Install PiVPN with Wireguard on a Raspberry Pi with PiHole

PiHole dashboard with client connected through WireGuard VPN

This is an add-on article after my previous article —Setting up PiHole and PiVPN for privacy and security in the IoT era — where I described how to install PiHole and PiVPN with OpenVPN server on a RaspBerry Pi. Since then, PiVPN has added support for WireGuard. WireGuard is a new kind of VPN that provides near-instantaneous connection speed, high performance, modern cryptography. It’s the recommended choice especially if you use mobile devices where WireGuard is easier on battery than OpenVPN. You can follow the instructions below if you are looking to install PiVPN with WireGuard.

Installing PiVPN with WireGuard

A VPN allows you to connect to local devices on your home network from external networks, while keeping your devices hidden from the internet. PiVPN developers were inspired by PiHole to create an easy to setup step-by-step installation of WireGuard and OpenVPN server on your Pi. To set up PiVPN with WireGuard on the same Pi as the PiHole —

1. Set up port forwarding on your router for a port that will be used for the VPN connection. The default WireGuard port is 51820, but for higher security, it’s recommended to forward a non-standard port.
2. Connect to your Pi using ssh pi@ip.add.re.ss. Then the following command will take you through a step-by-step installation of PiVPN—
   curl -L https://install.pivpn.io | bash
   During the setup, select the WireGuard option on the “Installation Mode” page.
3. Set up the WireGuard port to the port number that was forwarded on your router.
4. If you would like to use PiHole DNS for your VPN traffic, PiVPN automatically detects the PiHole installation and gives you the option to select PiHole DNS for your VPN traffic. Select the option if desired.
5. After the server installation is complete, reboot the Pi.
6. After the server is set up on your Pi, you’ll need to create VPN clients to use on devices that you would use to connect to the VPN server.
   Connect to your Pi using ssh pi@ip.add.re.ss..
   Then create a client using pivpn add which will create a .conf file.
7. To use VPN on a Windows/Mac/Linux client, download the .conf file using scp/sftp/Cyberduck. For example, on my Macbook, I used
   scp pi@ip.add.re.ss:configs/yourClientName.conf .
You can then connect to the VPN server using the WireGuard GUI client for your Windows/Mac.
   To use VPN on a mobile device, the process is even easier using QR codes. You can generate a QR code using pivpn -qr for the client, and add the client to the device on the WireGuard app using the QR code option in the app and the camera on your device.
8. That’s it, you are done! Just connect to VPN from your client and you will be able to access your local devices, like your NAS, backup disk, PiHole web dashboard or the Pi using SSH, from any external network.

To test if everything is working as intended, connect a device to an external network like your mobile internet and connect to the VPN server. Then try to open a page available only on your home network like your router admin page (192.168.1.254 for my AT&T router).

If you selected the option to use PiHole as the DNS, to test if VPN traffic is being routed through your PiHole, look for queries from your VPN connected devices on the PiHole web dashboard (generally shown as 10.0.6.x or clientname.pivpn), or go to a website like http://thepcspy.com/blockadblock .