VPN for Remote Hubitat Management

I found this page to be helpful when I first set up WireGuard.

https://www.stavros.io/posts/how-to-configure-wireguard/

6 Likes

I used this one because I suck at creating clients from the command line :rofl: I need a QR code.

https://www.sigmdel.ca/michel/ha/wireguard/wireguard_02_en.html

2 Likes

For those that installed PiVPN on the same device as PiHole, did you have to edit a conf file to allow browsing the local network?

I used to have OpenVPN installed on the same Odroid as PiHole - didn't have to edit any config files.

Hmm, I need to try it on a spare pi before I wreak havoc on my existing PiHole setup. I was able to install PiVPN and connect to it and get on the internet but local access is not allowed.

Maybe you are missing a push route in your server config?
push "route YourSubnet 255.255.255.0"

Went with PiVPN and Wireguard. Quick tests seem to show that it works well enough with my cell, so fingers crossed it works well with my laptop.

Thanks everyone.

1 Like

I used both OpenVPN and WireGuard on my laptop and both worked fine.

I figure it would work fine with normal laptops; I'm just concerned my corporation-managed laptop would potentially have issues given the Barracuda VPN software currently installed on it.

At worst, I can program with my phone. Not the best, but good enough.

1 Like

Batting 0/2. I scrapped the PiVPN and went straight to manual Wireguard install and I still can't make it work (see the local network).

Going to take a break for now and try to figure it out later, maybe post on Reddit.

So, presumably you can connect to the piVPN externally; that basically means the dynamic/static IP on the RPI is working, as is the forwarding you're doing from the router to the piVPN. That's good, because that's most of the trouble IMO.

Is your internal network using a private IP range? 192.168.x.x or 10.x.x.x? If you're not, I've had issues where networking will not route to a non-private LAN range. Easy enough, update it to use one.

When you're on the piVPN (logged into the device itself), can you ping a random IP? So, does ping 192.168.1.101 (replace with some internal non-gateway device you have), or www.google.com, come back with responses? If that works, when you connect to the piVPN externally, can you ping that same IP? If not, sounds like something odd with iptables.

Did you install a firewall on the RPi? If so, turn it off and retest. Is the computer you're connecting from using a firewall (all Windows PCs do by default)? If so, disable that and re-test.

What DNS server did you use when you set up the piVPN? I personally used Google, because it always works. A lot of the online tutorials say to use Cloudflare, but I don't see the value, especially using WireGuard.

Just as a general thing, accessing Windows shares is a bear. Microsoft really hasn't figured out networking since they started trying in like Windows 1.0. I'd make sure I'm testing access to a non-windows machine, to eliminate spaghetti code from 35 years ago being the cause.

Your WG client config should include your network subnet and the WG server IP in AllowedIPs.

This is how I have it configured...

Server conf...

_INTERFACE=wg0
_VPN_NET=192.168.99.0/24
_SERVER_PORT=55555
_SERVER_LISTEN=wan_ip_address:$_SERVER_PORT
_SERVER_PUBLIC_KEY=XtCGhAVAcXzLX+E...
_SERVER_PRIVATE_KEY=oN6jzz3HaVLQVD...

Client conf...

[Interface]
Address = $_VPN_IP
PrivateKey = $_PRIVATE_KEY

[Peer]
PublicKey = $_SERVER_PUBLIC_KEY
AllowedIPs = 192.168.99.1/32,192.168.0.0/24
Endpoint = $_SERVER_LISTEN

Edit: Hot dang! I figured it out, WG settings were correct, EdgeRouter is what screwed me over. Port forwarding setting is messed up, I had eth0 selected instead of pppoe0. That one always throws me off!

2 Likes

Well, my rPi is barely able to keep up with a single user; very annoying. Curiously, it seems OK with my phone, but a laptop is too much for it. Two users is also too much.

Going to pick up a better rPI. When it works, it's super nice.

1 Like

I have a fixed router in my home installed by the network provider which I cannot change. I solved that by buying a second router (ASUS RT-AC88U) and connecting that to the provided router. By using this I could solve several issues, such as WiFi speed limitations and availability of VPN functionality in the router.

1 Like

That is very strange - I am using the RPi 4 w/4 GB and running WireGuard. Have had several people connected including a laptop etc. and had no issues. Not that those connections were streaming video or anything.

Interestingly I have a non-HE client with a home-office (lawyer) that I set up an RPi3 running OpenVPN and he and his family have been using that for a few years. Up until the pandemic they had been doing a lot of travelling and it has worked well for them.

I believe WG is faster and more lightweight, so if you are not using it you might want to check it out. Also I think the older Pis like the v3 ran at USB 2.0 bus speed, so they were limited in their throughput.

2 Likes

Anyone who is using Firewalla using the Gold one? It appears that the simple mode is different somehow, and I'm not ready to change routers just yet. From what I am reading, the Gold wants to be the router, and I have SEVERAL reserved IPs and do not want to unnecessarily reconfigure everything just yet. The other thing I am reading is the Gold doesn't overlay the network, so I'm worried I might not get access to HE without letting it be the router.

Just wondering if the VPN for HE works in Simple mode on the gold as I like the idea of 3g of bandwidth (at least a little future proofing).

Warning - NOOB, my last significant programming was 80030 coding in college, and I can normally work my way through step by step instructions enough to figure out and get something working after searching online.

I have the Firewalla Gold and Blue, and was intending to set them up with the Gold at my home and the Blue at my remote home. I have a couple of tenant properties where I have automation set up with HE to monitor and manage them while they are empty. Started with the W*** platform and switched to HE after the subscription debacle...

Haven't tried the Firewalla yet, I'm also not keen on changing over my current router configuration. Meanwhile I set up an rPi with piVPN and WG, using DuckDNS for the DNS provider (just select one of the DNS providers during the piVPN setup, and enter your custom DuckDNS domain name instead of a static IP). Used the directions here:

Easy to set up and works great once you get past the router port configuration. DuckDNS has simple instructions with cut/paste to set up the DNS updater for rPI. VPN from my mobile is easy setting up in the WG app with the QR code. VPN from my Laptop also works (MacBook), except you need to access by the local network IP ( to access the rPI in screen sharing, or the HE web interface) vice local host name (pi.local) when in VPN. Also there was some challenge getting the vpn.conf files from rPi into my MacBook to load into the WG app - easiest was cut/paste from a VNC screen sharing connection into a text file, then had to convert from rtf format (TextEdit standard) to plain text, and remove the (hidden) .txt extension (from get info), then the file imports fine.

Also - to use OS X to screen share into your rPi, enable VNC in the rPi configuration, then set VNC security to VNC password in VNC OPTIONS (it will then ask you to set a password). The user security doesn't seem to interface with OS X user management.

Here are some key paths if WG settings are changed after installation. I use nano for text editing in the terminal; it gives me simple instructions and I forgot vi editing long ago.

WireGuard server configuration file
/etc/wireguard/wg0.conf

To update this file:
sudo nano /etc/wireguard/wg0.conf

This contains your WG keys and the port you are using to connect. Once generated, there shouldn't be any reason to change it unless you update and use a different port.

pivpn configuration file:
/etc/pivpn/wireguard/setupVars.conf

To edit this file:
sudo nano /etc/pivpn/wireguard/setupVars.conf

If you are using WG with piVPN, this is the more useful conf file. It contains the static/reserved IP of the rPI, gateway, DNS, and the host path (xxxxx.duckdns.org) of your DNS provider. This provides the template for using pivpn to generate the individual user conf files.

piVPN has some other features including a (correction - Apache) web interface to install for user management and generation. Appears to be an older build, tried it, but it doesn't appear to work.

Directions for the piVPN GUI are here: another good reference for setting up piVPN, just recognize they are setting up OpenVPN vice WG. Most of the rPi and piVPN related items are the same (hosts/static IPs/etc).

Also in WG I haven't been able to implement a preshared key as recommended here:
https://www.raspberrypi.org/forums/viewtopic.php?t=277111#p1678611

If I'm reading that right - I believe the purpose is to generate a new PSK for each VPN session, rather than just at the time the VPN user is generated by pivpn (unless pivpn already does that using the PSK generated when the user is created). That would make each VPN session's encryption unique. Unlike OpenVPN (which I haven't tried) you can't set an encryption level in WG. I presume it is using standard 2048, I haven't checked further.

If I go back and try the firewalla, I'll update here. Seems a waste of nearly $600 not to at least check it out, however I agree rPi with WG is a much less expensive option - works great, especially if you only need HE remote management.

I have two WG rPIs running now, one at home and one at a remote house, so I can vpn in for local HE management from any location.

1 Like
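An added example (not code from the thread, PiVPN or WireGuard): a small Python checker for the two client-side settings raised in this post and in the AllowedIPs post earlier, i.e. whether a client config actually routes the home LAN through the tunnel, and whether every peer carries a PresharedKey. The sample config is constructed in the same layout as the one posted above; its keys and DuckDNS hostname are placeholders.

```python
import ipaddress

# Constructed sample client config in the thread's layout; keys and hostname are placeholders.
SAMPLE_CLIENT_CONF = """\
[Interface]
Address = 192.168.99.2/32
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.99.1/32
Endpoint = example-home.duckdns.org:55555
"""

def parse_wg_conf(text):
    """Parse the INI-like wg-quick format; repeated [Peer] sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"_section": line[1:-1]})
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][key.strip()] = value.strip()
    return sections

def lan_routed(conf, lan_cidr):
    """True if some peer's AllowedIPs covers the LAN. Without that route the client
    never sends LAN-bound packets into the tunnel: 'connected but can't see the LAN'."""
    lan = ipaddress.ip_network(lan_cidr)
    for sec in (s for s in conf if s["_section"] == "Peer"):
        for cidr in filter(None, (c.strip() for c in sec.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == lan.version and lan.subnet_of(net):
                return True
    return False

def psk_on_every_peer(conf):
    """True only if every [Peer] carries a non-empty PresharedKey."""
    peers = [s for s in conf if s["_section"] == "Peer"]
    return bool(peers) and all(s.get("PresharedKey") for s in peers)

def check_client_conf(text, lan_cidr):
    """Report both findings for one client config against the home LAN subnet."""
    conf = parse_wg_conf(text)
    return {"lan_routed": lan_routed(conf, lan_cidr), "psk_on_every_peer": psk_on_every_peer(conf)}
```

Run it against a config exported by pivpn with the LAN subnet in use (192.168.0.0/24 in the thread's example); a 0.0.0.0/0 route (full tunnel) also counts as covering the LAN.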

Posting as if I actually understand anything of below... :wink:

WireGuard uses ChaCha20 for symmetric encryption with Poly1305 for message authentication, a combination that’s more performant than AES on embedded CPU architectures that don’t have cryptographic hardware acceleration; Curve25519 for elliptic-curve Diffie-Hellman (ECDH) key agreement; BLAKE2s for hashing, which is faster than SHA-3; and a 1.5 Round Trip Time (1.5-RTT) handshake that’s based on the Noise framework and provides forward secrecy. It also includes built-in protection against key impersonation, denial-of-service and replay attacks, as well as some post-quantum cryptographic resistance.

No more than I understand it either :sweat_smile: but it did answer the question. Effectively a completely different encryption algorithm.

This part was interesting:

Furthermore, the connection between peers, which can act as both clients and servers at the same time, goes silent when there's no exchange of data.

Currently I'm using it to VPN into the network from a mobile or laptop client.

It appears there is a way to have the rPis establish their own VPN tunnel between the two networks and connect them at the network level. So if I'm on my home WiFi, then the remote network would be a part of the same network without having to VPN from a client. If I'm in public or outside my home network, I could still VPN into one or the other.

This is one thing that Firewalla is supposed to do rather simply through their interface. You also don't need a FW Gold to do it, FW Blue is capable from what I can gather.

1 Like