Setting Up a WireGuard VPN Server on a Raspberry Pi

This Post Has 198 Comments

1. 

   Domenick September 10, 2020

   I want to implement this but my Pi is currently running Pi-Hole natively. Am I correct in assuming that my DNS and my Wireguard VPN can’t have the same IP address?

   1. 

      WunderTech September 10, 2020

      You can! You will connect to your VPN using the DDNS hostname (explained in the instructions) and your DNS server using your internal IP address. When you configure WireGuard, the automatic installer will even ask if you want to use Pi-hole as your DNS server. I’ve been using it as both, my Pi-hole DNS server and my WireGuard VPN server for a while and everything works well. Let me know if you have any questions!

      1. 

         Domenick September 11, 2020

         Ah, ok. I wasn’t sure if there would be some conflict. This is my weekend task, I’ll report back once I’m done!

         1. 

            WunderTech September 11, 2020

            Sounds good, let me know if you need help!

            1. 

               Domenick September 23, 2020

               Ok, so I’ve followed these steps as closely as I can but there are two or three items that I think are making me stumble:
               1.) Step 1-11. On my instance it saw that I was using PiHole and asked if I wanted it to automatically take that into account. So I said yes and it skipped the IP address of the DNS part. Then I noticed in the client conf files it didn’t have the correct IP address of my pi-hole but rather one that is on the same VPN subnet (a 10.6.X.X number) so I think that may be one issue… I should change that to the internal IP address, right?
               2.) I’m not sure if I’m referencing my DuckDNS domain properly. In step 1-14 I put in http://[DOMAINNAME].duckdns.org but it said it was invalid. I then put in [DOMAINNAME].duckdns.org (left off the http://) and it accepted it. Is this the accepted behavior or did I put something in wrong? Also, is there a way to verify my domain name and that it’s set up properly? I keep REALLY checking for spelling errors lol but I think I’m doing it correctly.

            2. 

               WunderTech September 24, 2020

               1. The address that it added is correct. That is the address that it specified for the internal Pi-hole connection so that should stay as-is (if you want to use Pi-hole, that is). Don’t add the internal IP address there. The only thing to add (if you haven’t already) is the 10.6.X.X/24 subnet to the “AllowedIPs” list (if you’re using the split-tunnel VPN connection).
               2. You are correct that you should exclude the “http://”. The best way to check this is to pull up a terminal/command prompt window and type “nslookup [DOMAIN_NAME].duckdns.org”. You should get your external IP address as the IP address (you can validate this by typing into google “what is my IP”). If you don’t get it back, then something isn’t working on the DuckDNS side.

               Hopefully this makes sense, but let me know how it goes and if you have any questions!

            3. 

               Domenick September 23, 2020

               What’s the best way to test that this is working? I think I might have it all right but since COVID I don’t leave as much as I used to. I guess I’m going to have to wait until the next time I go to the grocery store and try it from there lol

            4. 

               WunderTech September 24, 2020

               The best way to test this is by using an external network and trying to connect to your home network. The easiest way for most is by installing the WireGuard application on your phone, using your data (as opposed to Wi-Fi) and then trying to connect to the VPN. If you connect successfully, you should be able to access your local resources (you can try and connect to a PC, file share, etc). If you can’t use a phone, the only other way is to try and connect from an outside network (public Wi-Fi).

               Let me know if you have any questions!

            5. 

               Domenick September 29, 2020

               Just wanted to thank you for all your help and apologize for rapid firing questions out there before you even got a chance to answer the previous ones! One of those things where I was working on it and the questions kept flowing! Thanks to your help, last time I went out I was able to verify that this was working using my cell phone and it all seems to be working perfectly. Thanks so much again! I love your guides/videos!

            6. 

               WunderTech September 29, 2020

               No need to apologize! I do this in my spare time, so I’m sorry for the often delayed responses, but I always try and get back as quickly as I can.

               I’m glad to hear that everything is working!! Thank you for the kind words!

2. 

   Stuart September 22, 2020

   Been fighting this for a long time. This tutorial is by far the best and I have a fully working Full and Split Tunnel VPN running in one try. THANK YOU!

3. 

   Thomas September 23, 2020

   Very good guide, thanks for that. I was able to setup to setup wireguard on top of a pihole/unbound pie in a breeze. Seems to work just fine. Only thing which caught my eye was that the split tunnel profile delivers my home isps ip adress, which contradicts point 8.1.3 What might have gone wrong here? I set my home networks ip range ending with zero in the config under allowed ips.

   1. 

      WunderTech September 23, 2020

      You are correct – this is kind of a band-aid solution, but you can change Pi-hole’s admin port using the instructions below:

      Edit the lighttpd file (change the server.port to something other than 80) and restart the service. This will break after updates to Pi-hole, but it’s a good short-term fix to get to the admin portal.

      sudo nano /etc/lighttpd/lighttpd.conf
      sudo service lighttpd restart

      Then, you can navigate to the address http://[RASPBERRYPI_IP]:[PORT]/admin

      Let me know if you have any questions! Thanks for checking out the tutorial!

   2. 

      WunderTech September 23, 2020

      That’s definitely strange, because only local IP addresses should be sent through WireGuard. Just to confirm, you have in the “AllowedIPs” section, “X.X.X.0/24”? Also, you’re connecting from an external network, right?

      1. 

         Thomas September 24, 2020

         Ok just a quick heads-up, i might figured out what happened. After setting up another mobile client i saw that the allowed ip of the ST was not correctly put through the qr code and was set back to 0.0.0.0 same as FT. I localy changed that an now its working as intended, say it gives me the external ip. That also explains the disrepancy to the windows client where i used the config files directly and no problem.

         So i guess the qr-code is to blame here and the tunnel setup should be checked on client side, to be safe.
         Another point worth mentioning: i had to add my local pihole ip to the dns= in the interfaces section for working internet acces via ST.
         Thanks again and keep up the good work.

         1. 

            WunderTech September 24, 2020

            That’s definitely interesting – I didn’t run into that, but I really appreciate you sharing. I am going to update the tutorial to let people know that they should check the settings when scanning the QR code to ensure they’re correct.

            Glad it’s fixed, but if I can answer any other questions, please let me know!

4. 

   Marc October 5, 2020

   Hi, thank you for the tutorial, but it doesn’t work for me… I hope you can help me fixing the problem 🙂

   First I want to apologize for my english, I’m not a native speaker 😉

   My configuration looks like that: 1 Raspberry-Pi with Pi-Hole (192.168.178.51) and 1 Raspberry-Pi with Nextcloud and PiVPN. I only have a Dual Stack lite internet connection. During the installation process I gave the PiVPN-Pi a DHCP reservation, at the DNS-Provider setup I tried the options “PiVPN-is-local-DNS” and “Custom” with the internal IP (192.168.178.51) .

   I want to use a full-tunnel vpn, I tested it with the PostUp/PostDown options on/off but it doesn’t work.

   I can access the UDP-Port via UDP-Port scanner. When I use tcpdump on my Pi, it only creates output when I use the Portscanner. When I connect to the VPN, there is no output added. So I think, that the client configuration is broken.

   But I don’t know where to look. In my Pi with Pi-Hole I also tried the option “Listen on all interfaces” and on the client I deleted the “::/0” in the allowed ip tab.

   I hope you can help me. Thank you in advance 🙂

   1. 

      WunderTech October 6, 2020

      No need to apologize, your English is very good!

      I believe that your problem is the “PiVPN-is-local-DNS”. Technically, your PiVPN is NOT the local DNS since the second Pi (192.168.178.51) is the DNS server you’d like to use. Uncheck “PiVPN-is-local-DNS”, keep the “custom” checked off and then proceed.

      When you try and connect, are you trying to connect from an outside network? Also, check to make sure that the settings on the WireGuard client device (where you’re trying to connect FROM) are listed properly. There have been reports that the QR code generated doesn’t always work properly.

      Let me know how this goes and then we can continue troubleshooting!

5. 

   Jim November 3, 2020

   curl -L https://install.pivpn.io | bash
   % Total % Received % Xferd Average Speed Time Time Time Current
   Dload Upload Total Spent Left Speed
   100 162 100 162 0 0 955 0 –:–:– –:–:– –:–:– 952
   curl: (6) Could not resolve host: raw.githubusercontent.com

   1. 

      WunderTech November 3, 2020

      This generally means that you’re running into DNS issues and your Raspberry Pi can’t resolve the domain name. Do you know what DNS server you’re using and is DNS resolution working for other services?

      Let me know and we can continue troubleshooting!

6. 

   Jim November 3, 2020

   Jim
   And now suddely it works!
   🙂

   1. 

      WunderTech November 3, 2020

      Glad to hear it fixed itself!

7. 

   eric November 18, 2020

   hello, thanks for your tutorial, I thought I could manage with yours, because you indicate some settings on the router, but for me it doesn’t work! I’ve been trying for several days to get out of it, but without success! if you could help me please?
   – wireguard is installed on the raspberry, I recovered its conf file on Macos.
   – but I don’t understand “nothing” at the router level, which I have to enter, because the fields are a bit distinct on mine, not being a network specialist.
   – here is a picture of my config to tell me what to put in my case: https://image.noelshack.com/fichiers/2020/47/3/1605734995-descriptif-routeur.jpg
   – looking forward to your help, cordially

   1. 

      WunderTech November 18, 2020

      It looks like you might be using an ISP provided router, is that correct? If so, do you have a model name and number for the router?

      My suspicion is that you are behind a CGNAT, which means that your internet service provider has assigned you a private IPv4 address which it translates into a public address. For this reason, setting up a VPN isn’t as straight forward as this guide shows. Assuming you are behind a CGNAT, hopefully this link will help: https://www.reddit.com/r/WireGuard/comments/blcxb2/bypass_cgnat_public_access_to_home_services/

      Is there any way that you can try and find out if you’re behind a CGNAT? If you’re not, can you try and find the model name and number of your router? Let me know and we can continue troubleshooting!

      1. 

         eric November 19, 2020

         hello, it’s a Router Askey RTF8115VW. cordially

         1. 

            WunderTech November 19, 2020

            If you follow the instructions on this page, can you see if the port forwarding works? https://portforward.com/askey/rtv1907vw/

            Let me know how it goes!

            1. 

               Eric November 20, 2020

               hello frank,
               I didn’t quite understand why show me where the port mapping is, since I know where it is, what I need is what to indicate in it please. (sorry I understand very little English, I have to google it to translate).
               – it’s true, that all this is complicated (i bought a raspberry only to create this VPN, i didn’t know anything about this system before too). so all this information at once !! is not easy to absorb mentally.
               – i’ll take this up with you later!
               – (moreover my macos keyboard and trackpad doesn’t work with the raspberry (I tried “barrier” to share them, but no !), so I have to ask my fiancée to lend me hers when it’s available, it’s complicated).
               – so I’ve ordered a keyboard and mouse, and will pick that up when my package arrives.
               – in the meantime I’ll continue to read about it, and will come back to you at that time.
               cordially.

            2. 

               WunderTech November 20, 2020

               Sounds good! The link that I sent has instructions on how you can open port 51820 on your router (which is needed for WireGuard). The instructions I have, supplemented with those instructions on how to open the port should allow you to set up the VPN server. After you get your mouse and keyboard, if there’s any questions I can answer, please let me know!

      2. 

         eric July 26, 2021

         hello frank,
         I was able to make progress in my configuration: my particular router has its address, as well as my computer that was connected to it (which was not the case before even though I had reserved an IP for them on my router, they always had an IP given by the router modem! I didn’t understand why?) Anyway, this was solved by connecting a second Ethernet cable from my particular router to my modem router.
         – I reinstalled all of Wireguard on the Raspberry
         – I did a port forwarding on my router (internal port external: 51820 UDP, By indicating the IP address reserved by my router 192.168.10.29 for my raspberry in wifi). Didn’t I make a mistake?
         – before when I activated Wireguard on macos, it cut my Internet connection.
         – Now there is a progress, the Internet connection is not cut.

         – but! The question is this: While doing a test to know what is my mi IP, I find that my IP does not change, what is the problem please?
         (In the Macos client configuration, I have indicated my current dynamic IP.
         Nb: In this regard I have registered on the No-IP service, have I understood the purpose of this service, I have to replace my current dynamic IP by the domain name I have chosen on No-IP?)

         thanks

         Here is my client configuration
         [Interface]
         PrivateKey = xxxxxxxx
         Address = 10.6.0.2/24
         DNS = 1.1.1.1, 1.0.0.1

         [Peer]
         PublicKey = zzzzzzzzz
         PresharedKey = yyyyyyyyy
         AllowedIPs = 10.6.0.2/32
         Endpoint = 190.x.x.x:51820
         PersistentKeepalive = 25

         1. 

            WunderTech July 28, 2021

            When you say that you do a test and the IP doesn’t change, where are you testing? If you are testing from your cell phone network (for example), you should be able to do the test before the VPN and after. If the IP address doesn’t change to your home networks IP address (and you’re using the full-tunnel VPN), then something isn’t working. If you’re using the split-tunnel VPN and can access your local resources but the IP address doesn’t change, then it’s working as expected!

8. 

   Boris November 30, 2020

   Hi Woundertech,

   excellent blog , good job!

   I did mistake on step 13 (You will now be prompted to use your public IP address or public DNS entry).
   I mistakenly choose Public IP instead of DDnS hostname . How I can fix this , where to go and change this information from public IP to my public DDNS name.

   Thank you

   Boris

   1. 

      WunderTech November 30, 2020

      Hi Boris,

      That is used when you create new peers (clients). As long as you update the client record to use the DDNS hostname as opposed to the IP address (you will see it in the client config file), there’s no where else that you’ll need to update it.

      Please let me know if you have any other questions or if I can help in any way!

9. 

   Mac Owens December 1, 2020

   If I have 2 laptops at my home network and I wanted one to route oubound via the VPN, I need to use the Full Tunnel option but I wanted to use the other bypassing the VPN I use the Split Tunnel option.
   How do I configure it so that this happens at the same time without any reconfiguration?

   I get confused between clients and servers in connection with this.

   Thanks

   1. 

      WunderTech December 1, 2020

      You can create two separate profiles – one for split-tunnel and one for full-tunnel. The YouTube video I created does a better job of explaining that portion, so I suggest watching that if you can.

      However, I do want to confirm that you are trying to connect to an outside server, right?

      Let me know how else I can help!

10. 

    Daniel December 1, 2020

    Hi Wundertech. Thanks for your article. I am not sure if I understand it right, but are other applications running on the Wireguard serving RaspPi also accessible through the VPN? E.g. I have a Zabbix server running on the RaspPi which I would like to access remotely to view managed elements in my house. So can I setup Wireguard on the same RasbPi? Thanks!

    1. 

       WunderTech December 1, 2020

       Yes! You should be able to access everything on the Raspberry Pi. If you need help with anything, please let me know!

       Thanks for checking out the tutorial!

11. 

    Bob Pasky December 18, 2020

    Hi Wundertech,
    I have WireGuard installed on my RaspPi and it appears to work when I activate it on my Windows10 system.
    The problem I have is that I also have OpenMediaVault installed on the Pi, but it’s not accessable when WireGuard is active.
    If I deactivate WG, then OMV works again. I assume there’s some conflict, but I don’t know where to start. Can you help?

    1. 

       WunderTech December 19, 2020

       When you say that you can’t access it, do you mean from an outside network? Meaning you connect to WireGuard from an outside network and cannot access your OpenMediaVault sever?

       Let me know and we can continue troubleshooting!

12. 

    Chris January 11, 2021

    In the Oracle Cloud Infrastructure, I have a fully functional Wireguard PiVPN implementation (with the latest versions – just installed yesterday) that I want to use for a secure connection to public WIFI connections, BUT… I cannot for the life of me get the full-tunnel to function correctly! I’ve made sure my AllowedIPs = 0.0.0.0/0, ::0/0, but for some reason, I can still browse (even do a full TCP scan) of my local home network while connected to the VPN. While connected to the VPN and via a DuckDuckGo “what’s my IP” search, I’ve verified that my public IP address is the gateway of the VPN (and not my local ISP home gateway/router), so I know all web traffic is being tunneled to the VPN, but I don’t understand why ALL traffic isn’t being tunned, rendering traffic to my local network dead when the VPN’s enabled (e.g. printing to my local home printer, seeing AirPlay devices and othe UPnP-type devices as well). Any/all thoughts, input or help would GREATLY be appreciated!

    1. 

       WunderTech January 11, 2021

       What client device are you connecting with? As far as I know, the only way to do what you’re requesting is to use the “Block untunneled traffic (kill-switch)” option. On windows, if you right-click and edit the WireGuard configuration, you will see the checkbox at the bottom. On other devices, it should exist somewhere. I believe that this will do what you’re looking for.

       If it doesn’t or I can answer any other questions, please let me know!

       1. 

          Chris January 11, 2021

          I am using the iPhone Wireguard app (v1.0.12) on an iPhone 12 Pro running iOS 14.2 as well as the MacOS Catalina (10.15.7) Wireguard app (v1.0.12(22)). I don’t see this kill-switch toggle in either of these.

          I’m super confused, as what I feel I am trying to do is native VPN functionality found in most other VPN solutions when doing full tunneling. Based on this hidden kill-switch, the lack of anyone else doing this that I can find online, but your mention of why you’d use “full tunnel” to secure your comms on public WiFi, what am I missing? Is what I’m experiencing with being able to access my local devices, even when fully tunneled, the way it’s supposed to work? If so, then isn’t my device accessible (obviously to an extent) to other random devices on the same public WiFi since I’m not 100% isolated in my established tunnel?

          1. 

             WunderTech January 12, 2021

             When you are on to an external network and connect to a WireGuard VPN (I can’t comment on other VPN protocols) your traffic is routed based on the “AllowedIPs” parameter. However, local traffic is NOT limited. The only way it IS limited is if the local subnet and remote subnet share the same addresses. For example, if you are on a 192.168.1 subnet and use a full tunnel connection TO a 192.168.1 subnet, when you navigate to an IP address (192.168.1.5 for example), you will navigate to the VPN Server’s device. If the local subnet is different (192.168.2 for example), traffic will NOT be limited.

             What you’re looking for is the VPN kill switch. At least on Android, when you edit the connection, there is an “exclude private IPs” checkbox on the bottom. In the Windows client, it’s called the “kill switch”. This stops ANY traffic from being sent outside of the tunnel. You cannot access the local network using this option.

             This isn’t a major concern when you’re on an external network trying to secure your connection because all external traffic is routed through the VPN tunnel. Your external IP address being the VPN server’s IP address is proof of that.

             It’s somewhat confusing because WireGuard handles it differently than other VPN providers. Basically, if you don’t want ANY traffic locally (your device to other devices), you need to enable that checkbox. Whether you should do it or not is up to you. External networks can see that you’re on their network whether you have the VPN enabled or not. You’re trying to secure your traffic and your traffic only when you’re on an external network.

13. 

    Chris January 12, 2021

    Thank you for your persistence in troubleshooting this with me! My local WIFI LAN IP is 10.0.0.57 and my external VPN IP is 10.6.0.1. I found the “exclude private IPs” toggle on the iPhone WireGuard app (didn’t check my Mac yet, turned it on, but still no luck… When I toggled that on, it changed my AllowedIPs=0.0.0.0/0, ::/0 to AllowedIPs= 1.0.0.0/8, 2.0.0.0/8, 3.0.0.0/8, 4.0.0.0/6, 8.0.0.0/7, 10.6.0.1/32, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, ::/0. I even ran a trace route to 10.0.0.102 (my printer) on my local LAN from my phone and the first hop was it. Not that it mattered, but then did the same to my 10.6.0.1 within my VPN and it was also the first hop. Any other thoughts? Is this a bug that I need to report?

    1. 

       WunderTech January 14, 2021

       No problem!

       That’s a little strange that it switched to those IP’s, but I guess it depends on how it functions. I would say that on mobile, it’s slightly harder to troubleshoot than on Windows/Mac. If you set it up on your Mac and try and ping a local resource, does it reply? Mine does NOT. I return a “general failure”, which shows that it’s working.

       Hopefully you can try that out when you get some time. Let me know how it goes!

14. 

    Crotofroto January 28, 2021

    Hi Frank! I made a post in Spanish about the same topic on my blog using yours as a reference, I have also used your images. I hope you don’t mind. Obviously I have given you the credits you deserve. I hope that this way we can help the community in both languages. If you want me to remove the images let me know, I thought it appropriate to let you know.

    1. 

       WunderTech January 28, 2021

       Thanks for letting me know, always happy to help other communities! You have an awesome blog, you are more than welcome to use the screenshots!

15. 

    chris February 7, 2021

    How to Configure wireguarde with ipv6

    1. 

       WunderTech February 8, 2021

       I unfortunately haven’t looked into this yet, but I will hopefully have a tutorial for it in the future!

16. 

    Robi March 1, 2021

    Hi! Brilliantly detailed tutorial! I was able to set up my VPN on my Pi with Pihole. I scanned the QR code on my phone and my up and download speeds have decreased to around 6-8 MBps, although I have gig speed internet. What am I doing wrong?

    1. 

       WunderTech March 1, 2021

       What Raspberry Pi Device are you using? Technically, all traffic will flow through that, so it could be a bottleneck, but that generally only happens with Pi Zero/older Pi devices.

17. 

    Daniel March 1, 2021

    Hi there, first of all: I really like what you are doing here. Great step-by-step tutorial. I appreciate that you dedicate your free time to this and all the questions. Thanks a lot!

    I’m trying to get Wireguard to run for several days now. But unfortunately it won’t work.
    My setup: Raspberry Pi 4 with Pihole and unbound as DNS Server. My internet provider is connecting me with a DS-Lite tunnel (not quiet sure what this means), I’m using DuckDNS to resolve my dynamic IP.

    I wanted to be ad-free on the go. So that’s my use case for Wireguard (full tunnel). Or at least that’s what I’d like to accomplish. I’m following your step-by-step tutorial, there are no problems with the installation process. The problem starts when I try to connect my phone (iOS) with my Pi over the Wireguard tunnel. The log of the client app shows that DuckDNS is working and it is resolving the right IP address. It even sends some data (says the client app). But than it runs into the error loop “Handshake did not complete after 5 seconds, retrying”. This happens in my local network and on a LTE connection. It also happens with my tablet and laptop.

    Do you have any suggestions? What could be the cause of this “handshake loop”? Since my provider uses a DS-Lite Tunnel to connect me, I even tried to do the hole configuration with IP6 addresses. But if I’m honest, I don’t really know what I’m doing here 😉 … I’m just trying things…

    It would be awesome, if you could help me!

    1. 

       WunderTech March 1, 2021

       Thanks for checking out the tutorial! At first glance, it sounds like what you’re trying to do is fairly straight forward (in the grand scheme of things). Just connect to WireGuard and use Pi-hole as your DNS provider to block ads. Few questions:

       1. Did you install Pi-hole first, and if so, did you point PiVPN to use Pi-hole as the DNS provider during installation?
       2. Is this a fresh install, or are you trying to install it on top of the existing applications?

       One thing I found online from a quick google search was this response – “It might be stupid, but did you try to create new server keys, client keys, and retry? Wireguard can act exactly like this when the profiles are wrong.”. Might not hurt to try!

18. 

    Daniel March 2, 2021

    Hi there, thanks a lot for your quick reply!

    1. Yes, Pihole first, then unbound and last Wireguard (using PiVPN).
    2. I’m not sure what you mean with “fresh install”. The initial Pi setup is running for over a year. Mainly to run Homebridge. Pihole is running on the initial setup for a month now. I did not install the hole system from scratch. On this existing setup I installed Wireguard. I also found the mentioned google result. An reinstalled Wireguard several times with PiVPN and used the option to reconfigure. “Reinstall PiVPN with new settings” I did this countless times.. It always ends with this same handshake-loop.

    I’m not sure if it is the port forwarding on my router. If I use any online port forwarding test, it sometimes says it closed and some specific udp port tests are saying it is “open or filtered”. But then again the log on the client app says that it
    received data. So I guess the port is not the issue here.
    Can you recommend a online port forwarding test for udp ports? Is the result “open or filtered” the one I’m looking for?

    Maybe I should just setup the hole pi from scratch…

    1. 

       WunderTech March 3, 2021

       Sorry, by “fresh install” I meant trying to install everything from scratch. “Open or filtered” is expected for the UDP port, so it looks like that’s all working as expected. You have a somewhat non-standard setup, so it might be worth installing from scratch and checking along the way to see what exactly is stopping WireGuard from connecting.

19. 

    Daniel March 5, 2021

    Thanks again for your input!
    So, in the meantime I actually did start from scratch. New install of Raspberry OS, Pihole + Unbound. Then Wireguard. Still the same error messages. I found some tutorials for integrating IP6, put some specific rules with iptables/ ip6tables for the interfaces, IPs and the port (also tried different ports) into the config of the peer acting as server (the Pi). I even changed the value of the MTU for both peers (Some post suggested that the DSL Connection uses 8 Bits of the MTU, so the default value 1420 wouldn’t work). Still no success.
    Next I’ll try to begin with wireguard after doing a fresh install of Raspberry OS and see whether this will work.
    Who knows maybe on the weekend I’ll try OpenVPN and see if at least this works.

    I’ll keep you posted. And again: Thanks a lot for your help!

    1. 

       WunderTech March 5, 2021

       That was going to be my suggestion. If you can try with WireGuard first, you should be able to get WireGuard working. If you can’t, then there’s a problem with WireGuard (outside of Pi-hole) that we have to figure out. Let me know how it goes!

20. 

    Daniel March 8, 2021

    Hi Frank, hope you had a nice weekend.
    I tried some stuff. Spoiler: no success.
    I bought a new Pi 4, so I’m able to work with a test system (and when I’m done it is gonna get a Retro Pi 😉).
    What I did: fresh install of Raspberry OS, changed the password of the user Pi, deactivated WiFi (it is connected by wire) with rfkill, installed WireGuard (exactly like your tutorial suggests), put my other Pi (with Pihole) as DNS Server, changed the port forwarding in the config of my router to the IP of the new Pi, added a client, added the config of that client to my Phone (iOS) via QR code, took my phone off my WiFi … same handshake loop

    Just “for fun” I tried OpenVPN. Used your tutorial on that. OpenVPN runs into a time-out.

    I’m still suspecting my router or ISP. I’m not sure, if the port forwarding works like it should.(WireGuard is running into the same handshake loop, when I deactivate all ports on purpose.) 🤔 Unfortunately I have no idea how to test this properly. Do you have any ideas?

    1. 

       WunderTech March 8, 2021

       I’m starting to think that it might be your ISP. One thing that you can try is using OpenVPN and TCP port 443 (if you’d like). This will mask all of the traffic without using a “known” VPN port. It might be a pain, but it could be worth it to try and isolate if the ISP is at fault.

21. 

    Daniel March 12, 2021

    Hi Frank, just a quick update.
    I tried something knew. I did a fresh install of ubuntu server 20.10 on the test system (Raspberry Pi 4). Then I installed Wireguard without the comfort of PiVPN. Which is But in the end the result is the same handshake loop on my peer log (iOS) on WiFi and LTE.
    I’ll try your suggestion with the TCP port 443 and OpenVPN tomorrow.
    If this still doesn’t work, I’ll call my ISP.

    1. 

       WunderTech March 12, 2021

       Ugh, sorry to hear that. Sounds like the ISP might be causing some issues. I am hoping that using TCP port 443 fixes that!

22. 

    Daniel March 17, 2021

    Frank, finally some good news.

    So, as last resort I tried your suggestion with OpenVPN and TCP port 443 on a freshly installed Raspberry OS on my test system. But still no luck. Again timeout messages.

    Then I started researching once more, because it didn’t seem to be the port forwarding. All the time I was not sure about the DS-Lite connection from my ISP. But I ignored that, because of my ignorance of that topic.
    Turns out, that DS (Dual Stack) Lite is not a native IP4/IP6 connection. It is a pure IP6 connection, which is turned locally into a IP4 & IP6 network. Unfortunately there is no way to connect from a native IP4 network (like my mobile ISP is using) to a native IP6 network (DS-Lite at home) without some server between the both to forward packages. There are inexpensive ways to rent a small server for this purpose, BUT I called my ISP and they turned my DS-Lite connection into a DS Connection without any extra costs.

    Problem solved! My phone immediately connects to the Wireguard server on my Pi now. Using Pihole + Unbound this way is surprisingly fast.

    Thanks so much for your help and suggestions!
    Stay safe & healthy
    Daniel

    1. 

       WunderTech March 18, 2021

       That’s awesome! I honestly would have never guessed that, so it’s great that you were able to figure it out.

       Not a problem at all. Sorry for not being much help, but I’m glad you were able to resolve it!

23. 

    Saad March 27, 2021

    Thank You for the tutorial. Everything works fine, except Spotify app on my IOS device shows offline(while using Cellular Data). I have tried both Split Tunnel and Full Tunnel Configs. No issues while on WIFI or On Cellular Data (With Wireguard VPN Off).

    Running PiHole on Raspberry Pi.

    Thanks again!

    1. 

       WunderTech March 29, 2021

       If you’re on cellular data with WireGuard VPN off, it shouldn’t be routing any traffic through the VPN. I would look at the device to see if you’re running into any other network issues.

24. 

    Saad March 27, 2021

    Adding to my Question above:

    A couple of more things I have tested which is making me think it has something to do with IPv6. Have a look at the link below for screenshots.
    https://imgur.com/a/gKRma5N

    Any suggestions?

    Thanks!

    1. 

       WunderTech March 29, 2021

       Is the primary DNS set as a local network server? If it is, you will have to be connected to the VPN to access the DNS server. Without the VPN, you will have to use a public DNS server to resolve domain names.

25. 

    lawyernerd April 5, 2021

    First, thanks for your tutorials and write-ups. I stumbled upon one of your videos a few months back and now you’re my go-to source whenever I’m about to embark on another COVID tinkering adventure. Many thanks! Second, I would really like to run Wireguard on my Synology NAS, which is otherwise restricted to OpenVPN and a few other older protocols (at least through Synology’s VPN Server package), and was wondering whether it was possible and if so, whether you might make such a tutorial. Many thanks and stay well!

    1. 

       WunderTech April 7, 2021

       Thank you for watching! I’m glad to hear they help!

       As of right now, running WireGuard on the NAS is not supported. There are some alternative ways of doing it, but none that seem to be particularly easy or straightforward. If you really want to run it, the best way is most likely by installing a virtual machine with Ubuntu and installing it through there.

       If Synology ever updates and allows it, I will certainly create a tutorial on it!

26. 

    Patrick April 14, 2021

    Hi Frank,

    first of all I would like to thank you for your great tutorial.
    I have implemented this step by step, however I still cannot connect to my local resources such as my NAS.
    In the connection details of Wireguard packets are also only sent successfully but not received.
    Do you have any idea what the problem is?

    My configuration looks like this:

    Home-Network:
    192.168.50.0/24
    VPN-Network:
    10.6.0.0/24

    Static Route has been set up:
    10.6.0.0
    255.255.255.0
    192.168.50.3 (Raspberry Pi – Home IP)

    Peer Client config
    Interface]
    PrivateKey = xxxxxxxx
    Address = 10.6.0.2/24
    DNS = 10.6.0.1 (Raspberry Pi – VPN IP – Pi-hole)

    [Peer]
    PublicKey = xxxxxxxx
    PresharedKey = xxxxxxxx
    Endpoint = vpn.example.com:51820
    AllowedIPs = 192.168.50.0/24, 10.6.0.0/24

    Server config
    [Interface]
    PrivateKey = xxxxxx
    Address = 10.6.0.1/24
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -$ListenPort = 51820
    ### begin TestVPN ###
    Peer]
    PublicKey = xxxxx
    PresharedKey = xxxxxx
    AllowedIPs = 10.6.0.2/32
    PersistentKeepalive = 25
    ### end TestVPN ###

    External IP is implemented via DynDNS.

    I really appreciate any tips you can give me.

    1. 

       Patrick April 14, 2021

       Ok nvm….Problem is solved!

       The problem was with my DynDNS provider, which has not synchronized reasonably.

       Nevertheless, thanks again for the great tutorial!

       1. 

          WunderTech April 14, 2021

          Very happy that you were able to get it resolved! Thanks for the update and sorry for not getting to your message in time!

27. 

    Mark Sanders May 2, 2021

    Hi WunderTech,
    First, thank your for your good tutorial. So I have a question. I will extend this solution with a further vpn. Means, I want to connect to two different vpn at the same time. How I can achieve that? Do I have to setup a second interface, like wg1? But how it works with the routing? Or can I use the same wg0 interface for both?

    Thanks a lot in advance.

    1. 

       WunderTech May 3, 2021

       When you say that, do you mean two different locations, so that each location can access the other locations resources? If so, check out site-to-site VPN’s (I believe you can do it using WireGuard, though I don’t have a tutorial for it). That should do exactly what you want!

28. 

    Kristan May 3, 2021

    Hi, very good article.

    1. 

       WunderTech May 3, 2021

       Thanks so much!

29. 

    Mark Sanders May 4, 2021

    Yes, two different locations (in future 3 or 4). I was aware of using different subnets in each location. In detail, I will do some maintaining of NASes, Computer and some other equipment. Means, my “homebas” is site A and I want connections to the supported sites B,C (D and E in future) at the same time. For my understanding, it would be enough to setup a correct routing on site A, because it’s “one way” means no member from supported sites need to access ressources in site A.

    1. 

       WunderTech May 4, 2021

       I believe that using WireGuard for this is a great option, but you are correct in saying that you would have to do some IP routing. I suspect that it might take a little trial and error, but there are a ton of tutorials online that should be able to help you along the way.

       I apologize for not having anything right now that could help, but I will keep it in mind for a future tutorial!

30. 

    HiggsBoson May 10, 2021

    Thank you very much for your comprehensive guide – I’ve been working at this for over a week (*sigh*) and I’m starting to wonder if this doesnt play well with the Eero Pro. I think my issue is port forwarding on number 6. Do you have any experience with Eero? Do you happen to have any resources?

    Any insight is welcome – thank you again!

    1. 

       WunderTech May 10, 2021

       I unfortunately have no experience with Eero, but it should be very similar to other devices. I assume you have a Raspberry Pi with WireGuard running – are you able to open the UDP port on the Eero to the Raspberry Pi?

31. 

    leunam May 13, 2021

    hey wundertech, first off all thank you for the great tutorial. I installed WireGuard just like you have shown it in the video and the instalation always works perfect and I am also able insert the tunnel into my android application. But somehow I can´t load any website even though it shows in- and outgoing packages with pivpn -c. Whats irritating is the fact that I can use the amazon app but fonts and the text are displayed in a weird format. I have tried it with a local dns as well as cloudflace and also tested post up & post down but nothing worked.

    1. 

       WunderTech May 13, 2021

       Hmm, that’s definitely a strange issue. So you’re able to confirm that it’s not a DNS issue (because ultimately, that’s kind of what it sounds like)? How about accessing local resources? Can you ping local devices by IP address?

       Also just to confirm, you’re using your mobile network for this testing, right?

32. 

    leunam May 14, 2021

    I use LTE to simulate a connection from outside my connection. I can´t ping local devices like my computer at 192.168.178.32 but somehow I am able to ping my raspi on 192.168.178.118. My config files look like this:
    [Interface]
    PrivateKey = xxx
    Address = 10.6.0.2/24
    MTU = 1420
    DNS = 192.168.178.1

    [Peer]
    PublicKey = xxx
    PresharedKey = xxx
    Endpoint = xxx:51820
    AllowedIPs = 0.0.0.0/0, ::0/0

    My /etc/wireguard/wg0.conf:
    [Interface]
    PrivateKey = xxx
    Address = 10.6.0.1/24
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j AC$
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j $
    MTU = 1420
    ListenPort = 51820
    ### begin home ###
    [Peer]
    PublicKey = xxx
    PresharedKey = xxx
    AllowedIPs = 10.6.0.2/32
    ### end home ###

    I have tried to configure wireguard with my local dns,google and cloudflare. Nothing worked

    1. 

       WunderTech May 14, 2021

       If you can’t access any of the local services, then the VPN isn’t working properly. Unfortunately, WireGuard shows “connected” even when it’s not necessarily connected (not ideal, I know). If you’re able to ping the RPi, that’s a good sign, but you’re going to need to try and isolate why the rest of the network isn’t accessible. There’s a good chance that it’s your PostUp/PostDown lines.

       Can you look over this step again and make sure you’re using the correct network interface names? https://www.wundertech.net/setup-wireguard-on-a-raspberry-pi-vpn-setup-tutorial/#pup-pdo

       1. 

          Leunam May 16, 2021

          I am using eth0 so this shouldn´t be the problem

          1. 

             WunderTech May 16, 2021

             The PostUp/PostDown rules you entered are different than the ones I have on the site. Can you try using the ones I have?

33. 

    leunam May 14, 2021

    *outside my network

34. 

    Leunam May 17, 2021

    I think I accidentally forget to copy the full line, sry for that.

    1. 

       WunderTech May 18, 2021

       No worries!

       1. 

          Leunam May 19, 2021

          They are correct but Its still not working 🙁

       2. 

          leunam May 20, 2021

          It is still not working and I have no Idea why 🙁

          1. 

             WunderTech May 20, 2021

             Just looking over your setup again – can you try and change the DNS from 192.168.178.1 to 8.8.8.8? That is Google’s DNS and since you’re running into DNS issues, I am hoping that we can test to ensure everything is working this way.

35. 

    leunam May 21, 2021

    Ok now Im getting really confused. I used google as dns as wall as another dyndns provider (noip.com) and now I can ping all my local devices (router at 192.168.178.1, raspi at 192.168.178.118 etc.) as well as websites like google, twitter, youtube, wundertech.net … , but not access my router settings in the browser at 192.168.178.1. I can also open your website in the browser but not YoutTube or Twitter like wtf!

    1. 

       leunam May 21, 2021

       Forgot to add this: I also configured a static route like it is shown in the written instructions

    2. 

       WunderTech May 21, 2021

       So you’re able to access the sites but can’t access YouTube or Twitter? You’re not on your local network when testing, right? You should be able to access everything or nothing. Also, the static route will only be necessary for communicating with the connected device from your local network, so that shouldn’t impact this.

36. 

    Leunam May 22, 2021

    I am using Mobile Data from my phone to simulate an outside Access. At the moment there ist no other way for me to simulate this cause im in Lockdown and working from home.

    1. 

       WunderTech May 24, 2021

       The mobile network is fine, but it doesn’t make sense that you’re connecting to some websites and not others. Can you confirm if you can access devices using their IP address on your local network?

37. 

    leunam May 25, 2021

    I tested it out and I am not able to connect to my raspi vis ssh (I used Putty). It says “Permission denied” I also can´t ping any local device but I can ping any website. What I found out is that I can somehow connect to any .net Website in my browser (i have tried multible) but not .com which explains why I could connect to your WebSite. I dont know why. Here´s some info on my current settings: https://pastebin.com/wtG5D5Md

    1. 

       WunderTech May 25, 2021

       I don’t think that you’re successfully connecting to the VPN. Can you connect to the VPN on your mobile device and on your Raspberry Pi, run the command “wg show” to confirm that the peer is properly connected?

38. 

    leunam May 26, 2021

    This is the result of “wh show”:
    interface: wg0
    public key: xxx
    private key: (hidden)
    listening port: 51820

    peer: xxx
    preshared key: (hidden)
    endpoint: (my public Ip):48495
    allowed ips: 10.6.0.2/32
    latest handshake: 31 seconds ago
    transfer: 12.54 MiB received, 302.47 MiB sent

    1. 

       WunderTech May 26, 2021

       It looks like you’re successfully connected. Unfortunately, I’m not entirely sure what it can be since it looks like you’re connected and with the proper DNS server, can access outside network resources. It could be worth it to start over and just take it step by step and ensure that everything is successful after each step.

39. 

    BMH June 11, 2021

    Is there anything additional I need to do if deploying Wireguard as a docker container? I have deployed it and I have added my iPhone as a peer and I was able to make the VPN connection over 4G/local wifi networks.

    When connecting to VPN on local wifi:
    – everything seems to be working just fine ( i can connect to all local hosted services as well as the Internet)

    When connecting to VPN from 4G network:
    – I can browse and access the Internet.
    – I cannot access any local services 🙁

    Kindly find below my config files:

    wg0.conf:

    [Interface]
    Address = 10.13.13.1
    ListenPort = 51820
    PrivateKey = (hidden)
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    # peer1
    PublicKey = (hidden)
    AllowedIPs = 10.13.13.2/24, 192.168.2.0/24

    peer1.conf

    [Interface]
    Address = 10.13.13.2/24
    PrivateKey = (hidden)
    ListenPort = 51820
    DNS = 10.13.13.1

    [Peer]
    PublicKey =
    Endpoint = EXTERNAL_IP:51820
    AllowedIPs = 0.0.0.0/0

    I have tried to add AllowedIPs = 192.168.2.0/24 – but I still wasn’t able to connect to local services.

    I also added a port forward rule to my router to point to my raspberry pi’s IP on the LAN.

    Anything I am missing?

    1. 

       WunderTech June 11, 2021

       Unfortunately, there’s no way to test a VPN locally (since you can normally access all of your local resources). If it’s not working on your 4G network, it’s not working. I haven’t personally used Docker and WireGuard, but are you able to see inside of Docker than the 4G device is connected to WireGuard?

       1. 

          BMH June 11, 2021

          > but are you able to see inside of Docker than the 4G device is connected to WireGuard?
          When I added my iPhone as a peer using QR Code and activated it, my iphone’s IP address was within the IP range specified (10.13.13.2). Is there any other way to test if my iphone is connected to the WireGuard?

          1. 

             WunderTech June 11, 2021

             You can generally run a few different commands (“wg” or “wg show” is what’s normally used on Linux) to check to make sure the peer is successfully connected. If it’s not, you will need to get the connection working first.

             1. 

                BMH June 11, 2021

                So I have deleted everything (containers, folders, config files..etc) and did a fresh deployment and now everything seems to be working just fine!
                this is wg output:

                interface: wg0
                public key: (hidden)
                private key: (hidden)
                listening port: 51820

                peer: (hidden)
                endpoint: 5.156.49.xx:2702 (4G ip)
                allowed ips: 10.13.13.2/32
                latest handshake: 22 seconds ago
                transfer: 182.78 KiB received, 1.31 MiB sent

                Next, I’ll try to deploy AdGuard Home and see if I can get both work together..

                Much appreciated!

             2. 

                WunderTech June 14, 2021

                Glad that you got it working!

40. 

    Stas June 14, 2021

    @WunderTech,
    I have set up everything exactly as in the manual (my port is different and my IP is static, no DDNS), full tunnel is working pretty fast, but split tunnel doesn’t want to work. Official PiVPN guide tells me that you will block internet access if you add local subnet to AllowedIPs and mine is blocked. Do you know where I can start troubleshooting?
    I gave more details on Reddit: reddit.com/r/pihole/comments/nymp14/wireguard_vpn_split_tunnel/

    1. 

       WunderTech June 16, 2021

       When you say that it’s not working on split-tunnel, what exactly isn’t working? Are you able to access the external internet and not the local network, or access the local network and not the outside internet?

       1. 

          Stas June 19, 2021

          I can access only local network, but not the outside internet

          1. 

             WunderTech June 22, 2021

             That would make me feel like it’s a DNS issue. Do you know what DNS server you specified?

       2. 

          Stas June 20, 2021

          @WunderTech,
          Exactly, I am able to access the internal LAN resources, but not the external internet.

41. 

    BigBen June 15, 2021

    So what are these 10.xx.xx.xx IP adresses used in the example??? Should this be altered to 192.168.xxx.xxx for your own homerange?

    1. 

       WunderTech June 16, 2021

       Those are the IP addresses that are assigned to the VPN clients. The 192.168.X IP subnet is used for your local subnet, and the 10.X subnet is used for the VPN.

42. 

    Max June 15, 2021

    Hello Wundertech, Thank you for this tutorial. Now here is my problem: I followed the tutorial and it went well up-to the point where i asked the program to generate a QR code. Something looking like ASCII-code appears, no QR code. I am using a RasPi 3B, fresh installed with the latest Raspian and all updates. I have tested ALL screen resolutions either using VNC or a (high end) monitor on the Pi’s HDMI port with same result, no QR-code. I see a kind of ladder consisting of capital and small letters A with a tilde (wave form) above the letter. Is there a solution and if not, how do i get the data (and what data) on my phone?

    1. 

       WunderTech June 16, 2021

       I haven’t seen that error in specific, but googling it quickly, it appears like a lot of people have experienced this. Are you able to manually enter in the config settings into whatever app you’re using to try and connect? The QR code technically just transfers that information to the app (which makes it significantly easier, but not the only way to do it).

       1. 

          Max June 16, 2021

          Hi Wundertech, thanks for your kind reply. I have an Iphone so i can enter every bit of data for a VPN. I did use openVPN for a while and this was just a case of transferring a small file to the phone, click on it and you are done but as Wireguard got great reviews i wanted to try that. So yes, i can enter data in the VPN settings on the Iphone and i do have the WireGuard app also (but this only seems to work with the QR-code and won’t let you go any further without it). Yesterday i tryed installing on a brandnew Raspi-4 with the same results. Hope you have a fix.

          1. 

             WunderTech June 16, 2021

             Got it, glad that you at least have a workaround. I will have to do some testing on my side when I get some time. There’s a chance that PiVPN was updated and it accidently broke this functionality. I’m not sure when I will have a chance to test it, but I will do my best to see if it’s PiVPN related!

             1. 

                Max June 18, 2021

                Hi WunderTech, I am almost sure its a bug in PiVPN but no idea where to report it so will leave it with you. Thank you for you comments.

43. 

    Josh June 15, 2021

    Hi! Great stuff in this thread! Quick question for anyone who can answer- So, I have successfully setup the PiVPn WG server along with PiHole and it’s working great. What would happen if I used a USB to ethernet adapter and manually plugged another device (ie. a Synology NAS) directly into the pi? Would it go through the VPN?

    1. 

       WunderTech June 16, 2021

       The VPN is a tunnel back to your local network. Since your Synology NAS is on your local network, the VPN will not have any impact on it. Think of the VPN as a way to access your local network when you’re outside of your house.

44. 

    Josh June 16, 2021

    Thanks for the reply. So, with what you said considered, could I close any ports that are open for the NAS and if so, how could I still use the services (Syno Photos, webdav call, etc)? If a client was connected to the VPN, could it access them directly since they’re essentially on the same network? Thanks

    1. 

       WunderTech June 16, 2021

       You are correct. The client will connect via VPN, and then to the NAS’s internal IP address. This is potentially different than how you’re connecting now, but you’ll only be allowing people to access the services through VPN (which is the safest route).

45. 

    Carlin July 5, 2021

    Struggling to get an internet connection with WireGuard when this is installed on the same Pi as is running my DNS via AdGuardHome.

    I’m suspecting AdGuard at home is somehow blocking the connection with WireGuard, I’ve varied the WireGuard DNS settings from Google DNS, the Pi IP itself (which is the DSN IP), and using the “pivpn-is-local-dns” (whatever that does).

    Any suggestions for me, or is it not possible to use the same Pi for both DNS filtering and WireGuard?

    1. 

       WunderTech July 5, 2021

       Are you sure that the connection isn’t working, or is DNS just not working? Meaning can you ping servers/devices by IP address? Can you check to see if any devices are connected to WireGuard?

46. 

    Fisch July 13, 2021

    Dear WunderTech,

    I have done anything you said until the split-tunnel which i do not desire. I have a Pihole which serves as an unbound DNS and DHCP server, and my other raspberry serves as a VPN. Everything seems to be working besides the fact that the port is not visible from outside my network. I can ping the port 22 because it uses a service, but eventhought i have opened the 51820 from ufw it doesn’t seem to be accessable to the public web. Do i have to install the piVPN as a service? Here are the ufw status that the VPN created:

    To Action From
    — —— —-
    51820/udp ALLOW Anywhere # allow-wireguard
    22 ALLOW Anywhere # SSH
    51820/udp (v6) ALLOW Anywhere (v6) # allow-wireguard

    Anywhere on eth0 ALLOW FWD 10.6.0.0/24 on wg0

    Thank you for your time

    1. 

       WunderTech July 13, 2021

       Do you want port 22 (SSH) to be visible to the world? That is generally a riskier thing to do. As for the UDP port, it appears like you allowed it in UFW properly. I am assuming that you port forwarded it on your router as well? Did you complete the PiVPN setup? PiVPN should set everything up properly as far as the service goes.

       1. 

          Fisch July 14, 2021

          Dear WunderTech,

          The port 22 was allowed locally to check if the port forward function worked well for the modem and for the RasPi and i had a success. But for the 51820 port it didn’t work, i have read that the port must be opened by the server/RasPi in order to connect (The SSH runs the service all the time), so what should i do? Reinstall the piVPN again or check if the services are running for the WireGuard? I don’t know much about the linux world, i am new!

          Thank you very much!!

          1. 

             WunderTech July 14, 2021

             Got it – if we take a step back, can you confirm that everyone on the router side is set up properly? Since you opened the port on the RPi’s firewall, I would check to see if the router is properly port forwarded.

             1. 

                Fisch July 15, 2021

                Dear WunderTech,

                The router setup is proper, because i used the same config for SSH at port 22 and it got probed by the port scanners. I have selected for the wireguard the 51820 UDP port, but it doesn’t get the open sign, if there any tool to check if the PiVPN is running properly? Can you give me a guide to open another port like 443, to check if there isn’t any problem with the RasPi? My ISP isn’t blocking any port, nor does is have CGNAT enabled!

                Thank you very much!!

47. 

    Fisch July 15, 2021

    Dear WunderTech,

    I have made this experiment:

    A) I have selected the port 443 for the WireGuard, opened both UDP and TCP ports from modem. They seem closed from internet.
    B) The roules of UFW that i have made are:

    To Action From
    — —— —-
    443/udp ALLOW Anywhere # allow-wireguard
    22 ALLOW 192.168.2.0/24 # SSH
    443/tcp ALLOW Anywhere # HTTPS
    443/tcp (v6) ALLOW Anywhere (v6) # HTTPS
    443/udp (v6) ALLOW Anywhere (v6) # allow-wireguard

    Anywhere on eth0 ALLOW FWD 10.6.0.0/24 on wg0

    I can’t ping nothing from the internet 443 TCP or UDP. But the port 22 seems to be pingable every time i disable the firewall, but 443 in always closed with or without firewall.
    C) If the port 22 is open from the internet then the port forward is working right?
    D) When the Firewall is closed i am running those commands:

    sudo nmap -sT -p 443 localhost

    PORT STATE SERVICE
    443/tcp closed https

    sudo nmap -sU -p 443 localhost

    PORT STATE SERVICE
    443/udp open|filtered https

    With the Firewall enabled i got the commands:

    sudo nmap -sT -p 443 localhost

    PORT STATE SERVICE
    443/tcp closed https

    sudo nmap -sU -p 443 localhost

    PORT STATE SERVICE
    443/udp open|filtered https

    Please tell me what am i doing wrong??

    Thank you for your patience and time!!!!!

    1. 

       WunderTech July 15, 2021

       Can you run the command “sudo ufw status verbose” and respond with the output? It’s very difficult to troubleshoot network issues remotely unfortunately, but if the router is opened properly and PiVPN was configured properly, there’s a chance it’s the firewall.

       1. 

          Fisch July 15, 2021

          Dear WunderTech,

          The output is:

          Status: active
          Logging: on (low)
          Default: deny (incoming), allow (outgoing), disabled (routed)
          New profiles: skip

          Is it wrong to use 443 for PiVPN? I am just doing it in case the ISP is blocking ports above a certain range, are there any others ports you suggest to test the whole forwarding/open ports issue? I am so grateful for your time and knowledge you give to me!!

          Thank you very much!!!

          1. 

             WunderTech July 16, 2021

             It’s not wrong to use 443, but it isn’t normally necessary either (as long as your ISP doesn’t block specific ports). The firewall rules are interesting, because I was expecting specific ports, but it looks like it’s denying all incoming traffic.

             As a final effort, can you disable the firewall entirely and see if you’re able to get the VPN working?

             1. 

                Fisch July 17, 2021

                Dear WunderTech,

                I copy the verbosed firewall output:

                To Action From
                — —— —-
                5555/udp ALLOW IN Anywhere # allow-wireguard
                22 ALLOW IN 192.168.2.0/24 # SSH
                5555/tcp ALLOW IN Anywhere # Wire
                5555/udp (v6) ALLOW IN Anywhere (v6) # allow-wireguard

                Anywhere on eth0 ALLOW FWD 10.6.0.0/24 on wg0

                I have tried to setup WireGuard with 5555 and still nothing. Can’t ping UDP or TCP with or without the firewall. I have DNS my Pihole @ 192.168.2.2 and unbound is enabled, do you thing that this has something to do or because i use the no-ip.com *.zapto.org ? I don’t know i am quitting this madness if nothing is working..

                Thank you very much!!

             2. 

                WunderTech July 18, 2021

                If you completely disable the firewall (and the port is opened on your router) and the port still doesn’t show as open outside of your local network, then it is in fact the PiVPN setup. It’s hard for me to say exactly what is wrong, but it would have to be something. It shouldn’t be the no-ip as that’s just a dynamic DNS name.

                In its simplest form, I would install PiVPN (Wireguard) and use UDP port 51820. Port forward UDP 51820 to your Raspberry Pi on your router. Disable the firewall on the Raspberry Pi and see if you can connect from outside of your local network.

48. 

    Val July 18, 2021

    Hi, thank you so much for the wonderful detailed tutorial! But unfortunately it isn’t working for me.
    I have followed your steps but chose my public ip during installation as I have a static ip. I also used the custom dns that’s used by my isp. I created a full tunnel vpn & even added the Postup & Postdown lines.
    Then I transferred the config file to my phone to connect using the app, but no packets are being transferred.
    I tried re-installing everything by creating a static ip using duckdns & choosing Google’s dns but it still doesn’t transfer packets.
    My phone doesn’t even show up as a client in “pivpn -c”.
    I also checked if port forwarding & ip forwarding was enabled and it was.

    1. 

       WunderTech July 18, 2021

       Hello and thank you! I know this is a basic question, but are you testing from outside of your local network (on your mobile network, for example)?

       1. 

          Val July 20, 2021

          Yes I’m using mobile data on my smartphone to test it

          1. 

             WunderTech July 20, 2021

             Got it – can you now confirm that port 51820 is properly opened on your router? You can use a port checker to ensure that it’s open from the outside if you aren’t sure.

49. 

    Percy Sundberg August 3, 2021

    Hello!
    Followed this tutorial and its working fine. Have one question i did two config files one for FT and one for ST.
    When i add clients it seams to use FT file by default, how to create a client with ST file?

    1. 

       WunderTech August 3, 2021

       When you say that you add clients, do you mean on the actual configuration side? If so, I’m not sure if you can change those values unfortunately. I will try and test it out as soon as I get some time!

       1. 

          Percy August 5, 2021

          Hello!
          Thanks for quick replay.
          I mean when i do pivpn add
          Can i do two clients and just change allowed ips manuell after.

          1. 

             WunderTech August 5, 2021

             Yes, that’s exactly what you can do!

       2. 

          Percy Sundberg August 5, 2021

          Hello!
          Im sorry for the first comment, i did not pay enugh attention watching th video, you do explain how to do.
          I did as you said in the youtube video and changed the allowed ip in the config file for my ST file from 0.0.0.0/0, ::0/0 till
          192.168.10.0/24, 10.6.0.0/24.
          Then i scanned the file to my phone but when i checked the settings in the wireguard app the allowed ips are 0.0.0.0/0,
          ::0/0 does it matter?

          1. 

             WunderTech August 5, 2021

             It does – there seems to be a bug in this version of PiVPN that doesn’t actually transfer over the AllowedIPs to the phone. If you change it to 192.168.10.0/24, 10.6.0.0/24 on your phone, it should be split-tunnel.

             1. 

                Percy Sundberg August 7, 2021

                Hello!
                Changed it and now i works, confirmed with whatsmyip.
                My next task is to try to connect my laptop with Manjaro xfce with kernel 5.10.53-1 thru
                networkmanager.
                This time i have to import file and copy and paste in to networkmanager.
                I hope this works.
                Thanks for your answers to my questions.

             2. 

                WunderTech August 9, 2021

                Glad you got it working!

50. 

    Pete August 9, 2021

    Great guide thanks.
    How would you change the DDNS name after install?

    1. 

       WunderTech August 9, 2021

       Thanks! In the client configuration file, you will see an “endpoint” where you can change the DDNS hostname.

51. 

    Max G August 11, 2021

    What a great step by step procedure, THANK YOU! I am somewhat of a novice in the the vpn world and your tutorial was just what I needed.

    The results of my installation are as stated in Section 8 Item 3 and I can access my files remotely on my phone. So it appears everything is working. I do have a couple questions though.

    1. I was surprised to see the home ip address does not change when going to whatismyip.com. After thinking about it though, I believe this is because the duckdns.org ddns is not the vpn server so the home ip would remain unchanged. Am I understanding this correctly?

    2. With Split Tunnel and Full Tunnel profiles created, does the PiVPN with Wireguard default to the Full Tunnel mode? If the full tunnel mode throttles my streaming TV, is it possible to switch it to split tunnel and how would I do that?

    1. 

       WunderTech August 11, 2021

       Glad that it helped!

       1. Yes, these are home VPN’s, which means that you use them to access local resources and for that reason, it will appear like you’re home (home IP address) when you’re not actually home.

       2. Yes, it will default to full tunnel, but it should be as easy as disconnecting from the full tunnel VPN and connecting to the split tunnel VPN.

52. 

    Murat August 15, 2021

    Hey WunderTech,
    Thanks for the tutorial!
    I have followed your tutorial to the letter, but I seem to be having trouble getting a connection through the VPN.
    I have setup wireguard, created a profile (FT), copied it across to my android using a QR code. I can activate the connection using the app, and I can see the connection using the -c command, but I am unable to navigate to any websites from my phone while the connection is active.
    What could I have done wrong?

    1. 

       WunderTech August 15, 2021

       Just to confirm, you are on an external network right? Also, have you specified a valid DNS server to use?

       1. 

          Murat August 16, 2021

          Yes and yes, but I think you can ignore me completely. It looks like data transfer is broken on android 12 beta when using a VPN. Explains why it just suddenly stopped working.

          Thanks for replying anyway!

          1. 

             WunderTech August 16, 2021

             Got it – not a problem!

53. 

    RAW August 26, 2021

    Hi, I have gone through your tutorials, I have set up split tunnel Wireguard pi VPN with free ddns domain and google dns server and not added any route in router. I have created couple of clients and tested the connections. Everything works fine however my VPN client public IP address and location does not change after connecting to VPN. Do you have any idea if I am missing anything?
    Thanks in advance!

    1. 

       RAW August 26, 2021

       Hi again, I have read above comments and learn that i need to set up full tunnel connection for that. I can confirm VPN client’s Public IP address and location does change in full tunnel connection. Nice tutorial! thank you very much!

       1. 

          WunderTech August 27, 2021

          Glad you got it working!

54. 

    Richard August 31, 2021

    Thank you so much.

    Additionally, i go to pihole (on my rasp pi) and edit the settings, specifically the Upstream DNS server, i choose: “Listen to all interfaces, allow all origings”.

    This is to keep a second router with a DHCP function working properly. Wireguard installation changes this setting without notice.

    1. 

       WunderTech September 1, 2021

       Is the second router giving out IP addresses to a different subnet?

55. 

    Matteo September 8, 2021

    I have two questions (preface: I am a complete newbie)

    -I would like to use this setup as my VPN server instead of Synology+OpenVPN. The Synology NAS and the Raspberry Pi will be on the same local network. If I understood right, I would need to install a client only if I am trying to enter the VPN remotely, correct? So I don’t need to setup anything on the NAS. Is this right?

    -Is it possible to use the same raspberry as the DNS server and VPN server?

    1. 

       WunderTech September 8, 2021

       1. That is correct. You will set up the VPN server on the Pi, connect to it whenever you’re outside of your local network, and then you’ll be able to access all local resources (including your NAS).
       2. You can, though I believe that the setup is slightly different. There are a few tutorials online I believe, but following the two tutorials I have for them might not work properly (since they’re both occupying the same Raspberry Pi).

       1. 

          Matteo September 9, 2021

          Thank you very much! I really appreciate the work you do, you saved me a lot of time!

          1. 

             WunderTech September 9, 2021

             Thanks for the kind words, glad that the information helps!

56. 

    Danny September 21, 2021

    I’m using Adguard on my Raspberry Pi, and I want to set up wireguard by PiVPN.
    Adguard Home works if I set the DNS up.
    For PiVPN, I set it up with mostly the default setting by clicking OK to the next step.
    I’ve forward my port (should be correctly set up but not so sure), and added those two lines you mentioned. Though once I connected the VPN, I couldn’t connect to the Internet.
    Anything I could do to resolve this problem?

    Also, where could I send my debug message privately?

    1. 

       WunderTech September 21, 2021

       When you set up WireGuard, what are you using as the DNS server? Are you sure that it’s an internet issue and not a DNS issue? I haven’t run WireGuard + AdGuard Home, but a bunch of people run WireGuard + Pi-hole so I don’t think that would be the problem.

       1. 

          Danny September 22, 2021

          Hi WunderTech,

          Thanks for replying. I tried your tutorial on port forwarding, though found out that seems not working on my router. Here is how I set it:
          Local External
          IP Address Start Port End Port IP Address Start Port End Port Prot Description Enabled
          192.168.0.18 51820 51820 192.168.0.18 51820 51820 BOTH Yes

          I used http://www.portchecktool.com and put in 192.168.0.18. Seems not a valid port.

          I tried a few DNS servers: Google, my home IP address, 192.168.0.18. Though none of those worked out.
          Any suggestions?

          Best,
          Zhenyu

          1. 

             WunderTech September 22, 2021

             The port that you’ll have to check is 51820 – the 192.168.0.18 is the IP address. However, you sent me a TCP port checker and WireGuard uses UDP. So I would use this site instead: https://www.ipvoid.com/udp-port-scan/

             Google “what is my IP”, and put your external IP address in the first line of “IPv4 Address”, then put 51820 in as the second. Agree to the terms and you can see if it’s open.

             1. 

                Danny September 23, 2021

                It says:
                Port Type Status Service
                51820 UDP Open|filtered unknown

                PLAT=Raspbian
                OSCN=buster
                USING_UFW=0
                IPv4dev=eth0
                dhcpReserv=1
                IPv4addr=192.168.0.18/24
                IPv4gw=192.168.0.1
                install_user=pi
                install_home=/home/pi
                VPN=wireguard
                pivpnPORT=51820
                pivpnDNS1=192.168.0.18
                pivpnDNS2=
                pivpnHOST=my external IP address here.

                Am I setting up correct?

             2. 

                Danny September 23, 2021

                Also, here is one of my wireguard profile for my computer:
                [Interface]
                PrivateKey =
                Address = 10.6.0.2/24
                DNS = 192.168.0.18

                [Peer]
                PublicKey =
                PresharedKey =
                Endpoint = MyExternalIPAddress:51820
                AllowedIPs = 0.0.0.0/0, ::0/0

             3. 

                WunderTech September 24, 2021

                From this info, it looks correct – other than DNS. Are you running a DNS server at 192.168.0.18? If not, change that to something public (like 8.8.8.8 or 1.1.1.1) and test again.

       2. 

          Steve September 22, 2021

          Is there a way to troubleshoot the following issue. On a raspberry piW with pihole and unbound, decided to follow the full tutorial and it went well. But, when I activated wireguard from my mobile device and scaned the qr code it could not reach anything on the internet. And i could not connect to my pc with duckdns. I sudo -u pivpn and I will try installing it again in case i missed a step but I am not sure i know where the fault lies. Is there a chance to be a router issue?

          1. 

             WunderTech September 22, 2021

             WireGuard has a bug (some versions of it, at least) where the QR code doesn’t always work. Can you open your mobile app and ensure that the correct information was properly passed to the application?

             1. 

                Steve September 23, 2021

                Well, I did and after i changed dns to 1.1.1.1, i was able to reach the internet but still i am anable to connect from the outside to my ddns. And i checking through putty the sudo wg situation, there isn’t a handshake as it should. I am rather troubled by all of this….

             2. 

                WunderTech September 23, 2021

                I am a little confused on what you mean by “connect from the outside to my DDNS”? DDNS ensures that the domain name being used is always updated with your external IP address. Typing that into a web browser won’t necessarily do anything unless you’re exposing something on your local network (via port forwarding).

57. 

    Steve September 24, 2021

    Well yes, for that reason I have opened a port. So in theory it should give me the ability to connect to my system/server with wireguard at least for pihole on the go. It doesnt though and i am perplexed.

    1. 

       WunderTech September 24, 2021

       What is your goal for using WireGuard? You want a full-tunnel VPN connection that will use Pi-hole as DNS? This shouldn’t be too difficult to get working, but if 1.1.1.1 worked as your DNS server, then it’s a Pi-hole issue. What are you setting as the DNS server when you try and get Pi-hole working?

58. 

    Danny September 24, 2021

    Hi WunderTech,

    Thanks for your help above. Though when I changed my DNS server as Google, when I created a PiVPN profile, and added to my device. My device could not connect to the Internet as before.

    Here is my PiVPN debug report:
    ::: Generating Debug Output
    :::: PiVPN debug ::::
    =============================================
    :::: Latest commit ::::
    Branch: master
    Commit:
    Author: Orazio
    Date: Wed Sep 15 17:52:17 2021 +0200
    Summary: Important change to custom MTU handling (mainly to fix issue #1357)
    =============================================
    :::: Installation settings ::::
    PLAT=Raspbian
    OSCN=buster
    USING_UFW=0
    IPv4dev=eth0
    IPv4addr=192.168.0.18/24
    IPv4gw=192.168.0.1
    install_user=pi
    install_home=/home/pi
    VPN=wireguard
    pivpnPORT=51820
    pivpnDNS1=8.8.8.8
    pivpnDNS2=8.8.4.4
    pivpnHOST=REDACTED
    INPUT_CHAIN_EDITED=0
    FORWARD_CHAIN_EDITED=0
    pivpnPROTO=udp
    pivpnMTU=1420
    pivpnDEV=wg0
    pivpnNET=10.6.0.0
    subnetClass=24
    ALLOWED_IPS=”0.0.0.0/0, ::0/0″
    UNATTUPG=1
    INSTALLED_PACKAGES=()
    =============================================
    :::: Server configuration shown below ::::
    [Interface]
    PrivateKey = server_priv
    Address = 10.6.0.1/24
    MTU = 1420
    ListenPort = 51820
    ### begin zwu-sam ###
    [Peer]
    PublicKey = zwu-sam_pub
    PresharedKey = zwu-sam_psk
    AllowedIPs = 10.6.0.2/32
    ### end zwu-sam ###
    =============================================
    :::: Client configuration shown below ::::
    [Interface]
    PrivateKey = zwu-sam_priv
    Address = 10.6.0.2/24
    DNS = 8.8.8.8, 8.8.4.4

    [Peer]
    PublicKey = server_pub
    PresharedKey = zwu-sam_psk
    Endpoint = REDACTED:51820
    AllowedIPs = 0.0.0.0/0, ::0/0
    =============================================
    :::: Recursive list of files in ::::
    ::::[4m/etc/wireguard shown below ::::
    /etc/wireguard:
    configs
    keys
    wg0.conf

    /etc/wireguard/configs:
    clients.txt
    zwu-sam.conf

    /etc/wireguard/keys:
    server_priv
    server_pub
    zwu-sam_priv
    zwu-sam_psk
    zwu-sam_pub
    =============================================
    :::: Self check ::::
    :: [OK] IP forwarding is enabled
    :: [OK] Iptables MASQUERADE rule set
    :: [OK] WireGuard is running
    :: [OK] WireGuard is enabled (it will automatically start on reboot)
    :: [OK] WireGuard is listening on port 51820/udp
    =============================================
    :::: Having trouble connecting? Take a look at the FAQ:
    :::: https://docs.pivpn.io/faq
    =============================================
    :::: WARNING: This script should have automatically masked sensitivity ::::
    :::: information, however, still make sure that PrivateKey, PublicKey ::::
    :::: and PresharedKey are masked before reporting an issue. An example key ::::
    :::: that you should NOT see in this log looks like this: ::::
    :::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe ::::
    =============================================
    :::: Debug complete ::::
    :::
    ::: Debug output completed above.
    ::: Copy saved to /tmp/debug.log
    :::

    1. 

       WunderTech September 26, 2021

       There’s nothing that I see that’s out of the ordinary. When you connect to WireGuard (even if it doesn’t work), can you check to see if the client is connected through the terminal?

       1. 

          Danny September 27, 2021

          Hi WunderTech,

          Appreciate again for your help.
          After connecting to the wireguard VPN on my laptop, I could still not connect to the Internet.
          Here is the VPN profile on my laptop:
          [Interface]
          PrivateKey =
          Address = 10.6.0.3/24
          DNS = 8.8.8.8, 8.8.4.4

          [Peer]
          PublicKey =
          PresharedKey =
          Endpoint = My_IP_Address:51820
          AllowedIPs = 0.0.0.0/0, ::0/0

          I figured when I connect the VPN, the listening port is 54851.
          And data only shows sent out, not receiving.

          Anything I did wrong over these setups?

          1. 

             WunderTech September 27, 2021

             When you say that the listening port is 54851, did you change that? Generally, that should be 51820 which matches what the client is connecting to.

             1. 

                Danny September 28, 2021

                No, I didn’t change the listening port. And I realized it changed every time I connect the WireGuard VPN.

             2. 

                WunderTech September 28, 2021

                That is most likely the issue, however, I am not sure why it keeps changing. The listening port and server port should both be the same (51820).

59. 

    Steve September 25, 2021

    First of all thanks for all the time you are taking to troobleshoot. Well, a full or split tunnel vpn with wireguard using pi-hole/unbound as dns and have the ability of remote access. My setting is a custom 127.0.0.1#5335 and i think pi-hole is working.

    1. 

       WunderTech September 26, 2021

       Glad to try and help! Is Unbound working without WireGuard connected? If it is, what do you have set as the DNS address for the WireGuard client?

       1. 

          Steve September 28, 2021

          Yes it does work without it cause i had set it about a month prior. You don’t mean the duckdns adress or i understand something wrong? A lot of steps were done by pivpn and maybe i have missed something!

          1. 

             WunderTech September 28, 2021

             From what I’ve read (haven’t tried it myself), the process is not as simple as just setting up WireGuard and Unbound separately. Have you searched Google to see how to implement it? I’m afraid that following both of my tutorials would mean that one or the other would work, but not both at the same time.

             1. 

                Steve October 3, 2021

                Ahh this then poses an entire different set of issues i hadn’t realise they exist. Thank you i’ll try and find a solution for that and come back with my findings or pihole and wireguard alone 😛

60. 

    Foad September 28, 2021

    Hi there,

    I have been trying to setup Wireguard VPN on Raspberry pi 4GB using PiVPN. The process is successful when using LAN (my raspberry LAN ip is different from eth0 ip). But when I used the eth0 to set it up (meaning I connect the raspberry pi to my router with a cable) I can’t get the VPN to work. I have also changed the Port forwarding IP on my router according to LAN/eth0 IP. Am I doing anything wrong? I just want to do this thinking that it would improve the internet speed!

    Thank you for your help!

    1. 

       WunderTech September 29, 2021

       When you say that the Eth0 IP is different than the LAN IP address, what exactly do you mean? Are you using Wi-Fi or anything? Generally, the LAN IP address and the Eth0 IP address should be the same.

61. 

    Percy September 30, 2021

    Great tutorial I was able to set up WireGuard in an evening. I initially set up full tunneling. My goal was to be able to access my devices on my local network while out of the house. I can connect to the vpn while on an outside wifi but I cannot access devices on my local network. However if I switch my phone to cellular and connect to the vpn and I can access devices on my locale network . I added split tunnel with the same results.

    1. 

       WunderTech September 30, 2021

       Sorry about that, I have to moderate the posts due to tons of spam that I receive.

       So when you say that it works on the mobile network, it does everything that you expect? Is it only a single external Wi-Fi network that isn’t working, or is all of them?

62. 

    Percy September 30, 2021

    It’s any Wi-Fi network, I tried it on two different networks. One is our network at work it’s not part of our corporate network we call it the dirty feed. It’s a Spectrum business network and I control the router. I’ve tried it on my mother-in-laws network Spectrum residential account netgear wireless router. As I’m writing this the one at work is double NAT only because the router is in my office and we have not moved it yet at which time I will configure the modem as pass through. My mother-in-laws was configured for pass through but they replaced it a month ago and I don’t remember if I reconfigure it.

63. 

    Percy September 30, 2021

    I just tried it on another Wi-Fi net that I know is not double NAT and still no luck. I’m going to do a clean install.

    1. 

       WunderTech October 1, 2021

       Yes, a clean install is best, but is your network double NAT? That could be the problem.

64. 

    Goger October 9, 2021

    Hi,

    I followed your tutorial and everything works fiine. But I have one problem. I tried to set up a split tunnel and a full tunnel, did everything as stated. After a bit of try and error it seems as if the qr code is generated when the client is generated. If I change a config of a user, the qr code does not get updated. Only way for me to solve this was to edit /etc/pivpn/wireguard/setupVars.conf to set allowed IPs for a split tunnel and generate a client. Is there a way to renew the created QR code?

    1. 

       WunderTech October 10, 2021

       I believe that that’s a bug with WireGuard unfortunately. One of the easier methods (that I’ve found) is to manually edit the config in the WireGuard client, though your option is probably better if you’re using that client multiple times.

Comments are closed.