Installing Wireguard VPN

Hi everyone,
I just saw that AutoPi now supports MQTT natively. I’m using Home Assistant and would love to switch over from the Rest API to MQTT. The problem is that my MQTT server isn’t opened to the web. I do have Wireguard installed on my devices so I was wondering, is it possible to install it on AutoPi?
I’m really not good with Linux things so I’d rather ask here first before I mess something up :)

Thanks in advance!

2 Likes

Just finished Wireguard VPN for my setup :)

I needed VPN tunneling between my server (Ubuntu), AutoPi and laptop (Windows). I decided to use 4323 as UDP port for Wireguard.

Server setup:

Server is running Ubuntu 18.04

Check ip forwarding

Make sure that sysctl net.ipv4.ip_forward returns net.ipv4.ip_forward = 1. If not, add the following to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

and run sudo sysctl -p /etc/sysctl.conf.

Install wireguard:

sudo apt update && sudo apt install -y wireguard wireguard-tools

Create keys

(umask 0077; wg genkey | tee peer_A.key | wg pubkey > peer_A.pub) && echo 'Private:' && cat peer_A.key && echo 'Public:' && cat peer_A.pub

Wireguard conf and setting up as a service

Create /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 4323

[Peer]
PublicKey = <autopi_public_key>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <laptop_public_key>
AllowedIPs = 10.0.0.3/32

Start wireguard at boot, and immediately:

systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

Firewall

Wireguard UDP traffic needs port 4323 to be allowed through the server firewall. I use ufw as the firewall interface, so I only had to do:

ufw allow 4323

Autopi setup:

GEN3 AutoPi is running kernel:

uname -a
# Linux autopi-7a8b384f0f90 4.19.66-v7+ #1253 SMP Thu Aug 15 11:49:46 BST 2019 armv7l GNU/Linux

Followed instructions from: Installing and Configuring WireGuard on Raspberry Pi OS (January 2021)

echo "deb http://archive.raspbian.org/raspbian testing main" | sudo tee --append /etc/apt/sources.list.d/testing.list  
printf 'Package: *\nPin: release a=testing\nPin-Priority: 50\n' | sudo tee --append /etc/apt/preferences.d/limit-testing  
sudo apt update
sudo apt install wireguard -y

I lost connection to AutoPi during the installation and had to restart the AutoPi by unplugging it. Probably unrelated to the installation.

Keys

Generate same way as for the server

Wireguard conf and setting up as a service

[Interface]
PrivateKey = <autopi_private_key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <server_public_key>
AllowedIPs = 10.0.0.0/24
Endpoint = <server ip or fqdn>:4323
PersistentKeepalive = 60

Start wireguard at boot, and immediately:

systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

Firewall

In AutoPi.io Cloud added iptables rule:

-I INPUT 1 -i wg0 -j ACCEPT

This allows all traffic through the VPN tunnel.

Laptop

Used Windows client for Wireguard and following conf:

[Interface]
PrivateKey = <laptop_private_key>
Address = 10.0.0.3/32

[Peer]
PublicKey = <server_public_key>
AllowedIPs = 10.0.0.0/24
Endpoint = <server ip or fqdn>:4323
PersistentKeepalive = 60

End

Now ssh/https/etc works from any of the machines, to any other machine.

5 Likes
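
Added example, not part of the original post: a small Python check that the three wg0.conf files above agree with each other. It verifies that each client Address is covered by a server [Peer] AllowedIPs entry, that no two server peers claim overlapping ranges, that each client Endpoint port matches the server ListenPort, and that the server's tunnel address is inside the client's AllowedIPs. The function names, the endpoint vpn.example.com and the key-less sample configs are assumptions constructed for illustration.

```python
import ipaddress
# Constructed samples mirroring the post's layout; keys omitted, endpoint name is made up.
SERVER = "[Interface]\nAddress = 10.0.0.1/24\nListenPort = 4323\n[Peer]\nAllowedIPs = 10.0.0.2/32\n[Peer]\nAllowedIPs = 10.0.0.3/32\n"
CLIENT = "[Interface]\nAddress = {ip}/32\n[Peer]\nAllowedIPs = 10.0.0.0/24\nEndpoint = vpn.example.com:4323\n"
CLIENTS = {"autopi": CLIENT.format(ip="10.0.0.2"), "laptop": CLIENT.format(ip="10.0.0.3")}

def parse_wg_conf(text):
    """Parse wg-quick text. [Peer] repeats, so configparser cannot be used as-is."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]

def audit(server_text, clients):
    """Return a list of inconsistencies for a hub-and-spoke setup (empty list = consistent)."""
    findings = []
    s_if, s_peers = parse_wg_conf(server_text)
    allowed = [(i, n) for i, p in enumerate(s_peers) for n in nets(p.get("AllowedIPs", ""))]
    # Each spoke owns one address here, so ranges shared between two peers are a mistake.
    for x, (i, a) in enumerate(allowed):
        for j, b in allowed[x + 1:]:
            if i != j and a.overlaps(b):
                findings.append(f"server: AllowedIPs {a} and {b} overlap between peers")
    server_ip, listen = ipaddress.ip_interface(s_if["Address"]).ip, s_if.get("ListenPort")
    for name, text in clients.items():
        c_if, c_peers = parse_wg_conf(text)
        addr = ipaddress.ip_interface(c_if["Address"]).ip
        if not any(addr in n for _, n in allowed):
            findings.append(f"{name}: {addr} not in any server AllowedIPs")
        for p in c_peers:
            port = p.get("Endpoint", "").rsplit(":", 1)[-1]
            if port != listen:
                findings.append(f"{name}: Endpoint port {port} != ListenPort {listen}")
            if not any(server_ip in n for n in nets(p.get("AllowedIPs", ""))):
                findings.append(f"{name}: server {server_ip} not routed via tunnel")
    return findings

if __name__ == "__main__": print(audit(SERVER, CLIENTS) or "configs are consistent")
```

To check real files, pass their contents to audit() in place of the constructed strings; private keys are parsed but never printed.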

Woah! Thank you very much!
I’ll have to modify this a bit since I’m running Wireguard on my Home Assistant server but I’ll manage that.

Thanks again, I will try this on Friday evening and report back :)

So uhh. Friend and I tried to get it working on Gen2 AutoPi but couldn’t get Wireguard to start.
We now set up a private MQTT broker so hopefully that’ll work :)
Thanks for the help! Appreciate it.
