**This is an old revision of the document!**
WireGuard access to home network using PiKVM
We can use PiKVM as a device that lets us or others connect to our home network as if they were inside it. This way, friends and family, or we ourselves when travelling, can for example use our media server. There is a WireGuard client for every major OS today, including iOS and Android.
PiKVM will be peer A, other clients will be peer B and so on.
This howto roughly follows the ArchWiki WireGuard documentation.
Prerequisites
We need to install the wireguard-tools package on PiKVM. So access it via ssh/PuTTY as root:
    rw
    pacman -Syu
    pacman -S wireguard-tools
    # We need to allow PiKVM to pass network traffic to the VPN
    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-allow-ip-forward.conf
    # Append (>>) so the IPv4 line above is not overwritten
    echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/99-allow-ip-forward.conf
    # Load this now for the first time
    sysctl -p /etc/sysctl.d/99-allow-ip-forward.conf
We will use the 10.0.0.x network for the VPN connections and port 51820 on our public IP. On the router we will need to:
- Port forward 51820 UDP traffic to our PiKVM
- Add a route for the (publicly unroutable) network 10.0.0.0/24 with PiKVM as the gateway
Setting up PiKVM as peer A
- Generate the private and public key
- Generate a pre-shared key per connection (optional but recommended)
    mkdir -p /root/wireguard
    # This directory will contain a lot of sensitive data, so protect it as well as possible
    # (a directory needs the execute bit to be entered, hence 0700 rather than 0640)
    chmod 0700 /root/wireguard
    cd /root/wireguard
    wg genkey | (umask 0077 && tee peer_A.key) | wg pubkey > peer_A.pub
    wg genpsk | (umask 0077 && tee peer_A-peer_B.psk)
/etc/systemd/network/99-wg0.netdev:
    [NetDev]
    Name=wg0
    Kind=wireguard
    Description=WireGuard tunnel wg0

    [WireGuard]
    ListenPort=51820
    PrivateKey=<contents of peer_A.key>

    [WireGuardPeer]
    PublicKey=...
    PresharedKey=...
    AllowedIPs=10.0.0.2/32

    [WireGuardPeer]
    PublicKey=...
    PresharedKey=...
    AllowedIPs=10.0.0.3/32

    [WireGuardPeer]
    PublicKey=...
    PresharedKey=...
    AllowedIPs=10.0.0.4/32
/etc/systemd/network/99-wg0.network:
    [Match]
    Name=wg0

    [Network]
    Address=10.0.0.1/24
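Since 99-wg0.netdev holds the private key in clear text plus one stanza per peer, it is worth auditing before networkd loads it: file mode, leftover `...` placeholders, peers without a pre-shared key, and peers sharing an address. The script below is an added example, not part of the original howto; the function name `audit_netdev`, the sample file and its all-zero keys are constructed for illustration, and GNU `stat` is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit a networkd WireGuard .netdev.
# Prints one finding per line; returns 0 when clean, 1 with findings, 2 if unreadable.
audit_netdev() {
    local file=$1 mode findings
    mode=$(stat -c '%a' "$file") || return 2
    findings=$(
        # The file embeds PrivateKey, so "other" must have no access at all.
        case $mode in (*0) ;; (*) echo "mode $mode: readable by other users" ;; esac
        awk '
            function endpeer(   p, host) {          # report on the peer just finished
                if (!inpeer) return
                if (psk == "") print "peer " n ": no PresharedKey"
                split(ips, p, "."); host = p[4] + 0
                if (ips !~ /^10\.0\.0\.[0-9]+\/32$/ || host < 2 || host > 254)
                    print "peer " n ": AllowedIPs=" ips " is not one 10.0.0.2-254/32 host"
                else if (seen[ips]++) print "peer " n ": AllowedIPs=" ips " reused"
            }
            /^\[/ { endpeer(); inpeer = ($0 == "[WireGuardPeer]"); n += inpeer
                    psk = ips = ""; next }
            { eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
            # A WireGuard key is 32 bytes: 43 base64 characters plus one "=".
            key ~ /Key$/ && (length(val) != 44 || val !~ "^[A-Za-z0-9+/]+=$") {
                print key ": not a 32-byte base64 key (placeholder left in?)"
            }
            inpeer && key == "PresharedKey" { psk = val }
            inpeer && key == "AllowedIPs"   { ips = val }
            END { endpeer() }
        ' "$file"
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: all-zero keys; peer 2 keeps the "..." placeholder,
# has no PresharedKey and reuses the address of peer 1.
key=$(head -c 32 /dev/zero | base64)
sample=$(mktemp)
printf '%s\n' '[NetDev]' 'Name=wg0' 'Kind=wireguard' '[WireGuard]' 'ListenPort=51820' \
    "PrivateKey=$key" '[WireGuardPeer]' "PublicKey=$key" "PresharedKey=$key" \
    'AllowedIPs=10.0.0.2/32' '[WireGuardPeer]' 'PublicKey=...' \
    'AllowedIPs=10.0.0.2/32' > "$sample"
chmod 0644 "$sample"
audit_netdev "$sample" || true
rm -f "$sample"
```

If the mode is flagged, `chown root:systemd-network` and `chmod 0640` on the file keep it readable by systemd-networkd while hiding the key from other users.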
network/vpn/wireguard_access_to_home_network_using_pikvm.1684094112.txt.gz · Last modified: by admin