Wireguard server + OpenVPN client, again

Hello, hope it’s ok to bump this old topic, but I solved it! I ditched OpenVPN entirely, configuring my Raspberry Pi 3 as both WireGuard client and server according to this guide: Reddit - Dive into anything

Now from my phone I have access to my local DietPi services like Nextcloud, while my external IP appears that of my ProtonVPN.

Update: You can even use dietpi-software to do most of the config work!

  1. Using dietpi-software, install WireGuard as client.

  2. Grab the WireGuard config file from your VPN provider and put it in the folder /etc/wireguard/. To avoid confusion (when selecting interface to bind in qbittorrent :slight_smile:) name it vpn-client.conf

  3. Modify vpn-client.conf: under section [Interface] add line: FwMark = 51820. I think this can be anything (correct me if I’m wrong) but this value is recognizable as the default WireGuard port. Don’t forget to activate it with sudo systemctl enable --now wg-quick@vpn-client

  4. Using dietpi-software, install PiVPN, using WireGuard, using port 51821 to avoid conflict (assuming your vpn-client.conf is configured with default port 51820).

  5. Modify the WireGuard server config, /etc/wireguard/wg0.conf. Add the following lines under [Interface]:

FwMark = 51820

# forwarding
PostUp  = iptables -A FORWARD -o eth0 ! -d 192.168.100.0/24 -j REJECT
PostUp  = iptables -A FORWARD -i %i -j ACCEPT
PostUp  = iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp  = iptables -A FORWARD -j REJECT
PreDown = iptables -D FORWARD -o eth0 ! -d 192.168.100.0/24 -j REJECT
PreDown = iptables -D FORWARD -i %i -j ACCEPT
PreDown = iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -D FORWARD -j REJECT

# NAT
PostUp  = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp  = iptables -t nat -A POSTROUTING -o vpn-client -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o vpn-client -j MASQUERADE

where 192.168.100.1/24 is my own local network, although I understand more commonly people have 192.168.0.1/24; and eth0 is the interface through which my Raspberry gets its internet (in my case an Ethernet connection).

  6. Now generate your (phone) client config as usual with pivpn add.

  7. On your (phone) client install the config (easiest with pivpn -qr if the WireGuard app lets you scan QR codes) and activate tunnel.

  8. On your (phone) client with tunnel activated verify: 1) you can access DietPi ssh, services, admin webpage etc.; 2) you can access the Internet for normal browsing; 3) your IP address appears to be that from your VPN provider (not your phone’s IP as it appears without the tunnel, and not your home network’s external IP!)
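As an added example (not from the original post or from DietPi/PiVPN), the following POSIX shell script checks the two WireGuard configs from the steps above before you enable them: both [Interface] sections carry an FwMark, the client and server ListenPort values do not collide, and the server's PostUp rules still contain the "! -d LAN -j REJECT" rule and the final FORWARD REJECT that stop phone traffic from leaving through eth0 instead of the VPN tunnel. The file contents, key placeholders, the 10.2.0.0/10.6.0.0 tunnel addresses and the example endpoint are all constructed for the demo; on a real box point the checks at the files in /etc/wireguard/.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a WireGuard
# client config and a PiVPN server config before enabling both on one box.
# File contents, key placeholders and tunnel addresses below are constructed
# for the demo; on a real DietPi point the checks at /etc/wireguard/*.conf.

# Print the value of key $2 from the [Interface] section of config $1
# (first match; accepts "Key = value" and "Key=value").
wg_iface_value() {
    awk -v key="$2" '
        /^\[/ { in_iface = ($0 == "[Interface]"); next }
        in_iface && $0 ~ ("^" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# Check the pair: both tunnels carry an FwMark (so each tunnel's own UDP
# packets escape the other tunnel's catch-all route), the two ListenPorts do
# not collide, and the server's PostUp rules keep forwarded traffic off the
# uplink except for the LAN ($3), so phone traffic can only leave via the VPN.
check_wg_pair() {
    client=$1; server=$2; lan=$3; status=0
    [ -n "$(wg_iface_value "$client" FwMark)" ] ||
        { echo "$client: FwMark missing under [Interface]"; status=1; }
    [ -n "$(wg_iface_value "$server" FwMark)" ] ||
        { echo "$server: FwMark missing under [Interface]"; status=1; }
    cport=$(wg_iface_value "$client" ListenPort)
    sport=$(wg_iface_value "$server" ListenPort)
    if [ -n "$cport" ] && [ "$cport" = "$sport" ]; then
        echo "both configs listen on UDP $cport; pick another port for the server"
        status=1
    fi
    grep -q "^PostUp.*FORWARD.*! -d $lan -j REJECT" "$server" ||
        { echo "$server: no PostUp rule rejecting non-$lan traffic out of the uplink"; status=1; }
    grep -q "^PostUp.*FORWARD -j REJECT" "$server" ||
        { echo "$server: no final PostUp REJECT for the FORWARD chain"; status=1; }
    return $status
}

# Write constructed sample configs into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/vpn-client.conf" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.2.0.2/32
DNS = 10.2.0.1
FwMark = 51820
ListenPort = 51820

[Peer]
PublicKey = PROVIDER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
EOF
    cat > "$dir/wg0.conf" <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.6.0.1/24
ListenPort = 51821
FwMark = 51820
PostUp  = iptables -A FORWARD -o eth0 ! -d 192.168.100.0/24 -j REJECT
PostUp  = iptables -A FORWARD -i %i -j ACCEPT
PostUp  = iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp  = iptables -A FORWARD -j REJECT
PostUp  = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp  = iptables -t nat -A POSTROUTING -o vpn-client -j MASQUERADE

[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.2/32
EOF
    # A broken server config: same port as the client, no FwMark, no REJECT rules.
    cat > "$dir/wg0-bad.conf" <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.6.0.1/24
ListenPort = 51820
PostUp  = iptables -A FORWARD -i %i -j ACCEPT
EOF
    printf '%s\n' "$dir"
}

# Run the checks on the constructed samples when WG_CHECK_DEMO=1 is set.
if [ "${WG_CHECK_DEMO:-0}" = 1 ]; then
    d=$(make_samples)
    check_wg_pair "$d/vpn-client.conf" "$d/wg0.conf" 192.168.100.0/24 && echo "good pair: OK"
    check_wg_pair "$d/vpn-client.conf" "$d/wg0-bad.conf" 192.168.100.0/24 || echo "bad pair: rejected"
    rm -rf "$d"
fi
```

Run it as WG_CHECK_DEMO=1 sh wg-check.sh to see the constructed good pair pass and the broken one fail, or source it and call check_wg_pair /etc/wireguard/vpn-client.conf /etc/wireguard/wg0.conf 192.168.100.0/24 on the real files. The script only reads the configs; it never touches the live iptables rules.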
