A VPN protects your privacy. It hides your real location and IP address from the services you use. It is basically a secure tunnel between you and the Internet, so all your traffic is encrypted.
This article is based on our articles Samba, Docker, Docker compose, Portainer, Shell In A Box, Webtop, and Nextcloud in the Pi and Dotfiles with Git + GNU Stow. Servers: Syncthing, Docker, Pi-hole, OpenVPN.
Go to the DuckDNS website, register your subdomain (justtothepoint.duckdns.org), and retrieve your token.
Second, create a folder in the home directory (mkdir duckdns), go inside it, and create a folder (mkdir config) where all the DuckDNS configuration data will reside.
Finally, navigate to your “Portainer dashboard”, Pi’s address:9000, Stacks, Add a stack. Type “duckdns” in the Name field, copy and paste the following configuration into the Web editor and click on Deploy the stack.
```yaml
---
version: "2.1"
services:
  duckdns:
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    environment:
      - PUID=1001 # User PUID, just type in the terminal: id
      - PGID=1001 # Group PGID
      - TZ=Europe/Madrid # It sets the timezone for your location.
      - SUBDOMAINS=justtothepoint # The subdomain that you have just registered in DuckDNS.
      - TOKEN=YOUR-DUCK-DNS-TOKEN
      - LOG_FILE=false #optional
    volumes:
      - /home/pi/duckdns/config:/config #optional
    restart: unless-stopped
```
First, create a folder in the home directory (mkdir wireguard), go inside it, and create a folder (mkdir config) where all the WireGuard configuration data will reside.
Navigate to your “Portainer dashboard”, Pi’s address:9000, Stacks, Add a stack. Type “wireguard” in the Name field, copy and paste the following configuration into the Web editor and click on Deploy the stack.
```yaml
---
version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001 # User PUID, just type in the terminal: id
      - PGID=1001 # Group PGID
      - TZ=Europe/Madrid # It sets the timezone for your location.
      - SERVERURL=192.168.1.7 # The most important setting, see the notes below.
      - SERVERPORT=51820
      - PEERS=2 # The number of peers to create confs for, i.e., how many devices you want to use WireGuard on.
      - PEERDNS=auto # It uses the WireGuard pre-configured DNS, see the notes below.
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
    volumes:
      - /home/pi/wireguard/config:/config # The bridge between the data storage path on your host (/home/pi/wireguard/config) and the container's configuration folder.
      - /lib/modules:/lib/modules #do not change
    ports:
      - 51820:51820/udp # -p <external>:<internal>: it exposes the container's (internal) port 51820 on the host's IP at (external) port 51820, so it is accessible from outside the container.
    restart: always
```
SERVERURL is the most important setting. If your clients connect from outside your network, set it to your external IP address or to a domain name that points at your Docker host. If you set it to auto, the container tries to determine the external IP automatically and uses it; this is the way to go when your clients are outside your private network.
If, on the other hand, your clients are inside your private network, use the Pi's IP address in the local network (192.168.1.7 above).
If you have a dynamic external IP address that changes quite often, use DuckDNS, e.g., SERVERURL=justtothepoint.duckdns.org
PEERDNS: you may want to use Google Public DNS servers instead: PEERDNS=8.8.8.8,8.8.4.4
You will need to forward port 51820 on your router to your Raspberry Pi's IP address. Typically, open your browser, go to your router's IP address, e.g., 192.168.1.1, and open Ports (Puertos): give the forwarding rule a name (Nombre regla de puertos), set the Local IP to your Pi's IP address (Dirección IP, 192.168.1.7), set the Protocol to UDP, and set both the external port range (Abrir Puerto/Rango Externo, WAN) and the internal port range (Abrir Puerto/Rango Interno, LAN) to 51820:51820, i.e., the port range and the local port are both 51820.
Configure your clients.
```
[email protected]:~/wireguard/config$ sudo ls peer1 # The peer's public and private keys, its preshared key, its config file and a QR code PNG.
peer1.conf  peer1.png  presharedkey-peer1  privatekey-peer1  publickey-peer1
[email protected]:~/wireguard/config$ docker exec -it wireguard /app/show-peer 1 # Shows the QR code for peer 1 in the terminal.
```
To configure your client, go to the WireGuard website, Installation. There are clients for Windows, macOS, Ubuntu, Android, iOS, etc. For example, you can install the WireGuard application from the Play Store, then launch it, tap the + button and choose SCAN FROM QR CODE.
Let's configure a WireGuard peer client in Ubuntu.
A. Ubuntu client. Install the necessary packages:
```
sudo apt install wireguard resolvconf
```
B. Raspberry Pi. Copy the peer's configuration file to the client over the network:
```
scp ~/wireguard/config/peer1/peer1.conf [email protected]~/peer1.conf
```
C. Ubuntu client. Copy the WireGuard peer's configuration file to its proper location:
```
sudo cp peer1.conf /etc/wireguard/wg0.conf
```
D. Ubuntu client. Start the tunnel by running the following (it needs root, since it creates the interface and changes the routing table):
```
sudo wg-quick up wg0
```
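The peer file you copy in steps B and C carries the peer's private key, so it is worth checking it and installing it with owner-only permissions rather than a plain cp. The script below is an added example, not code from the original article or from the linuxserver/wireguard project: it checks the fields wg-quick needs, verifies the key format, points out a full-tunnel AllowedIPs (the 0.0.0.0/0 set by ALLOWEDIPS above), and installs the file as mode 0600. The function names, the WG_PEER_CONF variable and the sample peer file (with all-zero dummy keys) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: check a WireGuard peer file
# before copying it to /etc/wireguard/wg0.conf (steps B-D above), then install
# it with owner-only permissions. The file carries the peer's private key, so
# it must not be world-readable. All function names here are hypothetical.

# Print the value of KEY from a wg-quick style "Key = value" file (first match).
wg_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# WireGuard keys are 32 random bytes in base64: 43 base64 characters plus '='.
wg_key_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Return 0 if the file has everything wg-quick needs and the keys look valid.
# Problems go to stderr; a full-tunnel AllowedIPs is reported but is not an error.
wg_check_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    for field in PrivateKey Address PublicKey Endpoint AllowedIPs; do
        [ -n "$(wg_conf_get "$conf" "$field")" ] \
            || { echo "$conf: missing $field" >&2; return 1; }
    done
    for field in PrivateKey PublicKey; do
        wg_key_ok "$(wg_conf_get "$conf" "$field")" \
            || { echo "$conf: $field is not a valid WireGuard key" >&2; return 1; }
    done
    psk=$(wg_conf_get "$conf" PresharedKey)
    if [ -n "$psk" ] && ! wg_key_ok "$psk"; then
        echo "$conf: PresharedKey is not a valid WireGuard key" >&2
        return 1
    fi
    case "$(wg_conf_get "$conf" AllowedIPs)" in
        *0.0.0.0/0*|*::/0*)
            echo "note: AllowedIPs routes all traffic through the tunnel (full tunnel)" >&2 ;;
    esac
    return 0
}

# Copy the checked file into place as mode 0600. install(1) creates the target
# with those permissions from the start, unlike cp followed by chmod.
wg_install_conf() {
    wg_check_conf "$1" || return 1
    install -m 600 "$1" "$2"
}

# Constructed sample in the layout the linuxserver/wireguard image generates.
# The keys are an all-zero dummy (32 zero bytes in base64), not real material.
wg_write_sample_conf() {
    dummy_key=$(head -c 32 /dev/zero | base64)
    cat > "$1" <<EOF
[Interface]
Address = 10.13.13.2
PrivateKey = $dummy_key
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = $dummy_key
PresharedKey = $dummy_key
Endpoint = 192.168.1.7:51820
AllowedIPs = 0.0.0.0/0
EOF
}

# Usage on the Ubuntu client (hypothetical script name):
#   WG_PEER_CONF=~/peer1.conf sudo -E sh wg-install.sh
if [ -n "${WG_PEER_CONF:-}" ]; then
    wg_install_conf "$WG_PEER_CONF" /etc/wireguard/wg0.conf \
        && echo "installed /etc/wireguard/wg0.conf"
fi
```

Run it with WG_PEER_CONF pointing at the file copied in step B; without that variable it only defines the functions, so it can be sourced and the checker reused. The full-tunnel note is informational: with AllowedIPs = 0.0.0.0/0 every packet from the client goes through the Pi, which is what this setup intends, but a peer that should only reach the home LAN would narrow it to that subnet.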
PiVPN is designed for the Raspberry Pi. Download the installer script and start the installation:
```
curl -L https://install.pivpn.io | bash
```
Interface: eth0/wlan. Do you want to use your current network settings as a static address? (192.168.1.7/24) Yes. Basically, it confirms your Raspberry Pi's current IP address. Enter your desired IPv4 default gateway: 192.168.0.1 (the router's IP address).
Choose a user: pi.
Unattended Upgrades (OK), Protocol (UDP), OpenVPN Port: 1194.
Public IP or DNS: type your static IP (if you don't know it yet, you can use services like WhatIsMyIp.com). Obviously, this requires a static public IP. Otherwise, use a free dynamic DNS service, such as NoIP.com or DuckDNS, and port forward the VPN traffic to your Raspberry Pi in your router. In this case, select DNS Entry. What is the public DNS name of this Server? justtothepoint.ddns.net (a more detailed explanation is given further below, in step 9).
DNS Provider for your VPN clients: Google.
Create a client ovpn profile: pivpn add (client). It generates a client.ovpn for that client in /home/pi/ovpns. You'll need to import this profile on each client device.
Let's configure the client. Copy the VPN client configuration file from the Raspberry Pi:
```
scp [email protected]:~/ovpns/client.ovpn .
```
The general form is scp [source user@host]:[source directory and file name] [destination directory]. Install Tunnelblick on the client computer and open client.ovpn in Tunnelblick. Test: ping 10.8.0.1 (the VPN server's private IP).
If you don't have a static IP, you need a dynamic DNS provider. Let's see no-ip.com: Dynamic DNS, Create Hostname: Hostname (justtothepoint), Domain (ddns.net), Record Type (DNS Host (A)), IPv4 Address (your public IP).
Dynamic DNS is a service that lets an Internet domain name (e.g., justtothepoint.ddns.net) follow a computer whose IP address changes.
Access your router: http://192.168.1.1. Advanced configuration, Advanced Setup, DNS, Dynamic DNS: D-DNS provider (No-IP), Hostname (justtothepoint.ddns.net), NOIP Setting (NoIP's user and password).
Set up port forwarding for the VPN traffic. Port Forwarding (Puertos), Create a port forwarding rule: Name (Nombre Regla de Puertos: VPN), Private IP Address (Dirección IP: the Raspberry Pi's IP), Public Port (Abrir Puerto/Rango externo: 1194), Private Port (Abrir Puerto/Rango interno: 1194), Protocol (UDP).
On your Android device, first install and then launch the OpenVPN Connect app. OVPN Profile, Import Profile (you need to copy the OpenVPN configuration file "client.ovpn" to your Android device and navigate to the folder where you have saved the file).
Uninstall VPN: pivpn uninstall. List connected clients: pivpn clients.