Installing wireguard VPN on kiwi

Hey everybody, I use wireguard VPN for management of all my remote devices. I recently got wireguard installed on the KiwiSDR BBG running Debian 10.11 (buster). I stole this mostly from here.

This how-to assumes you are a bit familiar with wireguard, and that you already have a central server somewhere on the public internet that can accept new incoming connections. I use the private IP space for my wireguard network, you can use any IP range you want but be aware that LANs typically use or, and docker typically uses

It's probably a good idea to make sure nobody is using your KiwiSDR when you are installing wireguard, as we all know the beaglebone is underpowered.

Step 1: Add the buster-backports repo, and set it to a lower priority than the existing repos. This ensures that any updates will come from the original repos, not the backports repo.

debian@kiwisdr:~$ sudo sh -c "echo 'deb buster-backports main' >> /etc/apt/sources.list.d/backports.list"
debian@kiwisdr:~$ sudo sh -c "printf 'Package: *\nPin: release a=buster-backports\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-backports"

Step 2: Update the package list to get the new backports repo, and install wireguard and wireguard-tools

debian@kiwisdr:~$ sudo apt update
debian@kiwisdr:~$ sudo apt install wireguard=1.0.20210223-1~bpo10+1 wireguard-tools=1.0.20210223-1~bpo10+1

This will also install: dkms fakeroot libfakeroot linux-headers-3.8.13-xenomai-r86 wireguard wireguard-dkms wireguard-tools. Say Yes. After some churning, wireguard will be installed. If you're feeling adventurous, you can also do a sudo apt upgrade to get all the security updates.

Step 3: Generate your client public/private keys for your Kiwi. Set the umask to keep your private key secure. This will create your public and private keys.

debian@kiwisdr:~$ (umask 077 && wg genkey > wg-private.key)
debian@kiwisdr:~$ wg pubkey < wg-private.key > wg-public.key

Step 4: Create the wireguard configuration file in /etc/wireguard/wg0.conf. Must use sudo. Change your IP network and private client key, and the public server key and endpoint. Don't use DNS for the endpoint, as the tunnel may come up before DNS works.

debian@kiwisdr:~$ sudo vim /etc/wireguard/wg0.conf
Address =

AllowedIPs =
Endpoint =
PersistentKeepalive = 25

Step 5: Add the Kiwi's public key and private IP address to your wireguard server configuration file. This typically means adding another [peer] section to the wg0.conf file on the server. Don't forget to restart wireguard on the server to reload the conf file!

Step 6: Back on your KiwiSDR, start the wireguard service, and double check that it's connected to your server.

debian@kiwisdr:~$ sudo wg-quick up wg0
debian@kiwisdr:~$ sudo wg
interface: wg0
 private key: (hidden)
 listening port: 39608

 allowed ips:
 latest handshake: 1 minute, 6 seconds ago
 transfer: 235.28 KiB received, 2.40 MiB sent
 persistent keepalive: every 25 seconds

Step 7: Enable wireguard via systemctl so it will automatically start on boot.

sudo systemctl enable wg-quick@wg0

That's all. I've successfully done this on two KiwiSDRs, it works pretty well. Hopefully this helps you.


  • Hi @KF6ZEO thanks for sharing your guide! Wireguard good and fast VPN technology supporting on many different OS and popular routers - Mikrotik ROS7, OpenWRT & etc.

    73! Yuri

  • Update December 2022:

    Something has changed recently with regards to the dependencies for Wireguard. Using the same Debian 10 Buster image that these directions were originally written for, the above procedure now bricks the BeagleBone by installing a much older kernel.

    This dependency causes linux-image-4.19.0-22-rt-armmp to be installed, which will brick your Kiwi, requiring a fresh install from the SD card. The kernel required for the Kiwi is linux-image-4.19.94-ti-r42.

    To fix, before installing Wireguard, first install the kernel headers for this kernel:

    sudo apt install linux-headers-4.19.94-ti-r42

    Also probably a good idea to do an apt update and apt upgrade to get security updates for all the packages. Then install Wireguard and DKMS:

    debian@kiwisdr:~$ sudo apt install wireguard=1.0.20210223-1~bpo10+1 wireguard-tools=1.0.20210223-1~bpo10+1 wireguard-dkms dkms
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    The following additional packages will be installed:
     fakeroot libfakeroot linux-headers-3.8.13-xenomai-r86
    Suggested packages:
     python3-apport menu openresolv | resolvconf
    The following NEW packages will be installed:
     dkms fakeroot libfakeroot linux-headers-3.8.13-xenomai-r86 wireguard wireguard-dkms wireguard-tools
    0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
    Need to get 9,443 kB of archives.
    After this operation, 65.8 MB of additional disk space will be used.
    Do you want to continue? [Y/n] Y

    This will also install fakeroot and linux-headers-3.8.13-xenomai-r86, which is fine. Double check that the 4.19.0-22-rt-armmp kernel is NOT installed.

    You'll know that everything is successful when the DKMS module is built towards the end of the install:

    Setting up dkms (2.6.1-4) ...
    Setting up fakeroot (1.23-1) ...
    update-alternatives: using /usr/bin/fakeroot-sysv to provide /usr/bin/fakeroot (fakeroot) in auto mode
    Setting up wireguard-dkms (1.0.20210219-1~bpo10+1) ...
    Loading new wireguard-1.0.20210219 DKMS files...
    Building for 4.19.94-ti-r42
    Building initial module for 4.19.94-ti-r42
    Running module version sanity check.
     - Original module
     - Installation
      - Installing to /lib/modules/4.19.94-ti-r42/updates/dkms/
    DKMS: install completed.
    Setting up wireguard-tools (1.0.20210223-1~bpo10+1) ... is a disabled or a static unit, not starting it.
    Setting up wireguard (1.0.20210223-1~bpo10+1) ...
    Processing triggers for man-db (2.8.5-2) ...
    Processing triggers for libc-bin (2.28-10+deb10u2) ...

    Verify that the initrd.img-4.19.94-ti-r42,, and vmlinuz-4.19.94-ti-r42 files are still in /boot , and that the BeagleBone boot still points towards the 4.19.94-ti-r42 kernel:

    debian@kiwisdr:~$ cat /boot/uEnv.txt

    After that, continue with making your private/public keys, wg0.conf file, etc.

Sign In or Register to comment.