# WireGuard access to home network using PiKVM

We can use PiKVM as a device that lets us or others connect to our home network as if they were inside it. This way friends and family, or we ourselves when travelling, can use our media server, for example. There is a [WireGuard client for every major OS today](https://www.wireguard.com/install/), including iOS and Android. PiKVM will be peer A, other clients will be peer B and so on.

This howto roughly follows [the ArchWiki WireGuard documentation](https://wiki.archlinux.org/title/WireGuard).

## Prerequisites

We need to install the `wireguard-tools` package on PiKVM. So access it via ssh/PuTTY as `root`:

```bash
rw
pacman -Syu
pacman -S wireguard-tools
# We need to allow PiKVM to pass network traffic to the VPN
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-allow-ip-forward.conf
# Append (>>) so the IPv4 line above is not overwritten
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/99-allow-ip-forward.conf
# Load this now for the first time
sysctl -p /etc/sysctl.d/99-allow-ip-forward.conf
```

We will use the `10.0.0.x` network for the VPN connections and port `51820` on our public IP. On the router we will need to:

* Port forward `51820` `UDP` traffic to our PiKVM
* Add a route for the (publicly unroutable) network `10.0.0.0/24` with PiKVM as the gateway

## Setting up PiKVM as peer A

1. Generate the private and public key
2. Generate a pre-shared key per connection (optional but recommended)

```bash
mkdir -p /root/wireguard
# This directory will contain a lot of sensitive data, so protect it as well as possible
# (0700: a directory needs the execute bit to be entered)
chmod 0700 /root/wireguard
cd /root/wireguard
wg genkey | (umask 0077 && tee peer_A.key) | wg pubkey > peer_A.pub
# Discard tee's standard output so the pre-shared key is not printed to the terminal
wg genpsk | (umask 0077 && tee peer_A-peer_B.psk) > /dev/null
```

`/etc/systemd/network/99-wg0.netdev`:

```ini
[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0

[WireGuard]
ListenPort=51820
PrivateKey=

[WireGuardPeer]
PublicKey=
PresharedKey=
AllowedIPs=10.0.0.2/32

[WireGuardPeer]
PublicKey=...
PresharedKey=...
AllowedIPs=10.0.0.3/32

[WireGuardPeer]
PublicKey=...
PresharedKey=...
AllowedIPs=10.0.0.4/32
```

After adding peers, use `systemctl restart systemd-networkd` to load the new configuration.

`/etc/systemd/network/99-wg0.network`:

```ini
[Match]
Name=wg0

[Network]
Address=10.0.0.1/24
```

## A typical client conf file (peer_B and so on)

E.g. for peer B:

```ini
[Interface]
Address = 10.0.0.2/24
DNS = 192.168.1.1
ListenPort = 38865
MTU = 1330
PrivateKey =

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.0.0/24,,
Endpoint = :38865(51820)
```

Once the information is filled in, the conf file can be transferred to the client. For iOS and Android, QR codes can be used:

```bash
qr < peer_B.conf
```
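
A check for the peer list in `99-wg0.netdev`, as an added example that is not part of the original howto: it parses the repeated `[WireGuardPeer]` sections and reports placeholder or malformed keys, missing pre-shared keys, and `AllowedIPs` entries that are not a unique single host in `10.0.0.0/24`. The function names and the sample input are constructed for illustration.

```python
import base64
import ipaddress

VPN_NET = ipaddress.ip_network("10.0.0.0/24")  # VPN range used on this page
SERVER_IP = ipaddress.ip_address("10.0.0.1")   # Address= from 99-wg0.network

def parse_peers(text):
    """Return one dict per [WireGuardPeer] section; sections repeat, so configparser does not fit."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = {} if line == "[WireGuardPeer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return peers

def is_wg_key(value):
    """WireGuard public keys and pre-shared keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lint_peers(text):
    """Return a list of problems found in the peer sections of a .netdev file."""
    problems, seen = [], set()
    for n, peer in enumerate(parse_peers(text), start=1):
        if not is_wg_key(peer.get("PublicKey", "")):
            problems.append(f"peer {n}: PublicKey missing or not a 32-byte base64 key")
        if not is_wg_key(peer.get("PresharedKey", "")):
            problems.append(f"peer {n}: no valid PresharedKey")
        for entry in peer.get("AllowedIPs", "").split(","):
            try:
                net = ipaddress.ip_network(entry.strip())
            except ValueError:
                problems.append(f"peer {n}: bad AllowedIPs entry {entry.strip()!r}")
                continue
            if net.version != 4 or net.prefixlen != 32 or not net.subnet_of(VPN_NET):
                problems.append(f"peer {n}: {net} is not a single host inside {VPN_NET}")
            elif net.network_address == SERVER_IP or net in seen:
                problems.append(f"peer {n}: {net} is already used by the server or another peer")
            seen.add(net)
    return problems

# Constructed sample: placeholder key as on this page, plus a too-wide AllowedIPs entry
print(lint_peers("[WireGuardPeer]\nPublicKey=...\nAllowedIPs=10.0.0.4/32,10.0.0.0/24\n"))
```

Running it against the real file before `systemctl restart systemd-networkd` catches a copied peer block whose address or keys were never changed.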