Build a Raspberry Pi Travel Gateway with WireGuard for Safe Remote Access to Your Home Lab
A Raspberry Pi travel gateway pattern for secure WireGuard access back to a home lab while away from the trusted network.
Expected Outcome
A working Raspberry Pi travel gateway that provides secure remote access to your home lab using WireGuard.
Assumptions
- A Raspberry Pi (Model 3 or later)
- MicroSD card (at least 16GB)
- Power supply for Raspberry Pi
- Internet connection
- Basic knowledge of Linux command line
- Access to your home network router for port forwarding
Bill of Materials
- Raspberry Pi OS installed on the microSD card
- WireGuard software
- SSH client (e.g., PuTTY or Terminal)
Build Steps
- Prepare the Raspberry Pi
Set up the Raspberry Pi with the Raspberry Pi OS and ensure it is connected to the internet.
Changes system state: review before running
sudo apt update
sudo apt upgrade -y
sudo raspi-config
- Install WireGuard
Install WireGuard on your Raspberry Pi to enable VPN capabilities.
Changes system state: review before running
sudo apt install wireguard -y
- Configure WireGuard
Generate the WireGuard keys and configure the server settings.
Security-sensitive: review before running
# Restrict permissions first so the private key file is not readable by other users
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
sudo nano /etc/wireguard/wg0.conf
- Edit WireGuard Configuration
Add the server configuration to the wg0.conf file.
Example pattern only. Adjust for your environment before running.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
# wg-quick does not expand $(cat privatekey); paste the contents of the privatekey file here
PrivateKey = <server_private_key>

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
- Enable IP Forwarding
Allow the Raspberry Pi to forward IP packets.
Changes system state: review before running
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
- Start WireGuard
Start the WireGuard service and enable it to run on boot.
Changes system state: review before running
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
- Configure Port Forwarding on Router
Set up port forwarding on your home router to direct traffic to the Raspberry Pi.
Example pattern only. Adjust for your environment before running.
Access your router settings and forward UDP port 51820 to the Raspberry Pi's local IP address.
- Set Up Client Configuration
Create a client configuration file for connecting to the WireGuard server.
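Security-sensitive: review before running
# Restrict permissions first so the client private key file is not readable by other users
umask 077
wg genkey | tee client_privatekey | wg pubkey > client_publickey
sudo nano /etc/wireguard/client.conf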
- Edit Client Configuration
Add the client configuration to the client.conf file.
Example pattern only. Adjust for your environment before running.
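[Interface]
Address = 10.0.0.2/24
# wg-quick does not expand $(cat ...); paste the contents of client_privatekey here
PrivateKey = <client_private_key>

[Peer]
# Paste the contents of the server's publickey file here
PublicKey = <server_public_key>
Endpoint = <your_public_ip>:51820
# 0.0.0.0/0 routes all of the client's IPv4 traffic through the tunnel
AllowedIPs = 0.0.0.0/0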
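An added example, not part of the original guide: wg-quick reads wg0.conf literally and never runs shell substitutions, so the private key has to be written into the file as text. The hypothetical helpers `render_wg_server_conf` and `check_wg_conf` write the server configuration from the Edit WireGuard Configuration step with owner-only permissions, then flag leftover `$(...)` text, `<placeholder>` values, malformed keys, and files readable beyond the owner.

```shell
#!/bin/sh
# Added example; function names are hypothetical, addresses come from the guide.

# render_wg_server_conf KEYFILE PEER_PUBKEY OUTFILE
# Writes the server config with the key inlined as text, mode 0600.
render_wg_server_conf() {
    keyfile=$1; peer_pub=$2; out=$3
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }
    (
        umask 077                       # new file is never group/world readable
        priv=$(cat "$keyfile")
        printf '%s\n' \
            '[Interface]' \
            'Address = 10.0.0.1/24' \
            'ListenPort = 51820' \
            "PrivateKey = $priv" \
            '' \
            '[Peer]' \
            "PublicKey = $peer_pub" \
            'AllowedIPs = 10.0.0.2/32' > "$out"
        chmod 600 "$out"                # also tightens a pre-existing file
    )
}

# check_wg_conf FILE: prints one line per finding; exit status = finding count.
check_wg_conf() {
    f=$1; n=0
    if grep -Fq '$(' "$f"; then
        echo "$f: shell substitution is not expanded by wg-quick"; n=$((n + 1))
    fi
    if grep -Eq '^(PrivateKey|PublicKey|Endpoint)[[:space:]]*=[[:space:]]*<' "$f"; then
        echo "$f: placeholder value left in place"; n=$((n + 1))
    fi
    # A WireGuard key is 32 bytes in base64: 43 characters plus one '='.
    if ! grep -Eq '^PrivateKey[[:space:]]*=[[:space:]]*[A-Za-z0-9+/]{43}=$' "$f"; then
        echo "$f: PrivateKey is not a 44-character base64 key"; n=$((n + 1))
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: readable beyond the owner, run chmod 600"; n=$((n + 1))
    fi
    return "$n"
}
```

Run `check_wg_conf /etc/wireguard/wg0.conf` as root before `wg-quick up wg0`; a non-zero exit status means at least one finding was printed.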
Validation
- Connect to the WireGuard server from the client device using the client configuration.
- Test access to your home lab resources.
Troubleshooting
- If a step fails, capture the exact command, exit code, and log line before retrying or changing the design.
- Check route tables, DNS resolution, firewall rules, and peer status from both sides of the connection.
Cleanup or Rollback
- Keep a copy of working configuration, compose files, scripts, and service credentials before removing containers, packages, or data directories.
- Export current network, DNS, VPN, and firewall settings before changing routes, peers, or resolver configuration.
- Rollback by restoring the prior route, peer, DNS, or firewall configuration and restarting only the affected service.
Next Improvements
- Secure your Raspberry Pi with additional firewall rules.
- Explore advanced WireGuard configurations for multiple clients.