JustToThePoint English Website Version
JustToThePoint en español
JustToThePoint in Thai

Installing, configuring, and using VPN with WireGuard, Duckdns, OpenVPN, and PiVPN

A VPN protects your privacy. It separates your location from your data. It is basically a secure tunnel between you and the Internet, so all your traffic is encrypted.

This article is based on our articles Samba, Docker, Docker compose, Portainer, Shell In A Box, Webtop, and Nextcloud in the Pi and Dotfiles with Git + GNU Stow. Servers: Syncthing, Docker, Pi-hole, OpenVPN..

  1. Go to the duckdns website, register your subdomain (justtothepoint.duckdns.org), and retrieve your token.

  2. Second, let’s create a folder in the home directory (mkdir duckdns), go inside it, and create a folder (mkdir config) where all the duckdns configuration data will reside.

  3. Finally, navigate to your “Portainer dashboard”, Pi’s address:9000, Stacks, Add a stack. Type “duckdns” in the Name field, copy and paste the following configuration into the Web editor and click on Deploy the stack.

---
version: "2.1"
services:
  duckdns:
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    environment:
      - PUID=1001 # User PUID, just type in the terminal: id
      - PGID=1001 # Group PGID
      - TZ=Europe/Madrid # It sets the timezone for your location.
      - SUBDOMAINS=justtothepoint # The domain that you have just registered in Duck Dns.
      - TOKEN=YOUR-DUCK-DNS-TOKEN
      - LOG_FILE=false #optional
    volumes:
      - /home/pi/duckdns/config:/config #optional
    restart: unless-stopped
  1. First, let’s create a folder in the home directory (mkdir wireguard), go inside it, and create a folder (mkdir config) where all the wireguard configuration data will reside.

  2. Navigate to your “Portainer dashboard”, Pi’s address:9000, Stacks, Add a stack. Type “wireguard” in the Name field, copy and paste the following configuration into the Web editor and click on Deploy the stack.

    ---
    version: "2.1"
    services:
      wireguard:
        image: lscr.io/linuxserver/wireguard
        container_name: wireguard
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        environment:
          - PUID=1001 # User PUID, just type in the terminal: id
          - PGID=1001 # Group PGID
          - TZ=Europe/Madrid # It sets the timezone for your location.
          - SERVERURL=192.168.1.7
    

    This is the most important one. If your clients are outside of your network, you should type your external IP or domain name for your docker host. If you set it to auto, the container will try to determine and set the external IP automatically. If your clients are outside your private network, this is the way to go.

    On the other side, if your clients are inside your private network, this is the Pi’s IP address in the local network.

    If you have a dynamic external IP address which changes quite often, you can use DuckDNS, e.g., SERVERURL=justtothepoint.duckdns.org

          - SERVERPORT=51820
          - PEERS=2 # It is the number of peers to create confs for, i.e., how many devices you want to use Wireguard on
          - PEERDNS=auto # It uses the wireguard pre-configured DNS.
    

    You may want to use Google Public DNS Servers: PEERDNS=8.8.8.8,8.8.4.4

          - INTERNAL_SUBNET=10.13.13.0 #optional
          - ALLOWEDIPS=0.0.0.0/0 #optional
        volumes:
          - /home/pi/wireguard/config:/config # This is the bridge between the path for your data storage on your host container (/home/pi/wireguard/config) and your container configuration folder.
          - /lib/modules:/lib/modules #do not change
        ports:
          - 51820:51820/udp # -p <external>:<internal>, it exposes the (internal) port 51820 to be accesible from the host's IP on (external) port 51820 outside the container.
        restart: always
    
  3. You will need to port forward your port 51820 from your Router to your Raspberry Pi’s IP address. Typically, open your browser and go to your router’s IP address, e.g., 192.168.1.1, Ports (Puertos): you will need to give your forward a name (Nombre regla de puertos), set the Local IP as your PI’s IP Address (Dirección IP, 192.168.1.7), Protocol (UDP), Abrir Puerto/Rango Externo (WAN, 51820:51820), Abrir Puerto/Rango Interno (LAN, 51820:51820) -Set the Port Range and the Local Port as 51820-

  4. Configure your clients.

    [email protected]:~/wireguard/config$ sudo ls peer1
    #  We can see the public and private keys and a QR code png. 
    peer1.conf  peer1.png  presharedkey-peer1  privatekey-peer1  publickey-peer1
    
    [email protected]:~/wireguard/config$ docker exec -it wireguard /app/show-peer 1 
    # You could see the QR code for peer 1.
    

    To configure your client, go to WireGuard, Installation. There are clients for Windows, macOS, Ubuntu, Android, iOS, etc., e.g., you can install the Wireguard application from the Play Store, then launch it and click on the + plus button, SCAN FROM QR CODE.

    Let’s configure a WireGuard Peer client in Ubuntu. A. Ubuntu client. Install the necessary packages:

       sudo apt install wireguard resolvconf
    

    B. Raspberri Pi. Copy remotely the configuration file to the client.

      scp ~/wireguard/config/peer1/peer1.conf [email protected]~/peer1.conf. 
    

    C. Ubuntu client. Copy the WireGuard Peer’s Configuration File to its proper location:

      sudo cp peer1.conf /etc/wireguard/wg0.conf 
    

    D. Ubuntu client. Start the tunnel by running the following: wg-quick up wg0

  1. Download openvpn-install.sh script to set up your OpenVPN server: wget https://git.io/vpn -O openvpn-install.sh.
  2. Make it executable and run it: sudo chmod +x openvpn-install.sh, sudo bash openvpn-install.sh.
  3. IPv4: Server IP’s address, e.g., 192.168.1.48. Protocol: UDP. Port: 1194. DNS server for the clients: Google is usually a good choice. A name for the first client: client.
  4. Restart the OpenVPN service: sudo systemctl restart openvpn. Check its status: sudo systemctl status openvpn.
  5. If you have UFW enabled, you will need to add a rule to the firewall to allow the port 1194 to make the connection: sudo ufw allow 1194/udp.
  6. Is the server listening in this port? sudo netstat -anp | grep openvpn.
  7. Get the client configuration file: sudo passwd root; su -; cp client.ovpn /home/myUser and transfer it to the client’s machine.
  8. On the client side, install TunnelBlink and open client.ovpn in TunnelBlink.
  1. PiVPN is designed for Raspberry Pi. Download a script and start the install process: curl -L https://install.pivpn.io | bash.

  2. Interface: eth0/wlan, Do you want to use your current network settings as a static address? 192.168.1.7/24. Yes. Basically, it confirms your current IP address for your Raspberry Pi. Enter your desired IPv4 default gateway: 192.168.0.1 (Router’s IP address).

  3. Choose a user: pi.

  4. Unattended Upgrades (OK), Protocol (UDP), OpenVPN Port: 1194.

  5. Public IP or DNS: type your static IP (If you don’t know it yet, you can use services like WhatIsMyIp.com ). Obviously, you need a static public IP. Otherwise, you will use a free dynamic DNS service, such as NoIP.com or Duck DNS, and port forward the VPN traffic to your Raspberry Pi in your router. In this case, select DNS Entry. What is the public DNS name of this Server? justtothepoint.ddns.net (a more detailed explanation will be given further in step 9).

  6. DNS Provider for your VPN clients: Google.

  7. Create a client ovpn profile: pivpn add (client). It will generate a client.ovpn for that client in /home/pi/ovpns. You’ll need this to log in on each client device.

  8. Let’s configure the client. Copy the VPN client configuration file from the Raspberry PI:

    scp [email protected]:~/ovpns/client.ovpn . 
    

    scp [source [email protected]]:/[source directory and file name] [destination directory]). Install TunnelBlink in the client computer and open client.ovpn in TunnelBlink. Test: ping 10.8.0.1 (VPN private IP).

  9. If you don’t have a static IP, you need a dynamic DNS provider. Let’s see no-ip.com: Dynamic DNS, Create Hostname: Hostname (justtothepoint), Domain (ddns.net), Record Type (DNS Host(A)), IPv4 Address (your IP).

    Dynamic DNS is a service for allowing an Internet domain name (e.g., justtothepoint.ddns.net) to be assigned to a computer with dynamic IP addresses.

  10. Access your router: http://192.168.1.1. Advanced configuration, Advanced Setup, DNS, Dynamic DNS: D-DNS provider (No-IP), Hostname (justtothepoint.ddns.net), NOIP Setting (NoIP’s user and password).

  11. Setting up port forwarding for dynamic dns. Port Forwarding (Puertos), Create a port forwarding rule. Name (Nombre Regla de Puertos: VPN), Private IP Address (Dirección IP: Raspberry’s IP), Public Port (Abrir Puerto/Rango externo: 1194), Private Port (Abrir Puerto/Rango interno: 1194), Protocol (UDP). Router Configuration

    Router Configuration

  12. Go to your Android device, first install and then launch the OpenVPN Connect app. OPVN Profile, Import Profile (You need to copy the OpenVPN configuration file “client.ovpn” to your Android and navigate to the folder where you have saved the file).

Uninstall VPN: pivpn uninstall. List connected clients: pivpn clients.

Credits:

  1. geetkland, Instalar y configurar el servicio DNS dinámico Duck DNS con Docker, Instalar y configurar el servidor VPN Wireguard con Docker
  2. ADDICTED2TECH, HOME VPN USING WIREGUARD DOCKER ON A RASPBERRY PI 4
Bitcoin donation

JustToThePoint Copyright © 2011 - 2022 Anawim. ALL RIGHTS RESERVED. Bilingual e-books, articles, and videos to help your child and your entire family succeed, develop a healthy lifestyle, and have a lot of fun.

This website uses cookies to improve your navigation experience.
By continuing, you are consenting to our use of cookies, in accordance with our Cookies Policy and Website Terms and Conditions of use.