Now that public Wi-Fi hotspots have become the norm, the need for a secure and reliable Virtual Private Network (VPN) has never been more crucial. Public Wi-Fi networks, though convenient, often expose users to potential security risks, leaving sensitive data vulnerable to prying eyes and malicious intent. Establishing your own VPN adds an invaluable layer of protection, encrypting your online activities and shielding your personal information from potential threats. Now, envision the added advantage of hosting this protective barrier on a Raspberry Pi at your home! It is a cheap, easy, low-power solution. You can use any version of the Raspberry Pi; however, it is recommended to use one with Ethernet, as the connection is more stable. You can even use the lightweight Raspberry Pi Zero W.
This guide not only discusses the significance of having a personal VPN in public spaces but also provides a step-by-step walkthrough for setting up a WireGuard VPN on a Raspberry Pi, ensuring that your online experiences on public networks remain private, secure, and under your control.
Table of Contents
- Introduction to VPN
- Setting Up Hostname for Dynamic DNS
- Installing Docker
- Installing WireGuard
- Configuring Clients
A VPN works by routing your internet traffic through a server. This server acts as a surrogate, masking your actual IP address and creating a veil of anonymity. However, this tutorial focuses on letting you use public Wi-Fi hotspots and remain secure. Public Wi-Fi is often unsecured and allows packet sniffing and other threats, making you vulnerable to data theft. With a VPN, your traffic will be encrypted and any attackers will be unable to eavesdrop on it.
If you are hosting this server at your house, there is a high chance that you have a dynamic IP address. A dynamic IP address changes from time to time, generally when the router is restarted. When hosting a server, you need the IP to be static or you need Dynamic DNS (DDNS). If you have a static IP address, this section is not necessary.
With DDNS, a client installed on the server regularly informs a DDNS server about its current IP address. The DDNS server then updates the DNS records associated with your chosen domain name ensuring that the domain always points to the correct IP address, even if it changes.
1. Create No-IP Account
Create an account at No-IP. They have a free version; the only downside is that you will have to log in and verify your account every 30 days. It only takes a few seconds, and they send you a reminder e-mail to do it.
- When you first log in, it will ask you how you plan to use their service. Select
- Choose the free service.
- On the left hand side select
- In the `hostname` field enter your desired name and select a `Domain` that you like. The IP Address field should have auto-populated with your IP; if it didn't, make sure to enter it.
2. Download & Install No-IP Script
Download and install the auto-update script on your Raspberry Pi; this will ensure that the No-IP service stays updated with your current IP address. You'll need to create a directory for the No-IP script:
$ mkdir /home/$(whoami)/noip && cd /home/$(whoami)/noip
Download the No-IP script by running the following `wget` command and untar it:
$ wget https://www.noip.com/client/linux/noip-duc-linux.tar.gz
$ tar vzxf noip-duc-linux.tar.gz
Next navigate to the directory you just created:
$ cd noip-2.1.9-1
Now you will need to install the application using the following commands:
$ sudo make
$ sudo make install
During `make install` you will be prompted for your No-IP username and password. It will also ask you how often you want the update to happen, and you must choose 5 minutes or more. This is how often the script will send your IP address to No-IP, ensuring that your hostname is always pointing to the correct IP address.
3. Run The Script
To run the script type the following:
$ sudo /usr/local/bin/noip2
This script will not auto-run at start. So if you have to reboot your Raspberry Pi, you'll need to run the command above after boot-up. If you want to auto-run the script at startup (which I suggest), add it to the `rc.local` file by typing:
$ sudo nano /etc/rc.local
Add `sudo /usr/local/bin/noip2` BEFORE the `exit 0` line in the file.
We will be using a Docker container for WireGuard. If you don't have Docker installed, run the following command to download and install it:
$ curl -sSL https://get.docker.com | sh
Once Docker is installed, add your non-root user to the docker group so that it can run docker commands:
$ sudo usermod -aG docker $(whoami)
Once you have exited, you will need to log in again for the group change to take effect.
To automatically install and run WireGuard, simply copy and paste the following. Make sure to set `<YOUR_HOSTNAME>` to your WAN or DDNS hostname and set `<YOUR_ADMIN_PASSWORD>` to your desired password for the WireGuard Web UI account:
$ docker run -d \
-e WG_HOST=<YOUR_HOSTNAME> \
-e PASSWORD=<YOUR_ADMIN_PASSWORD> \
-v ~/.wg-easy:/etc/wireguard \
-p 51820:51820/udp \
-p 51821:51821/tcp \
--restart unless-stopped \
WireGuard will use port 51820 for the VPN and port 51821 for the Web UI. Make sure to port forward UDP traffic for port 51820 on your router; the Web UI on port 51821 is reached from your local network and does not need to be forwarded. Every router is different, so search for instructions for your specific router.
The great thing about WireGuard is that it is usable on just about every platform, including but not limited to: PC, Mac OS X, iOS devices, Android devices, Linux, and many more. You can download the client app for your devices in their respective app stores or through WireGuard's Installation Page.
To access the Web UI to configure and add clients, go to your Raspberry Pi's local IP address (not your WAN IP address). If you don't know it, use the `ifconfig` command to retrieve it. Go to the following site and enter the Admin password you chose in the last section:
You can now add a user/client:
Click on `+ New` and add the name of the user you'd like to add. There are a couple of options to the right of the user you created; for iOS and Android devices, click on the QR Code icon.
For iOS or Android devices, open up the WireGuard application. In the top right corner click the `+` and tap `Create From QR Code`, then scan the QR code that is in the Web UI.
For other devices such as laptops, download the `config` file for the user and then add it to the client application on the laptop or other device.
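Before relying on a downloaded client file on public Wi-Fi, it is worth checking that it sends all traffic through the tunnel and points at the DDNS hostname from the Dynamic DNS section on UDP port 51820. The Python check below is an added example, not part of the original guide or of the WireGuard project; the sample file, the hostname `myvpn.example.net` and the function name `audit_client_conf` are assumptions, and it expects a client file with a single `[Peer]` section.

```python
import configparser
import ipaddress

# Constructed sample; keys are placeholders, the hostname is hypothetical.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myvpn.example.net:51820
"""


def audit_client_conf(text, expected_host, expected_port=51820):
    """Return a list of findings; an empty list means the file passes."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    if not (cp.has_section("Interface") and cp.has_section("Peer")):
        return ["missing [Interface] or [Peer] section"]
    findings = []
    # Full tunnel: anything outside AllowedIPs leaves over the hotspot in clear.
    nets = {ipaddress.ip_network(n.strip(), strict=False)
            for n in cp["Peer"].get("AllowedIPs", "").split(",") if n.strip()}
    if ipaddress.ip_network("0.0.0.0/0") not in nets:
        findings.append("AllowedIPs lacks 0.0.0.0/0 (split tunnel)")
    if ipaddress.ip_network("::/0") not in nets:
        findings.append("AllowedIPs lacks ::/0 (IPv6 bypasses the tunnel)")
    # Without DNS the client may keep using the hotspot's resolver.
    if not cp["Interface"].get("DNS", "").strip():
        findings.append("no DNS set in [Interface]")
    # Endpoint: DDNS name and forwarded UDP port, not an IP that goes stale.
    host, _, port = cp["Peer"].get("Endpoint", "").strip().rpartition(":")
    host = host.strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        kind = "private LAN" if ip.is_private else "literal"
        findings.append(f"Endpoint is a {kind} IP, not the DDNS hostname")
    elif host.lower() != expected_host.lower():
        findings.append(f"Endpoint host {host!r} is not {expected_host!r}")
    if port != str(expected_port):
        findings.append(f"Endpoint port {port!r} is not {expected_port}")
    return findings
```

Call `audit_client_conf(open(path).read(), "<YOUR_HOSTNAME>")` on each downloaded file; an empty list means the full-tunnel, DNS and endpoint checks all passed.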
You can now connect to public Wi-Fi spots and not have to worry about eavesdropping!