[Solved] Trying Wireguard and setting it up only for local access from outside

I have been following the great interest in WireGuard and I can see that it is planned to be added to DietPi in the next release, if I have understood correctly (https://github.com/Fourdee/DietPi/pull/2398).

I have a free Raspberry Pi 3B+ available and would like to test it. However, I don't know how to do it. Is there an easy way to download a beta image to put on an SD card and try it?

Reading the GitHub discussion, it seems that WireGuard will be set up so that all traffic goes through the VPN server.

I would like instead to install WireGuard on a clean install of DietPi with, for instance, MotionEye. My ideal setup would be that I can connect from my phone via WireGuard to the Raspberry Pi server's address and port to see the MotionEye web server, but all the other internet traffic on my phone (like Facebook, for instance) is not also routed to the Raspberry Pi server. That should go through my normal available internet connection (wifi or mobile data). I have drawn a simple scheme to hopefully help understand what I mean:

Would that be possible?

Thank you very much in advance.

Garret
The WireGuard install option was already added to the Beta, that was released yesterday. Follow these steps to update to Beta branch: https://github.com/Fourdee/DietPi/blob/beta/BRANCH_SYSTEM.md
However, do a dietpi-backup first and note that it is still a testing branch. But we would assist you quickly if you run into any issue related to the changes we made with this Beta.
More info about the current Beta: https://github.com/Fourdee/DietPi/issues/2415

Yep, the default client config we currently create on install forwards all traffic through the VPN tunnel. But it is veeery easy to adjust that. My aim is also to add some alternative commented settings blocks to enable other client use cases.

Currently in the client config /etc/wireguard/wg0-client.conf you will find the line: AllowedIPs = 0.0.0.0/0
Before applying it to your mobile, replace it with AllowedIPs = 192.168.1.0/24 to only forward access to your local network through the tunnel.
If you only need access to the MotionEye server on the RPi, set it to:
AllowedIPs = 192.168.1.3/32
Perhaps it can be even limited to only a certain port, but not sure currently.

The DNS = line, btw., is optional and leads to the client using the server's DNS nameserver itself. If you want to stay with the default DNS server of your mobile, simply comment out or remove this line.

After you have made the adjustments you need, it is very easy to apply those settings to your mobile. Run: qrencode -t ansiutf8 < /etc/wireguard/wg0-client.conf
You will see a QR code which can be scanned by the mobile WireGuard app :slight_smile:.
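As an added example (not DietPi's installer code, which generates the config described above), the following Python rewrites a wg-quick client config the way the post describes: it replaces the [Peer] AllowedIPs line, comments out the [Interface] DNS line unless told to keep it, and preserves comments and ordering so the result can still be piped into qrencode. It also adds the check a practitioner wants before scanning the result: a DNS = line pointing at an address outside AllowedIPs cannot be reached through the narrowed tunnel, so name resolution on the phone would silently fail. The sample config is constructed to match this thread (placeholder keys and endpoint).

```python
"""Rewrite a DietPi-style wg0-client.conf for split tunnelling.

Added example, not DietPi's installer code. It changes the two settings
discussed above (the [Peer] AllowedIPs line and the [Interface] DNS line)
while preserving comments and ordering, and checks that any DNS server
left in the config is still reachable through the narrowed tunnel.
"""
import ipaddress
from typing import Iterator, List, Optional, Tuple

# Constructed sample shaped like the generated client config; the keys and
# endpoint are placeholders, the addresses are the ones used in the thread.
SAMPLE_CONF = """\
[Interface]
# The address must be unique for each client
Address = 10.8.0.2/24
PrivateKey = HIDDEN
DNS = 192.168.1.1

[Peer]
PublicKey = HIDDEN
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = HIDDEN:51820
"""


def _lines(conf: str) -> Iterator[Tuple[Optional[str], Optional[str], Optional[str], str]]:
    """Yield (section, key, value, raw_line); key/value are None for headers, comments and blanks."""
    section = None
    for raw in conf.splitlines():
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
            yield section, None, None, raw
        elif not s or s.startswith("#") or "=" not in s:
            yield section, None, None, raw
        else:
            key, value = (part.strip() for part in s.split("=", 1))
            yield section, key.lower(), value, raw


def get_value(conf: str, section: str, key: str) -> Optional[str]:
    """First value of key in section, or None (a commented-out line does not count)."""
    for sec, k, v, _ in _lines(conf):
        if sec == section.lower() and k == key.lower():
            return v
    return None


def _networks(value: str) -> list:
    # strict=False masks host bits (192.168.1.3/24 -> 192.168.1.0/24), as WireGuard itself does.
    return [ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",") if p.strip()]


def split_tunnel(conf: str, allowed: List[str], keep_dns: bool = False) -> str:
    """Return conf with AllowedIPs set to `allowed`; the DNS line is commented out unless keep_dns."""
    nets = _networks(", ".join(allowed))  # validate the prefixes before touching the file
    out = []
    for sec, key, _, raw in _lines(conf):
        if sec == "peer" and key == "allowedips":
            out.append("AllowedIPs = " + ", ".join(str(n) for n in nets))
        elif sec == "interface" and key == "dns" and not keep_dns:
            out.append("#" + raw)  # the phone keeps its own resolver
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def dns_reachable(conf: str) -> Optional[bool]:
    """None if there is no DNS line; otherwise whether every resolver address lies inside AllowedIPs."""
    dns = get_value(conf, "interface", "dns")
    if dns is None:
        return None
    nets = _networks(get_value(conf, "peer", "allowedips") or "")
    for entry in (e.strip() for e in dns.split(",") if e.strip()):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # wg-quick also accepts search domains here; nothing to route for those
        if not any(n.version == addr.version and addr in n for n in nets):
            return False
    return True


if __name__ == "__main__":
    for name, allowed, keep in (("LAN only", ["192.168.1.0/24"], False),
                                ("server only, DNS kept", ["192.168.1.2/32"], True)):
        new = split_tunnel(SAMPLE_CONF, allowed, keep_dns=keep)
        print(f"--- {name}: DNS reachable through tunnel: {dns_reachable(new)}")
        print(new)
```

Two caveats worth keeping in mind with this approach. First, narrowing AllowedIPs to the server's single address (192.168.1.2/32 here) while keeping DNS = 192.168.1.1 leaves the resolver outside the tunnel, which the check above reports as False; either drop the DNS line or include the resolver's address in AllowedIPs. Second, AllowedIPs only takes address prefixes, so restricting access to one port cannot be expressed in the client config; that is a job for a firewall rule on the server's WireGuard interface.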

Sorry for using this thread, but I cannot get the QR code to work. After running the QR command, the QR code seems wrong. Anyone else have the same issue?

Hi fredamn76, today I finally had time to update DietPi and install WireGuard. I also tried the qrencode application but, probably because I am using PuTTY, I get the QR code printed in the terminal, which is not usable. I tried to use the "-o" option to save the QR code as an image, but Windows cannot open the image file. So in the end I solved it by manually copying the content of /etc/wireguard/wg0-client.conf onto my Android phone.

However, now I have another issue that MichaIng might solve quite easily. I wanted to set up WireGuard as I wrote in my first post. Everything seems fine. On my Android phone I can connect to the WireGuard server. If I go to 192.168.1.1 I can enter the web page of my router, but if I go to 192.168.1.3 (the Raspberry Pi WireGuard server) I cannot log in, for instance, to Sonarr or Radarr installed locally on the Raspberry Pi. So it seems that the Android client on 4G (so in an external network) only sees the router but not all the other devices connected to my home LAN.

This is how I set up the /etc/wireguard/wg0-client.conf

[Interface]
# The address must be unique for each client, use "10.8.0.3/24" for the second client and so on.
Address = 10.8.0.2/24
PrivateKey = HIDDEN
# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 192.168.1.1

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will most likely not work on mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --d$
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --$

[Peer]
PublicKey = HIDDEN
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#       AllowedIPs = 192.168.1.0/24
# Tunnel access to VPN server only:
#       AllowedIPs = 192.168.1.2/32
AllowedIPs = 192.168.1.0/24
Endpoint = HIDDEN:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25

I am very close to getting everything working but still miss something :face_with_raised_eyebrow:

Hmm, here running the QR code command on PuTTY (Windows client) works very well. Not sure how different terminals and/or monitors and/or mobile phone cameras might affect this, but since the code is printed quite large and clear on my PuTTY… :thinking:

What does the mobile client say when attempting to scan?

Yeah of course, if it does not work, manually copying the wg0-client.conf is the working alternative.

Garret
From your generated client config it looks like the WireGuard server runs on 192.168.1.2, not 192.168.1.3 :thinking:.

I will also run some test here tomorrow.

You are right. It was my mistake. The Raspberry Pi server is 192.168.1.2 and not 192.168.1.3.

I think I might have solved the mystery. In your first post you write to set AllowedIPs = 192.168.1.0/24. In this way I could only see 192.168.1.1 from my Android phone when on 4G.
I changed it to AllowedIPs = 192.168.1.0/32 and now I can see, for instance, the Radarr or Bazarr web interface when connecting to 192.168.1.2.

Actually on your post about v.20 https://dietpi.com/forum/t/dietpi-software-details-for-all-installation-options/22/127 you write to set the AllowedIPs with 32 in the end.

What do you think?

EDIT: I marked it as solved because it seems to be working fine. I just have some Docker containers with Transmission, and while I can access 192.168.1.2:9091 from my local network, on my phone entering that address says there is no connection. It seems like the Docker containers are not touched by WireGuard. I only miss this one thing, because otherwise I can ping all the devices on my home network. For example, I have an OctoPrint server on 192.168.1.32 and I can see the web interface from my phone on 4G.

In CIDR classes, the /24 leaves 256 total addresses with a netmask of 255.255.255.0 (minus the gateway and the broadcast IPs, so a total of 254 assignable addresses)

A CIDR class of /32 netmask is 255.255.255.255 and usually has only 2 workable IPs for routers, as in it only has the ability to send to one and receive from one…

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks

Most of the "non-routable" addresses such as 192.168.., 127.0.. are netmasked 255.255.255.0, or /24 class

Thank you WarHawk I have never been good with network stuff.

Do you have any idea why I cannot see my Docker container from WireGuard? In particular I am using this Docker container https://github.com/haugene/docker-transmission-openvpn

Unknown… possibly a port not in the WireGuard config?

https://www.reddit.com/r/docker/comments/aanilx/wireguard_server_configuration/

Not up to speed on wireguard…

Indeed strange. Actually AllowedIPs = 192.168.1.0/32 should not forward all 192.168.1.X addresses through the VPN.
AllowedIPs = 192.168.1.1/32 e.g. should forward this one exact address only, AFAIK, so should only allow to access the VPN server machine, if it has this particular IP.

Need to check here if /24 somehow allows local network access but not the VPN machine itself.
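As MichaIng says above, AllowedIPs decides which destinations enter the tunnel, and prefix length only sets how many addresses match. The following added Python (not from the thread or the DietPi project) makes that concrete by reproducing WireGuard's cryptokey routing in miniature: an outgoing packet is handed to the peer whose AllowedIPs contains its destination (longest prefix wins), and a destination no peer covers never enters the tunnel. By these rules 192.168.1.0/32 matches the single address 192.168.1.0 and nothing else, while 192.168.1.0/24 covers 192.168.1.2 and 192.168.1.32 but not a public address; subnet conventions about network, broadcast or gateway addresses play no role in this lookup. The server-side peer table at the end assumes the usual one-peer-per-client layout in which each client is listed with its tunnel address as a /32; all inputs are constructed from the addresses used in this thread.

```python
"""Which destinations does an AllowedIPs line actually send through the tunnel?

Added example, not from the thread or DietPi. It models WireGuard's
cryptokey routing: for an outgoing packet, pick the peer whose AllowedIPs
contains the destination, preferring the longest matching prefix; with no
match the packet is not tunnelled at all.
"""
import ipaddress
from typing import Dict, List, Optional


def parse_allowed_ips(value: str) -> list:
    """'192.168.1.0/24, ::/0' -> list of ip_network objects (host bits masked, as WireGuard does)."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",") if p.strip()]


def route_for(dst: str, peers: Dict[str, str]) -> Optional[str]:
    """Name of the peer that receives a packet for dst, or None if it stays outside the tunnel."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, allowed in peers.items():
        for net in parse_allowed_ips(allowed):
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def tunnelled(allowed: str, dst: str) -> bool:
    """Client view: a single peer (the server) with the given AllowedIPs line."""
    return route_for(dst, {"server": allowed}) is not None


def covered_hosts(allowed: str) -> int:
    """Number of IPv4 addresses an AllowedIPs line admits: /24 -> 256, /32 -> 1."""
    return sum(n.num_addresses for n in parse_allowed_ips(allowed) if n.version == 4)


if __name__ == "__main__":
    # Constructed destinations: router, Pi/VPN server, OctoPrint box, a public address.
    targets = ("192.168.1.1", "192.168.1.2", "192.168.1.32", "8.8.8.8")
    for allowed in ("192.168.1.0/24", "192.168.1.0/32", "192.168.1.2/32", "0.0.0.0/0, ::/0"):
        hits: List[str] = [d for d in targets if tunnelled(allowed, d)]
        print(f"{allowed:18} admits {covered_hosts(allowed):>10} v4 addresses; tunnelled: {hits}")
    # Server side with one peer per client (assumed layout): the client's /32 picks the reply path.
    clients = {"phone": "10.8.0.2/32", "laptop": "10.8.0.3/32"}
    print("reply to 10.8.0.3 goes to peer:", route_for("10.8.0.3", clients))
```

The longest-prefix rule is also why a server can list a catch-all peer and a specific one without ambiguity: a peer with 10.8.0.2/32 wins over one with 0.0.0.0/0 for that one address.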

Hey MichaIng, actually after re-reading what WarHawk and you wrote and the content of wg0-client.conf, it is true: having AllowedIPs = 192.168.1.0/32 does not make sense, because it should be, as you wrote in the first post, AllowedIPs = 192.168.1.0/24.

I simply don't understand. It is working for me, but now it is more important for me to understand why it is working and why following what wg0-client.conf suggests instead does not make it work.

Did you have time to do some test?

I re-attached my wg0-client.conf:

[Interface]
# The address must be unique for each client, use "10.8.0.3/24" for the second client and so on.
Address = 10.8.0.2/24
PrivateKey = HIDDEN
# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 192.168.1.1

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will most likely not work on mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --d$
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --$

[Peer]
PublicKey = HIDDEN
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#       AllowedIPs = 192.168.1.0/24
# Tunnel access to VPN server only:
#       AllowedIPs = 192.168.1.2/32
AllowedIPs = 192.168.1.0/32
Endpoint = HIDDEN

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25

And this is how my WireGuard client on my Android phone is configured. Actually, you will notice that here I had not changed AllowedIPs from /24 to /32.

I just wanted to come back to the discussion. I don't know if something happened with updates or not, but now everything seems to work as it theoretically should. I mean that now having AllowedIPs = 192.168.1.0/24 on both the server and the client allows me to access the whole LAN at home (including the Raspberry Pi where DietPi with WireGuard is sitting). So I confirm that it is now fully solved.

Garret
Thanks for reporting back. v6.22 brings some other enhancements to the generated client configs to have every client as a separate peer and allow concurrent connections. However, existing configs are never touched by any install/reinstall step.