Wireguard on Raspberry Pi OS
Recently I fell victim to an attack on a security vulnerability in SaltStack that left much of my homelab infected with cryptominers. When I rebuilt the environment I found myself in the market for a VPN solution.
I have used OpenVPN for a little while, but I found it inconvenient enough to set up and use that I only used it when absolutely necessary to bridge between otherwise private networks.
But I had been hearing good things about WireGuard, so I performed a test deployment. First between two disparate servers. Then on a workstation. Then another. Each time the software deployed easily and remained reliably available, particularly in contrast to the unreliability I had become accustomed to with the Cisco VPN I use for work.
So I came to the last system in my network: a first-generation Raspberry Pi B+. WireGuard isn't available in the Raspberry Pi OS (née Raspbian) repository, but I found articles describing how to install the packages from either Debian backports or unstable. I generally avoid mixing distributions, but I followed the directions as proof of concept.
The base wireguard
package installed successfully, and little
surprise: it is a DKMS package, after all. However, binaries from
wireguard-tools
immediately segfaulted. (I expect this is because
the CPU in the first-generation B+ isn't supported by Debian.)
But then I realized that APT makes source repositories as accessible as binary repositories. Compiling my own WireGuard packages would worry me less as well:
First add the Debian Buster backports repository, including its signing key. (You can verify the key fingerprint at debian.org.)
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0x80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE echo 'deb-src http://deb.debian.org/debian buster-backports main' | sudo tee /etc/apt/sources.list.d/backports.list sudo apt update
Install the devscripts
package (so we can use debuild
to build
the WireGuard packages) and any build dependencies for WireGuard
itself.
Finally, download, build, and install WireGuard.
apt source wireguard (cd wireguard-*; debuild -us -uc) sudo apt install ./wireguard_*.deb ./wireguard-tools_*.deb
At this point you should have a fully functional WireGuard deployment,
with working wireguard-tools
binaries.