44Net Connect Routed Subnet: Raspberry Pi
Prerequisites
Set up a single-device tunnel to your Raspberry Pi.
Note the IP and name of your WireGuard interface. The name of your WireGuard interface is the same as the name of your config file. For example, if your config file is /etc/wireguard/wg0.conf, then your interface name is wg0. The IP of your WireGuard interface can be obtained by running ifconfig <interface> and finding the IP listed under the interface in the inet field.
Below is some example output of ifconfig wg0.
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1380
        inet 44.27.133.190  netmask 255.255.255.255  destination 44.27.133.190
        inet6 fe80::f728:a0b0:3af5:b5c6  prefixlen 128  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 17331  bytes 5865364 (5.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13389  bytes 2146828 (2.0 MiB)
        TX errors 0  dropped 1  overruns 0  carrier 0  collisions 0
Optional: Setting Up An Access Point
The recommended way to use a Raspberry Pi as the router for your subnet is with two Ethernet interfaces. The second can be provided by a USB Ethernet adapter or an Ethernet HAT. However, if you have wireless-only clients or do not wish to purchase additional hardware, the Raspberry Pi's WiFi interface can be configured as an access point.
Step 1: Set your wireless regulatory domain
Different countries have different rules about which frequencies and bandwidths devices are allowed to use for WiFi. Setting the regulatory domain ensures that your Pi will use the right ones, making it work best with nearby devices and ensuring regulatory compliance.
The Raspberry Pi OS imager asks you to set the wireless regulatory domain during setup, but does not require it.
If you didn't set the regulatory domain in the imager configuration, set it now by running sudo raspi-config and going to Localisation Options > WLAN Country. Select your country, confirm, and exit. If you're not sure whether you set the wireless regulatory domain, run the command iw reg get. Look at the country set under global. If it says unset, you have not set the regulatory domain.
Step 2: Create a new WiFi connection in nmcli
nmcli is the command-line interface for NetworkManager, which is the high-level network configuration tool included in Raspberry Pi OS and many other Linux distributions. These configuration steps can be completed using the NetworkManager GUI, but many people operate their Raspberry Pis in "headless" mode (without a screen or keyboard) and use SSH to configure them remotely. Thus, this tutorial uses a CLI tool to accommodate that use case.
First, create the connection with the command
sudo nmcli con add con-name <connection name> ifname <interface name> type wifi ssid <SSID>
In this command, <connection name> should be replaced with the name NetworkManager should use to reference this configuration. This name will be used to apply further configuration in later steps. <interface name> should be the wireless interface you're using to create the access point. By default, this is wlan0. <SSID> is the name of your WiFi network that will appear to other devices. If it has spaces, you must enclose it in quotes.
Next, set the access point security and password.
sudo nmcli con modify <connection name> wifi-sec.key-mgmt wpa-psk
sudo nmcli con modify <connection name> wifi-sec.psk <password>
For security, leave only WPA2 enabled. By default, the older WPA protocol is enabled for compatibility, but it only supports the less secure TKIP encryption algorithm.
sudo nmcli con modify <connection name> wifi-sec.proto rsn
Even after disabling the older WPA protocol, WPA2 supports TKIP for compatibility. As an additional security measure, enable only the CCMP encryption algorithm, disabling TKIP.
sudo nmcli con modify <connection name> wifi-sec.pairwise ccmp
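To confirm that the profile really ended up with WPA2 and CCMP only, the following added example (not part of the original tutorial) audits the three security properties set above. It assumes nmcli's terse output prints one property:value line per setting; the function name audit_ap_security and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a NetworkManager WiFi profile for the settings above.
# stdin: terse "property:value" lines (assumed output format of
#   nmcli -t -f 802-11-wireless-security connection show <connection name>)
# Returns 0 when only WPA2 (rsn) with CCMP is enabled, 1 otherwise.
audit_ap_security() {
    key_mgmt="" proto="" pairwise="" status=0
    while IFS=: read -r prop value; do
        case "$prop" in
            802-11-wireless-security.key-mgmt) key_mgmt=$value ;;
            802-11-wireless-security.proto)    proto=$value ;;
            802-11-wireless-security.pairwise) pairwise=$value ;;
        esac
    done
    if [ "$key_mgmt" != "wpa-psk" ]; then
        echo "FAIL key-mgmt is '${key_mgmt:-unset}', expected wpa-psk"; status=1
    fi
    # An unset list leaves the defaults in place, so anything other than
    # exactly "rsn" / "ccmp" (including "wpa,rsn" or "tkip,ccmp") fails.
    if [ "$proto" != "rsn" ]; then
        echo "FAIL proto is '${proto:-unset}', expected rsn only"; status=1
    fi
    if [ "$pairwise" != "ccmp" ]; then
        echo "FAIL pairwise is '${pairwise:-unset}', expected ccmp only"; status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK WPA2 with CCMP only"; fi
    return "$status"
}

# Constructed samples (not captured from a real device).
# Profile right after setting key-mgmt and psk: proto and pairwise still unset.
SAMPLE_DEFAULT='802-11-wireless-security.key-mgmt:wpa-psk
802-11-wireless-security.proto:
802-11-wireless-security.pairwise:'
# Profile after the proto and pairwise commands above.
SAMPLE_HARDENED='802-11-wireless-security.key-mgmt:wpa-psk
802-11-wireless-security.proto:rsn
802-11-wireless-security.pairwise:ccmp'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_ap_security || true
printf '%s\n' "$SAMPLE_HARDENED" | audit_ap_security
```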