What is WireGuard
Knowing that our browsing habbits are a product that can also be used against us, i decided to start protecting my privacy and my online habbits. I dont want Facebook, Amazon, any state or my internet service provider to know what i do, log it and sell it to make a profit. One option is to use tor, but it is slow, not good for streaming or torrenting, so VPN is the only way. Well actually one of the tools you can use to protect your privacy online. Its always a question of who you trust, VPN’s are not a perfect privacy tool, but depending of your location and online activities, can be a helpfull tool to protect your privacy.
So Mullvad mostly because of this guy. An indipedent researcher that you really need to chech out his site. Mullvad is the most “anonymous” VPN provider, with no log policy and offers bitcoin or cash payments. Also because they offer WireGuard, which is ideal for use with a Raspberry, low latency and 5 times the bandwidth of openvpn on a raspberry Pi. If your provider can give that bandwidth.
Create an account and login to Mullvad.net .Download the Wireguard configuration file from this page. Keep the Killswitch off as it will block your ssh access to the Raspberry.
Wireguard creates an interface named after the configuration file e.g. mullvadfr1, mullvadse1, depending on the server you are using to connect. For simplicity reasons it is better to rename your working configuration file to wg0.conf . It will be easier to maintain the iptables rules we will create later.
Before we start configuration on the Pi it would be wise to set a static ip, since it will act as a gateway to some or all your devices on the network. so go ahead and edit:
sudo nano /etc/dhcpcd.conf
and add this lines in the end of the file:
interface eth0 static ip_address=192.168.1.10/24 static routers=192.168.1.1 static domain_name_servers=184.108.40.206
In static routers you have to enter the ip of your current gateway. For DNS it would be wise to enter the DNS server of Mullvad or whatever VPN provider you use.
Restart the service using this and ssh again using the new static ip
sudo service dhcpcd restart
Set up Wireguard on the Pi
First we need to update sources and upgrade your Raspian OS and install software we will need later.
sudo apt update && sudo apt-get upgrade sudo apt-get install hostapd dnsmasq libmnl-dev linux-headers-rpi build-essential git dnsutils bc raspberrypi-kernel-headers iptables-persistent
We then set up Wireguard on the Pi. Install Wireguard from source as follows:
git clone https://git.zx2c4.com/WireGuard cd WireGuard/src make sudo make install sudo modprobe wireguard
Copy the file named wg0.conf that you have already downloaded from Mullvad to the Pi. Use scp or whatever other method you prefer then move it to /etc/wireguard/wg0.conf on the Pi.
Set the permissions to the conf file so only root can read it
sudo chown root:root -R /etc/wireguard/*.conf && sudo chmod 600 -R /etc/wireguard/*.conf
Bring up the Wireguard interface on the Pi and enable it to start on boot:
sudo wg-quick up wg0 sudo systemctl enable firstname.lastname@example.org
The VPN tunnel between the Pi and the VPN Server should now be up and running. You can confirm this by checking the public IP on the Pi using the following commands:
curl ifconfig.co curl https://am.i.mullvad.net/
Setup Routing, NAT and Firewall
Now we need to enable IP forwarding. It enables the network traffic to flow in from one of the network interfaces and out the other. Essentially creating a router.
sudo /bin/su -c "echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' > /etc/sysctl.conf"
If you run sudo sysctl -p you should see this printed on the screen:
net.ipv4.ip_forward = 1
Now routing is enabled and traffic can go through the Raspberry Pi, over the tunnel and out on the internet.
sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
Allowing any traffic from eth0 (internal) to go over wg0 (tunnel):
sudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
Allowing traffic from gw0 (tunnel) to go back over eth0 (internal). Since we specify the state RELATED, ESTABLISHED it will be limited to connection initiated from the internal network. Blocking external traffic trying to initiate a new connection:
sudo iptables -A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Allowing the Raspberry Pi’s own loopback traffic:
sudo iptables -A INPUT -i lo -j ACCEPT
Allowing computers on the local network to ping the Raspberry Pi:
sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT
Allowing SSH from the internal network:
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Allowing all traffic initiated by the Raspberry Pi to return. This is the same state principal as earlier:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
If traffic doesn’t match any of the the rules specified it will be dropped:
sudo iptables -P FORWARD DROP sudo iptables -P INPUT DROP sudo iptables -L
Finally this saves the rules after you changed them. Iptable rules are in effect as soon as you add them if you messed up in the process and lost access just reboot and the ones not already saved will revert:
sudo systemctl enable netfilter-persistent
Now you can set any device to use the Raspberry as a gateway. You can even set the gateway to your dhcp so every device in the network will have the traffic routed throught the vpn. Important note: in order not to have dns leaks you have to set the mullvad dns to every device that connects throught the raspberry gateway. You can also use a pihole to filter your dns requests from advertisments and trackers, and have pihole connect to the mullvad dns server. More on that, and how to combine the vpn and pihole soon.
That’s all folks!
I have used a lot of material from these two posts: https://www.instructables.com/id/Raspberry-Pi-VPN-Gateway/
Also check out this great post for an on the road secure gateway https://danrl.com/blog/2016/travel-wifi/