WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be considerably more performant than OpenVPN, and is generally regarded as the most secure, easiest to use, and simplest VPN solution for modern Linux distributions.
WireGuard may be optionally installed by the Quick Installer. Once this is done, you can manage both local and remote server settings, create a peer configuration and control the
wg-quick service with RaspAP.
Securing your wireless network
RaspAP gives you two ways to create a secure WireGuard tunnel: 1) by uploading a
.conf file from your VPN provider, or 2) by creating a manual configuration. Each method is described and demonstrated with a short video below.
This method may be used if you are using a commerical WireGuard VPN provider, a self-hosted or other remote WG server. In these cases, it's assumed you have an existing WireGuard
.conf file and wish
to upload this to RaspAP.
The term "server" is used here as a convenience. WireGuard does not make a distinction between client and server roles. Instead, each node is considered a "peer" in a WireGuard network.
To do this, select the Upload file option under Configuration Method, select a valid WireGuard configuration file and choose Save settings. If your
file does not contain
PostDown rules and you wish to route traffic through the active AP interface, select the Apply iptables rules for AP interface option before uploading your
For security reasons, your WireGuard
.conf file must have a Linux MIME type of
text/plain. Windows ignores MIME types, relying instead on extensions. To avoid errors, be sure your file has a
text/plain MIME type embedded in it before uploading.
The complete process of creating a WireGuard configuration with Mullvad and activating it with RaspAP is demonstrated in the video below.
It should be noted that RaspAP has no affiliation whatsoever with Mullvad. In fact, Mullvad does not use affiliates or pay for reviews. Members of RaspAP's Insiders community have requested support for this VPN provider.
RaspAP will handle uploading your
.conf file and, optionally, applying any
iptables rules. To enable the tunnel, choose Start WireGuard. The WireGuard protocol is extremely fast, so in most cases
your new public IPv4 address will be indicated almost immediately. Click or tap the icon to open a new window with details about your public IP.
Verifying client connections
If you have chosen to route traffic from the
wg0 interface to the AP interface, you may verify that your clients are secured by the WireGuard VPN. Start by connecting a client to your AP while
WireGuard is enabled. Again, using Mullvad as an example, visit their connection check page on your client device. If the tunnel is working correctly, you should see
a result like the following:
If any of the above checks fail, enable WireGuard service logging in RaspAP and check the output. You may also consult your VPN provider's support.
RaspAP currently handles routing of IPv4 traffic only. For this reason, WireGuard server connections and traffic tunneled on IPv6 are incompatible. The solution is to specify IPv4 in your WireGuard VPN provider's advanced options (Mullvad is shown below):
Alternatively, open your
.conf file in a text editor and ensure that the
AllowedIPs settings use IPv4 addresses only, like so:
When this is done, you are ready to upload your configuration to RaspAP.
Alternatively, RaspAP gives you full control over creating a manual WireGuard configuration. This method is useful if you wish to secure your local wireless networkthat is, between your device running RaspAP and the clients connected to it.
WireGuard requires a public and private keypair for each device you wish to have access to the VPN tunnel. RaspAP simplifies this process with a magic button associated with each public key input field. Simply click or tap this button to securely generate a cryptographic keypair for both the server and peer.
Several default values are provided for you as a starting point. These are intended to get a VPN tunnel up and running quickly. They may be modified to suit your needs.
After the keypairs are generated, simply choose Save settings followed by Start WireGuard.
The video walkthrough below illustrates the steps of configuring a WireGuard tunnel from start to finish.
Due to WireGuard’s design, both computers on either end of the VPN tunnel will need to have each other's public key. This is discussed below.
For security reasons, the local (server) private key is not displayed in the UI. The peer private key is encoded in the QR code and available to download in the
If you wish to regenerate local or peer keypairs (or both), simply tap or click the magic button and choose Save settings. Alternatively, to remove a server or peer configuration entirely, disable the desired toggle and Save settings. This will delete the public/private keypair and the associated configuration.
RaspAP processes the values in the WireGuard Settings and Peer tabs and creates two configurations for you:
The former is used to configure the local (server) side of the VPN tunnel. The latter peer configuration is generated as a QR code on the Peer tab. Clients such as mobile devices
may scan the QR code to transfer
client.conf and import it into an associated WireGuard client application.
For this experimental release, a single peer configuration may be created. The ability to manage multiple peer configurations is on the project roadmap.
Your peer will need to have WireGuard installed as well. For installing WireGuard on other systems, please see Wireguard's website.
RaspAP uses WireGuard's
PostDown firewall rules to forward traffic from the
wg0 interface to your configured wireless interface.
In the example below, the default AP interface
wlan0 is used:
iptables rules are defined in WireGuard's default settings and may be modified if you wish.
If your VPN server is behind a NAT, you will need to open a UDP port of your choosing (51820 is the default).
Experimental · Insiders only
In the event that the WireGuard tunnel accidentally goes down, unencrypted traffic may reveal your real IP address. To prevent this from happening, additional
PreDown rules may be
added to the firewall. Simply choose the Enable kill switch option when uploading your WireGuard configuration:
These rules are automatically appended to your configuration.
Some VPN providers give you the option of adding these rules to their Linux configurations. Skip this option as RaspAP needs to add an exclusion rule for your AP interface.
Experimental · Insiders only
RaspAP lets you manage multiple WireGuard configurations. This includes the ability to upload, activate and delete any number of valid wg .conf files. Select the Apply iptables rules for AP interface option when uploading your .conf file to automatically route traffic to connected peers on the AP interface.
Thereafter, switching between your saved configurations is done by simply activating the desired profile. Activating a profile will restart the
wg-quick service automatically. Additionally, WireGuard service activity may be tracked on the Logging tab.
Due to its low overhead compared with OpenVPN, WireGuard is well-suited for applications where battery longevity is a concern. As described by its developer, WireGuard isn't a chatty protocol. For the most part, it only transmits data when a peer wishes to send packets. When it's not being asked to send packets, it stops sending packets until it is asked again.
As a result, your wireless adapter has a higher likelihood of being able to idle down, which leads to better battery life.
See the FAQ section for WireGuard.
Questions or comments about using WireGuard? Join the discussion here.