WireGuard access to home network using PiKVM
We can use PiKVM as a device that lets us or others connect to our home network as if they were inside it. This way, for example, friends and family, or we ourselves when travelling, can use our media server. There is a WireGuard client for every major OS today, including iOS and Android.
PiKVM will be peer A, other clients will be peer B and so on.
This howto roughly follows the ArchWiki WireGuard documentation.
Prerequisites
We need to install the wireguard-tools package on PiKVM. So access it via ssh/PuTTY as root:
```
rw
pacman -Syu
pacman -S wireguard-tools
# We need to allow PiKVM to pass network traffic to the VPN
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-allow-ip-forward.conf
# Append (>>) so the IPv4 line above is not overwritten
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/99-allow-ip-forward.conf
# Load this now for the first time
sysctl -p /etc/sysctl.d/99-allow-ip-forward.conf
```
We will use the 10.0.0.x network for the VPN connections and port 51820 on our public IP. On the router we will need to:
- Port forward 51820 UDP traffic to our PiKVM
- Add a route for the (publicly unroutable) network 10.0.0.0/24 with PiKVM as the gateway
Setting up PiKVM as peer A
- Generate the private and public key
- Generate a pre shared key per connection (optional but recommended)
```
mkdir -p /root/wireguard
# This directory will contain a lot of sensitive data, so protect it as well as possible
# (0700: a directory needs the execute bit to be entered; group and others get no access)
chmod 0700 /root/wireguard
cd /root/wireguard
wg genkey | (umask 0077 && tee peer_A.key) | wg pubkey > peer_A.pub
wg genpsk | (umask 0077 && tee peer_A-peer_B.psk)
```
/etc/systemd/network/99-wg0.netdev:
```
[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0

[WireGuard]
ListenPort=51820
PrivateKey=<contents of peer_A.key>

[WireGuardPeer]
PublicKey=<generated on the client and pasted here or generated as a key pair like the one for peer A>
PresharedKey=<peer_A-peer_B.psk>
AllowedIPs=10.0.0.2/32

[WireGuardPeer]
PublicKey=...
PresharedKey=...
AllowedIPs=10.0.0.3/32

[WireGuardPeer]
PublicKey=...
PresharedKey=...
AllowedIPs=10.0.0.4/32
```
/etc/systemd/network/99-wg0.network:
```
[Match]
Name=wg0

[Network]
Address=10.0.0.1/24
```
A typical client conf file (peer_B and so on)
E.g. for peer B:
```
[Interface]
Address = 10.0.0.2/24
DNS = 192.168.1.1
ListenPort = 38865
MTU = 1330
PrivateKey = <best generated on the client>

[Peer]
PublicKey = <contents of peer_A.pub>
PresharedKey = <contents of peer_A-peer_B.psk>
AllowedIPs = 10.0.0.0/24,<in home private IPv4 network: e.g 192.168.x.0/24>,<more in home networks if needed>
Endpoint = <DNS resolvable hostname of public IP>:38865(51820)
```
With the information filled in, the conf file can be transferred to the client. For iOS and Android, QR codes can be used:
```
qr < peer_B.conf
```
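The key placement from the steps above, as an added example that is not part of the original howto: a hypothetical `render_peer` shell function that writes a peer's client conf and the matching `[WireGuardPeer]` stanza for PiKVM, and refuses a tunnel address that is already assigned. It assumes the peer's key pair was generated on PiKVM like peer A's. The function name, its arguments and the `.netdev-stanza` output file are this example's own.

```sh
# render_peer NAME TUNNEL_IP HOME_NET ENDPOINT DNS [NETDEV]
# Hypothetical helper (not from the howto). Run it in /root/wireguard, where
# peer_A.pub, NAME.key, NAME.pub and peer_A-NAME.psk already exist, e.g.:
#   render_peer peer_B 10.0.0.2 192.168.1.0/24 vpn.example.org:51820 192.168.1.1
render_peer() {
    name=$1 ip=$2 homenet=$3 endpoint=$4 dns=$5
    netdev=${6:-/etc/systemd/network/99-wg0.netdev}

    for f in peer_A.pub "$name.key" "$name.pub" "peer_A-$name.psk"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # The tunnel address must be 10.0.0.2-254; 10.0.0.1 is PiKVM (peer A).
    host=${ip#10.0.0.}
    case $host in ''|*[!0-9]*) host=0 ;; esac
    if [ "$host" = "$ip" ] || [ "$host" -lt 2 ] || [ "$host" -gt 254 ]; then
        echo "tunnel IP must be 10.0.0.2-10.0.0.254: $ip" >&2; return 1
    fi

    # WireGuard routes by AllowedIPs, so an address listed under two peers
    # ends up routed to only one of them. Refuse a duplicate.
    if [ -r "$netdev" ] && grep -qxF "AllowedIPs=$ip/32" "$netdev"; then
        echo "$ip/32 is already assigned in $netdev" >&2; return 1
    fi

    (
        umask 077    # both output files embed the preshared key
        # Client side: own private key, peer A's public key, shared PSK.
        printf '%s\n' '[Interface]' "Address = $ip/24" "DNS = $dns" \
            "PrivateKey = $(cat "$name.key")" '' \
            '[Peer]' "PublicKey = $(cat peer_A.pub)" \
            "PresharedKey = $(cat "peer_A-$name.psk")" \
            "AllowedIPs = 10.0.0.0/24,$homenet" "Endpoint = $endpoint" \
            > "$name.conf"
        # PiKVM side: the client's public key, the same PSK, one /32 address.
        printf '%s\n' '[WireGuardPeer]' "PublicKey=$(cat "$name.pub")" \
            "PresharedKey=$(cat "peer_A-$name.psk")" "AllowedIPs=$ip/32" \
            > "$name.netdev-stanza"
    )
}
```

The generated stanza is meant to be appended to `/etc/systemd/network/99-wg0.netdev`; the optional `ListenPort` and `MTU` lines of the client conf are left out.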