Building a Simple VPN with WireGuard with a Raspberry Pi as Server

For anyone else wanting to set this up at home, I’d recommend installing the vyatta-wireguard module [1] on an EdgeRouter X instead. It costs about the same as a Raspberry Pi, and you get a reliable network appliance with four gigabit ports and PoE, rather than a general purpose Linux box with graphics and USB. I’ve found the WireGuard module to be fast enough to keep up with my 100/40 Mbps internet connection, and now when my Linux server goes down, the network it’s connected to stays up.

[1]: https://github.com/Lochnair/vyatta-wireguard

0xEFF · 6 years ago

I upgraded from an ER-X to an ER-4 because the X can’t do full 1000 Mbit with PPPoE fiber without hardware offload. With hardware offload turned on there’s a bug in the hardware that causes some sites, most notably Netflix, to not route at all.

The ER-4 has been great with the Cavium hardware. No hardware offload issues like this.

Edit: The ER-X tops out around 500 Mbit with hardware offload turned off.

msh · 6 years ago

Huh. I have a er-x with hardware offloading turned on. I have noticed no issues with netflix.

I get about 900 megabit on my gigabit fiber.

whalesalad · 6 years ago

Love my ER-4 and all its offloading capabilities. I just wish it had a switch chip so you could bridge ports without a performance penalty.

bisby · 6 years ago

I had an ER Lite, and hardware offload was re-validating packets. Things would come in as error, and come out the other side still invalid, but validated. And at the time my ISP was sending me a lot of uncorrectable errors. So a lot of services would refuse to run with hardware offload on, because the errors weren't being handled. (with it off, the errors were identified as errors and handled. slow, but accurate).

Then the pole outside my house got hit by lightning and fried the thing, and I replaced it with something from mikrotik.

axiomdata316 · 6 years ago

I have this router and set up the wg interface but got stuck at how to route all my home traffic through wg. Any recommendations on how to troubleshoot this part?

mchristen · 6 years ago

I believe you can do this with policy based routing rules. Effectively you create a second routing table where the default route goes through your wireguard device and then you create firewall modify rules that assign traffic to that routing table by source, your local LAN range and interface in this case.

The following article has an example of using policy based routing. Your setup isn't all that different, you don't need to have more than one default route in each routing table is all and you also might only need one additional route table.

https://help.ubnt.com/hc/en-us/articles/204952274-EdgeMAX-Po...

sjy · 6 years ago

As suggested in the sibling comment, use policy-based routing, specifically something like:

    set protocols static table <table-number> interface-route 0.0.0.0/0 next-hop-interface wg1

jotef · 6 years ago

I recommend following this blog post. Helped me a lot: https://andrew.dunn.dev/posts/wireguard-from-your-isp/

karlshea · 6 years ago

Be careful with this module, lots of the `set` and `delete` commands aren't quite working right yet, leading to some commit failed errors for me. I was trying to get something working and ended up with an ERX that couldn't pass traffic last night. Luckily I had a serial-to-USB cable so I could fix it.

tssva · 6 years ago

That's partially my fault. I wrote a lot of the configuration command stuff for that module and there are a couple of bugs when it comes to validation for setting and deleting items so you can get yourself in a bad position. Plus there are some issues with EdgeOS which this seems to trigger.

I migrated from Wireguard to ipsec quite a long time ago because it was less complicated for my particular needs. It has probably been close to 2 years. No one else seems to have taken up resolving the lingering problems with the configuration issues.

Would a Pi4 be able to handle being both a VPN and a pihole, or should these be two separate boxes?

willis936 · 6 years ago

I set my Pi4 up with wireguard+pihole recently. I think pihole does nothing 99.99% of the time, so I can’t speak to how performance is in worst case scenarios, but wireguard seems fine. I get about 25 Mbps up/down (speedtest.net with a single client, so assume it’s 25 Mbps aggregate. Not a lot for hefty file transfers but comfy enough for VNC to multiple hosts. The big win is in decreased latency. I don’t have good quantifications of this beyond speedtest.net run from my work. 5 ms with no VPN. 82 ms using my router’s OpenVPN. 24 ms using Pi4 wireguard. These were just single runs so the strong law of small numbers may apply. I know iperf is more scientific, but I wanted a quick, empirical full internet test. My home internet is 550 Mbps down / 36 Mbps up.

Full data (iPhone 11 client at work):

No VPN: 145 / 139 / 5

Router OpenVPN: 25 / 6 / 82

pi4 wireguard: 24 / 27 / 24

1996 · 6 years ago

Could you recommend something that would have 2x NVME for the home internet part?

RK3399 based boards are interesting but there is only 1x NVME on the Rockpi4 NVME extender.

The Nvidia Jetson nano extenders use USB3, which is not acceptable for the usecase

doctoboggan · 6 years ago

Is your no vpn sample still on the same home network? Or are you comparing your mobile data or another network to your home network (through vpn)

If the former is true, that seems like quite a significant penalty to pay for using wg.

steve19 · 6 years ago

The hit you are taking seems larger than it should be. Have you tried different speedtest severs?

eximius · 6 years ago

Yes.

Being a VPN and a DNS server are both extremely light weight tasks that use (mostly) orthogonal resources (VPN = IO, DNS ~ fairly small IO and CPU).

j1elo · 6 years ago

Been using the Pi1 for a couple years now with OpenVPN and Pihole, never had problems (though the only one using the VPN is me, at any time), so I'd say the Pi4 should be more than capable :-)

jwcrux · 6 years ago

I run both on my Pi4 and still have plenty of resources to spare.

yomansat · 6 years ago

I run both, along with docker on a Pi Zero and there's still some RAM to spare.

0xADEADBEE · 6 years ago

Yep! This is how I started out (I run it one a VPS now so I'm not tied to my home network) and it works fine. The only limit you're likely to run into is your blocklists filling RAM. I have a 5M+ long blocklist and it won't fit into 1GB, so you might want to spec up a little bit in that area, depending on how block-happy you are.

giancarlostoro · 6 years ago

I run mine as both a OpenHAB and as PiHole server. I dont see why not. Of course a VPN might be slightly more involved. I am thinking of splitting it up and doing a VPN with PiHole though so I can get access to my internal network to manage OpenHAB remotely. I want my OpenHAB Pi to be stand alone.

samueldamon · 6 years ago

I have the original Pi 3. It handles both of these tasks just fine and with throughput to spare.

acarl005 · 6 years ago

I'm running both on a Pi 2 (without a heat sink).

brentjanderson · 6 years ago

Cool project - if you're looking to set up a secure VPN in a quick, no-nonsense way, be sure to look at [Algo](https://github.com/trailofbits/algo). Does WireGuard (and IPSec if you want), only secure, sane defaults, and nothing more. Hands down the easiest, most secure way to setup a modern VPN in a few minutes. Far better than using some random anonymous VPN service running out of some random person's closet that's.

gmac · 6 years ago

Or even quicker (no need to deal with Ansible) for IKEv2 IPSec only, my Bash script: https://github.com/jawj/IKEv2-setup

nreece · 6 years ago

+1 for Algo. I've been using it since last year on a VM (took under 5 minutes to setup), for firewall access (SSH, RDP, DBs etc.) to work servers.

Works great for secure access from anywhere when working remotely or travelling.

oddly · 6 years ago

Also check out Streisand[0] if you're interested in this.

[0] https://github.com/StreisandEffect/streisand

A question for people with experience in this area:

I've been considering setting up WireGuard so I can keep my mobile phone always connected to my home network.

Will I experience degraded network performance (either latency or bandwidth) if I have my mobile phone always connected to a VPN 24/7?

My phone is an iPhone 11 Pro and I would be running WireGuard on a Pi4

JeremyNT · 6 years ago

I do this (with OpenVPN / Android, but same idea) and the main factor that limits my own performance is the poor upload speeds of my residential cable subscription. For many residential services, you're looking at asymmetrical up/down speeds, and they usually advertise the higher download number only.

This is normally fine since you most people download way more than they upload and don't run servers in their homes, but when you route everything through your home, you may be limited by upload speeds.

fulafel · 6 years ago

Depends on how you want to use it.

If you want all your network traffic to go via your home network instead of normally over the internet, you will experience degraded network performance and it'll mostly depend on how fast your home network is & how far it is network-topologically from your phone.

tyingq · 6 years ago

Some bandwidth and latency downgrade seems certain. Google, Netflix, and others invest a lot to cache content closer to your phone. A VPN circumvents that approach. The experience, though, is individual enough, that nothing other than trying it would tell if it it's "good enough" for you.

nucleardog · 6 years ago

You don't have to route all your traffic through the VPN (though it's unclear from the question whether or not that's the goal). If he only wants access to resources on his home network, it's entirely feasible to set that up while still routing other traffic out through the public internet via your ISP/carrier.

jonstewart · 6 years ago

I do this fairly often with an Algo vpn. Sometimes the initial connection setup suffers, but there can be a gain from adblocking if you use PiHole.

I’ve had to turn it off a few times when some apps do geo-ip lookup and give me errors about not knowing whether I’m in the US. Otherwise the main drawback is battery usage.

Yeah I should have mentioned above but one of the reasons I want to do this is for pihole on the go. How much more battery usage would you estimate your setup causes?

ekianjo · 6 years ago

No degraded performance in my experience, at least not visibly. Only drawback is more battery consumption.

About how much more consumption?

moreorless · 6 years ago

I do this. Wireguard's iOS app with connect on demand is great. I get very close to the full speed of my home connection.

tenant · 6 years ago

I have beeen looking at setting up a vpn to be able to hook up my pc to the office network. I don't know a whole lot about it but I ended up trying out Softether for the job just this weekend. It's a free and opensource project from the University of Tsukuba, Japan. It promises that it can achieve speeds far higher than Openvpn. It was really just a click next, next type setup both on client and server which was the reason I went for it over openvpn which seemed more complicated and would require me to handle DNS stuff etc. I was impressed that I was able to get it up and run a desktop application designed for a local network with a minimal increase in lagginess. I'd value the opinions of people more knowledgeable than I who may have tried it.

dfc · 6 years ago

It looks like softether is just a management GUI / framework that handles a bunch of different underlying VPN products/standards? The README says the following are supported "SSL-VPN, OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP by the single SoftEther VPN Server program." Looking at the documentation for client setup it looks like you just setup an IPSEC client.

saltspork · 6 years ago

I believe SoftEther has its own userspace implementation of all of these protocols + NAT.

eyegor · 6 years ago

Certainly not an expert but I switched from openvpn to softether for personal use back in 2015-16 out of curiosity, saw substantially lower latency. I see openvpn as the samba of vpn servers. Huge hassle to configure for performance, so much history that searching when you have issues is difficult.

Glad to hear of someone using it for a while and who's impressed with it. I've only used it a very little bit but I was very impressed, I think I'm going to dive into it deeper now.

fnord77 · 6 years ago

riston · 6 years ago

I have been using ZeroTier(https://www.zerotier.com/) much simpler solution to setup.

Naac · 6 years ago

Doesn't sound like it's Open Source to me.

"A commercial license is only needed if you want to offer a paid network management service or embed it into a proprietary device or app."

I would stay away from software that wants to restrict how you use it.

whycombagator · 6 years ago

From their site:

> commercial license is only needed if you want to offer a paid network management service or embed it into a proprietary device or app.

A cursory look suggests that it's open source, with restrictions that they clearly list on their site here[0]. I get your point, but I personally don't mind if a business open sources their software and allows free use of it for non commercial cases.

[0] https://www.zerotier.com/pricing/

nerdkid93 · 6 years ago

Their library version is GPL-3.0, so I'd say while everything might not be open source, some of their utilities are: https://github.com/zerotier/libzt

nif2ee · 6 years ago

> Doesn't sound like it's Open Source to me

Your parent's comment didn't even mention the open source issue here. Stop harassing startups with open source products just because you make 6 figure merely doing nothing all year.

iampims · 6 years ago

You could also use https://tailscale.com which has, subjectively, a much nicer UI and iOS integration.

als0 · 6 years ago

What's the throughput like on a Raspberry Pi?

probablyexists · 6 years ago

I was only able to get ~60mbps with OpenVPN through a hard wired Raspberry Pi 3 connected to Google Fiber, due to limitations of its bus.

The 4 is supposed to be actual gigabit, but I have not yet tried it out to confirm.

eatbitseveryday · 6 years ago

I'm trying to set it up on a RPI4 as an 802.11ac wireless router, to verify this. If it manages 100mbps+ then it'll be a cheap replacement for my current router.

tjoff · 6 years ago

OpenVPN is extremely slow, same setup with wireguard is guaranteed to be much faster.

vardump · 6 years ago

Raspberry Pi 3 can do at least 250 Mbps. Perhaps it's limited by something else, like crypto or your actual connection?

I just ran iperf from my Pi4 to my Ubuntu VM in the same LAN five minutes ago. 850 Mbps symmetric with no VPN.

kingosticks · 6 years ago

Which bus limits to 60mbps? The USB limitation shouldn't be anywhere near that low.

themattress · 6 years ago

I’ve been using a pi3 for about a year as a full time VPN on my cell phone and laptops.

3 is only 100mbit eth, but I’ve had almost no issues with it. Connects fast, no problem streaming HD video or cloning huge git repos. Maybe when I get home today I’ll take some measurements.... But my biggest issue is the trash Powerline Ethernet between my router and rest of my network.

I have issues with my wireless signal just crapping out from out of nowhere from time to time. Usually in specific spots in my home. I setup a repeater (thinking a mesh network might be the better choice, but this was a much cheaper temporary solution) but it still sometimes happens. The ethernet is fine on the other hand.

I run OpenHAB and Pi-Hole all on a RPi3 on ethernet, no issues so far.

Here is someone's benchmark from reddit: https://www.reddit.com/r/WireGuard/comments/eeafds/wireguard... (tl;dr "Avg: 829 Mbps")

Hamuko · 6 years ago

That's for a Raspberry Pi 4, which should have a pretty drastic performance difference from the Raspberry Pi 3 mentioned in the article since only one of those has proper gigabit Ethernet.

It does seem pretty good though. I'm having trouble getting past 25 Mb/s in, 100 Mb/s out on my Edgerouter X.

liv-io · 6 years ago

For anyone who wants to operate it in a broader scale: https://github.com/liv-io/ansible-roles-centos/tree/master/w...