireguard installation
pi@raspberrypi:~ $ sudo apt update pi@raspberrypi:~ $ sudo apt upgrade pi@raspberrypi:~ $ sudo apt install raspberrypi-kernel-headers pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list pi@raspberrypi:~ $ wget -O - https://ftp-master.debian.org/keys/archive-key-$(lsb_release -sr).asc | sudo apt-key add - pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable pi@raspberrypi:~ $ sudo apt-get update pi@raspberrypi:~ $ sudo apt-get install wireguard
Enable ipv4 forwarding then reboot to make changes active:
nano like so:
pi@raspberrypi:~ $ sudo nano /etc/sysctl.conf
And uncomment the following line (by getting rid of the
#) so that
Now we reboot:
pi@raspberrypi:~ $ sudo reboot
To check if it has been enabled:
pi@raspberrypi:~ $ sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1
If you get
net.ipv4.ip_forward = 0, manually edit
sudo nano /etc/sysctl.conf and add
net.ipv4.ip_forward = 1.
3. Generate private and public keys for server and client1
pi@raspberrypi:~ $ mkdir wgkeys pi@raspberrypi:~ $ cd wgkeys pi@raspberrypi:~/wgkeys $ wg genkey > server_private.key Warning: writing to world accessible file. Consider setting the umask to 077 and trying again. pi@raspberrypi:~/wgkeys $ wg pubkey > server_public.key < server_private.key pi@raspberrypi:~/wgkeys $ wg genkey > client1_private.key Warning: writing to world accessible file. Consider setting the umask to 077 and trying again. pi@raspberrypi:~/wgkeys $ wg pubkey > client1_public.key < client1_private.key pi@raspberrypi:~/wgkeys $ ls client1_private.key client1_public.key server_private.key server_public.key
cat command to view content of the file. You need this in the next step.
pi@raspberrypi:~/wgkeys $ cat server_public.key Aj2HHAutB2U0O56jJBdkZ/xgb9pnmUPJ0IeiuACLLmI=
4. Setup Wireguard interface on server
pi@raspberrypi:~/wgkeys $ sudo nano /etc/wireguard/wg0.conf [Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = <server_private.key> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE [Peer] #Client1 e.g. Laptop PublicKey = <client1_public.key> AllowedIPs = 10.0.0.2/32
5. Start Wireguard
Start Wireguard with
pi@raspberrypi:~/wgkeys $ sudo wg-quick up wg0 [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip address add 192.168.99.1/24 dev wg0 [#] ip link set mtu 1420 dev wg0 [#] ip link set wg0 up
sudo wg command to check if it is working:
pi@raspberrypi:~/wgkeys $ sudo wg interface: wg0 public key: Aj2HHAutB2U0O56jJBdkZ/xgb9pnmUPJ0IeiuACLLmI= private key: (hidden) listening port: 51820 peer: ht4+w8Tk28hFQCpXWnL4ftGAu/IwtMvD2yEZ+1hp7zA= allowed ips: 10.0.0.2/32
You can launch automatically at startup:
pi@raspberrypi:~/wgkeys $ sudo systemctl enable wg-quick@wg0 Created symlink /email@example.com → /lib/systemd/system/wg-quick@.service.
6. Setup clients
You will need to install wireguard on clients as well. Wireguard does not have
separate apps for server and client, just differences in the configuration
file. On Debian based distros (Ubuntu, Debian etc.) you just run
sudo apt-get install wireguard. Next I will walk you through setting it up on Windows (I
had to spin up gulp a a windows vm for this!)
We generated credentials for one user above, so we don’t have to generate any for your laptop.
Windows First things first, here’s another tutorial for ya (if you do look at that one, don’t worry about the author saying that wireguard isn’t ready, it’s an older article and since then wireguard has been mainlined into the Linux kernel, so the powers that be seem to think it’s ready now…) , download the [.msi file here][windows wg download]. Now we need create a new text file, let’s call it wg0-client.conf (using your favorite text editor. I like atom or vscodium) and paste this into it:
[Interface] Address = 10.0.0.2/24 PrivateKey = <contents of client1_public.key> [Peer] PublicKey = <conents of server1_public.key> Endpoint = <insert your public ip here>:51820 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 21
Now open Wireguard from the system menu, click
import from file and select
wg0-client.conf. Then it should import just fine! Now whenever you want to
connect to your pi you just fire up the wireguard connection and type
10.0.0.1 into the browser and it should open up octoprint.
NOTE This won’t work if you’re on the same network as octo print, just be warned if you want to try to test it, you should probably use a hotspot on your phone or something.
Mobile clients (iOS, Android)
Generate key pairs:
pi@raspberrypi:~/wgkeys $ wg genkey > client2_private.key Warning: writing to world accessible file. Consider setting the umask to 077 and trying again. pi@raspberrypi:~/wgkeys $ wg pubkey > client2_public.key < client2_private.key
To the bottom of your config add:
pi@raspberrypi:~/wgkeys $ sudo nano /etc/wireguard/wg0.conf [Peer] #Client2 PublicKey = <client2_public.key> AllowedIPs = 192.168.99.2/32 pi@raspberrypi:~/wgkeys $ sudo wg-quick down wg0 pi@raspberrypi:~/wgkeys $ sudo wg-quick up wg0
And that is it! Now you will need to forward port 51820
What’s left for you to do
- Port forwarding on router UDP 51820
- Double WARN users for using the right key at the right place