Installing wireguard VPN on kiwi
Hey everybody, I use wireguard VPN for management of all my remote devices. I recently got wireguard installed on the KiwiSDR BBG running Debian 10.11 (buster). I stole this mostly from here.
This how-to assumes you are a bit familiar with wireguard, and that you already have a central server somewhere on the public internet that can accept new incoming connections. I use the 172.30.1.0/24 private IP space for my wireguard network, you can use any IP range you want but be aware that LANs typically use 192.168.1.0/24 or 10.0.0.0/8, and docker typically uses 172.17.0.0/16.
It's probably a good idea to make sure nobody is using your KiwiSDR when you are installing wireguard, as we all know the beaglebone is underpowered.
Step 1: Add the buster-backports repo, and set it to a lower priority than the existing repos. This ensures that any updates will come from the original repos, not the backports repo.
debian@kiwisdr:~$ sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list.d/backports.list" debian@kiwisdr:~$ sudo sh -c "printf 'Package: *\nPin: release a=buster-backports\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-backports"
Step 2: Update the package list to get the new backports repo, and install wireguard and wireguard-tools
debian@kiwisdr:~$ sudo apt update debian@kiwisdr:~$ sudo apt install wireguard=1.0.20210223-1~bpo10+1 wireguard-tools=1.0.20210223-1~bpo10+1
This will also install: dkms fakeroot libfakeroot linux-headers-3.8.13-xenomai-r86 wireguard wireguard-dkms wireguard-tools. Say Yes. After some churning, wireguard will be installed. If you're feeling adventurous, you can also do a sudo apt upgrade to get all the security updates.
Step 3: Generate your client public/private keys for your Kiwi. Set the umask to keep your private key secure. This will create your public and private keys.
debian@kiwisdr:~$ (umask 077 && wg genkey > wg-private.key) debian@kiwisdr:~$ wg pubkey < wg-private.key > wg-public.key
Step 4: Create the wireguard configuration file in /etc/wireguard/wg0.conf. Must use sudo. Change your IP network and private client key, and the public server key and endpoint. Don't use DNS for the endpoint, as the tunnel may come up before DNS works.
debian@kiwisdr:~$ sudo vim /etc/wireguard/wg0.conf [Interface] Address = 172.30.1.10/32 PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= [Peer] PublicKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC= AllowedIPs = 172.30.1.0/24 Endpoint = 184.108.40.206:51820 PersistentKeepalive = 25
Step 5: Add the Kiwi's public key and private IP address to your wireguard server configuration file. This typically means adding another [peer] section to the wg0.conf file on the server. Don't forget to restart wireguard on the server to reload the conf file!
Step 6: Back on your KiwiSDR, start the wireguard service, and double check that it's connected to your server.
debian@kiwisdr:~$ sudo wg-quick up wg0 debian@kiwisdr:~$ sudo wg interface: wg0 public key: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB= private key: (hidden) listening port: 39608 peer: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC= endpoint: 220.127.116.11:51820 allowed ips: 172.30.1.0/24 latest handshake: 1 minute, 6 seconds ago transfer: 235.28 KiB received, 2.40 MiB sent persistent keepalive: every 25 seconds
Step 7: Enable wireguard via systemctl so it will automatically start on boot.
sudo systemctl enable wg-quick@wg0
That's all. I've successfully done this on two KiwiSDRs, it works pretty well. Hopefully this helps you.