Wireguard on Raspberry Pi OS
Recently I fell victim to an attack on a security vulnerability in SaltStack that left much of my homelab infected with cryptominers. When I rebuilt the environment I found myself in the market for a VPN solution.
I have used OpenVPN for a little while, but I found it inconvenient enough to set up and use that I only used it when absolutely necessary to bridge between otherwise private networks.
But I had been hearing good things about WireGuard, so I performed a test deployment. First between two disparate servers. Then on a workstation. Then another. Each time the software deployed easily and remained reliably available, particularly in contrast to the unreliability I had become accustomed to with the Cisco VPN I use for work.
So I came to the last system in my network: a first-generation Raspberry Pi B+. WireGuard isn't available in the Raspberry Pi OS (née Raspbian) repository, but I found articles describing how to install the packages from either Debian backports or unstable. I generally avoid mixing distributions, but I followed the directions as proof of concept.
wireguard package installed successfully, and little
surprise: it is a DKMS package, after all. However, binaries from
wireguard-tools immediately segfaulted. (I expect this is because
the CPU in the first-generation B+ isn't supported by Debian.)
But then I realized that APT makes source repositories as accessible as binary repositories. Compiling my own WireGuard packages would worry me less as well:
First add the Debian Buster backports repository, including its signing key. (You can verify the key fingerprint at debian.org.)
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0x80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE echo 'deb-src http://deb.debian.org/debian buster-backports main' | sudo tee /etc/apt/sources.list.d/backports.list sudo apt update
devscripts package (so we can use
debuild to build
the WireGuard packages) and any build dependencies for WireGuard
Finally, download, build, and install WireGuard.
apt source wireguard (cd wireguard-*; debuild -us -uc) sudo apt install ./wireguard_*.deb ./wireguard-tools_*.deb
At this point you should have a fully functional WireGuard deployment,