Configure Raspberry Pi WireGuard client

Reconfigure Traefik to enable WireGuard client

Run this on the Raspberry Pi
pi make traefik config
(stdout)
? Traefik:
> Config
  Install (make install)
  Admin
  Exit (ESC)

? Traefik Configuration:
^ Entrypoints (including dashboard)
  TLS certificates and authorities
  Middleware (including sentry auth)
> Advanced Routing (Layer 7 / Layer 4 / WireGuard)
  Error page template
  Logging level
  Access logs

? Traefik routes
  Configure layer 7 TLS proxy
  Configure layer 4 TCP/UDP proxy
> Configure wireguard VPN

? Should this Traefik instance connect to a wireguard VPN?
  No, Traefik should use the host network directly.
  Yes, and this Traefik instance should start the wireguard server.
> Yes, but this Traefik instance needs credentials to connect to an outside VPN.

? Should Traefik bind itself exclusively to the VPN interface?
> No, Traefik should work on all host interfaces (including the VPN).
  Yes, Traefik should only listen on the VPN interface.

TRAEFIK_VPN_CLIENT_INTERFACE_ADDRESS: Enter the wireguard client Interface Address (e.g., 10.13.16.2)

: 10.13.16.2

TRAEFIK_VPN_CLIENT_INTERFACE_PRIVATE_KEY: Enter the wireguard PrivateKey (ends with =)

: 2E1vQHCS5JuaoRrt21GO0bYVrafOhplrGNFqoFBivEY=

TRAEFIK_VPN_CLIENT_INTERFACE_LISTEN_PORT: Enter the wireguard listen port (e.g., 51820)

: 51820

TRAEFIK_VPN_CLIENT_PEER_PUBLIC_KEY: Enter the Peer PublicKey (ends with =)

: AZiNh/5sk71QTy6Rk0ygzIUsSGAX8/s3EeGN6lT9oj0=

TRAEFIK_VPN_CLIENT_PEER_PRESHARED_KEY: Enter the Peer PresharedKey (ends with =)

: tEIW8FuxR6I+Qu79bORatbD+JgNPeigNvc9V18f7to8=

TRAEFIK_VPN_CLIENT_PEER_ENDPOINT: Enter the Peer Endpoint (host:port)

: sentry.example.com:51820

TRAEFIK_VPN_CLIENT_PEER_ALLOWED_IPS: Enter the Peer AllowedIPs (e.g., 10.13.16.1/32)

: 10.13.16.1/32

Reinstall Traefik

Press ESC twice to go back to the main menu, then re-install:

(stdout)
? Traefik:
  Config
> Install (make install)
  Admin
  Exit (ESC)

Once reinstalled, press ESC to quit the config tool.

Test VPN connectivity

Check the logs:

Run this on the Raspberry Pi
pi make traefik logs service=wireguard-client
(stdout)
wireguard-client-1  | 2024-09-28T08:42:09.445201647Z **** All tunnels are now active ****

Enter the WireGuard client shell to test networking parameters:

Run this on the Raspberry Pi
pi make traefik shell service=wireguard-client

Show the connected WireGuard peers:

Run this in the WireGuard Client shell
wg
Look for the last handshake time

The output of wg should show the peer and the latest handshake time, for example:

latest handshake: 45 seconds ago

If you do not see a handshake time, then there is some kind of problem connecting to the WireGuard server that you need to resolve.
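
An added example, not part of the original guide or the project's own code: a shell function that turns the handshake check above into a pass/fail test by parsing the output of `wg show all latest-handshakes`. The interface name `wg0`, the 180-second threshold, the placeholder keys and the availability of `awk` in the shell are assumptions; an idle tunnel with no keepalive traffic can legitimately show an older handshake.

```shell
#!/bin/sh
# Added example (not from the original page): flag WireGuard peers whose
# latest handshake is missing or too old.
#
# Input on stdin is the format of `wg show all latest-handshakes`:
#   <interface> TAB <peer-public-key> TAB <unix-epoch-of-latest-handshake>
# An epoch of 0 means the peer has never completed a handshake.
#
# Usage inside the client shell (180 s is an assumed threshold):
#   wg show all latest-handshakes | check_handshakes "$(date +%s)" 180

# check_handshakes NOW MAX_AGE
# Prints one status line per peer; returns 1 if any peer is NEVER or STALE,
# or if a line is MALFORMED, otherwise returns 0.
check_handshakes() {
    awk -v now="$1" -v max="$2" '
        NF != 3 || $3 !~ /^[0-9]+$/ { print "MALFORMED line " NR; bad = 1; next }
        $3 == 0 { print "NEVER", $1, $2; bad = 1; next }
        {
            age = now - $3
            if (age < 0) age = 0          # clock skew: treat as fresh
            if (age > max) { print "STALE", $1, $2, age "s"; bad = 1 }
            else           { print "OK", $1, $2, age "s" }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample dump. The interface name wg0 is an assumption; the first
# key is the example peer key shown on this page, the others are placeholders.
sample_dump() {
    printf 'wg0\t%s\t%s\n' \
        'AZiNh/5sk71QTy6Rk0ygzIUsSGAX8/s3EeGN6lT9oj0=' 999955 \
        'PLACEHOLDER_STALE_PEER_KEY=' 999000 \
        'PLACEHOLDER_NEVER_PEER_KEY=' 0
}
```

A `NEVER` line corresponds to the case described above where `wg` shows no handshake time at all.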

Ping the WireGuard server (10.13.16.1):

Run this in the WireGuard Client shell
ping -c3 10.13.16.1

When you are done using the shell press Ctrl-D or type exit to quit.

Check that whoami is available publicly

In the last chapter you created a layer 7 route for the URL https://whoami.pi.example.com. Now that your WireGuard connection is active on both ends, it should be publicly accessible. Test the URL in your personal web browser.

Next steps

  • Set up public SSH.
  • Install core services.
  • Install apps.