Configure Raspberry Pi WireGuard client
Reconfigure Traefik to enable WireGuard client
pi make traefik config
? Traefik:
  > Config
    Install (make install)
    Admin
    Exit (ESC)
? Traefik Configuration:
  ^ Entrypoints (including dashboard)
    TLS certificates and authorities
    Middleware (including sentry auth)
  > Advanced Routing (Layer 7 / Layer 4 / WireGuard)
    Error page template
    Logging level
    Access logs
? Traefik routes
    Configure layer 7 TLS proxy
    Configure layer 4 TCP/UDP proxy
  > Configure wireguard VPN
? Should this Traefik instance connect to a wireguard VPN?
    No, Traefik should use the host network directly.
    Yes, and this Traefik instance should start the wireguard server.
  > Yes, but this Traefik instance needs credentials to connect to an outside VPN.
There is an important choice to make regarding how you want the network of the Pi to be set up:
? Should Traefik bind itself exclusively to the VPN interface?
    No, Traefik should work on all host interfaces (including the VPN).
  > Yes, Traefik should only listen on the VPN interface.
- Do you still want to be able to access the Pi directly from your LAN, without needing to go through the sentry? Perhaps you won't always have internet access and you still want to access these services? If so, choose No.
- The more secure option is to choose Yes and always go through the sentry. This will block access between the Pi and your LAN. You should
Regardless of this choice, the SSH service will be provided to the LAN, so you can change this setting at any time.
Finish entering your wireguard client settings by copying them from the temporary buffer you saved them in:
TRAEFIK_VPN_CLIENT_INTERFACE_ADDRESS: Enter the wireguard client Interface Address (e.g., 10.13.16.2) : 10.13.16.2
TRAEFIK_VPN_CLIENT_INTERFACE_PRIVATE_KEY: Enter the wireguard PrivateKey (ends with =) : 2E1vQHCS5JuaoRrt21GO0bYVrafOhplrGNFqoFBivEY=
TRAEFIK_VPN_CLIENT_INTERFACE_LISTEN_PORT: Enter the wireguard listen port (e.g., 51820) : 51820
TRAEFIK_VPN_CLIENT_PEER_PUBLIC_KEY: Enter the Peer PublicKey (ends with =) : AZiNh/5sk71QTy6Rk0ygzIUsSGAX8/s3EeGN6lT9oj0=
TRAEFIK_VPN_CLIENT_PEER_PRESHARED_KEY: Enter the Peer PresharedKey (ends with =) : tEIW8FuxR6I+Qu79bORatbD+JgNPeigNvc9V18f7to8=
TRAEFIK_VPN_CLIENT_PEER_ENDPOINT: Enter the Peer Endpoint (host:port) : sentry.example.com:51820
TRAEFIK_VPN_CLIENT_PEER_ALLOWED_IPS: Enter the Peer AllowedIPs (e.g., 10.13.16.1/32) : 10.13.16.1/32
Reinstall Traefik
Press ESC twice to go back to the main menu, then re-install:
? Traefik:
    Config
  > Install (make install)
    Admin
    Exit (ESC)
Once reinstalled, press ESC to quit the config tool.
Test VPN connectivity
Check the logs:
pi make traefik logs service=wireguard-client
wireguard-client-1 | 2024-09-28T08:42:09.445201647Z **** All tunnels are now active ****
Enter the wireguard client shell to test networking parameters:
pi make traefik shell service=wireguard-client
Show the connected wireguard peers:
wg
The output of wg should show the peer and the latest handshake time, for example:
latest handshake: 45 seconds ago
If you do not see a handshake time, then there is some kind of problem connecting to the WireGuard server that you need to resolve.
Ping the WireGuard server (10.13.16.1):
ping -c3 10.13.16.1
When you are done using the shell, press Ctrl-D or type exit to quit.
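As an added example (not part of this guide), here is a small Python checker that automates the handshake test above: it parses the output of `wg show wg0 dump` from inside the wireguard-client shell and flags a peer that has never handshaked, a handshake that has gone stale, or an AllowedIPs value that differs from the one you entered. It assumes the interface is named wg0, a 180-second staleness threshold, and a constructed sample dump in which the client's public key and the sentry's resolved endpoint are placeholders.

```python
import sys
import time
from collections import namedtuple

# Expected sentry peer, from the TRAEFIK_VPN_CLIENT_* values entered above.
EXPECTED_PEER_PUBLIC_KEY = "AZiNh/5sk71QTy6Rk0ygzIUsSGAX8/s3EeGN6lT9oj0="
EXPECTED_ALLOWED_IPS = "10.13.16.1/32"
# Assumed threshold: with keepalive on, WireGuard re-handshakes about every two
# minutes, so an older handshake means the tunnel is not passing traffic.
MAX_HANDSHAKE_AGE = 180
# latest_handshake is unix epoch seconds; 0 means the peer has never handshaked.
Peer = namedtuple("Peer", "public_key endpoint allowed_ips latest_handshake")

def parse_wg_dump(dump):
    """Parse `wg show wg0 dump`: line 1 is the interface; each later line is a peer:
    public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        f = line.split("\t")
        peers.append(Peer(f[0], f[2], f[3], int(f[4])))
    return peers

def check_tunnel(dump, now):
    """Return the problems found; an empty list means the client looks healthy."""
    sentry = [p for p in parse_wg_dump(dump) if p.public_key == EXPECTED_PEER_PUBLIC_KEY]
    if not sentry:
        return ["sentry peer not configured: check TRAEFIK_VPN_CLIENT_PEER_PUBLIC_KEY"]
    p, problems = sentry[0], []
    if p.allowed_ips != EXPECTED_ALLOWED_IPS:
        problems.append(f"AllowedIPs is {p.allowed_ips}, expected {EXPECTED_ALLOWED_IPS}")
    if p.latest_handshake == 0:
        problems.append(f"no handshake with {p.endpoint} yet: check endpoint, keys and firewall")
    elif now - p.latest_handshake > MAX_HANDSHAKE_AGE:
        problems.append(f"last handshake {now - p.latest_handshake}s ago: tunnel is stale")
    return problems

# Constructed sample of `wg show wg0 dump` (the client public key is a placeholder).
SAMPLE_DUMP = (
    "2E1vQHCS5JuaoRrt21GO0bYVrafOhplrGNFqoFBivEY=\t<client-public-key>\t51820\toff\n"
    "AZiNh/5sk71QTy6Rk0ygzIUsSGAX8/s3EeGN6lT9oj0=\ttEIW8FuxR6I+Qu79bORatbD+JgNPeigNvc9V18f7to8="
    "\t203.0.113.10:51820\t10.13.16.1/32\t1727512884\t1512\t2836\t25\n"
)

if __name__ == "__main__":
    # In the container: `wg show wg0 dump | python3 check_wg.py`; with no piped input, use the sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for line in check_tunnel(dump, int(time.time())) or ["tunnel OK"]:
        print(line)
```

The sample handshake timestamp is 45 seconds before the log time shown above, so it reports healthy when checked at that moment and stale once the page's threshold has passed.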
Check that whoami is available publicly
In the last chapter you created a layer 7 route for the URL https://whoami.pi.example.com. Now that your wireguard connection is active on both ends, it should be publicly accessible. Test the URL in your personal web browser.
Next steps
- Set up public SSH.
- Install core services.
- Install apps.