networking – WireGuard VPN for home network with Raspberry Pi 4 8GB (64-bit)

I’ve been trying to set up a WireGuard VPN on my home network and have been having a frustrating time. I think I have solved all the usual issues, but I’m still not able to access the internet or things on my home network when I’m apparently connected to the VPN.

After I couldn’t get it working myself I re-imaged my drive and tried PiVPN’s install script; unfortunately this does not work with the 64-bit Raspberry Pi OS I’m running because I’m on the 8GB Pi 4. I don’t think the dkms module in the package repo is built for 64-bit ARM, because I couldn’t get it to install, so I built it from source, which worked. Kernel 5.4 is used in the 64-bit Pi OS Buster image at the time of writing, so WireGuard needs the dkms modules. PiVPN still wants to install the dkms module from the repo if you build it manually or if you update to a more recent kernel which has it already built in (I tried 5.10 with sudo BRANCH=next rpi-update and rebooted after any kernel changes), so I gave up on PiVPN and went back to trying to do it myself.

Common issues I’ve checked:

  • Port 51820 (UDP) is forwarded to my Pi on my router

  • My dynamic DNS is pointing to my home IP – I can SSH in to another host on my network with my public address

  • I think the key pairs are correct; I’ve double-checked manually, and the connection appears to work from the peers I’ve tried, unless key authentication fails silently, which I doubt would be the case.

  • net.ipv4.ip_forward=1 (I didn’t change IPv6)

  • I haven’t set up a firewall on the Pi yet, so that’s not in the way

Here are my config files:

wg0.conf

[Interface]
Address = 10.9.0.1/24
ListenPort = 51820
# DNS = ip.of.home.router  # tried with and without, also 8.8.8.8; not sure if this is supposed to be local or not
PrivateKey = "Server"privatekey=

# eth0 is the correct name for my network interface
# I have tried it with and without these lines, as some guides I have read include them and others don't, and I'm not clear on what exactly they do
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer1
PublicKey = "peer"publickey=
AllowedIPs = 10.9.0.2/32

peer config file

[Interface]
Address = 10.9.0.2/32
# DNS = ip.of.home.router  # tried with and without, also 8.8.8.8; not sure if this is supposed to be local or not
PrivateKey = "peer"privatekey=

[Peer]
PublicKey = "host"publickey=
Endpoint = mydomain.me:51820
AllowedIPs = 0.0.0.0/0, ::/0
# PersistentKeepalive = 60

I enabled the systemd service for WireGuard with sudo systemctl enable wg-quick@wg0, and this reports itself as active when I check with sudo systemctl status wg-quick@wg0.

(I sent this to my phone via QR code with qrencode -t ansiutf8 < /etc/wireguard/peer1.conf to test the connection from outside the network using mobile data.)

I’m still pretty new to networking stuff – have I missed something that should be obvious here?

Apparently dynamic debug logging is a post-kernel-5.6 thing, so I’m going to try again on kernel 5.10 with logging on so I can try to get some error messages that point me in the right direction while I wait to see if any of you good people have any help to offer – thanks.
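An added example, not from the post or the WireGuard project: a small Python linter for wg-quick configs that reports the slips a reader can spot in the files above, namely section headers written with parentheses instead of square brackets, key names whose spelling or case differs from the documented wg-quick(8) ones (PersistentkeepAlive), and PostUp iptables rules that PostDown never removes. The sample config and its keys are constructed placeholders.

```python
import re

KNOWN = {  # documented wg-quick(8) keys; spelling and case are checked against these
    "Interface": {"Address", "ListenPort", "PrivateKey", "DNS", "MTU", "Table", "FwMark",
                  "SaveConfig", "PreUp", "PostUp", "PreDown", "PostDown"},
    "Peer": {"PublicKey", "PresharedKey", "AllowedIPs", "Endpoint", "PersistentKeepalive"}}

# Constructed hub config with placeholder keys, reproducing the slips visible in the post above.
BAD_CONF = """\
(Interface)
Address = 10.9.0.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT

(Peer)
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.9.0.2/32
PersistentkeepAlive = 60
"""

def parse(text):
    """Return ([(section, {key: value}), ...], [problems]); '#' starts a comment."""
    sections, problems = [], []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if re.fullmatch(r"[\[(]?(Interface|Peer)[\])]?", line):
            if not (line.startswith("[") and line.endswith("]")):
                problems.append(f"section header must use square brackets: {line}")
            sections.append((re.sub(r"\W", "", line), {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
            if key not in KNOWN[sections[-1][0]]:
                problems.append(f"unknown key {key!r} in [{sections[-1][0]}] (check spelling and case)")
        else:
            problems.append(f"cannot parse line: {line}")
    return sections, problems

def rules(script, flag):
    """Split a 'cmd; cmd' PostUp/PostDown string into rules with the -A/-D flag neutralised."""
    return {r.strip().replace(f" {flag} ", " -A/-D ") for r in script.split(";") if r.strip()}

def lint(text):
    """Check header order and that every rule PostUp adds (-A) is removed by PostDown (-D)."""
    sections, problems = parse(text)
    if not sections or sections[0][0] != "Interface":
        return problems + ["config must start with an [Interface] section"]
    iface = sections[0][1]
    for rule in sorted(rules(iface.get("PostUp", ""), "-A") - rules(iface.get("PostDown", ""), "-D")):
        problems.append(f"PostUp adds a rule that PostDown never removes: {rule}")
    return problems
```

Running lint() over /etc/wireguard/wg0.conf after each edit catches the static mistakes; it does not replace checking ip_forward, the FORWARD chain and the MASQUERADE rule on the live system.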