====== Setting up a Raspberry Pi as a WireGuard Gateway ======

===== Requirements =====

  * An existing WireGuard server reachable from the Internet (''example.com:12345'')
  * Raspberry Pi 1 Model B
  * USB Ethernet adapter

===== Step by step =====

  - Download Raspberry OS Lite and write it to the SD card (replace ''???'' with the SD card's device): \\ ''sudo dd if=2021-01-11-raspios-buster-armhf-lite.img of=??? bs=4M''
  - Boot (we don't need the USB adapter yet)
  - Set a new password for the user pi: \\ ''passwd''
  - Authenticate as root: \\ ''sudo su''
  - ''apt update; apt dist-upgrade''
  - ''%%systemctl enable --now ssh%%''
  - ''raspi-config''
    * change hostname
    * reduce GPU memory
    * wait for network before booting
  - Add the testing repository and install WireGuard: \\ ''echo "deb http://archive.raspbian.org/raspbian testing main" > /etc/apt/sources.list.d/testing.list'' \\ ''printf 'Package: *\nPin: release a=testing\nPin-Priority: 50\n' | tee --append /etc/apt/preferences.d/limit-testing'' \\ ''apt update'' \\ ''apt install wireguard''
  - Enable IPv4 forwarding: \\ ''echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf''
  - Create a private key for the client: \\ ''wg genkey''
  - Calculate the corresponding public key: \\ ''echo '(INSERT PRIVATE KEY)' | wg pubkey''
  - Create the client config: <code>
[Interface]
PrivateKey = RASPBERRYPRIVATEKEY
Address = 192.168.4.70/24
DNS = 192.168.0.1, 8.8.8.8

[Peer]
PublicKey = SERVERPUBLICKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = example.com:12345
</code>
  - Append a segment to the server's WireGuard config: <code>
[Peer]
# raspberry
PublicKey = RASPBERRYPUBLICKEY
AllowedIPs = 192.168.4.70/32
</code>
  - Restart the WireGuard interface on the server: \\ ''systemctl restart wg-quick@wg0.service''
  - Back on the Raspberry Pi, move the client config to ''/etc/wireguard'', e.g. ''/etc/wireguard/raspberry.conf''. The file contains the private key, so it should be readable by root only.
  - ''systemctl start wg-quick@raspberry''
  - Verify that the interface is used, e.g. \\ ''traceroute google.com''
  - Enable the service to make it permanent: \\ ''systemctl enable wg-quick@raspberry''
  - Install the DHCP server: \\ ''apt install isc-dhcp-server''
  - Plug in the USB adapter and check its interface name (should be ''eth1'')
  - Edit the interface config ''/etc/network/interfaces.d/eth1'': <code>
auto eth1
iface eth1 inet static
    address 192.168.100.1
    netmask 255.255.255.0
</code>
  - Edit this line in ''/etc/default/isc-dhcp-server'': \\ ''INTERFACESv4="eth1"''
  - Edit ''/etc/dhcp/dhcpd.conf'': <code>
option domain-name-servers 8.8.8.8, 8.8.4.4;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.100.255;

subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.20 192.168.100.100;
    option routers 192.168.100.1;
}
</code>
  - ''systemctl restart isc-dhcp-server''
  - Add the iptables NAT rule that masquerades traffic leaving through the tunnel interface: \\ ''iptables -t nat -A POSTROUTING -o raspberry -j MASQUERADE''
  - Save the iptables config: \\ ''apt install iptables-persistent'' \\ ''iptables-save > /etc/iptables/rules.v4''
  - Make sure the iptables config is loaded at boot: \\ ''echo '/sbin/iptables-restore < /etc/iptables/rules.v4' >> /etc/rc.local''
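
The steps above add a single MASQUERADE rule and leave the FORWARD chain at its default policy, so while the tunnel is down, packets arriving on ''eth1'' are forwarded along the normal default route instead of through WireGuard. The following is an added example, not part of the original page: it audits an iptables-save dump such as ''/etc/iptables/rules.v4'' for that gap. The function names, the abbreviated sample dumps and the default-deny FORWARD rules are assumptions made for illustration.

```shell
# Added example, not from the original page: audit an iptables-save dump for
# the gateway above. Defaults follow the page: tunnel "raspberry", LAN "eth1".
flag() { echo "$1"; findings=$((findings + 1)); }
# audit_rules FILE [WG_IFACE] [LAN_IFACE]: prints one line per finding and
# returns the number of findings (0 = clean).
audit_rules() {
    file=$1; wg=${2:-raspberry}; lan=${3:-eth1}; findings=0
    # (a) LAN traffic must be NATed into the tunnel.
    grep -Eq -- "^-A POSTROUTING .*-o $wg .*-j MASQUERADE" "$file" ||
        flag "missing: MASQUERADE on $wg"
    # (b) NAT on any other interface gives clients a working path around the VPN.
    grep -E -- '^-A POSTROUTING .*-j MASQUERADE' "$file" | grep -vq -- "-o $wg " &&
        flag "leak: MASQUERADE on an interface other than $wg"
    # (c) Policy ACCEPT forwards LAN packets via the normal default route
    #     whenever the tunnel is down.
    grep -q -- '^:FORWARD DROP' "$file" || flag "leak: FORWARD policy is not DROP"
    # (d) ACCEPT rules for LAN traffic must name the tunnel as output interface.
    grep -E -- "^-A FORWARD .*-i $lan .*-j ACCEPT" "$file" | grep -vq -- "-o $wg " &&
        flag "leak: FORWARD accepts $lan traffic to a non-tunnel interface"
    return "$findings"
}

# Constructed, abbreviated dump: the state after the page's single NAT rule.
page_rules() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o raspberry -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}
# Constructed, abbreviated dump: same NAT rule plus an assumed default-deny FORWARD chain.
hardened_rules() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o raspberry -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o raspberry -j ACCEPT
-A FORWARD -i raspberry -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

t=$(mktemp); page_rules > "$t"; audit_rules "$t" || true; rm -f "$t"  # demo run
```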