WireGuard on Raspberry Pi OS

Recently I fell victim to an attack on a security vulnerability in SaltStack that left much of my homelab infected with cryptominers. When I rebuilt the environment I found myself in the market for a VPN solution.

I have used OpenVPN for a little while, but I found it inconvenient enough to set up and use that I only used it when absolutely necessary to bridge between otherwise private networks.

But I had been hearing good things about WireGuard, so I performed a test deployment. First between two disparate servers. Then on a workstation. Then another. Each time the software deployed easily and remained reliably available, particularly in contrast to the unreliability I had become accustomed to with the Cisco VPN I use for work.

So I came to the last system in my network: a first-generation Raspberry Pi B+. WireGuard isn't available in the Raspberry Pi OS (née Raspbian) repository, but I found articles describing how to install the packages from either Debian backports or unstable. I generally avoid mixing distributions, but I followed the directions as proof of concept.

The base wireguard package installed successfully, which was little surprise: it is a DKMS package, after all. However, binaries from wireguard-tools immediately segfaulted. (I expect this is because the CPU in the first-generation B+ isn't supported by Debian.)

But then I realized that APT makes source repositories as accessible as binary repositories. Compiling my own WireGuard packages would worry me less as well:

First add the Debian Buster backports repository, including its signing key. (You can verify the key fingerprint at debian.org.)

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0x80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE
echo 'deb-src http://deb.debian.org/debian buster-backports main' | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt update

Install the devscripts package (so we can use debuild to build the WireGuard packages) and any build dependencies for WireGuard itself.

sudo apt install devscripts
sudo apt build-dep wireguard

Finally, download, build, and install WireGuard.

apt source wireguard
(cd wireguard-*/ && debuild -us -uc)
sudo apt install ./wireguard_*.deb ./wireguard-tools_*.deb

At this point you should have a fully functional WireGuard deployment, with working wireguard-tools binaries.
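
For the first step above, one way to script the fingerprint check instead of comparing by eye. This is an added example, not part of the original post: the function names and the sample listings are constructed for illustration, and it assumes GnuPG's colon-delimited listing format, such as the output of sudo apt-key adv --list-public-keys --with-fingerprint --with-colons piped into primary_fpr_present.

```shell
#!/bin/sh
# Added example: confirm a primary key with the expected full fingerprint
# appears in GnuPG --with-colons output read from stdin.
EXPECTED_FPR='0x80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE'  # from the apt-key step

# Strip spaces and a leading 0x, then upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# primary_fpr_present EXPECTED < colon-listing
# 0 = match, 1 = no match, 2 = EXPECTED is not a 40-hex-digit fingerprint.
primary_fpr_present() {
    want=$(normalize_fpr "$1")
    case "$want" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2   # refuse short or long key IDs
    awk -F: -v want="$want" '
        $1 == "pub" { after_pub = 1; next }
        # Only the fpr record directly after pub is the primary fingerprint.
        $1 == "fpr" { if (after_pub && toupper($10) == want) found = 1
                      after_pub = 0 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed, abridged colon listings (not real gpg output).
sample_good() {
    printf '%s\n' \
        'pub:-:4096:1:DC30D7C23CBBABEE:0:::-:::scSC:' \
        'fpr:::::::::80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE:' \
        'uid:-::::0::0::constructed sample uid:'
}
# Same 64-bit key ID, different full fingerprint: must not be accepted.
sample_lookalike() {
    printf '%s\n' \
        'pub:-:4096:1:DC30D7C23CBBABEE:0:::-:::scSC:' \
        'fpr:::::::::000000000000000000000000DC30D7C23CBBABEE:'
}
# Expected fingerprint present only on a subkey: must not be accepted.
sample_subkey_only() {
    printf '%s\n' \
        'pub:-:4096:1:1111111111111111:0:::-:::scSC:' \
        'fpr:::::::::1111111111111111111111111111111111111111:' \
        'sub:-:4096:1:DC30D7C23CBBABEE:0::::::e:' \
        'fpr:::::::::80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE:'
}

sample_good | primary_fpr_present "$EXPECTED_FPR" && echo 'primary fingerprint matches'
```

The expected value should still come from a source other than the keyserver, which is why the post points at debian.org.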