Installing wireguard VPN on kiwi

Hey everybody, I use wireguard VPN for management of all my remote devices. I recently got wireguard installed on the KiwiSDR BBG running Debian 10.11 (buster). I stole this mostly from here.

This how-to assumes you are a bit familiar with wireguard, and that you already have a central server somewhere on the public internet that can accept new incoming connections. I use the private IP space for my wireguard network, you can use any IP range you want but be aware that LANs typically use or, and docker typically uses

It's probably a good idea to make sure nobody is using your KiwiSDR when you are installing wireguard, as we all know the beaglebone is underpowered.

Step 1: Add the buster-backports repo, and set it to a lower priority than the existing repos. This ensures that any updates will come from the original repos, not the backports repo.

debian@kiwisdr:~$ sudo sh -c "echo 'deb buster-backports main' >> /etc/apt/sources.list.d/backports.list"
debian@kiwisdr:~$ sudo sh -c "printf 'Package: *\nPin: release a=buster-backports\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-backports"

Step 2: Update the package list to get the new backports repo, and install wireguard and wireguard-tools

debian@kiwisdr:~$ sudo apt update
debian@kiwisdr:~$ sudo apt install wireguard=1.0.20210223-1~bpo10+1 wireguard-tools=1.0.20210223-1~bpo10+1

This will also install: dkms fakeroot libfakeroot linux-headers-3.8.13-xenomai-r86 wireguard wireguard-dkms wireguard-tools. Say Yes. After some churning, wireguard will be installed. If you're feeling adventurous, you can also do a sudo apt upgrade to get all the security updates.

Step 3: Generate your client public/private keys for your Kiwi. Set the umask to keep your private key secure. This will create your public and private keys.

debian@kiwisdr:~$ (umask 077 && wg genkey > wg-private.key)
debian@kiwisdr:~$ wg pubkey < wg-private.key > wg-public.key

Step 4: Create the wireguard configuration file in /etc/wireguard/wg0.conf. Must use sudo. Change your IP network and private client key, and the public server key and endpoint. Don't use DNS for the endpoint, as the tunnel may come up before DNS works.

debian@kiwisdr:~$ sudo vim /etc/wireguard/wg0.conf
Address =

AllowedIPs =
Endpoint =
PersistentKeepalive = 25

Step 5: Add the Kiwi's public key and private IP address to your wireguard server configuration file. This typically means adding another [peer] section to the wg0.conf file on the server. Don't forget to restart wireguard on the server to reload the conf file!

Step 6: Back on your KiwiSDR, start the wireguard service, and double check that it's connected to your server.

debian@kiwisdr:~$ sudo wg-quick up wg0
debian@kiwisdr:~$ sudo wg
interface: wg0
 private key: (hidden)
 listening port: 39608

 allowed ips:
 latest handshake: 1 minute, 6 seconds ago
 transfer: 235.28 KiB received, 2.40 MiB sent
 persistent keepalive: every 25 seconds

Step 7: Enable wireguard via systemctl so it will automatically start on boot.

sudo systemctl enable wg-quick@wg0

That's all. I've successfully done this on two KiwiSDRs, it works pretty well. Hopefully this helps you.


  • Hi @KF6ZEO thanks for sharing your guide! Wireguard good and fast VPN technology supporting on many different OS and popular routers - Mikrotik ROS7, OpenWRT & etc.

    73! Yuri

Sign In or Register to comment.