WireGuard VPN Server on Raspberry Pi
What Is WireGuard?
WireGuard is a modern, fast, and lightweight VPN protocol that encrypts traffic between your devices and your Raspberry Pi. It’s ideal for securely accessing your home network remotely.
Requirements
- Raspberry Pi 5 with Raspberry Pi OS (fully updated)
- Static IP or dynamic DNS (e.g. duckdns.org)
- Port forwarding access to your router
- SSH or terminal access
Step 1: Update Your System
sudo apt update && sudo apt upgrade -y
Step 2: Install WireGuard
sudo apt install wireguard -y
Step 3: Generate Server Keys
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
You’ll get two files:
- server_private.key
- server_public.key
Step 4: Create WireGuard Config
sudo nano /etc/wireguard/wg0.conf
Paste the following, and replace values as needed:
[Interface]
Address = 10.0.0.1/24
PrivateKey = <contents of server_private.key>
ListenPort = 51820
SaveConfig = true
# Allow forwarded VPN traffic and NAT it out of eth0 (change eth0 if your uplink interface differs)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Save and exit (Ctrl+O, Enter, Ctrl+X).
Step 5: Enable IP forwarding
sudo nano /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward=1
Then apply:
sudo sysctl -p
Step 6: Start WireGuard
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
Check status:
sudo wg
Step 7: Port Forwarding
Log in to your router and forward UDP port 51820 to the IP of your Raspberry Pi (e.g. 192.168.1.100).
Step 8: Create a Client Config
Generate client keys:
wg genkey | tee client_private.key | wg pubkey > client_public.key
Create a config file (e.g. client.conf):
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = <your_public_ip_or_dns>:51820
AllowedIPs = 0.0.0.0/0
Step 9: Add Client to Server
On the Pi:
sudo wg set wg0 peer <client_public_key> allowed-ips 10.0.0.2/32
sudo wg-quick save wg0
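A check you can run against the server config after Step 9, as an added example that is not part of the original tutorial: it flags a config file accessible to group or other, a PrivateKey placeholder that was never filled in, and any server-side peer whose AllowedIPs is wider than a single tunnel address such as the 10.0.0.2/32 used above. The function name audit_wg_conf and the sample config are constructed for illustration.

```shell
# Added example: audit a wg-quick server config (hypothetical helper).
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_wg_conf() {
    conf=$1
    perms=""
    # The file holds PrivateKey. Characters 5-10 of the ls mode string are the
    # group and other permission bits; all six must be "-".
    if [ "$(ls -ld -- "$conf" | cut -c5-10)" != "------" ]; then
        perms="PERMS: $conf is accessible to group or other (chmod 600)"
    fi
    parsed=$(awk '
        { line = $0; sub(/#.*/, "", line); low = tolower(line) }
        low ~ /^[ \t]*\[/ { section = low; gsub(/[^a-z]/, "", section); next }
        # A leftover <...> placeholder means the key was never pasted in.
        section == "interface" && low ~ /^[ \t]*privatekey[ \t]*=/ && line ~ /</ {
            print "KEY: PrivateKey is still a placeholder"
        }
        # On the server each peer should own single tunnel addresses only
        # (/32, or /128 for IPv6); a wider range lets it claim other sources.
        section == "peer" && low ~ /^[ \t]*allowedips[ \t]*=/ {
            sub(/^[^=]*=/, "", line)
            n = split(line, nets, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", nets[i])
                if (nets[i] !~ /\//) continue   # bare address is one host
                want = (nets[i] ~ /:/) ? "/128" : "/32"
                if (substr(nets[i], length(nets[i]) - length(want) + 1) != want)
                    print "PEER: AllowedIPs " nets[i] " is wider than " want
            }
        }
    ' "$conf")
    report=$(printf '%s\n%s\n' "$perms" "$parsed" | sed '/^$/d')
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}
# Constructed sample: world-readable file, placeholder key, over-broad peer.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = <contents of server_private.key>
[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_CLIENT_KEY
AllowedIPs = 0.0.0.0/0
EOF
chmod 644 "$sample"
audit_wg_conf "$sample" || true
rm -f "$sample"
```

To check the real file, call audit_wg_conf /etc/wireguard/wg0.conf as root, since the config should not be readable by other users.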
Step 10: Connect From Client
- On Android: use the WireGuard app, scan the QR code or import the config
- On Windows/Linux/macOS: use the official WireGuard client