Raspberry Pi WireGuard VPN gateway

What is WireGuard

WireGuard is a new, experimental VPN protocol that aims to offer a simpler, faster, and more secure solution for VPN tunneling than the existing VPN protocols. WireGuard has some major differences when compared to OpenVPN and IPsec, such as the code size (under 4,000 lines!), speed, and encryption standards. Because of the different architecture it can offer better speeds, specifically on ARM devices such as the Raspberry Pi. You can read more about it on the project's website. Also check out this post for a detailed review.

Why Mullvad

Knowing that our browsing habits are a product that can also be used against us, I decided to start protecting my privacy and my online habits. I don't want Facebook, Amazon, any state or my internet service provider to know what I do, log it and sell it to make a profit. One option is to use Tor, but it is slow, not good for streaming or torrenting, so VPN is the only way. Well, actually one of the tools you can use to protect your privacy online. It's always a question of who you trust; VPNs are not a perfect privacy tool, but depending on your location and online activities, they can be a helpful tool to protect your privacy.

So Mullvad, mostly because of this guy, an independent researcher whose site you really need to check out. Mullvad is the most “anonymous” VPN provider, with a no-log policy, and offers bitcoin or cash payments. Also because they offer WireGuard, which is ideal for use with a Raspberry Pi: low latency and 5 times the bandwidth of OpenVPN on a Raspberry Pi. If your provider can give that bandwidth.

Preparation

Create an account and log in to Mullvad.net. Download the WireGuard configuration file from this page. Keep the Killswitch option off, as it will block your SSH access to the Raspberry Pi.

WireGuard creates an interface named after the configuration file, e.g. mullvadfr1 or mullvadse1, depending on the server you connect to. For simplicity it is better to rename your working configuration file to wg0.conf; it will be easier to maintain the iptables rules we create later.

Before we start the configuration on the Pi it would be wise to set a static IP, since it will act as a gateway for some or all of the devices on your network. So go ahead and edit:

sudo nano /etc/dhcpcd.conf

and add these lines at the end of the file:

interface eth0
   static ip_address=192.168.1.10/24 
   static routers=192.168.1.1 
   static domain_name_servers=193.138.218.74

In static routers you have to enter the IP of your current gateway. For DNS it would be wise to enter the DNS server of Mullvad or whatever VPN provider you use.

Restart the service with the command below and SSH in again using the new static IP:

sudo service dhcpcd restart

Set up Wireguard on the Pi

First we need to update the package sources, upgrade your Raspbian OS and install the software we will need later.

sudo apt update && sudo apt-get upgrade 
sudo apt-get install hostapd dnsmasq libmnl-dev linux-headers-rpi build-essential git dnsutils bc raspberrypi-kernel-headers iptables-persistent

We then set up WireGuard on the Pi. Install WireGuard from source as follows:

git clone https://git.zx2c4.com/WireGuard
cd WireGuard/src
make
sudo make install
sudo modprobe wireguard

Copy the wg0.conf file you downloaded from Mullvad to the Pi, using scp or whatever other method you prefer, then move it to /etc/wireguard/wg0.conf on the Pi.

Set the permissions on the conf file so only root can read it:

sudo chown root:root -R /etc/wireguard/*.conf && sudo chmod 600 -R /etc/wireguard/*.conf

Bring up the WireGuard interface on the Pi and enable it to start on boot:

sudo wg-quick up wg0 
sudo systemctl enable wg-quick@wg0.service

The VPN tunnel between the Pi and the VPN Server should now be up and running. You can confirm this by checking the public IP on the Pi using the following commands:

curl ifconfig.co
curl https://am.i.mullvad.net/

Setup Routing, NAT and Firewall

Now we need to enable IP forwarding, which lets network traffic flow in from one network interface and out another, essentially turning the Pi into a router.

sudo sh -c "printf '\n# Enable IP routing\nnet.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf"

If you run sudo sysctl -p you should see this printed on the screen:

net.ipv4.ip_forward = 1

Now routing is enabled and traffic can go through the Raspberry Pi, over the tunnel and out on the internet.

Enable NAT:

sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

Allowing any traffic from eth0 (internal) to go over wg0 (tunnel):

sudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT

Allowing traffic from wg0 (tunnel) to go back over eth0 (internal). Since we specify the state RELATED,ESTABLISHED it is limited to connections initiated from the internal network, blocking external traffic that tries to initiate a new connection:

sudo iptables -A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allowing the Raspberry Pi’s own loopback traffic:

sudo iptables -A INPUT -i lo -j ACCEPT

Allowing computers on the local network to ping the Raspberry Pi:

sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT

Allowing SSH from the internal network:

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Allowing all traffic initiated by the Raspberry Pi to return. This is the same state principle as earlier:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If traffic doesn’t match any of the rules specified it will be dropped:

sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -L

Finally, save the rules after you have changed them. iptables rules take effect as soon as you add them, so if you messed up in the process and lost access, just reboot and the rules that were not saved will revert:

sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
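The routing, NAT and firewall steps above, collected into one re-runnable script. This is an added example, not code from the original post: it reproduces the post's rule set, but checks each rule with iptables -C before adding it so that running it twice does not stack duplicate rules, persists IP forwarding through a sysctl.d drop-in, and keeps the rule list in a pure function so you can review it before applying. The interface names eth0/wg0, the SSH port and the file paths are assumptions matching the post's setup; override them with environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): the post's gateway firewall as a
# script. Assumed defaults follow the post; override via the environment.
LAN_IF="${LAN_IF:-eth0}"   # internal interface the clients sit on
VPN_IF="${VPN_IF:-wg0}"    # WireGuard interface (config file renamed to wg0.conf)
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-iptables}"

# Print the rule list (arguments to iptables), one rule per line.
# Pure function: no side effects, so the set can be reviewed or tested.
emit_rules() {
    lan="${1:-$LAN_IF}"; vpn="${2:-$VPN_IF}"; ssh="${3:-$SSH_PORT}"
    cat <<EOF
-t nat -A POSTROUTING -o $vpn -j MASQUERADE
-A FORWARD -i $lan -o $vpn -j ACCEPT
-A FORWARD -i $vpn -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -p icmp -j ACCEPT
-A INPUT -i $lan -p tcp --dport $ssh -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Turn an append rule (-A) into the equivalent check rule (-C).
to_check() {
    printf '%s\n' "$1" | sed 's/-A /-C /'
}

# Add each rule only if an identical one is not already present.
apply_rules() {
    emit_rules | while IFS= read -r rule; do
        check=$(to_check "$rule")
        $IPT $check 2>/dev/null || $IPT $rule
    done
    # Default-deny for anything the rules above did not match.
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
}

# Persist IP forwarding in a drop-in file instead of editing /etc/sysctl.conf.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-vpn-gateway.conf
    sysctl -w net.ipv4.ip_forward=1
}

# Exit 0 only if both default policies are DROP (quick post-apply check).
verify_policies() {
    $IPT -S FORWARD | grep -q '^-P FORWARD DROP$' &&
    $IPT -S INPUT   | grep -q '^-P INPUT DROP$'
}

case "${1:-}" in
    emit)  emit_rules ;;
    apply) enable_forwarding && apply_rules && netfilter-persistent save && verify_policies ;;
esac
```

Run it as sudo sh gateway-fw.sh emit to see the rules it would add, and sudo sh gateway-fw.sh apply on the Pi to apply, persist and verify them. As in the post, apply it from an SSH session on the internal network only, since the INPUT policy becomes DROP and SSH is only accepted from eth0.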

Now you can set any device to use the Raspberry Pi as its gateway. You can even set the gateway in your DHCP server so every device on the network has its traffic routed through the VPN. Important note: in order not to have DNS leaks you have to set the Mullvad DNS on every device that connects through the Raspberry Pi gateway. You can also use a Pi-hole to filter your DNS requests from advertisements and trackers, and have Pi-hole connect to the Mullvad DNS server. More on that, and how to combine the VPN and Pi-hole, soon.
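One way to do the "set the gateway in your DHCP" and "set the Mullvad DNS on every device" steps in one place, as an added example that is not part of the original post: a dnsmasq DHCP configuration (dnsmasq is installed earlier in the post but never configured there) that hands every client the Pi as default router and the VPN provider's resolver as the only DNS server, so no client falls back to the ISP resolver. It assumes dnsmasq on the Pi is the LAN's only DHCP server, i.e. DHCP on the home router has been switched off, and the addresses, lease range and interface are assumptions following the post's network.

```shell
#!/bin/sh
# Added example (not from the original post): generate and install a dnsmasq
# DHCP-only configuration for the VPN gateway. Assumed values follow the post.
GW_IP="${GW_IP:-192.168.1.10}"        # the Pi's static address from the post
VPN_DNS="${VPN_DNS:-193.138.218.74}"  # Mullvad resolver used in the post
LAN_IF="${LAN_IF:-eth0}"
DHCP_RANGE="${DHCP_RANGE:-192.168.1.100,192.168.1.200,12h}"  # assumed lease pool

# Print the configuration; pure function so it can be reviewed or tested.
dnsmasq_conf() {
    gw="${1:-$GW_IP}"; dns="${2:-$VPN_DNS}"; lan="${3:-$LAN_IF}"; range="${4:-$DHCP_RANGE}"
    cat <<EOF
# Serve DHCP only on the LAN interface, never on the tunnel
interface=$lan
bind-interfaces
# Lease pool (assumed, adjust to your network)
dhcp-range=$range
# Default route via the Pi, so client traffic enters the tunnel
dhcp-option=option:router,$gw
# Only the VPN provider's resolver, so queries do not leak to the ISP
dhcp-option=option:dns-server,$dns
# DHCP only: disable dnsmasq's own DNS listener
port=0
EOF
}

# Write the drop-in, syntax-check it, and restart dnsmasq only if it passes.
install_conf() {
    dnsmasq_conf > /etc/dnsmasq.d/vpn-gateway.conf
    dnsmasq --test && systemctl restart dnsmasq
}

case "${1:-}" in
    show)    dnsmasq_conf ;;
    install) install_conf ;;
esac
```

Use sh gateway-dhcp.sh show to inspect the generated file and sudo sh gateway-dhcp.sh install on the Pi. After clients renew their leases, the post's curl checks run from a client should report the VPN exit address, and a client's configured resolver should be only the VPN DNS.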

That’s all folks!


I have used a lot of material from these two posts: https://www.instructables.com/id/Raspberry-Pi-VPN-Gateway/

https://www.ckn.io/blog/2017/12/28/wireguard-vpn-portable-raspberry-pi-setup/

Also check out this great post for an on the road secure gateway https://danrl.com/blog/2016/travel-wifi/
