PiVPN is a package that enables a Raspberry Pi to work as a VPN server, using one of two free, open-source protocols: WireGuard or OpenVPN.
In order to download and start the installation of PiVPN, run
```
curl -L https://install.pivpn.io | bash
```
The guided installation will start right away. When asked for the VPN provider, choose WireGuard. During the process, it will ask you to select a static IP: I chose the one set by the router. After that, choose the VPN port to forward on the router, or stay with the default port 51820. Finally, when asked for a DNS provider, choose "Custom" and enter the Raspberry Pi IP.
Before you start using it, remember to start and enable the systemd service with
```
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
```
In the following I will give a small overview of how to use PiVPN.
A profile can be added by running
```
pivpn add -n PROFILE-NAME
```
on the Raspberry Pi. Once a profile for a new device is added, it has to be transferred to said device.
Download the WireGuard App, and scan the QR code of the respective profile, generated with
```
pivpn -qr
```
On a PC, install WireGuard with
```
sudo apt install wireguard
```
Once that's done, copy the config file generated on the server to /etc/wireguard/ (root privileges needed to work on that directory).
In order to connect to the VPN, run
```
sudo wg-quick up PROFILE-NAME
```
Once you run this command you are securely connected to your home network over VPN. This means that you can ssh to databerry!
You can disconnect with
```
sudo wg-quick down PROFILE-NAME
```
Pro-tip: If you want to make the VPN connection automatic at boot or login, add wg-quick up PROFILE-NAME to .bashrc, .profile or a systemd service.
It is possible to change the configuration file in order to automatically mount a directory when you connect to the VPN.
The file to change is /etc/wireguard/PROFILE-NAME.conf.
First, it can be useful to wrap the commands in a bash script /usr/local/bin/mount_pi.sh
```
#!/bin/bash
# Create the mount point if it is missing, then mount the remote directory over SSHFS.
mkdir -p /mnt/pi
sudo -u user sshfs -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,IdentityFile=/home/YOU/.ssh/id_rsa,uid=1000,gid=1000,umask=022 user@ip_address:/dir/to/mount /mnt/pi
```
Then, modify the configuration file, adding the following commands under the [Interface] options
```
PostUp = /usr/local/bin/mount_pi.sh
PostDown = fusermount -u /mnt/pi
```
This tells wg-quick to create the directory, if it is not present already, and to mount (unmount) it when the VPN is turned on (off).
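wg-quick runs the PostUp and PostDown commands as root, and the profile in /etc/wireguard/ holds the device's private key, so the permissions of both are worth checking. The audit script below is an added example, not part of PiVPN or WireGuard; its function names, finding labels and the OWNER_UID variable are assumptions of this sketch, and it expects GNU or BusyBox stat.

```bash
#!/bin/bash
# Added example: audit a wg-quick profile and the hook programs it names.
# wg-quick runs PreUp/PostUp/PreDown/PostDown commands as root, so a hook
# that a non-root user can modify is a path to root.
# Assumptions: GNU or BusyBox stat; only the first word of each hook is checked.
OWNER_UID=${OWNER_UID:-0}   # expected owner of hook programs (0 = root)

# Print the executable named by each hook line, once, in file order.
hook_commands() {
    awk -F= 'tolower($1) ~ /^[ \t]*(pre|post)(up|down)[ \t]*$/ {
        sub(/^[^=]*=[ \t]*/, "")            # keep only the value
        split($0, w, /[ \t;|&]/)            # first word = program
        if (w[1] != "" && !seen[w[1]]++) print w[1]
    }' "$1"
}

# Succeed if file $1 has any permission bit of octal mask $2 set.
has_mode_bits() {
    [ $(( 0$(stat -L -c '%a' "$1") & 0$2 )) -ne 0 ]
}

# Print one finding per line for profile $1.
profile_findings() {
    if has_mode_bits "$1" 077; then
        echo "PROFILE-READABLE $1"          # the profile holds the PrivateKey
    fi
    hook_commands "$1" | while IFS= read -r cmd; do
        path=$(command -v "$cmd") || path=
        case $path in
            /*) ;;
            *) echo "UNRESOLVED $cmd"; continue ;;
        esac
        if [ "$(stat -L -c '%u' "$path")" != "$OWNER_UID" ]; then
            echo "HOOK-OWNER $path"
        elif has_mode_bits "$path" 022; then
            echo "HOOK-WRITABLE $path"
        fi
    done
}

# Exit status 0 means no findings; otherwise print them and return 1.
audit_profile() {
    findings=$(profile_findings "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Source the file and run audit_profile /etc/wireguard/PROFILE-NAME.conf as root; no output and exit status 0 mean nothing was flagged.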
It is advisable (mostly because I'm lazy) to add the possibility to turn on and off the VPN from the NetworkManager GUI. Let's see how to do it in Kubuntu.
Doing this is very simple. Open a terminal and type
```
nmcli connection import type wireguard file /path/to/your.conf
```
where /path/to/your.conf is where the configuration file is stored.
After importing, the connection should appear in Network Settings / Plasma’s network widget.
NetworkManager can run scripts on “connection up/down”. So let's write a simple script to be executed whenever the VPN is activated (deactivated) to automatically mount (unmount) the remote folder.
Create /etc/NetworkManager/dispatcher.d/99-mount-naspi
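```
#!/bin/bash
# NetworkManager passes the interface name and the event as arguments.
IFACE="$1"
STATE="$2"

# Mount the remote folder when the VPN connection comes up.
if [ "$IFACE" = "conf_name" ] && [ "$STATE" = "up" ]; then
    sudo -u user /usr/local/bin/mount_pi.sh
fi

# Unmount it when the VPN connection goes down (same mount point that mount_pi.sh uses).
if [ "$IFACE" = "conf_name" ] && [ "$STATE" = "down" ]; then
    fusermount -u /mnt/pi
fi
```
Note: To find the configuration name, run nmcli connection show | grep wireguard.
Then give the script execute permission with sudo chmod +x /etc/NetworkManager/dispatcher.d/99-mount-naspi. NetworkManager only runs dispatcher scripts that are owned by root and not writable by group or others.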
Having connection problems is really common. In order to understand what's going on, the debug command is very useful:
```
pivpn -d
```
It can happen that the router does not forward the correct port. In this case, go to your router page (usually by just putting its IP address in the browser's address bar), open the NAT/PAT configuration and add the port you want to open there. A summary example looks like this:
| Field | Value |
|---|---|
| Service Name | WireGuardVPN |
| Device IPv4 | Your IP address |
| External port | the needed port |
| Internal port | the same as before |
| Protocol | UDP |