Skip to main content

Set Up WireGuard VPN on Raspberry Pi

Create your own home VPN server using a Raspberry Pi

Low Power

Perfect for 24/7 home VPN server

Cost Effective

Affordable home VPN solution

Home Server

Ideal for personal use

Prerequisites

Before starting, ensure you have:

  • Raspberry Pi 3B+ or newer (Pi 4 recommended for better performance)
  • Raspberry Pi OS (Debian-based) installed
  • MicroSD card (16GB minimum, 32GB recommended)
  • Power supply for your Raspberry Pi
  • Ethernet connection or WiFi configured
  • SSH access enabled

1. Update Raspberry Pi OS

Start by updating your system:

copy
sudo apt update && sudo apt upgrade -y
sudo reboot

2. Install WireGuard

Install WireGuard on Raspberry Pi:

copy
sudo apt install wireguard wireguard-tools -y

Note: WireGuard is included in Raspberry Pi OS repositories, so no additional repositories are needed.

3. Enable IP Forwarding

Enable IP forwarding for VPN routing:

copy
# Enable IP forwarding
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf

# Apply changes
sudo sysctl -p

4. Generate Server Keys

Generate private and public keys for the server:

copy
# Generate private key
sudo wg genkey | sudo tee /etc/wireguard/privatekey
sudo chmod 600 /etc/wireguard/privatekey

# Generate public key
sudo cat /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

5. Create Server Configuration

Create the WireGuard configuration file:

copy
sudo nano /etc/wireguard/wg0.conf

Add the following configuration (replace with your actual private key):

copy
[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true

# Get your network interface name
# Run: ip route | grep default | awk '{print $5}'
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Important: Replace eth0 with your actual network interface (could be wlan0 for WiFi or eth0 for Ethernet).

6. Configure Firewall (Optional but Recommended)

If using UFW firewall:

copy
sudo ufw allow 51820/udp
sudo ufw allow ssh
sudo ufw enable

7. Start WireGuard Service

Enable and start the WireGuard service:

copy
# Enable WireGuard to start on boot
sudo systemctl enable wg-quick@wg0

# Start WireGuard
sudo systemctl start wg-quick@wg0

# Check status
sudo systemctl status wg-quick@wg0

8. Verify Installation

Check that WireGuard is running:

copy
# Show WireGuard status
sudo wg show

# Check if interface is up
ip addr show wg0

# Test from client device

9. Raspberry Pi Specific Optimizations

Optimize your Pi for VPN performance:

copy
# Reduce swap usage (Pi has limited RAM)
echo "vm.swappiness=10" | sudo tee -a /etc/sysctl.conf

# Apply optimizations
sudo sysctl -p

Tip: For better performance, use a Pi 4 with at least 2GB RAM. Consider using a high-quality microSD card (Class 10 or better) or boot from USB SSD for even better performance.

Raspberry Pi Tips

  • Performance: Pi 4 with 4GB+ RAM is recommended for multiple concurrent connections
  • Storage: Use a fast microSD card (Class 10, A2 rating) or USB SSD for better I/O
  • Cooling: Ensure adequate cooling if running 24/7
  • Power: Use official Raspberry Pi power supply for stable operation
  • Port Forwarding: Configure your router to forward UDP port 51820 to your Pi's IP address

Additional Resources