First Things First – What’s the Point?

Why would you want to set up WireGuard in the first place? Simply put, it makes life easier. WireGuard is a VPN, which means it lets you open a secure tunnel through the internet from one point to another. Think of it like a concrete tunnel running through the ocean: no one can see into the tunnel, and you are protected from all of the sharks. A VPN is really the only sensible way to reach something on your home network when you are not on your home network, because the only hole it opens is a single UDP port that answers only to holders of the right cryptographic keys (WireGuard does not even reply to packets it cannot authenticate, so a port scanner sees nothing there), and those keys are, until everyone has a quantum computer, effectively uncrackable. This lets you reach your OctoPrint setup from anywhere in the world without punching a hole in your network a country mile wide.

I yoinked this from the GitHub of one of the people who works on WireGuard and modified it a little bit. The original is here. I will just be adding comments here and there to make this a little bit more user friendly.

First things first, you will need SSH access to the Pi. You should be able to just open up PowerShell (it is installed on Windows 10 by default, as is the ssh client on recent builds) and run ssh pi@octopi.local. Or, if that doesn’t work, ssh pi@<your pi's ip addr here>. If you have not yet changed the Pi’s default password, do that now with passwd before going any further. The only thing to be wary of is that copying and pasting into PowerShell is … weird. You have to right click and (in my testing), if you mess up you have to copy again. Though that could have just been me. If that doesn’t work, look here for a step by step guide to SSH with PowerShell.

1. WireGuard installation

The original guide pulls the wireguard package from Debian unstable because it was not in the Raspbian Buster repositories at the time; the Pin-Priority of 150 keeps apt from upgrading anything else to unstable, and the kernel headers are there so the module can be built for your kernel if it does not already include WireGuard. On current Raspberry Pi OS (Bullseye and later) WireGuard is in the standard repositories and built into the kernel, so there you can skip the unstable.list, apt-key and limit-unstable lines (apt-key is deprecated on those releases anyway) and just run sudo apt install wireguard.

pi@raspberrypi:~ $ sudo apt update
pi@raspberrypi:~ $ sudo apt upgrade 
pi@raspberrypi:~ $ sudo apt install raspberrypi-kernel-headers
pi@raspberrypi:~ $ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
pi@raspberrypi:~ $ wget -O - https://ftp-master.debian.org/keys/archive-key-$(lsb_release -sr).asc | sudo apt-key add -
pi@raspberrypi:~ $ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
pi@raspberrypi:~ $ sudo apt-get update
pi@raspberrypi:~ $ sudo apt-get install wireguard 

2. Enable IPv4 forwarding

Enable IPv4 forwarding so the Pi can route packets between the tunnel and your LAN, then reboot to make the change active. Open /etc/sysctl.conf with nano like so:

pi@raspberrypi:~ $ sudo nano /etc/sysctl.conf

And uncomment the following line (by getting rid of the #) so that

#net.ipv4.ip_forward=1

Becomes:

net.ipv4.ip_forward=1

Now we reboot:

pi@raspberrypi:~ $ sudo reboot

To check if it has been enabled:

pi@raspberrypi:~ $ sysctl net.ipv4.ip_forward 
net.ipv4.ip_forward = 1

If you get net.ipv4.ip_forward = 0, edit /etc/sysctl.conf again (sudo nano /etc/sysctl.conf), add the line net.ipv4.ip_forward=1, and apply it without another reboot with sudo sysctl -p.

3. Generate private and public keys for server and client1

The original guide says to ignore the umask warning that wg genkey prints, but it is worth heeding: without it the private key files are readable by every account on the Pi. Run umask 077 first (it only affects the current shell) and the files are created owner-only and the warning does not appear.

pi@raspberrypi:~ $ mkdir wgkeys
pi@raspberrypi:~ $ cd wgkeys  
pi@raspberrypi:~/wgkeys $ umask 077
pi@raspberrypi:~/wgkeys $ wg genkey > server_private.key  
pi@raspberrypi:~/wgkeys $ wg pubkey > server_public.key < server_private.key
pi@raspberrypi:~/wgkeys $ wg genkey > client1_private.key  
pi@raspberrypi:~/wgkeys $ wg pubkey > client1_public.key < client1_private.key
pi@raspberrypi:~/wgkeys $ ls
client1_private.key client1_public.key server_private.key server_public.key

Use cat to view the contents of a file. Keep the two kinds straight: a private key only ever goes into the [Interface] section of its own machine, and a public key goes into the [Peer] section on the other side. So server_private.key goes into the server config in the next step, and server_public.key goes into every client config.

pi@raspberrypi:~/wgkeys $ cat server_public.key 
Aj2HHAutB2U0O56jJBdkZ/xgb9pnmUPJ0IeiuACLLmI=

4. Set up the WireGuard interface on the server

Two things to decide before you write the config. First, the tunnel subnet (10.0.0.0/24 here) must not overlap with your home LAN; if your router already hands out 10.0.0.x addresses, pick another private range such as 10.66.66.0/24 and use it consistently in every config below. Second, the MASQUERADE rule names the interface that reaches your LAN and the internet: wlan0 for a Pi on Wi-Fi, eth0 if it is wired (check with ip route).

pi@raspberrypi:~/wgkeys $ sudo nano /etc/wireguard/wg0.conf    
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820

PrivateKey = <contents of server_private.key>

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

[Peer]
#Client1 e.g. Laptop
PublicKey = <contents of client1_public.key>
AllowedIPs = 10.0.0.2/32

AllowedIPs in a server-side [Peer] is both a route and an access list: packets from this peer are only accepted if their source is 10.0.0.2, and only that address is routed back to it, so give each client its own /32. The file holds the server’s private key, so keep it root-only (sudo chmod 600 /etc/wireguard/wg0.conf; wg-quick warns if it is world readable). Note that with these FORWARD rules a connected client can reach your whole LAN, not just the Pi; tighten them if that is not what you want.

5. Start WireGuard

Start WireGuard with the wg-quick command. The address it adds must be the one from your [Interface] section (10.0.0.1/24 here); wg-quick also echoes the PostUp iptables commands as it runs them.

pi@raspberrypi:~/wgkeys $ sudo wg-quick up wg0 
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up

Use sudo wg to check that it is up. Before any client has connected you only see the interface and each peer’s allowed ips; after a successful connection the peer also shows latest handshake and transfer lines, and their absence is the first thing to look at when a client cannot connect (wrong key, wrong endpoint, or the port is not forwarded).

pi@raspberrypi:~/wgkeys $ sudo wg 
interface: wg0
public key: Aj2HHAutB2U0O56jJBdkZ/xgb9pnmUPJ0IeiuACLLmI=
private key: (hidden)
listening port: 51820

peer: ht4+w8Tk28hFQCpXWnL4ftGAu/IwtMvD2yEZ+1hp7zA=
allowed ips: 10.0.0.2/32

To start it automatically at boot:

pi@raspberrypi:~/wgkeys $ sudo systemctl enable wg-quick@wg0  
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.

6. Setup clients

You will need to install WireGuard on the clients as well. WireGuard does not have separate apps for server and client, just differences in the configuration file. On Debian based distros (Ubuntu, Debian etc.) you just run sudo apt-get install wireguard. Next I will walk you through setting it up on Windows (I had to spin up, gulp, a Windows VM for this!)

We generated a key pair for client1 above, so we don’t have to generate anything for your laptop. (The Windows app can also generate its own key pair via Add Tunnel > Add empty tunnel; if you go that way, paste the laptop’s public key into its [Peer] block on the Pi instead, and the private key never has to leave the laptop, which is the cleaner option.)

Windows

First things first, here’s another tutorial for ya (if you do look at that one, don’t worry about the author saying that WireGuard isn’t ready; it’s an older article and since then WireGuard has been mainlined into the Linux kernel, so the powers that be seem to think it’s ready now), then download the Windows installer from https://www.wireguard.com/install/. Now create a new text file, let’s call it wg0-client.conf (using your favorite text editor; I like Atom or VSCodium), and paste this into it:

[Interface]
Address = 10.0.0.2/24
PrivateKey = <contents of client1_private.key>

[Peer]
PublicKey = <contents of server_public.key>
Endpoint = <your public IP, or a dynamic DNS name if it changes>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21

It is the laptop’s own private key that goes under [Interface] and the server’s public key under [Peer]. AllowedIPs = 0.0.0.0/0 sends all of the laptop’s traffic through the Pi while the tunnel is up; if you only want to reach the Pi and your home LAN, list those ranges instead (for example AllowedIPs = 10.0.0.0/24, 192.168.1.0/24 with your own LAN range) and everything else keeps using the laptop’s normal connection. Copy client1_private.key to the laptop over a secure channel (cat it in the SSH session you already have, or scp it) and delete it from the Pi once the config is in place.

Now open WireGuard from the Start menu, click Import tunnel(s) from file and select wg0-client.conf. It should import just fine. Now whenever you want to connect to your Pi you just activate the tunnel in WireGuard, put http://10.0.0.1 into the browser and it should open OctoPrint. If it doesn’t, look at the tunnel details in the WireGuard window: no Latest handshake means the laptop never reached the Pi (wrong Endpoint, port not forwarded, or a key in the wrong place).

NOTE: This won’t work if you’re on the same network as OctoPrint, since many home routers will not route a connection aimed at their own public address back inside. If you want to test it, use a hotspot on your phone or something.

Mobile clients (iOS, Android)

Generate a key pair for the phone on the Pi (set umask 077 again if this is a new shell), or let the app make its own (both the iOS and Android apps can generate a key pair when you create a tunnel from scratch; then only the public key needs to come back to the Pi):

pi@raspberrypi:~/wgkeys $ wg genkey > client2_private.key
pi@raspberrypi:~/wgkeys $ wg pubkey > client2_public.key < client2_private.key

Add a second [Peer] to the bottom of the server config, with the next free address in the tunnel subnet (client1 already has 10.0.0.2):

pi@raspberrypi:~/wgkeys $ sudo nano /etc/wireguard/wg0.conf
[Peer]
#Client2
PublicKey = <contents of client2_public.key>
AllowedIPs = 10.0.0.3/32

Then reload the config (this drops any connected laptop for a moment; wg syncconf can apply a changed file in place if that matters to you):

pi@raspberrypi:~/wgkeys $ sudo wg-quick down wg0
pi@raspberrypi:~/wgkeys $ sudo wg-quick up wg0

The phone’s own config is the same shape as the laptop’s, with Address = 10.0.0.3/24 and client2’s private key under [Interface].
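As an added example (not from the original tutorial or the GitHub guide it is based on), here is a small POSIX shell script that does steps 3, 4 and 6 in one go: it generates the key pairs with umask 077 in effect and writes the server config plus one config per device, so a private key can never end up in a [Peer] block or a public key in an [Interface] block. It assumes the 10.0.0.0/24 tunnel subnet from the text; the WG_ENDPOINT placeholder, the WAN_IF variable, the client numbering and the file names are my own choices. The config-building functions only produce text and validate the key format; wg is only called when the script is run with the generate argument.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate WireGuard key pairs with a
# restrictive umask and emit server/client configs whose keys line up with each other.
# Assumptions (replace for your setup): the WG_ENDPOINT placeholder, WAN_IF, and the
# 10.0.0.0/24 tunnel subnet used in the tutorial.
set -eu
umask 077                        # files created below are owner-only (no "world accessible" warning)

WG_SUBNET="10.0.0"               # tunnel subnet; pick one your home LAN does not already use
WG_PORT=51820
WG_ENDPOINT="${WG_ENDPOINT:-your.public.ip.or.dyndns.name}"   # placeholder, set before use
WAN_IF="${WAN_IF:-wlan0}"        # interface towards the internet (eth0 if the Pi is wired)

# A WireGuard key is 32 random bytes, base64-encoded: 43 base64 characters plus one '='.
is_wg_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# gen_keypair NAME -> NAME.key (private; only ever goes to the device it belongs to)
#                     and NAME.pub (public; safe to share). Needs the wg tool.
gen_keypair() {
  wg genkey | tee "$1.key" | wg pubkey > "$1.pub"
}

# server_conf SERVER_PRIV CLIENT_PUB:HOST ... -> wg0.conf on stdout.
# Every client gets its own [Peer] with a /32 AllowedIPs: the server accepts packets from that
# public key only if they carry that tunnel address, and routes only that address back to it.
server_conf() {
  priv="$1"; shift
  is_wg_key "$priv" || { echo "server_conf: bad private key" >&2; return 1; }
  printf '[Interface]\nAddress = %s.1/24\nListenPort = %s\nPrivateKey = %s\n' \
    "$WG_SUBNET" "$WG_PORT" "$priv"
  printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -A FORWARD -o %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
  printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -D FORWARD -o %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
  for entry in "$@"; do
    pub="${entry%:*}"; host="${entry##*:}"
    is_wg_key "$pub" || { echo "server_conf: bad client public key '$pub'" >&2; return 1; }
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' "$pub" "$WG_SUBNET" "$host"
  done
}

# client_conf HOST CLIENT_PRIV SERVER_PUB [ALLOWED] -> that device's config on stdout.
# The device's own private key goes in [Interface]; the server's public key goes in [Peer].
# ALLOWED defaults to the tunnel subnet only (reach the Pi, keep normal internet access);
# pass 0.0.0.0/0 to send all of the device's traffic through the Pi instead.
client_conf() {
  host="$1"; priv="$2"; spub="$3"; allowed="${4:-$WG_SUBNET.0/24}"
  is_wg_key "$priv" && is_wg_key "$spub" || { echo "client_conf: bad key" >&2; return 1; }
  printf '[Interface]\nAddress = %s.%s/24\nPrivateKey = %s\n\n' "$WG_SUBNET" "$host" "$priv"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s\nPersistentKeepalive = 21\n' \
    "$spub" "$WG_ENDPOINT" "$WG_PORT" "$allowed"
}

# Only touches the wg tool when run as:  sh wg-setup.sh generate
if [ "${1:-}" = "generate" ]; then
  mkdir -p wgkeys && cd wgkeys
  gen_keypair server; gen_keypair client1; gen_keypair client2
  server_conf "$(cat server.key)" "$(cat client1.pub):2" "$(cat client2.pub):3" > wg0.conf
  client_conf 2 "$(cat client1.key)" "$(cat server.pub)" 0.0.0.0/0 > client1.conf   # laptop
  client_conf 3 "$(cat client2.key)" "$(cat server.pub)" > client2.conf             # phone
  echo "wrote wgkeys/wg0.conf (install as root in /etc/wireguard, mode 600), client1.conf, client2.conf"
  echo "move each client*.conf to its device over a secure channel, then delete it and client*.key here"
fi
```

The key check is only a shape check (44 base64 characters), which is enough to catch a pasted file name or a truncated key; it cannot tell a public key from a private one, which is why the functions take them in fixed positions. To add a new [Peer] later without dropping existing sessions, run wg syncconf wg0 <(wg-quick strip wg0) as root in bash after editing wg0.conf; to get client2.conf onto a phone, sudo apt install qrencode and qrencode -t ansiutf8 < client2.conf prints a QR code the mobile app can scan.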

And that is it! Two things remain on your side:

What’s left for you to do

  • Forward UDP port 51820 on your router to the Pi’s LAN address (give the Pi a fixed address or a DHCP reservation so the forward does not break).
  • Double-check that each key went to the right place: the server’s private key in wg0.conf under [Interface], each client’s private key in that client’s own [Interface], each client’s public key in its [Peer] block on the Pi, and the server’s public key in every client’s [Peer] block. A key in the wrong place produces no error message, just a tunnel that never handshakes.

Resources