Turning a Raspberry Pi 4 into a low-power WireGuard server with PiVPN
Environment
TL;DR
1. Install PiVPN
curl -L https://install.pivpn.io | bash
:::
::: sudo will be used for the install.
::: Hostname length OK
::: Verifying free disk space...
:::
::: Package Cache update is needed, running apt-get update -y ... done!
:::
::: Checking apt-get for upgraded packages.... done!
:::
::: Your system is up to date! Continuing with PiVPN installation...
::: Checking for git... already installed!
::: Checking for tar... already installed!
::: Checking for curl... already installed!
::: Checking for grep... already installed!
::: Checking for dnsutils... already installed!
::: Checking for grepcidr... already installed!
::: Checking for whiptail... already installed!
::: Checking for net-tools... already installed!
::: Checking for bsdmainutils... already installed!
::: Checking for bash-completion... already installed!
::: Checking for dhcpcd5... already installed!
::: Checking for iptables-persistent... already installed!
::: Using User: pi
:::
::: Checking for existing base files...
::: Checking /usr/local/src/pivpn is a repo... OK!
::: Updating repo in /usr/local/src/pivpn from https://github.com/pivpn/pivpn.git ... done!
::: Using VPN: WireGuard
::: Installing WireGuard from Debian package...
::: Checking for wireguard-tools... already installed!
::: Checking for qrencode... already installed!
::: Backing up the wireguard folder to /etc/wireguard_2023-06-15-184008.tar.gz
::: Server Keys have been generated.
::: Server config generated.
::: Install Complete...
::: Restarting services...
::: Checking for unattended-upgrades... not installed!
::: Package unattended-upgrades successfully installed!
::: Setupfiles copied to /etc/pivpn/wireguard/setupVars.conf
::: Installing scripts to /opt/pivpn... done.
::: Flushing writes to disk...
::: done.
:::
2. Enable packet forwarding
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sed -i '/net.ipv6.conf.all.forwarding=1/s/^#//g' /etc/sysctl.conf
sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
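The sed commands in this step only strip a leading "#"; if the forwarding line is not in the file at all, they change nothing and forwarding stays off. The following is an added example, not part of the original article: a function (the name enable_sysctl_key is hypothetical) that handles the commented, missing and already-active cases, demonstrated on a constructed temp file instead of /etc/sysctl.conf. It assumes GNU sed.

```bash
#!/usr/bin/env bash
# Added example: idempotently make "KEY=1" active in a sysctl-style file.
# enable_sysctl_key FILE KEY
enable_sysctl_key() {
    local file key pat
    file=$1
    key=$2
    # Turn each "." into "[.]" so the key matches literally, not as a wildcard.
    pat=$(printf '%s' "$key" | sed 's/\./[.]/g')
    [ -f "$file" ] || : > "$file"          # create the file if it is absent

    # Case 1: already active with value 1 -> nothing to do.
    if grep -Eq "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$file"; then
        return 0
    fi
    # Case 2: present but commented -> uncomment the first occurrence only.
    if grep -Eq "^[[:space:]]*#+[[:space:]]*${pat}[[:space:]]*=" "$file"; then
        sed -i -E "0,/^[[:space:]]*#+[[:space:]]*${pat}[[:space:]]*=.*/s//${key}=1/" "$file"
    else
        # Case 3: line missing -> append it (plain sed would silently do nothing).
        printf '%s=1\n' "$key" >> "$file"
    fi
}

# Constructed sample: IPv4 line commented, IPv6 line missing entirely.
demo_file=$(mktemp)
printf '%s\n' \
    '# Uncomment the next line to enable packet forwarding for IPv4' \
    '#net.ipv4.ip_forward=1' > "$demo_file"

for k in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    enable_sysctl_key "$demo_file" "$k"
    enable_sysctl_key "$demo_file" "$k"    # second run must change nothing
done
cat "$demo_file"
rm -f "$demo_file"
```

On the real system the function would be pointed at /etc/sysctl.conf as root, followed by sysctl -p as in the step above.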
3. Add NAT settings
# /etc/wireguard/wg0.conf
[Interface]
...
ListenPort = 51820
+ PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
+ PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
...
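Review bot: the two MASQUERADE rules in the added PostUp line are each broader than a VPN gateway needs. "-t nat -A POSTROUTING -o eth0 -j MASQUERADE" has no source match, so it rewrites everything leaving eth0, and "-s 10.0.0.0/24 -j MASQUERADE" has no output interface, so it also rewrites tunnel traffic leaving on any interface, including client-to-client traffic going back out of wg0. A single rule scoped on both sides, "-t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE", with the matching -D in PostDown, covers the clients. The 10.0.0.0/24 value should be checked against the Address in the elided part of [Interface], and eth0 is hard-coded, so it needs adjusting if the Pi's uplink is another interface. The FORWARD rules accept all traffic in both directions on %i; restricting the "-o %i" rule to established connections would stop the LAN side from opening new connections to VPN clients if that is not wanted.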
systemctl restart wg-quick@wg0
4. Open port 51820/udp
Refer to your router's manual.
5. Add a client configuration
pivpn add
Enter a Name for the Client: bugdroid
::: Client Keys generated
::: Client config generated
::: Updated server config
::: Updated hosts file for Pi-hole
::: WireGuard reloaded
======================================================================
::: Done! bugdroid.conf successfully created!
::: bugdroid.conf was copied to /home/pi/configs for easytransfer.
::: Please use this profile only on one device and create additional
::: profiles for other devices. You can also use pivpn -qr
::: to generate a QR Code you can scan with the mobile app.
======================================================================
pivpn -qr
:: Client list ::
1) bugdroid
Please enter the Index/Name of the Client to show: 1
::: Showing client bugdroid below
6. Try it out
Install the client and try connecting.
7. Check the connection
pivpn -c
::: Connected Clients List :::
Name Remote IP Virtual IP Bytes Received Bytes Sent Last Seen
bugdroid XXX.XXX.XXX.XXX:XXXXX XXX.XXX.XXX.XXX 6KiB 9KiB Jun 15 2023 - 16:30:10