We can use PiKVM as a device that lets us or others connect to our home network as if they were inside it. This way, for example, friends and family, or we ourselves when travelling, can use our media server. There is a WireGuard client for every major OS today, including iOS and Android.
PiKVM will be peer A, other clients will be peer B and so on.
This howto roughly follows the ArchWiki WireGuard documentation.
We need to install the wireguard-tools package on PiKVM, so access it via ssh/PuTTY as root:
```
# Make the PiKVM filesystem writable
rw
pacman -Syu
pacman -S wireguard-tools
# We need to allow PiKVM to pass network traffic to the VPN
echo net.ipv4.ip_forward = 1 > /etc/sysctl.d/99-allow-ip-forward.conf
# Append (>>) so the IPv4 line written above is not overwritten
echo net.ipv6.conf.all.forwarding = 1 >> /etc/sysctl.d/99-allow-ip-forward.conf
# Load this now for the first time
sysctl -p /etc/sysctl.d/99-allow-ip-forward.conf
```
We will use the 10.0.0.x network for the VPN connections and port 51820 on our public IP. On the router we will need to:
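- Forward port 51820 UDP traffic to our PiKVM
- Add a static route for 10.0.0.0/24 with PiKVM as the gateway

Next, generate the key pair for peer A and the preshared key for the A/B pair:

```
mkdir -p /root/wireguard
# This directory will contain a lot of sensitive data, so protect it as well as possible.
# 0700: only root may list, enter or write the directory (a directory needs the x bit).
chmod 0700 /root/wireguard
cd /root/wireguard
# Private and public key of peer A; umask 0077 creates the private key file as 0600
wg genkey | (umask 0077 && tee peer_A.key) | wg pubkey > peer_A.pub
# Preshared key for the peer A / peer B pair (tee also prints it to the terminal)
wg genpsk | (umask 0077 && tee peer_A-peer_B.psk)
```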
/etc/systemd/network/99-wg0.netdev:
```
[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0

[WireGuard]
ListenPort=51820
PrivateKey=<contents of peer_A.key>

[WireGuardPeer]
PublicKey=<generated on the client and pasted here or generated as a key pair like the one for peer A>
PresharedKey=<contents of peer_A-peer_B.psk>
AllowedIPs=10.0.0.2/32

[WireGuardPeer]
PublicKey=...
PresharedKey=...
AllowedIPs=10.0.0.3/32

[WireGuardPeer]
PublicKey=...
PresharedKey=...
AllowedIPs=10.0.0.4/32
```
After adding peers use systemctl restart systemd-networkd to load the new configuration.
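As an added example (not part of the original howto or of PiKVM): a small Python check to run over the `[WireGuardPeer]` sections before restarting systemd-networkd. It flags peers without a preshared key and `AllowedIPs` entries that leave the VPN subnet, are wider than a single /32, cover PiKVM's own 10.0.0.1, or overlap another peer; the function names and the sample configuration are constructed for illustration, and the one-/32-per-peer rule is taken from this howto's layout.

```python
import ipaddress

VPN_NET = ipaddress.ip_network("10.0.0.0/24")  # VPN subnet used in this howto
SERVER_IP = ipaddress.ip_address("10.0.0.1")   # PiKVM's address on wg0

def parse_peers(text):
    """Return one dict per [WireGuardPeer] section (the section repeats)."""
    peers, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            current = {} if line == "[WireGuardPeer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)  # base64 values may end in '='
            current[key.strip()] = value.strip()
    return peers

def lint_peers(text):
    """Return findings as strings; an empty list means no problem was found."""
    findings, nets = [], []
    for n, peer in enumerate(parse_peers(text), start=1):
        if not (peer.get("PresharedKey") or peer.get("PresharedKeyFile")):
            findings.append(f"peer {n}: no preshared key")
        for item in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.version != 4 or not net.subnet_of(VPN_NET):
                findings.append(f"peer {n}: {net} is outside {VPN_NET}")
            elif net.prefixlen != 32:
                findings.append(f"peer {n}: {net} is wider than one host (/32)")
            if SERVER_IP in net:
                findings.append(f"peer {n}: {net} covers the server address")
            if any(net.overlaps(prev) for prev in nets):
                findings.append(f"peer {n}: {net} overlaps an earlier peer")
            nets.append(net)
    return findings

# Constructed sample, not a real configuration; the keys are fake placeholders.
SAMPLE = """\
[WireGuardPeer]
PublicKey=AAAA-constructed-peer-B=
PresharedKey=PPPP-constructed=
AllowedIPs=10.0.0.2/32
[WireGuardPeer]
PublicKey=BBBB-constructed-peer-C=
AllowedIPs=10.0.0.0/24
"""
if __name__ == "__main__":
    print("\n".join(lint_peers(SAMPLE)))
```

To check the real file, pass the contents of /etc/systemd/network/99-wg0.netdev to `lint_peers` as root; the script only reads the text and never prints key material.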
/etc/systemd/network/99-wg0.network:
```
[Match]
Name=wg0

[Network]
Address=10.0.0.1/24
```
For example, the client configuration for peer B:

```
[Interface]
Address = 10.0.0.2/24
DNS = 192.168.1.1
ListenPort = 38865
MTU = 1330
PrivateKey = <best generated on the client>

[Peer]
PublicKey = <contents of peer_A.pub>
PresharedKey = <contents of peer_A-peer_B.psk>
AllowedIPs = 10.0.0.0/24,<in-home private IPv4 network: e.g. 192.168.x.0/24>,<more in-home networks if needed>
Endpoint = <DNS resolvable hostname of public IP>:38865(51820)
```
Once the information is filled in, the conf file can be transferred to the client. For iOS and Android, QR codes can be used:

```
qr < peer_B.conf
```