[LINUX] Let's access your Raspberry Pi from outside your home with VPN (WireGuard)

Introduction

After the pandemic occurred, I purchased a DELL XPS 13 (9300) in 2020/04. As a laptop PC, I have no complaints about its performance. The screen is wide (1920x1200), the keyboard is good, and there is nothing to complain about.

However, it is still insufficient for processing huge data, and you will want to use your home desktop PC. (I don't go out for work at all now, so I'm anticipating the future.) Therefore, I decided to create an environment where I can log in from outside my home by setting up a VPN inside my home.

What to use for a VPN?

At first, I tried to use my home router, a Yamaha RTX830, as the VPN server and an iPhone as the VPN client, but I couldn't connect at all ...

Maybe it was the difference between IKEv1 / v2, an ISP filter, a mobile operator filter, a misconfiguration ... etc. I can think of possible causes, but I'm tired.

With that in mind, I asked Google-sensei and found the article "I created an environment where I can develop a home server over VPN with WireGuard". It explains how to build a VPN using WireGuard in a very easy-to-understand manner.

So I decided to put WireGuard on a Raspberry Pi 4 Model B behind the Yamaha RTX830 and build a VPN to it from the DELL XPS 13 (9300) (Ubuntu 20.04-LTS), with WireGuard installed, when I take it out of the house.

1. Install WireGuard

WireGuard is a peer-to-peer protocol, so there is no server / client concept. This means that WireGuard must be installed on both the Raspberry Pi and your laptop.

1-1. WireGuard installation on Raspberry Pi

WireGuard-Raspi explains how to install it on Raspberry Pi.

$ sudo apt-get update
$ sudo apt-get upgrade 
$ sudo apt-get install raspberrypi-kernel-headers
$ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
$ sudo apt-get install dirmngr 
$ wget -O - https://ftp-master.debian.org/keys/archive-key-$(lsb_release -sr).asc | sudo apt-key add -
$ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
$ sudo apt-get update
$ sudo apt-get install wireguard 
$ sudo reboot

1-2. Install WireGuard on Ubuntu 20.04-LTS

It's easy because it can be installed with apt.

$ sudo apt update
$ sudo apt install wireguard

2. Packet forwarding settings for WireGuard

WireGuard needs packet forwarding to be configured.

2-1. WireGuard settings on Raspberry Pi

Enable packet forwarding. WireGuard creates a P2P tunnel over UDP, so for a laptop PC outside your home to access your home network, the Raspberry Pi side also has to operate as a NAT box.

$ sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf 
$ sudo reboot

Check if it is set properly.

$ sysctl net.ipv4.ip_forward 
net.ipv4.ip_forward = 1

3. VPN key generation

Generate private and public keys for the VPN. Generate keys on both the Raspberry Pi and the laptop PC.

The protocol is P2P, but for convenience, let's treat the Raspberry Pi side as the server and the laptop PC as the client.

3-1. Key generation on the Raspberry Pi side

$ mkdir wgkeys
$ cd wgkeys/
$ umask 077
$ wg genkey > server_private.key
$ wg pubkey > server_public.key < server_private.key

3-2. Key generation on the laptop PC side

$ mkdir wgkeys
$ cd wgkeys/
$ umask 077
$ wg genkey > client_private.key
$ wg pubkey > client_public.key < client_private.key

4. VPN key setting

4-1. Key setting on the Raspberry Pi side

Create the /etc/wireguard directory and place the configuration file (wg0.conf) there.

$ sudo mkdir /etc/wireguard/
$ sudo vim /etc/wireguard/wg0.conf

[Interface]

# 1. Set the IP address used in the virtual VPN network.
# For simplicity, it is set to 10.0.0.1/24 here.
Address = 10.0.0.1/24

# 2. The port on which WireGuard listens. It is the port you open on the router, so change it as appropriate.
# The port number can be anything.
ListenPort = 1194

# 3. Enter the private key generated by the wg command (server side) as a string.
PrivateKey = <server private key>

# 4. Replace eth0 with the interface open to the internet (e.g. it might be wlan0 if on Wi-Fi).
# These commands run when the interface is brought up and taken down. Think of it as a spell for NAT for now.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]

# 5. Enter the public key generated by the wg command (client side) as a string.
PublicKey = <client public key>

# 6. For clarity, the client's virtual IP is set to 10.0.0.2/32.
# It is added to the IPs that are allowed to connect to the server.
AllowedIPs = 10.0.0.2/32

To allow connections from multiple peers, add one [Peer] section per client.

4-2. Key setting on the laptop PC side

Set up the laptop PC side in the same way as the Raspberry Pi.

$ sudo mkdir /etc/wireguard/
$ sudo vim /etc/wireguard/wg0.conf

However, no NAT settings are required on the laptop side.

[Interface]

# 1. Enter the private key generated by the wg command (client side) as a string.
PrivateKey = <client private key>

# 2. Client virtual IP
Address = 10.0.0.2/24

[Peer]

# 3. Enter the public key of the server as a string.
PublicKey = <server public key>

# 4. Add the server's virtual IP (10.0.0.1/32) to the IPs the client is allowed to reach.
# Also add the home network address space.
AllowedIPs = 10.0.0.1/32,192.168.0.0/24

# 5. Set the server's global IP (an FQDN is fine) and
# the ListenPort (the 1194 chosen on the server side).
Endpoint = <server global ip address>:1194
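
A pre-flight check for the wg0.conf files written in 4-1 and 4-2, as an added example that is not part of the original article: it flags a config that other users can read (the file holds the private key), leftover <...> placeholders, and on the server side any [Peer] whose AllowedIPs is wider than /32 or repeats an address. The function name audit_wg_conf, its server/client role argument and the sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): audit a wg-quick config file.
# audit_wg_conf FILE ROLE prints one finding per line, nothing when clean.
# ROLE is "server" or "client"; both labels are made up for this sketch.
audit_wg_conf() {
    conf=$1; role=$2
    # The file embeds PrivateKey, so group and others must have no access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERM: group/world can access $conf (chmod 600)"
    # Placeholders such as <server private key> must have been replaced.
    if grep -Eq '^[[:space:]]*(PrivateKey|PublicKey|Endpoint)[[:space:]]*=[[:space:]]*<' "$conf"; then
        echo "PLACEHOLDER: a key or endpoint still holds a <...> placeholder"
    fi
    [ "$role" = server ] || return 0
    # On the server, AllowedIPs is also the source filter for each peer:
    # one /32 per client, never repeated in another [Peer] section.
    ips=$(awk -F= '
        /^\[/ { in_peer = ($0 ~ /^\[Peer\]/) }
        in_peer && /^[ \t]*AllowedIPs[ \t]*=/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", a[i]); print a[i] }
        }' "$conf")
    for ip in $ips; do
        case $ip in
            */32) ;;
            *) echo "WIDE: $ip gives a peer more than one address" ;;
        esac
    done
    for ip in $(printf '%s\n' $ips | sort | uniq -d); do
        echo "DUP: $ip appears in AllowedIPs more than once"
    done
    return 0
}

# Constructed sample: the article's server layout plus a second, sloppy peer.
demo_dir=$(mktemp -d)
cat > "$demo_dir/wg0.conf" <<'EOF'
[Interface]
PrivateKey = <server private key>
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <second client public key>
AllowedIPs = 10.0.0.2/32, 10.0.0.0/24
EOF
chmod 644 "$demo_dir/wg0.conf"   # typical result of "sudo vim" under umask 022
audit_wg_conf "$demo_dir/wg0.conf" server
rm -rf "$demo_dir"
```

Run it as root against /etc/wireguard/wg0.conf before wg-quick up; no output means nothing was flagged.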

5. Automatic startup of WireGuard (Raspberry Pi)

Bring up WireGuard on the Raspberry Pi (server) side as follows.

$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Make WireGuard start automatically when the Raspberry Pi boots.

$ sudo wg-quick down wg0
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0

6. Port forwarding on your home router

Set up port forwarding on the Yamaha RTX830. It translates port number 11194 received on the outside to port number 1194 of the Raspberry Pi and forwards it.

pp select 1
ip filter 200100 pass * <IP address of Raspberry Pi> udp * 1194
pp1# ip pp secure filter in ... 200100
no pp select
nat descriptor type 1000 masquerade
nat descriptor masquerade static 1000 1 <IP address of Raspberry Pi> udp 11194=1194

Adjust these settings to match your home router.

7. VPN connection / disconnection

To make a VPN connection from the laptop PC with WireGuard, execute the following command.

$ sudo wg-quick up /etc/wireguard/wg0.conf

To disconnect the VPN connection:

$ sudo wg-quick down /etc/wireguard/wg0.conf

Summary

Now you can connect to your home network from outside your home. Now you can access your desktop PC and comfortably process huge amounts of data.

If you don't want to keep your desktop PC running all the time ...

Please read.
