Now that public Wi-Fi hotspots have become the norm, the need for a secure and reliable Virtual Private Network (VPN) has never been greater. Public Wi-Fi networks, though convenient, often expose users to security risks, leaving sensitive data open to eavesdropping. Running your own VPN adds a layer of protection by encrypting your online activity and shielding your personal information from those threats. Now consider the added advantage of hosting that VPN on a Raspberry Pi at home: it is a cheap, easy, low-power solution. You can use any version of the Raspberry Pi, but one with Ethernet is recommended because the connection is more stable. Even the lightweight Raspberry Pi Zero W will work.

This guide not only discusses the significance of having a personal VPN in public spaces but also provides a step-by-step walkthrough for setting up a WireGuard VPN on a Raspberry Pi, ensuring that your online experiences on public networks remain private, secure, and under your control.

Introduction To VPN

A VPN works by routing your internet traffic through a server. This server acts as a surrogate, masking your actual IP address and creating a veil of anonymity. The focus of this tutorial, however, is on letting you use public Wi-Fi hotspots securely. Public Wi-Fi is often unsecured and allows packet sniffing and other threats, leaving you vulnerable to data theft. With a VPN, your traffic is encrypted and attackers on the network are unable to eavesdrop on it.

Setting Up Hostname for Dynamic DNS

If you are hosting this server at your house, there is a high chance that you have a Dynamic IP Address. A dynamic IP address changes from time to time, generally when the router is restarted. When hosting a server, you need the IP to be static or you need a DDNS. If you have a static IP address then this section is not necessary.

With DDNS, a client installed on the server regularly informs a DDNS server about its current IP address. The DDNS server then updates the DNS records associated with your chosen domain name ensuring that the domain always points to the correct IP address, even if it changes.

1. Create No-IP Account

Create an account at No-IP. They have a free version; the only downside is that you will have to log in and verify your account every 30 days. It only takes a few seconds, and they send you a reminder e-mail to do it.

  • When you first log in, it will ask you how you plan to use their service. Select Remote Access.
  • Choose the free service.
  • On the left-hand side, select Dynamic DNS, then No-IP Hostnames.
  • Click Create Hostname.
  • In the hostname field, enter your desired name and select a Domain that you like. The IP Address field should have auto-populated with your IP; if it didn't, make sure to enter it.

2. Download & Install No-IP Script

Download and install the auto-update script on your Raspberry Pi. This ensures that the No-IP service stays updated with your current IP address. First, create a directory for the No-IP script:

$ mkdir /home/$(whoami)/noip && cd /home/$(whoami)/noip

Download the No-IP script by running the following wget command and untar it:

$ wget https://www.noip.com/client/linux/noip-duc-linux.tar.gz
$ tar vzxf noip-duc-linux.tar.gz

Next, navigate into the directory that was just extracted:

$ cd noip-2.1.9-1

Now you will need to install the application using the following commands:

$ sudo make
$ sudo make install

During the make install you will be prompted for your No-IP username and password. It will also ask you how often you want the update to happen and you must choose 5 minutes or more. This is how often the script will send your IP address to No-IP ensuring that your hostname is always pointing to the correct IP address.

3. Run The Script

To run the script type the following:

$ sudo /usr/local/bin/noip2

This script will not run automatically at start-up, so if you reboot your Raspberry Pi you'll need to run the command above again after boot. If you want the script to run automatically at start-up (which I suggest), add it to the rc.local file by typing:

$ sudo nano /etc/rc.local

Then add sudo /usr/local/bin/noip2 BEFORE the exit 0 line in the file.

Installing Docker

We will be using a Docker container for WireGuard. If you don't have Docker installed, run the following command to download and install it:

$ curl -sSL https://get.docker.com | sh

Once Docker is installed, add your non-root user to the docker group so that it can run docker commands without sudo. Membership in this group is effectively root access on the Pi, so add only accounts you trust.

$ sudo usermod -aG docker $(whoami)
$ exit

Once exited you will need to log in again.

Installing WireGuard

To automatically install and run WireGuard simply copy and paste the following. Make sure to set <YOUR_HOSTNAME> to your WAN or DDNS hostname and set <YOUR_ADMIN_PASSWORD> to your desired password for the WireGuard Web UI account:

$ docker run -d \
  --name=wg-easy \
  -e WG_HOST=<YOUR_HOSTNAME> \
  -e PASSWORD=<YOUR_ADMIN_PASSWORD> \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  weejewel/wg-easy

WireGuard will use port 51820 (UDP) for the VPN and port 51821 (TCP) for the Web UI. Make sure to forward UDP traffic for port 51820 on your router. Port 51821 does not need to be forwarded, since the Web UI is accessed from your local network. Every router is different, so search for instructions for your specific model.

Configuring Clients

The great thing about WireGuard is that it is usable on just about every platform, including but not limited to PC, macOS, iOS devices, Android devices, and Linux. You can download the client app for your devices from their respective app stores or through WireGuard's Installation Page.

To access the Web UI to configure and add clients, go to your Raspberry Pi's local IP address (not your WAN IP address). If you don't know it, use the ifconfig command to retrieve it. Go to the following address and enter the Admin password you chose in the last section:

http://<RaspberryPI_Local_IP>:51821

You can now add a user/client:

Click on + New and enter the name of the user you'd like to add. There are a couple of options to the right of the user you created; for iOS and Android devices, click on the QR Code icon.

For iOS or Android devices, open the WireGuard application. In the top right corner, tap the + and then Create From QR Code, and scan the QR code shown in the Web UI.

For other devices such as laptops, you will download the config file for the user and then add it to the client application on the laptop or other device.
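
Before relying on a downloaded config file on public Wi-Fi, it is worth confirming that it sends all traffic through the tunnel to your own server. The following check is an added example, not part of the original guide or of wg-easy; the function names, the hostname myhome.ddns.net and the sample config are assumptions constructed for illustration.

```shell
# Added example: audit a WireGuard client config downloaded from the Web UI.
# audit_client_conf FILE HOST  (FILE may be "-" for stdin); returns 0 when all
# IPv4 traffic is routed to HOST on UDP 51820, else 1. WARN lines are advisory.
audit_client_conf() {
    awk -v want="$2" '
        { gsub(/[ \t\r]/, "") }                      # drop whitespace and CRs
        /^\[/ { section = $0; next }                 # [Interface] or [Peer]
        /^#/ || index($0, "=") == 0 { next }         # comments, blank lines
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            if (section == "[Interface]" && key == "DNS") dns = val
            if (section == "[Peer]" && key == "AllowedIPs") allowed = "," val ","
            if (section == "[Peer]" && key == "Endpoint") endpoint = val
        }
        END {
            if (index(allowed, ",0.0.0.0/0,") == 0) { print "FAIL AllowedIPs lacks 0.0.0.0/0: only part of the traffic uses the tunnel"; fail = 1 }
            if (index(allowed, ",::/0,") == 0)
                print "WARN AllowedIPs lacks ::/0: IPv6 traffic is not routed into the tunnel"
            if (endpoint != (want ":51820")) { print "FAIL Endpoint is \"" endpoint "\", expected " want ":51820"; fail = 1 }
            if (dns == "")
                print "WARN no DNS line: lookups use the resolver handed out by the hotspot"
            if (!fail) print "OK full tunnel to " endpoint
            exit fail + 0
        }
    ' "$1"
}

# Constructed sample in wg-quick format; keys are placeholders and
# myhome.ddns.net is an assumed DDNS hostname. $1 sets AllowedIPs.
sample_conf() {
    cat <<EOF
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
AllowedIPs = $1
Endpoint = myhome.ddns.net:51820
EOF
}

sample_conf '0.0.0.0/0, ::/0' | audit_client_conf - myhome.ddns.net
sample_conf '10.8.0.0/24' | audit_client_conf - myhome.ddns.net || true
```

To check a real file, run audit_client_conf with the path of the downloaded config and your own hostname in place of the sample values.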

You can now connect to public Wi-Fi hotspots and not have to worry about eavesdropping!