In the journey of creating a Hub, before we start programming or building the website, let's set up the Pi so that we can reach it over mobile internet.
For that we could use Cloudflare Tunnel or Tailscale, but both are overpowered for this setup. I don't want Cloudflare sitting between me and my data; I can't trust any third party, so I am not going to use it. Tailscale has some awesome features, but to use it I need to make an account, and every new person who joins the network needs to create a Tailscale account too. I don't think I will create an account on a third-party service just to access my self-hosted server.
That leaves setting up my own VPN on the Pi and connecting my devices to it whenever I am on the mobile network.
For that, I will use WireGuard.
Why? Because it is open source, lightweight and free.
Let's set it up.
Installing WireGuard on the Pi:
sudo apt update
sudo apt install wireguard -y
and verify by printing its version:
wg --version
Now, for this to work, we need to create the Pi's private and public keys:
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard
sudo wg genkey | sudo tee /etc/wireguard/server_private.key | sudo wg pubkey | sudo tee /etc/wireguard/server_public.key
Now you should find these two files inside /etc/wireguard:
-rw------- 1 root root 45 server_private.key
-rw------- 1 root root 45 server_public.key
If not, regenerate the keys.
For me, it worked. Now let's add some config.
sudo nano /etc/wireguard/wg0.conf
with this config:
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PASTE server_private.key CONTENT>
SaveConfig = true
I am using 10.10.0.1/24 as the subnet: it is easy for me to remember and will not conflict with anything on my LAN.
Now I will enable IP forwarding by adding net.ipv4.ip_forward=1 to /etc/sysctl.conf and applying the change with
sudo sysctl -p
It should echo the setting back as net.ipv4.ip_forward = 1.
Now, let's enable WireGuard:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
and verify with sudo wg.
Now it is time to install the official WireGuard Android app on the phone and add it as a peer.
Create a new tunnel in the app and let it generate its public and private keys. On the Pi, take the interface down first, because with SaveConfig = true wg-quick writes the running configuration back to wg0.conf when the interface goes down and would overwrite a peer you added by hand while it was up:
sudo wg-quick down wg0
Then add the peer at the bottom of /etc/wireguard/wg0.conf:
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32
and bring it back up:
sudo wg-quick up wg0
Finally, in the WireGuard app on the phone, set
Address = 10.10.0.2/32
DNS = 192.168.1.1 # your gateway IP
and add a peer there:
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <YOUR_PUBLIC_IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
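Both sides of the tunnel as one worked example. This is an added illustration, not the author's config or a WireGuard tool: it renders the Pi-side wg0.conf and the phone-side tunnel from the values above and refuses obviously broken peer entries (a peer AllowedIPs that is not a single /32, lies outside the tunnel subnet, or collides with another peer). It also adds the iptables masquerade rule that the config on the page leaves out; without it, replies from LAN hosts and the Internet have no route back to 10.10.0.x. The LAN interface name eth0, the placeholder keys and the DuckDNS hostname are assumptions to replace with your own.

```python
import ipaddress

# Added example, not the author's setup script. Placeholder keys and the
# "eth0" LAN interface name are assumptions; substitute your own values.


def build_server_conf(subnet, listen_port, private_key, peers, wan_if="eth0"):
    """Render the Pi-side wg0.conf.

    subnet      Pi's tunnel address with prefix, e.g. "10.10.0.1/24"
    peers       list of (public_key, allowed_ip) where allowed_ip is a /32
    wan_if      LAN-facing interface used by the masquerade rule (assumed "eth0")
    """
    iface = ipaddress.ip_interface(subnet)
    if not 1 <= listen_port <= 65535:
        raise ValueError("ListenPort must be 1-65535")
    seen = set()
    for pub, allowed in peers:
        host = ipaddress.ip_network(allowed)
        if host.prefixlen != 32:
            raise ValueError(f"peer {pub}: AllowedIPs must be one /32 host, got {allowed}")
        if host.network_address not in iface.network:
            raise ValueError(f"peer {pub}: {allowed} lies outside {iface.network}")
        if host.network_address == iface.ip:
            raise ValueError(f"peer {pub}: {allowed} is the server's own address")
        if host in seen:
            raise ValueError(f"peer {pub}: {allowed} is already assigned to another peer")
        seen.add(host)
    lines = [
        "[Interface]",
        f"Address = {iface.with_prefixlen}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {private_key}",
        # SaveConfig is deliberately left out so hand edits to the file survive
        # a wg-quick down. The NAT rule lets replies from LAN hosts and the
        # Internet find their way back to the tunnel; %i is the interface name.
        f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
        f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE",
    ]
    for pub, allowed in peers:
        lines += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {allowed}"]
    return "\n".join(lines) + "\n"


def build_phone_conf(address, dns, private_key, server_pub, endpoint,
                     full_tunnel=True, vpn_subnet="10.10.0.0/24",
                     lan_subnet="192.168.1.0/24", keepalive=25):
    """Render the phone-side tunnel.

    full_tunnel=True routes everything through the Pi (AllowedIPs = 0.0.0.0/0,
    as on the page); False sends only the VPN and home LAN subnets through it
    and leaves the rest of the phone's traffic on the mobile network.
    """
    host, _, port = endpoint.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("Endpoint must be host:port")
    addr = ipaddress.ip_interface(address)
    allowed = "0.0.0.0/0" if full_tunnel else f"{vpn_subnet}, {lan_subnet}"
    lines = [
        "[Interface]",
        f"Address = {addr.with_prefixlen}",
        f"DNS = {dns}",
        f"PrivateKey = {private_key}",
        "",
        "[Peer]",
        f"PublicKey = {server_pub}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {allowed}",
        f"PersistentKeepalive = {keepalive}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_server_conf("10.10.0.1/24", 51820, "<PASTE server_private.key CONTENT>",
                            [("<PHONE_PUBLIC_KEY>", "10.10.0.2/32")]))
    print(build_phone_conf("10.10.0.2/32", "192.168.1.1", "<PHONE_PRIVATE_KEY>",
                           "<SERVER_PUBLIC_KEY>", "<YOUR_SUBDOMAIN>.duckdns.org:51820",
                           full_tunnel=False))
```

The split-tunnel variant (full_tunnel=False) is worth considering on a phone: only traffic for the Pi's subnet and the home LAN goes through the tunnel, so a flaky mobile connection to the Pi does not take the phone's whole Internet down with it.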
At this point I don't have a static public IP, as my ISP doesn't know I am homelabbing. If you can get a static IP, use it; otherwise there is a workaround.
I will use DuckDNS, which makes my dynamic IP look like a static one. On top of that it is free, lightweight and has no vendor lock-in, and it is not a proxy, just a DNS record. To hook it up, go to https://www.duckdns.org, create an account and add a domain. Name it whatever you want; it is not a public address, just a name that points at your public IP.
Then use that subdomain as the Endpoint.
We need a cron job to push the latest IP to DuckDNS. For that, create a script on the Pi:
sudo apt install curl -y
mkdir -p ~/duckdns
nano ~/duckdns/update.sh
containing:
#!/bin/bash
# The token in this URL is the credential that updates your DuckDNS record, so keep this file private.
# -k skips TLS certificate verification; duckdns.org serves a valid certificate, so the flag can be dropped.
echo url="https://www.duckdns.org/update?domains={YOUR_SUBDOMAIN}&token={YOUR_TOKEN}&ip=" | curl -k -o ~/duckdns/duck.log -K -
Replace YOUR_TOKEN with the token from your DuckDNS dashboard and YOUR_SUBDOMAIN with your own subdomain.
Now make it executable and test it:
chmod +x ~/duckdns/update.sh
~/duckdns/update.sh
cat ~/duckdns/duck.log
It should print OK, not KO. If it says KO, the setup failed: check your token and subdomain.
Now let's add a cron job:
crontab -e
and add this line to run the script every 5 minutes:
*/5 * * * * ~/duckdns/update.sh >/dev/null 2>&1
Now let's try to connect: turn the VPN on on the phone. It should connect, and when you run
sudo wg
on the Pi you will see the device listed with
latest handshake: X seconds ago
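Reading that handshake line by eye works for one phone, but the check is easy to script. The following is an added example (not the author's code and not part of WireGuard): it parses the output of sudo wg, converts "latest handshake: 1 minute, 23 seconds ago" into seconds and labels each peer as connected, stale or never handshaked, which is exactly the symptom you see when the Endpoint cannot be reached. The sample output below is constructed, with placeholder keys and documentation addresses.

```python
import re
import sys

# Constructed sample of `sudo wg` output (added example; not captured from the
# author's Pi). Keys are placeholders, not real WireGuard keys.
SAMPLE_WG_OUTPUT = """\
interface: wg0
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: PHONE_PUBLIC_KEY_PLACEHOLDER=
  endpoint: 203.0.113.10:41641
  allowed ips: 10.10.0.2/32
  latest handshake: 1 minute, 23 seconds ago
  transfer: 12.34 KiB received, 45.67 KiB sent
  persistent keepalive: every 25 seconds

peer: LAPTOP_PUBLIC_KEY_PLACEHOLDER=
  allowed ips: 10.10.0.3/32
"""

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text):
    """Turn '1 minute, 23 seconds ago' into 83 (seconds)."""
    total = 0
    for value, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text):
        total += int(value) * _UNIT_SECONDS[unit]
    return total


def parse_wg(output):
    """Return {peer_public_key: {"endpoint", "allowed_ips", "handshake_age"}}.

    handshake_age is None for a peer that has never completed a handshake.
    """
    peers, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = {"endpoint": None, "allowed_ips": None, "handshake_age": None}
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "endpoint":
                peers[current]["endpoint"] = value
            elif key == "allowed ips":
                peers[current]["allowed_ips"] = value
            elif key == "latest handshake":
                peers[current]["handshake_age"] = handshake_age_seconds(value)
    return peers


def peer_status(output, max_age=180):
    """Label each peer 'connected', 'stale' (last handshake older than max_age
    seconds) or 'never' (no handshake at all, the symptom when the Endpoint is
    unreachable). WireGuard re-handshakes roughly every two minutes while
    traffic flows and PersistentKeepalive = 25 keeps traffic flowing, so three
    minutes is a reasonable cut-off."""
    status = {}
    for key, info in parse_wg(output).items():
        age = info["handshake_age"]
        if age is None:
            status[key] = "never"
        elif age > max_age:
            status[key] = "stale"
        else:
            status[key] = "connected"
    return status


if __name__ == "__main__":
    # Usage on the Pi:  sudo wg | python3 wgcheck.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WG_OUTPUT
    for key, state in peer_status(text).items():
        print(f"{state:9} {key}")
```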
If no handshake shows up, then hello my friend, me too. My ISP uses CGNAT (Carrier-Grade Network Address Translation), so the ISP controls the router, and as a user I cannot forward any port on IPv4.
Then what to do?
You know what, after hours of research I found that I cannot forward a port by any means, so the last option is to use Tailscale, and with that one of my requirements is broken. But it is not my mistake; I cannot control my ISP's behaviour, so I have to use Tailscale.
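The hours of research could have been a two-minute check. As an added example (not from the page), the snippet below classifies the WAN address your router shows on its status page: an address in 100.64.0.0/10, the RFC 6598 shared range, means the ISP is doing CGNAT, and an RFC 1918 address means a second NAT device sits in front of the router. Comparing the router's WAN address with what a public "what is my IP" service reports catches the remaining case where a public-looking address is still translated upstream. The addresses in the usage section are constructed documentation-range values, not real ones.

```python
import ipaddress

# Added example, not from the page. Addresses in the usage are documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify(addr):
    """Label an address: 'public', 'private' (RFC 1918), 'cgnat' (RFC 6598),
    'loopback', 'link-local' or 'ipv6'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip in CGNAT_SHARED:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def diagnose(router_wan_ip, external_ip):
    """Decide whether an inbound port forward to the Pi can work at all.

    router_wan_ip  the WAN/Internet address shown on the home router's status page
    external_ip    the address a public "what is my IP" service reports for you
    Returns (verdict, explanation).
    """
    kind = classify(router_wan_ip)
    if kind == "cgnat":
        return ("cgnat", "router WAN address is in 100.64.0.0/10: the ISP translates it "
                         "again, so inbound UDP 51820 never reaches the router")
    if kind == "private":
        return ("double-nat", "router WAN address is RFC 1918: another NAT device (ISP "
                              "modem or CPE) sits in front of it and would also need a forward")
    if kind == "public":
        if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(external_ip):
            return ("cgnat", "router holds a public-looking address, but the Internet sees "
                             "a different one, so translation still happens upstream")
        return ("ok", "router holds the public address itself; a port forward for "
                      "UDP 51820 to the Pi can work")
    return ("unknown", f"unexpected WAN address class: {kind}")


if __name__ == "__main__":
    # Constructed values: a CGNAT pool address vs. the address seen from outside.
    print(diagnose("100.72.3.9", "203.0.113.4"))
    print(diagnose("203.0.113.4", "203.0.113.4"))
    print(diagnose("192.168.100.2", "203.0.113.4"))
```

The "double-nat" verdict is the one worth a second look: some ISPs hand out a modem in bridge mode on request, which turns that case into a plain port forward, whereas the "cgnat" verdict is what forced the switch to Tailscale here.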
So we don't need DuckDNS now; let's remove the cron job and WireGuard.
If you followed along, you now know what wasting time feels like.
crontab -e    # delete the */5 update.sh line
rm -rf ~/duckdns
sudo systemctl stop wg-quick@wg0
sudo systemctl disable wg-quick@wg0
sudo apt purge wireguard wireguard-tools -y
sudo apt autoremove -y
sudo rm -rf /etc/wireguard
Then remove the net.ipv4.ip_forward=1 line from /etc/sysctl.conf with sudo nano /etc/sysctl.conf.
Now create an account at https://login.tailscale.com, then add the devices and install it on the Pi:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
and it is online.
You can check it on the Tailscale dashboard.
Now we can focus on building: the Pi is reachable both on the local network and online.
Just run a server on it and we are good to go.