Installing wireguard VPN on kiwi

Hey everybody, I use wireguard VPN for management of all my remote devices. I recently got wireguard installed on the KiwiSDR BBG running Debian 10.11 (buster). I stole this mostly from here.

This how-to assumes you are a bit familiar with wireguard, and that you already have a central server somewhere on the public internet that can accept new incoming connections. I use the 172.30.1.0/24 private IP space for my wireguard network, you can use any IP range you want but be aware that LANs typically use 192.168.1.0/24 or 10.0.0.0/8, and docker typically uses 172.17.0.0/16.

It's probably a good idea to make sure nobody is using your KiwiSDR when you are installing wireguard, as we all know the beaglebone is underpowered.

Step 1: Add the buster-backports repo, and set it to a lower priority than the existing repos. This ensures that any updates will come from the original repos, not the backports repo.

debian@kiwisdr:~$ sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list.d/backports.list"
debian@kiwisdr:~$ sudo sh -c "printf 'Package: *\nPin: release a=buster-backports\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-backports"

Step 2: Update the package list to get the new backports repo, and install wireguard and wireguard-tools

debian@kiwisdr:~$ sudo apt update
debian@kiwisdr:~$ sudo apt install wireguard=1.0.20210223-1~bpo10+1 wireguard-tools=1.0.20210223-1~bpo10+1

This will also install: dkms fakeroot libfakeroot linux-headers-3.8.13-xenomai-r86 wireguard wireguard-dkms wireguard-tools. Say Yes. After some churning, wireguard will be installed. If you're feeling adventurous, you can also do a sudo apt upgrade to get all the security updates.

Step 3: Generate your client public/private keys for your Kiwi. Set the umask to keep your private key secure. This will create your public and private keys.

debian@kiwisdr:~$ (umask 077 && wg genkey > wg-private.key)
debian@kiwisdr:~$ wg pubkey < wg-private.key > wg-public.key

Step 4: Create the wireguard configuration file in /etc/wireguard/wg0.conf. Must use sudo. Change your IP network and private client key, and the public server key and endpoint. Don't use DNS for the endpoint, as the tunnel may come up before DNS works.

debian@kiwisdr:~$ sudo vim /etc/wireguard/wg0.conf
[Interface]
Address = 172.30.1.10/32
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 

[Peer]
PublicKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
AllowedIPs = 172.30.1.0/24
Endpoint = 1.1.1.1:51820
PersistentKeepalive = 25

Step 5: Add the Kiwi's public key and private IP address to your wireguard server configuration file. This typically means adding another [peer] section to the wg0.conf file on the server. Don't forget to restart wireguard on the server to reload the conf file!

Step 6: Back on your KiwiSDR, start the wireguard service, and double check that it's connected to your server.

debian@kiwisdr:~$ sudo wg-quick up wg0
debian@kiwisdr:~$ sudo wg
interface: wg0
 public key: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
 private key: (hidden)
 listening port: 39608

peer: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
 endpoint: 1.1.1.1:51820
 allowed ips: 172.30.1.0/24
 latest handshake: 1 minute, 6 seconds ago
 transfer: 235.28 KiB received, 2.40 MiB sent
 persistent keepalive: every 25 seconds

Step 7: Enable wireguard via systemctl so it will automatically start on boot.

sudo systemctl enable wg-quick@wg0

That's all. I've successfully done this on two KiwiSDRs, it works pretty well. Hopefully this helps you.
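
A pre-flight check for the Step 4 config, as an added example that is not part of the original post: it flags a config file readable by other users, a hostname in Endpoint, and a tunnel address inside the LAN/docker ranges mentioned above. The function name `lint_wg_conf` and the sample hostname are assumptions made for illustration, and GNU `stat` (as shipped on Debian) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (as on Debian).
# lint_wg_conf FILE: prints one finding per line; returns 0 if clean, else 1.
lint_wg_conf() {
    conf=$1
    out=$(
        # The file embeds the private key: group/other must have no access.
        mode=$(stat -c '%a' "$conf")
        case $mode in
            *00) ;;
            *) echo "PERM: mode $mode exposes the private key to other users" ;;
        esac
        # Endpoint must be an IP literal; the tunnel may come up before DNS.
        sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$conf" |
        while IFS= read -r ep; do
            host=${ep%:*}    # drop the :port suffix
            if ! printf '%s\n' "$host" |
                grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^\[[0-9A-Fa-f:]+\]$'; then
                echo "DNS: Endpoint $ep is a hostname, not an IP literal"
            fi
        done
        # Tunnel address should avoid the LAN/docker ranges the post mentions.
        sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$conf" |
        while IFS= read -r addr; do
            case $addr in
                10.*|192.168.1.*|172.17.*)
                    echo "OVERLAP: Address $addr is in a common LAN/docker range" ;;
            esac
        done
        :
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: the Step 4 layout with a hostname endpoint and lax mode.
demo=$(mktemp)
printf '%s\n' '[Interface]' 'Address = 172.30.1.10/32' \
    'PrivateKey = <placeholder>' '[Peer]' 'AllowedIPs = 172.30.1.0/24' \
    'Endpoint = vpn.example.net:51820' > "$demo"
chmod 644 "$demo"
lint_wg_conf "$demo" || echo "fix the findings above before wg-quick up"
rm -f "$demo"
```

On the Kiwi this would be run as `sudo sh -c '. ./lint.sh; lint_wg_conf /etc/wireguard/wg0.conf'`, where `lint.sh` is whatever file the function was saved to.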

Comments

  • Hi @KF6ZEO, thanks for sharing your guide! Wireguard is a good and fast VPN technology, supported on many different OSes and popular routers - Mikrotik ROS7, OpenWRT, etc.

    73! Yuri

  • Update December 2022:

    Something has changed recently with regards to the dependencies for Wireguard. Using the same Debian 10 Buster image that these directions were originally written for, the above procedure now bricks the BeagleBone by installing a much older kernel.

    This dependency causes linux-image-4.19.0-22-rt-armmp to be installed, which will brick your Kiwi, requiring a fresh install from the SD card. The kernel required for the Kiwi is linux-image-4.19.94-ti-r42.

    To fix, before installing Wireguard, first install the kernel headers for this kernel:

    sudo apt install linux-headers-4.19.94-ti-r42
    

    Also probably a good idea to do an apt update and apt upgrade to get security updates for all the packages. Then install Wireguard and DKMS:

    debian@kiwisdr:~$ sudo apt install wireguard=1.0.20210223-1~bpo10+1 wireguard-tools=1.0.20210223-1~bpo10+1 wireguard-dkms dkms
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    The following additional packages will be installed:
     fakeroot libfakeroot linux-headers-3.8.13-xenomai-r86
    Suggested packages:
     python3-apport menu openresolv | resolvconf
    The following NEW packages will be installed:
     dkms fakeroot libfakeroot linux-headers-3.8.13-xenomai-r86 wireguard wireguard-dkms wireguard-tools
    0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
    Need to get 9,443 kB of archives.
    After this operation, 65.8 MB of additional disk space will be used.
    Do you want to continue? [Y/n] Y
    

    This will also install fakeroot and linux-headers-3.8.13-xenomai-r86, which is fine. Double check that the 4.19.0-22-rt-armmp kernel is NOT installed.

    You'll know that everything is successful when the DKMS module is built towards the end of the install:

    Setting up dkms (2.6.1-4) ...
    Setting up fakeroot (1.23-1) ...
    update-alternatives: using /usr/bin/fakeroot-sysv to provide /usr/bin/fakeroot (fakeroot) in auto mode
    Setting up wireguard-dkms (1.0.20210219-1~bpo10+1) ...
    Loading new wireguard-1.0.20210219 DKMS files...
    Building for 4.19.94-ti-r42
    Building initial module for 4.19.94-ti-r42
    Done.
    
    wireguard.ko.xz:
    Running module version sanity check.
     - Original module
     - Installation
      - Installing to /lib/modules/4.19.94-ti-r42/updates/dkms/
    
    depmod............
    
    DKMS: install completed.
    Setting up wireguard-tools (1.0.20210223-1~bpo10+1) ...
    wg-quick.target is a disabled or a static unit, not starting it.
    Setting up wireguard (1.0.20210223-1~bpo10+1) ...
    Processing triggers for man-db (2.8.5-2) ...
    Processing triggers for libc-bin (2.28-10+deb10u2) ...
    debian@kiwisdr:~$
    

    Verify that the initrd.img-4.19.94-ti-r42, System.map-4.19.94-ti-r42, and vmlinuz-4.19.94-ti-r42 files are still in /boot, and that the BeagleBone boot still points towards the 4.19.94-ti-r42 kernel:

    debian@kiwisdr:~$ cat /boot/uEnv.txt
    #Docs: http://elinux.org/Beagleboard:U-boot_partitioning_layout_2.0
    
    uname_r=4.19.94-ti-r42
    ###uuid=
    #dtb=
    .......
    

    After that, continue with making your private/public keys, wg0.conf file, etc.
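
The kernel check described in the comment above can be done before anything is installed, by feeding a simulated `apt-get -s install` run through a filter. This is an added example, not part of the original comment; the function names are assumptions made for illustration, and the sample apt lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original comment.
# Reads `apt-get -s install ...` output on stdin and prints every
# linux-image-* package it would install other than linux-image-$1.
unexpected_kernel_images() {
    awk -v keep="linux-image-$1" \
        '$1 == "Inst" && $2 ~ /^linux-image-/ && $2 != keep { print $2 }'
}

# Prints the kernel release U-Boot is told to boot (uname_r= in uEnv.txt).
uenv_kernel() {
    sed -n 's/^uname_r=//p' "$1" | tail -n 1
}

# safe_to_install KERNEL UENV_FILE < simulated-apt-output
# Returns 0 only if no foreign kernel image is pulled in and uEnv.txt
# still points at KERNEL.
safe_to_install() {
    bad=$(unexpected_kernel_images "$1")
    boot=$(uenv_kernel "$2")
    rc=0
    if [ -n "$bad" ]; then
        echo "would install kernel image(s): $bad"; rc=1
    fi
    if [ "$boot" != "$1" ]; then
        echo "uEnv.txt boots '$boot', expected '$1'"; rc=1
    fi
    return $rc
}

# Constructed sample input; on the Kiwi the real input would come from
#   apt-get -s install wireguard=1.0.20210223-1~bpo10+1 \
#       wireguard-tools=1.0.20210223-1~bpo10+1 wireguard-dkms dkms
sample='Inst dkms (2.6.1-4 constructed [all])
Inst linux-image-4.19.0-22-rt-armmp (0.0-constructed constructed [armhf])
Inst wireguard-dkms (1.0.20210219-1~bpo10+1 constructed [all])'
uenv=$(mktemp)
printf '%s\n' '#Docs: constructed sample' 'uname_r=4.19.94-ti-r42' > "$uenv"
printf '%s\n' "$sample" | safe_to_install 4.19.94-ti-r42 "$uenv" ||
    echo "abort: install the matching linux-headers package first"
rm -f "$uenv"
```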
