Setup PiVPN Endpoint Device
- Part 1: Enable SSH
- Part 2: Install Pi-Hole
- Part 3: Install PiVPN
- Part 4: Add users to PiVPN
- Part 5: Create a Split-tunnel user in PiVPN
- Part 6: Setup PiVPN Endpoint Device
- Part 7: Remove PiVPN user/client
So PiVPN is set up. We’ve added the user/client into PiVPN. Now we need to set up the endpoint so it can connect back to PiVPN.
When we set up PiVPN we had to make a choice. We had to choose whether we wanted to use WireGuard or OpenVPN for the “magic” behind our VPN. In my article, we set up PiVPN using WireGuard, which was the PiVPN default.
So… we are going to want to download and install the WireGuard client on our endpoint device(s). Go ahead and get the latest/greatest version of the WireGuard client for your Operating System directly from WireGuard.
https://www.wireguard.com/install/
I’ll go over how to add it via QR code on your mobile iOS device, as well as how to add it from a config file onto a desktop PC.
Note: If you created both a full and split-tunnel VPN client/user, then you will need to repeat the steps below to add the second profile.
Mobile Devices
Using a mobile OS like Apple’s iOS or Google’s Android, or another system that can read a QR code, is probably going to be the easiest way to set up the endpoint device with its PiVPN configuration and encryption keys.
On the RPi, it’s possible to use PiVPN to generate a QR code for each client/device that you set up. That QR code will hold all the info that WireGuard needs on the endpoint to properly configure it. Just remember to guard that QR code and keep it safe… as it is literally the keys to your Castle/Home Network.
On the RPi, enter the following command:
pivpn -qr
PiVPN will then list the users you have created, and you can choose which user you want a QR code to be generated for.
In my example, I get the QR code for the user “P-W-W-F”
On your mobile iOS device, open the WireGuard app.
Tap “+” to add a new tunnel.
Then tap “Create from QR code”.
Your phone’s camera will open and allow you to scan the QR code.
Give the VPN connection a name when prompted. I used the name “PiVPN”.
Click “Allow” when prompted to allow WireGuard to “Add VPN Configurations” to your device.
It will then proceed to auto-magically set everything up for you.
You’ll have a simple toggle available in the WireGuard app that you can use to enable/disable your VPN.
Desktop Devices
Setting up the WireGuard app on a desktop is not hard, but it’s not as easy as simply scanning a QR code. PiVPN will automatically generate a file that will contain the configuration and encryption keys for each user/client, as you create each of your users/clients. We just have to copy that file from the RPi on to our desktop.
When we created the user/client in PiVPN, it generated a file named “User/Client.conf” and placed it in the RPi user’s home folder.
In my example below, when I created the user “P-W-W-F” it generated the file “P-W-W-F.conf” and placed it in the folder “/home/pi/configs”.
From your Desktop, open WinSCP, and connect to your RPi.
On the RPi side, navigate to the folder that was listed when you created your user/client in PiVPN.
Copy that “User/Client.conf” file over to your desktop.
On your Desktop, open the WireGuard app.
Click the “Import tunnel(s) from file” button.
Browse to the file you copied off of your RPi, and click ‘Open’.
It will load all of your settings. Click the ‘Activate’ button to turn on your VPN.
Your PiVPN VPN using WireGuard is now active. You are now connected to it and can access all of your resources safely and securely.
To disconnect, just click the “Deactivate” button.
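Since that .conf file carries the client’s private key along with the tunnel settings, it is worth looking at before you copy it around. The sketch below is an added example (not part of PiVPN or WireGuard): it reads a profile and reports whether it is a full or split tunnel, which DNS server and endpoint it uses, and whether other local accounts can read the file. The sample profile, its placeholder keys and the vpn.example.net endpoint are constructed, and the permission check assumes a POSIX system such as the RPi.

```python
import ipaddress
import stat
import tempfile
from pathlib import Path

# Constructed sample profile; key values are placeholders, not real key material.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_conf(text):
    """Parse WireGuard INI-style text into {section: {key: value}} (one peer assumed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            current[key.strip().lower()] = value.strip()
    return sections

def audit_profile(path):
    """Return the facts worth checking before a client profile is handed out."""
    conf = parse_conf(Path(path).read_text(encoding="utf-8"))
    iface, peer = conf.get("interface", {}), conf.get("peer", {})
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("allowedips", "").split(",") if n.strip()]
    mode = Path(path).stat().st_mode
    return {
        # A /0 route sends all traffic through the tunnel (full tunnel).
        "full_tunnel": any(n.prefixlen == 0 for n in nets),
        "dns": iface.get("dns"),
        "endpoint": peer.get("endpoint"),
        "holds_private_key": "privatekey" in iface,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d, "sample.conf")
        sample.write_text(SAMPLE_CONF)
        print(audit_profile(sample))
```

If readable_by_others comes back True for a real profile on the RPi, tighten it with chmod 600, and delete any extra copies of the file once the tunnel has been imported.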
Next Article in this series: Remove PiVPN user/client
So, I went through all the steps and I added the vpn (Wireguard) to my phone. After I connect to it, I’m no longer able to access the internet. I don’t know where I went wrong. Help please!
It sounds like you need to configure a split-tunnel. Check out part 5 of this series.
This looks like exactly the steps I need to finish (setting up vpn client via ethernet). I’m just a little uncomfortable with the backports commands in Debian (looks like I need this to enable wireguard).
Any tips or guidance would be welcome. Much appreciated.
Neil.
This may be a silly question 🙂 but I have been struggling with it.
Do I need to use the WireGuard client on my home LAN machine in order for this to work properly and encrypt my DNS queries?
How can I test this setup?