Super Pi Part 2: WireGuard

Posted on April 9, 2021

I wanted a WireGuard VPN to have Pi-Hole on the go. Before getting to that point, though, I registered a domain with DuckDNS since the IP address of my router changes periodically or when I reset it. I'll have to do a little more work to make sure DuckDNS gets notified when my IP address changes, but that's for a later post. For now, I just have to remember that if WireGuard doesn't work, it's probably because my IP changed, and I need to log back into DuckDNS and update my IP address manually.

To get WireGuard on my Pi, I decided to use PiVPN, which is a pretty reputable way to set up a VPN with minimal fuss and good defaults. Per their homepage, I ran the following script:

curl -L https://install.pivpn.io | bash

I also needed to forward the proper port from the Pi to my router. By default, WireGuard does its stuff on port 51820 using the UDP protocol. I put OpenWRT on my router and my configuration looks like this:

[Image: OpenWRT Port Forward Configuration]

The script runs you through the setup. I used pivpn add to add a client for my phone and pivpn -qr to generate a QR code, which I then scanned with my phone. The one caveat to this is that the DNS is set to 10.6.0.1, but because I'm using Pi-Hole to resolve DNS records to IP addresses and I want the same thing on my phone, this DNS won't work. We need to point the DNS to the IP of Pi-Hole specifically.

WireGuard Client on PC

Getting going on a laptop or device that can't scan QR codes is slightly more challenging, but it's still not too bad if you're not afraid of using the command line. The apt repository happens to have a package for WireGuard, so all you need is:

sudo apt install wireguard

From the Pi, I again ran pivpn add, providing a descriptive name to identify my PC (Lappy). After that, PiVPN gave me a nice notification that my config file was created at ~/configs/Lappy.conf. Now to get the config to my laptop. Since I love SSH so much, I just used the scp command to get it on my PC:

scp pi@192.168.0.23:/home/pi/configs/Lappy.conf ~/Lappy.conf

I just put the config file in my home directory because I'm going to be moving it. You don't have to do it this way, though. I'll illustrate my motivation for moving it with an example. If I left my config in my home directory, my shell command to boot WireGuard would be this:

sudo wg-quick up ~/Lappy.conf

However, I'm moving my config file to /etc/wireguard. Because the directory is protected (you can't even see what's in it, weirdly), I had to use sudo. In doing so, my shell command becomes:

sudo wg-quick up Lappy

The benefits are twofold (albeit a small twofold): there is no need to provide a path to the file, because WireGuard looks in /etc/wireguard by default. Additionally, there is no need to provide the file extension, as WireGuard infers it when a config file is referenced from the default directory.

I can now access my home network by using the above command, but I can't make HTTP requests. It turns out this is actually a bug in Pop!_OS. Running this command solved my problem:

sudo dpkg-reconfigure resolvconf

With that completed, I was able to make requests to websites and SSH still worked. If it weren't for the good people at the WireGuard IRC, I don't know if I ever would have figured this out. After heaving a sigh of relief, I'm calling this one done.
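The DNS caveat and the move into /etc/wireguard described above, combined as an added example (not part of the original post and not PiVPN's own code): it rewrites the DNS line in the [Interface] section of the client config and installs the file readable by its owner only, since the config contains the client's private key. The address 192.168.0.23 assumes Pi-Hole runs on the same Pi that the scp command targets; the script name, function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PiVPN's code. Usage (hypothetical script name), as root:
#   sh wg-client.sh ~/Lappy.conf 192.168.0.23 Lappy   # IP = assumed Pi-Hole address

# Write a constructed PiVPN-style client config to $1 (placeholder keys).
make_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = example.duckdns.org:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
}

# Set DNS in the [Interface] section of config $1 to $2, adding it if absent.
set_wg_dns() {
    tmp=$(mktemp) || return 1      # mode 600: the config holds a private key
    awk -v dns="$2" '
        /^\[/ {                    # section header: close out [Interface]
            if (in_if && !seen) { print "DNS = " dns; seen = 1 }
            in_if = ($0 ~ /^\[Interface\]/)
        }
        in_if && /^[ \t]*DNS[ \t]*=/ {   # replace the existing DNS line
            if (!seen) { print "DNS = " dns; seen = 1 }
            next
        }
        { print }
        END { if (in_if && !seen) print "DNS = " dns }
    ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1" && rm -f "$tmp"    # overwrite in place, keep file mode
}

# Print the DNS value currently set in config $1.
get_wg_dns() {
    awk -F'[ \t]*=[ \t]*' '/^[ \t]*DNS[ \t]*=/ { print $2; exit }' "$1"
}

# Install config $1 as $3/$2.conf (default dir /etc/wireguard), owner-only.
install_wg_conf() {
    install -m 600 "$1" "${3:-/etc/wireguard}/$2.conf"
}

if [ "$#" -eq 3 ]; then
    set_wg_dns "$1" "$2" && install_wg_conf "$1" "$3"
fi
```

wg-quick prints a warning when a config file is world accessible, which is why the install step sets mode 600 rather than relying on the directory's permissions alone.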