TorGuard
Wireguard and raspberry pi

Newbuilder
Solved by Newbuilder

Question

Trying to get WireGuard working on a Raspberry Pi to connect to TorGuard, but all the user guides seem to refer to making the Pi a server rather than a client connecting to TorGuard.

I started by changing the settings on the TG website, then creating a manual configuration for the dedicated IP. Can anyone give me the steps involved to change my Pi from OpenVPN to WireGuard VPN?


17 answers to this question

Recommended Posts

Solution

Sorted.

# NAT everything that leaves through the tunnel behind the tunnel address
sudo iptables -t nat -A POSTROUTING -o torguard-wg -j MASQUERADE
# allow replies coming back out of the tunnel to the LAN (here on wlan0)
sudo iptables -A FORWARD -i torguard-wg -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow the LAN to open new connections into the tunnel
sudo iptables -A FORWARD -i wlan0 -o torguard-wg -j ACCEPT

 


Hello, you could follow guides which set up your server too, then change the values of the interface and the peer to those from the config tool, which you can use after logging in to your TorGuard account. What you can skip is configuring the firewall to allow incoming connections if guides instruct so; for TorGuard WireGuard you will not require it. You can create an additional interface in the same way, where you set it up as your home server, but set up your VPN connection first.

Not sure about your OS, which guides you followed or for which RPi, but this one should work with Ubuntu and the RPi 4 too.


Okay, I have some sort of connection but I'm not getting my private IP. I am getting a TG IP but not mine.

 

# TorGuard WireGuard Config
[Interface]
PrivateKey = from TG file
ListenPort = 51820
DNS = 1.1.1.1
Address = from TG file

[Peer]
PublicKey = from TG file
AllowedIPs = 0.0.0.0/0
Endpoint = from TG file
PersistentKeepalive = 25

### begin peer ###
[Peer] - NO IDEA WHERE THIS HAS COME FROM
PublicKey = wpKjj6JltiP7CpZv7lY7W+UOcJewv+pRZ8KX1g0SJFc=
PresharedKey = 3J1MGiFSR7YD23S8QtcrTlrRmep3R3WYYDJaTcpu1a4=
AllowedIPs = 10.6.0.2/32
### end peer ###
 


If you have wg0.conf or any other config file, then simply replace everything in it with everything from the config generator; here is an example with all dummy values:

# TorGuard WireGuard Config
[Interface]
PrivateKey = fromTGfile
ListenPort = 51820
DNS = 1.1.1.1,1.0.0.1
Address = fromTGfile

[Peer]
PublicKey = from TG file
AllowedIPs = 0.0.0.0/0
Endpoint = fromTGfile
PersistentKeepalive = 25
	

If your RPi acts as a gateway and you want to specify which IP addresses or ranges should go through it, then you have to use those IPs/ranges instead of 0.0.0.0/0 under AllowedIPs.

1 hour ago, Newbuilder said:

### begin peer ###
[Peer] - NO IDEA WHERE THIS HAS COME FROM
PublicKey = wpKjj6JltiP7CpZv7lY7W+UOcJewv+pRZ8KX1g0SJFc=
PresharedKey = 3J1MGiFSR7YD23S8QtcrTlrRmep3R3WYYDJaTcpu1a4=
AllowedIPs = 10.6.0.2/32
### end peer ###

 

You have probably created it by running some guide where you specify your WireGuard address as 10.6.0.2 and use preshared and public keys for your WireGuard client. You should delete this peer from the WireGuard interface.

Make sure you did not set up some routes etc. with previous setups, which might cause issues in case they are wrong.

  • If you still configure your WireGuard server for the ability to access it (for example over WireGuard's port forwarding):
    • If your network uses 192.168.x.x IPs, like 192.168.1.x,
      then set your WireGuard server to use 192.168.2.x
      (or any number higher than your current network).

 


Thanks, slowly understanding this.

 

Right did some troubleshooting. 

 

I can connect to the VPN and ping and traceroute from the Pi's SSH session, but the whole network collapses on all devices.

I have disabled ufw and it made no difference. 

I have dnsmasq and wonder if that is the issue. 

I am a bit confused as to what to send you for debugging. Can you help me out?

 

Thanks. 

Wireguard down

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.252   0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.0.253   192.168.0.252   255.255.255.255 UGH   0      0        0 eth0
 

252 = ISP router

253 = device I want to bypass the VPN

 

Wireguard up

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.252   0.0.0.0         UG    202    0        0 eth0
10.13.128.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.0.253   192.168.0.252   255.255.255.255 UGH   0      0        0 eth0
 

 

# TorGuard WireGuard Config
[Interface]
PrivateKey = REDACTED
ListenPort = 51820
DNS = 1.1.1.3
Address = 10.13.128.xxx/24

# Internet Gateway config: nat wg1 out to the internet on
# eth0
PostUp = iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --set-mark 51820
PostUp = iptables -t mangle -A PREROUTING -m connmark --mark 51820 -j MARK --set-mark 51820
PostUp = iptables -A FORWARD -i wg1 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg1 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i eth0 -j CONNMARK --set-mark 51820
PostDown = iptables -t mangle -D PREROUTING -m connmark --mark 51820 -j MARK --set-mark 51820
[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
Endpoint = 149.14.999.66:1443
PersistentKeepalive = 25
 


Actually, you should get it to work without any PostUp/Down rules.

All you need to do is to properly configure your DHCP server: if you want your RPi to act as a gateway over the TG VPN, then simply add option 3,IPOfYourRPi, and you also need to pass DNS to your clients with 6,IPOfYourDNSServer, or simply set it to Cloudflare with 6,1.1.1.1

If not all devices should go over WireGuard:

On the RPi, under AllowedIPs, set the ranges (or every single IP, if you want) which should go over TorGuard; everything else would go over your ISP. If you use 0.0.0.0/0 then all traffic will be routed over the TG VPN. Your PostUp/Down rules are not part of the TorGuard config which you have generated.

Once again, just replace your wg0.conf with the one which you created; if that works, you can then further shape whatever you want, like PostUp and PostDown commands. However, WireGuard is a peer-based VPN.

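The three things that went wrong so far in this thread are all visible in the config file before wg-quick is ever started: a second [Peer] with no Endpoint left over from a server-side guide, PostUp lines that name wg1 inside a wg0.conf, and gateway NAT/forward rules that have to match the real tunnel and LAN interface names. The following is an added example, not TorGuard's code, not wg-quick's and not anything posted in the thread: it parses a wg-quick style file, lints it for exactly those problems, and re-emits a clean single-peer config with the solution post's iptables rules attached as PostUp/PostDown hooks. The sample config, its keys and the 203.0.113.5 endpoint are constructed placeholders.

```python
"""Parse, lint and regenerate a wg-quick style WireGuard client config.
Added example: not TorGuard's code, not wg-quick's, not from this thread. It
assumes the wg-quick file format ([Interface]/[Peer] sections, '#' comments) and
that a provider-issued client config has exactly one [Peer], the one with an
Endpoint. The sample config, its keys and its endpoint are constructed."""
import base64
import ipaddress
import re

CANON = {"privatekey": "PrivateKey", "address": "Address", "dns": "DNS",       # output spelling
         "publickey": "PublicKey", "allowedips": "AllowedIPs", "endpoint": "Endpoint",
         "persistentkeepalive": "PersistentKeepalive", "postup": "PostUp", "postdown": "PostDown"}

def parse_wg_conf(text):
    """{'interface': {key: [values]}, 'peers': [{key: [values]}, ...]}; values are
    lists because Address/DNS/PostUp/PostDown may repeat; keys are lowercased."""
    conf, current = {"interface": {}, "peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                        # drop comments
        if not line:
            continue
        if line.lower() == "[interface]":
            current = conf["interface"]
        elif line.lower() == "[peer]":
            current = {}
            conf["peers"].append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return conf

def is_wg_key(value):
    """A WireGuard key is 32 bytes of base64 (44 chars); placeholders fail this."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                                              # binascii.Error too
        return False

def lint_client_conf(conf, iface_name="wg0"):
    """Findings for a provider-style client (or LAN gateway) config."""
    findings, iface, peers = [], conf["interface"], conf["peers"]
    if not all(is_wg_key(k) for k in iface.get("privatekey", [""])):
        findings.append("[Interface] PrivateKey is not a valid key (placeholder left in?)")
    for n, peer in enumerate(peers, 1):
        allowed = ", ".join(peer.get("allowedips", ["<none>"]))
        if "endpoint" not in peer:                 # inbound peer left over from a server guide
            findings.append(f"peer {n} (AllowedIPs {allowed}) has no Endpoint: server-style peer, delete it")
        if not all(is_wg_key(k) for k in peer.get("publickey", [""])):
            findings.append(f"peer {n}: PublicKey is not a valid key")
    if len(peers) != 1:
        findings.append(f"{len(peers)} peers: a provider client config needs exactly one")
    nets = [ipaddress.ip_network(a.strip(), strict=False) for p in peers
            for a in ",".join(p.get("allowedips", [])).split(",") if a.strip()]
    if not any(n.version == 4 and n.prefixlen == 0 for n in nets):
        findings.append("no 0.0.0.0/0 in AllowedIPs: split tunnel, only listed ranges use the VPN")
    for hook in ("postup", "postdown"):            # hook rules that name a different wg interface
        for cmd in iface.get(hook, []):
            for dev in re.findall(r"-[io]\s+(\S+)", cmd):
                if dev.startswith("wg") and dev != iface_name:     # heuristic: 'wg*' is a tunnel
                    findings.append(f"{CANON[hook]} names {dev} but this is {iface_name}.conf")
    return findings

def render_gateway_conf(conf, wg_if="wg0", lan_if="eth0"):
    """Clean single-peer config plus the NAT/forward hooks that let LAN hosts using the
    Pi as gateway ride the tunnel (the solution post's rules, parameterised, plus
    ip_forward). ListenPort is dropped: an outbound-only client needs none."""
    iface = conf["interface"]
    peer = next(p for p in conf["peers"] if "endpoint" in p)       # keep only the provider peer
    up = ["sysctl -w net.ipv4.ip_forward=1",
          f"iptables -t nat -A POSTROUTING -o {wg_if} -j MASQUERADE",
          f"iptables -A FORWARD -i {lan_if} -o {wg_if} -j ACCEPT",
          f"iptables -A FORWARD -i {wg_if} -o {lan_if} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"]
    down = [cmd.replace(" -A ", " -D ") for cmd in up[1:]]          # undo the rules on wg-quick down
    out = ["[Interface]"]
    out += [f"{CANON[k]} = {v}" for k in ("privatekey", "address", "dns") for v in iface.get(k, [])]
    out += [f"PostUp = {c}" for c in up] + [f"PostDown = {c}" for c in down] + ["", "[Peer]"]
    out += [f"{CANON[k]} = {v}" for k in ("publickey", "endpoint", "allowedips", "persistentkeepalive")
            for v in peer.get(k, [])]
    return "\n".join(out) + "\n"

# Constructed sample: the provider's config with a server-style peer pasted under it.
_K = [base64.b64encode(bytes(range(i, i + 32))).decode() for i in (0, 32, 64, 96)]
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {_K[0]}
ListenPort = 51820
DNS = 1.1.1.1
Address = 10.13.128.2/24

[Peer]
PublicKey = {_K[1]}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.5:1443

### begin peer ###  (leftover from a server-side guide)
[Peer]
PublicKey = {_K[2]}
PresharedKey = {_K[3]}
AllowedIPs = 10.6.0.2/32
"""

if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_CONF)
    print("\n".join(lint_client_conf(conf, "wg0")))
    print(render_gateway_conf(conf, wg_if="torguard-wg", lan_if="wlan0"))
```

Run it against your own wg0.conf by reading the file into parse_wg_conf; the linter reports the leftover 10.6.0.2/32 peer and the peer count, and render_gateway_conf writes the config you would actually hand to wg-quick. The interface name passed as wg_if must be the name wg-quick derives from the file name (wg0 for wg0.conf), and lan_if must be the interface your LAN clients reach the Pi on.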

Thanks for all the help. 

So I have now been asked to test the client app for the RPi that TorGuard has been working on; it all connected after downloading WireGuard via the test repository. EXCEPT I can't get my devices to get out onto the internet.

I have gone into dnsmasq.conf and checked option 3 (this was set as 192.168.0.1, the Pi), but there was no mention of option 6, so I added that. Rebooted the Pi but still no access out. My laptop can ping the Pi but cannot ping outside the network.

 

# General configuration
listen-address=::1,127.0.0.1,192.168.0.1
interface=eth0
domain-needed
bogus-priv
expand-hosts
domain=home.lan
dhcp-range=192.168.0.5,192.168.0.254,48h
dhcp-option=3,192.168.0.1
dhcp-option=6,1.1.1.1
# Static IP
#enter ",static" before ,48h to switch all to static  on
#nas
dhcp-host=00:XX:32:b9:c7:1c,192.168.0.251
#unifioutside
dhcp-host=f0:XX:c2:82:2a:dd,192.168.0.122
#unifi upstairs
dhcp-host=74:XX:c2:8c:f1:ee,192.168.0.120
#unifi controller
dhcp-host=fc:XX:da:41:79:7b,192.168.0.118
#voip phone
dhcp-host=00:XX:82:44:fc:ef,192.168.0.103
#printer
dhcp-host=64:XX:37:44:f4:29,192.168.0.108
#unifi hall
dhcp-host=18:XX:29:e6:44:53,192.168.0.121
#unifi utility
dhcp-host=f0:XX:c2:20:23:a0,192.168.0.119
#ipcam sb
dhcp-host=00:XX:6e:57:39:f6,192.168.0.252
#ipcam CB
dhcp-host=d8:XX:97:d7:44:d3,192.168.0.104
#VVSS
dhcp-host=e4XX:89:30:bc:02,192.168.0.253

#dns config
# upstream resolvers; note that 192.168.0.1 is this host's own listen-address from above
server=192.168.0.1
server=1.1.1.1
cache-size=10000

ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"

dhcp-mac=set:client_is_a_pi,B8:27:EB:*:*:*
dhcp-reply-delay=tag:client_is_a_pi,2*


Do you have more than one DHCP server enabled? If yes, you should have only one. For a bigger list of possible DHCP options, check this: http://www.networksorcery.com/enp/protocol/bootp/options.htm

Please check the IP config on your RPi; besides all of that, you did not say which OS you use at all. If your RPi acts as the DHCP server, then you must ensure that your router has DHCP switched off. Easier is to set your router's DHCP and DNS properly, where your RPi acts simply as the gateway: if you configure your DHCP to send the RPi as gateway to its clients, then those clients would go over the TG VPN if your RPi routes every IP; if you do not use 0.0.0.0/0, then only those which are set would be routed and the rest would go over the ISP. However, your RPi then needs to have a static IP with the gateway set to your router, not to itself, which it would be if it got it by DHCP using 3,x.x.x.x

For DNS, you can add primary and secondary servers with 6,1.1.1.1,1.0.0.1 (those would be Cloudflare's).

 


Nope, only this as DHCP server:

 Connection-specific DNS Suffix  . : home.lan
   Link-local IPv6 Address . . . . . : fe80::6812:b3fxxxxxxx6:a78b%10
   IPv4 Address. . . . . . . . . . . : 192.168.0.66
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

 

Feeling out of my depth here, so I'd be grateful for any more help.


It looks like you did not configure something properly somewhere, and you might have some bad routes from previous setups, like you had with the peer.

You also did not really say which OS you use, how you installed WireGuard or which guides you followed. I doubt I would go through them, but you should if you enabled something. On the RPi it is easy: back up your SD image, then start with a fresh, clean one.


So, to clarify and confirm:

1/ reset the Pi to factory defaults

2/ allocate it a static IP

3/ make sure DHCP on the router is set up with the gateway pointing to the Pi

and set up DHCP reservations

4/ set DNS on the router as 1.1.1.1 (or should it point to the Pi????)

5/ enable the firewall

no need to install dhcpcd or dnsmasq

do I need to install ufw on the Pi to protect from the tunnel?

will this then work?

I went for the Pi as dhcpcd etc. as I was trying to do a split tunnel but could never get it to work.

 

 

 

1 minute ago, 19807409 said:

 

You also did not really say which OS you use, how you installed WireGuard or which guides you followed. I doubt I would go through them, but you should if you enabled something. On the RPi it is easy: back up your SD image, then start with a fresh, clean one.


See here for how I set up WireGuard:

https://www.sigmdel.ca/michel/ha/wireguard/wireguard_02_en.html

 

OS is Linux kernel 5.4


1/ reset the Pi to factory defaults: yes, I would do it by simply flashing a fresh system onto the SD card

2/ allocate it a static IP: yes, for the RPi, where you can set DNS to 1.1.1.1,1.0.0.1. Then test whether you have a connection with your RPi

3/ make sure DHCP on the router is set up with the gateway pointing to the Pi: yes, 3,YourRouterIP

and set up DHCP reservations

4/ set DNS on the router as 1.1.1.1 (or should it point to the Pi????): yes, I would set both primary and secondary: 1.1.1.1,1.0.0.1

5/ enable the firewall: optional, I would enable it; the firewall matters if you want to access it from outside

no need to install dhcpcd or dnsmasq - exactly, no need if your router can and does both better than the RPi

do I need to install ufw on the Pi to protect from the tunnel? - no, but it is recommended for almost every other reason. You can do it as the last step when everything works.

will this then work? - It should, and it works very well for me with RockPi4/RPi devices

I went for the Pi as dhcpcd etc. as I was trying to do a split tunnel but could never get it to work - do you have an OpenWrt-compatible router?

3 minutes ago, Newbuilder said:

os is Linux kernel 5.4

I already assumed that it is a compatible kernel, but did not know which architecture or which OS, as there are many with kernel 5.x; you use Raspbian.

4 minutes ago, Newbuilder said:

That guide is OK, however it has quite a lot of info which you do not need for the TG VPN as a client, actually most of it. For the TG VPN you need only the config, which includes all keys etc., and WireGuard; then you can already start it. You can also use different resolvers, but the defaults work fine.

Some time ago there was talk about requiring dnsmasq-full for WireGuard to work properly, but that is probably not the case anymore, and instead of wasting more time I really would start clean. All my devices run on Ubuntu aarch64, where WireGuard is not available and one needs to compile it; you could follow this guide and skip step 4 for creating configs, as you do that with the WireGuard config tool and your config is ready. If you can install WireGuard from the PPA, then you can do so; if not, or you do not want to, compile it yourself as in step 3 of the build and compilation part. @Axlerod34 has also added an alternative way of configuring it which you might also want to take a look at, if that is also something that you want/need.


Hi. Raspbian it is, and the client app TorGuard are providing now really just means you follow the steps to get it downloaded and the app takes care of the rest.

 

Don't get me started on my router.... I have a 4G router due to no broadband in the area. On the whole it does well but hasn't got the bells and whistles I want or need. TP-Link Archer MR600.


Clean install; the Pi and WireGuard are behaving, but I can't get the devices to route through the Pi to either the internet or the tunnel.

When I change the gateway on the router to the Pi, the whole WAN network collapses.

Any ideas?

 

$ route -n    (NO VPN)
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.252   0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

 

$ route -n    (WHEN VPN CONNECTED)
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         192.0.0.0       U     0      0        0 torguard-wg
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 *
0.0.0.0         192.168.0.252   0.0.0.0         UG    202    0        0 eth0
64.0.0.0        0.0.0.0         192.0.0.0       U     0      0        0 torguard-wg
128.0.0.0       0.0.0.0         192.0.0.0       U     0      0        0 torguard-wg
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 *
192.0.0.0       0.0.0.0         192.0.0.0       U     0      0        0 torguard-wg
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
213.146.188.xxx 192.168.0.252   255.255.255.255 UGH   0      0        0 eth0
 


Without VPN:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br-lan
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

With VPN:

~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 wg0
xxx.xxx.xxx.18  192.168.0.1     255.255.255.255 UGH   0      0        0 br-lan
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

 

Like I said, you have too many routes, your wg interface uses a non-standard name and your routes are somehow messed up; why you have all of those at all is unclear to me, as at no point in the current thread did you explain that you set up some routes.

A device which uses the wg device (192.168.0.49) as its gateway and gets its address assigned by DHCP:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.49    0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

You should really get it working in a simple way first, then do the rest once those basic things work; if required, set your routes manually and properly. If you use a router, your router is capable of running OpenWrt, and of course you can run LTE on it too; there you can configure your static routes as well if you need them.

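The route tables traded above show what a working client looks like: nothing replaces the ISP default route; the tunnel wins because its routes are more specific (wg-quick's 0.0.0.0/1 and 128.0.0.0/1 pair, or the four /2 routes the TorGuard app put on torguard-wg), and a /32 host route keeps the encrypted traffic to the VPN endpoint on eth0. The following is an added example, not from the thread and not TorGuard's code: it parses pasted route -n output, performs the kernel's longest-prefix match for a probe address, checks whether the tunnel's routes really cover all of IPv4, and lists what stays off the tunnel. Both tables are constructed to mirror the shape of the ones posted; 203.0.113.5 is a placeholder endpoint.

```python
"""Work out from `route -n` output which interface really carries traffic to a
destination. Added example: not TorGuard's code and not from the thread. The two
tables are constructed to match the shape of the ones posted (TorGuard-app style
/2 routes on torguard-wg, and the table without the VPN); 203.0.113.5 stands in
for the real VPN endpoint."""
import ipaddress

WITH_VPN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         192.0.0.0       U     0      0        0 torguard-wg
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 *
0.0.0.0         192.168.0.252   0.0.0.0         UG    202    0        0 eth0
64.0.0.0        0.0.0.0         192.0.0.0       U     0      0        0 torguard-wg
128.0.0.0       0.0.0.0         192.0.0.0       U     0      0        0 torguard-wg
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 *
192.0.0.0       0.0.0.0         192.0.0.0       U     0      0        0 torguard-wg
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
203.0.113.5     192.168.0.252   255.255.255.255 UGH   0      0        0 eth0
"""

NO_VPN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.252   0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
"""

def parse_route_n(text):
    """Parse `route -n` rows into dicts: net (ip_network), gateway, flags, metric, iface.
    An Iface of '*' means the kernel has no output device for that entry."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":          # skip the two header lines
            continue
        dest, gw, genmask, flags, metric, _ref, _use, iface = cols
        routes.append({"net": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
                       "gateway": None if gw == "0.0.0.0" else gw,
                       "flags": flags, "metric": int(metric), "iface": iface})
    return routes

def lookup(routes, dest):
    """Longest-prefix match as the kernel does it; lower metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"])) if hits else None

def tunnel_covers_everything(routes, vpn_if):
    """True when the routes on vpn_if merge to 0.0.0.0/0. This is how wg-quick's
    0.0.0.0/1 + 128.0.0.0/1 pair (or the four /2 routes above) beats the ISP default
    route without touching it: a more specific route always wins."""
    nets = [r["net"] for r in routes if r["iface"] == vpn_if]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]

def bypass_routes(routes, vpn_if):
    """Routes more specific than the default that avoid the tunnel. Expect only the
    LAN and the /32 host route to the VPN endpoint; anything else is a leak."""
    return [r for r in routes if r["iface"] not in (vpn_if, "*") and r["net"].prefixlen > 0]

def where_does_it_go(text, probes):
    """Map each probe address to (iface, gateway) from a pasted route -n table."""
    routes = parse_route_n(text)
    result = {}
    for ip in probes:
        r = lookup(routes, ip)
        result[ip] = (r["iface"], r["gateway"]) if r else (None, None)
    return result

if __name__ == "__main__":
    for name, table in (("with VPN", WITH_VPN), ("no VPN", NO_VPN)):
        print(name, where_does_it_go(table, ["8.8.8.8", "192.168.0.10", "203.0.113.5"]),
              "tunnel covers all:", tunnel_covers_everything(parse_route_n(table), "torguard-wg"))
```

Paste your own `route -n` output into parse_route_n: if tunnel_covers_everything is False while the VPN is up, the client has not installed its catch-all routes, and if bypass_routes shows anything beyond the LAN prefix and the endpoint host route, that traffic is leaving the Pi outside the tunnel.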