ZeroSentinel Part 1 shows you how to turn a Raspberry Pi Zero into a hardened WireGuard server for secure off site access. This guide walks through Pi OS Lite install, swap configuration, key generation, peer setup, and router port forwarding so you can reach your home network from anywhere without relying on commercial VPNs or cloud providers. Every step includes real world fixes for Pi Zero quirks, missing packages, NAT issues, time drift, and peer collisions so the build works on the first try.
ZeroSentinel Part One
Pi Zero OS Setup + Swap + WireGuard Server + Router Port Forwarding
Full project introduction: The ZeroSentinel Project: The Privacy Node You Build Yourself
What You’re Building
ZeroSentinel is a tiny off site server endpoint you fully control: a Raspberry Pi Zero acting as your WireGuard server, reachable from anywhere.
By the end of Part One, you have:
- Clean Pi OS Lite install
- Swap enabled so the Pi Zero stays stable
- WireGuard server configured and persistent
- Phone client peer added
- Laptop client peer added
- LAN side test working
- Full external access
When you finish the Part 1 guide, you will have built a clean WireGuard access point that gives you a private doorway back into your home network from anywhere. You can log into your machines, reach your NAS, pull photos or documents, manage servers, run updates, hit local dashboards, or tunnel traffic through your home connection when you’re on hostile networks. It becomes your off site access box.
All the real world fixes I found during testing have been included in this guide:
- missing iptables
- missing qrencode
- IP forwarding issues
- peer IP collisions
- router DHCP quirks
This is the build that actually works.
1. Network Topology (Generic)
This is the abstract model for your physical setup: Upstream Router -> Pi Zero Sentinel
Connect an Ethernet cable to your Pi Zero directly from your router’s LAN port using an Ethernet to micro USB adapter. Connecting directly to your router avoids the network weirdness you can get during setup when connecting through a switch. Alternatively, you can connect through a WiFi repeater that is connected to your router.
As long as the Pi gets an IP and can reach the internet, the setup works. You just need it connected to your home network or the network you are wanting to remotely dial into.
2. Flash Pi OS Lite 32-bit
On your computer use Raspberry Pi Imager to flash your MicroSD card with the image: Raspberry Pi OS Lite 32-bit
Before writing the image, click on Advanced Settings and set:
- Hostname: zero-sentinel
- Enable SSH
- Set username as: zero
- Set a strong password.
- Set local time zone
- WiFi optional (Ethernet recommended for stability)
Flash the image -> insert MicroSD into the slot on the Pi Zero -> boot the Pi by plugging in the power cord, then wait a few minutes for it to boot and for the router to hand out an IP.
SSH in by bringing up a terminal and typing:
ssh zero@zero-sentinel.local
Sign in using the password you set when you flashed the image. If zero-sentinel.local isn’t working for some reason, try ssh zero@<Pi’s IP address>, which can be found in the router’s dashboard under the device list. Again, if you are physically connected to the network on the router itself or a repeater, this shouldn’t be an issue.
3. Baseline Network Checks
Once you are in, check the network connections.
Check that it has an IP address:
ip a
Write down the eth0 or usb0 address. That is the Pi’s assigned IP address and we will need it in a later step.
In my build it displayed as eth0, but the Pi Zero often comes up as usb0 instead when using a micro USB Ethernet adapter. Note which one yours is listed as. If it is listed as usb0, you will have to make adjustments to the config file in Step #8.
Check that it has an internet connection:
ping -c 4 8.8.8.8
You should see successful pings.
Check that DNS is working:
ping -c 4 debian.org
You should see successful pings.
The Pi must have:
- valid IP
- working DNS
- full internet access
If any of these checks fail, stop. Fix LAN issues first.
4. Update and Clean the OS
sudo apt update
sudo apt full-upgrade -y
sudo apt autoremove -y
sudo apt clean
Reboot:
sudo reboot
You want a clean base before adding services.
5. Add Swap So the Zero Doesn’t Crash
Pi Zero only has 512 MB RAM. Under pressure, it dies. Swap prevents that.
sudo fallocate -l 512M /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
Make it persistent:
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Verify:
free -h
Swap does add more wear on hardware but saves you from random hangs.
6. Install WireGuard and Required Tools
Install everything WireGuard needs:
sudo apt update
sudo apt install wireguard wireguard-tools -y
Enable forwarding:
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard-forward.conf
sudo sysctl --system
Time Fix
If the time is wrong then the WireGuard handshakes fail. The Pi Zero sometimes boots with incorrect time until NTP syncs.
timedatectl status
sudo timedatectl set-ntp true
Install iptables for NAT:
sudo apt install iptables -y
Install qrencode for phone setup:
sudo apt install qrencode -y
7. Generate WireGuard Server Keys
# umask 077 makes the new key files readable only by your user
umask 077; wg genkey | tee server_private.key | wg pubkey > server_public.key
Show the keys you generated:
echo "WireGuard Server private key:"
cat server_private.key
echo "WireGuard Server public key:"
cat server_public.key
Keep these safe. Put them into your password manager.
8. Create the WireGuard Server Config
sudo nano /etc/wireguard/wg0.conf
Copy and Paste:
[Interface]
Address = 10.8.0.1/32
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Replace <SERVER_PRIVATE_KEY> with the key we generated.
NOTE: Replace eth0 with usb0 if your network showed usb0 in Step #3
Save and exit.
9. Start the Server and Set to Run On Boot
sudo systemctl enable --now wg-quick@wg0
Check:
sudo wg
ip a show wg0
You want to see:
- wg0 interface: wg0
- inet 10.8.0.1/32 on wg0
- Listening on port 51820
10. Add Your Peers (Phone and Laptop)
Your “Peers” are the devices you want to connect to your home network when you are away. In this example I have you set up a phone and a laptop. You can set up as many as you want; just repeat the pattern below for each one.
Generate keys for your phone:
# umask 077 makes the new key files readable only by your user
umask 077; wg genkey | tee phone_private.key | wg pubkey > phone_public.key
echo "Phone private key:"
cat phone_private.key
echo "Phone public key:"
cat phone_public.key
Save these in your password manager.
Generate keys for your laptop:
# umask 077 makes the new key files readable only by your user
umask 077; wg genkey | tee laptop_private.key | wg pubkey > laptop_public.key
echo "Laptop private key:"
cat laptop_private.key
echo "Laptop public key:"
cat laptop_public.key
Save these in your password manager.
Edit server config:
sudo nano /etc/wireguard/wg0.conf
Copy and Paste to the bottom of the file:
[Peer]
# phone
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
[Peer]
# laptop
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32
Replace <PHONE_PUBLIC_KEY> and <LAPTOP_PUBLIC_KEY> with the public keys you generated.
Important:
Each peer needs its own IP. Notice how the phone IP is 10.8.0.2 and the laptop is 10.8.0.3. Reuse causes breakage. If you add another peer, like another phone, use 10.8.0.4, and so on.
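One way to check for the peer IP reuse described above before restarting, as an added example that is not part of the original guide. The function names and the third peer in the sample config are hypothetical, and the sample config is constructed with placeholder keys.

```shell
# Added example (not from the original guide): check a wg0.conf for peer IP reuse.
# sample_conf is constructed; its third peer is hypothetical and repeats 10.8.0.2.
sample_conf() {
cat <<'EOF'
[Interface]
Address = 10.8.0.1/32
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32
[Peer]
# second phone (hypothetical), pasted without changing the IP
PublicKey = <PHONE2_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
EOF
}
# Reads a config on stdin. Reports AllowedIPs shared by several [Peer] blocks
# and any peer entry that reuses the server's own Address.
find_collisions() {
  awk -F'[ \t]*=[ \t]*' '
    /^\[Interface\]/ { sect = "iface"; next }
    /^\[Peer\]/      { sect = "peer";  next }
    sect == "iface" && $1 == "Address" { server = $2 }
    sect == "peer"  && $1 == "AllowedIPs" {
      n = split($2, ips, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) count[ips[i]]++
    }
    END {
      for (ip in count) {
        if (count[ip] > 1) print "duplicate " ip
        if (ip == server)  print "server-address " ip
      }
    }' | sort
}

# Prints the lowest 10.8.0.x/32 (x = 2..254) that the config does not use yet.
next_free_ip() {
  conf=$(cat); i=2
  while [ "$i" -le 254 ]; do
    case "$conf" in
      *"10.8.0.$i/32"*) i=$((i + 1)) ;;
      *) echo "10.8.0.$i/32"; return 0 ;;
    esac
  done; return 1
}
# On the Pi: sudo cat /etc/wireguard/wg0.conf | find_collisions
sample_conf | find_collisions
```

Empty output from find_collisions means every peer has its own address.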
Restart so it loads the config:
sudo systemctl restart wg-quick@wg0
sudo wg
You should see a [Peer] section with their allowed ips and no handshake yet.
11. Download the WireGuard App
On your phone and laptop, download and install WireGuard.
12. Create Your Phone Config for the app
nano phone.conf
Copy and Paste:
[Interface]
PrivateKey = <PHONE_PRIVATE_KEY>
Address = 10.8.0.2/32
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <PI-LAN-IP>:51820
PersistentKeepalive = 25
Replace <PHONE_PRIVATE_KEY> and <SERVER_PUBLIC_KEY> with the ones we generated and saved. Replace <PI-LAN-IP> with the IP address you saved from step #3.
Generate QR:
qrencode -t ansiutf8 < phone.conf
Your terminal will show a QR code block.
On your phone:
- Install WireGuard app (if not already).
- Add tunnel -> “Create from QR code”.
- Scan the terminal QR.
- Save as ZeroSentinel
13. Local test of ZeroSentinel
On your phone turn WireGuard on while connected to your home WiFi.
On the Pi run:
sudo wg
You want to see:
- latest handshake: X seconds ago
- transfer: some bytes received/sent for the peer.
If you don’t see a handshake you will have to troubleshoot:
- Wrong private key on client
- Wrong public key in peer entry
- Wrong endpoint
- Phone not on WiFi
- Tunnel not enabled
- Time drift (rare)
On the phone, open a browser and type in:
https://ifconfig.me
The IP address displayed should be your router’s WAN IP, not your phone carrier or home WiFi.
If both are working, then WireGuard is correctly set up and the tunnel is running while on the home network (LAN). Now all we have to do is port forward from the router so it also works when we are not on the home network.
14. Enable External Access
From your browser log into your router. Look for Port forwarding under Firewall. Some routers label this as “custom service” or require creating a “service” first.
Add a Port forwarding Rule:
Name: ZeroSentinel
Protocol: UDP
External port: 51820
Internal IP: <PI-LAN-IP>
Internal port: 51820
Replace <PI-LAN-IP> with the actual address
15. Update Phone App External Access
Open the WireGuard App on your phone and open the ZeroSentinel Tunnel Settings
Replace the LAN endpoint:
Endpoint = <PI-LAN-IP>:51820
with:
Endpoint = <ROUTER_WAN_IP>:51820
<ROUTER_WAN_IP> is the IP address you found earlier using https://ifconfig.me. You are telling WireGuard that this is the address the tunnel should connect to.
16. Test LTE / External Access
On your phone turn off WiFi and be connected to LTE only. Turn on your WireGuard tunnel.
On the Pi run:
sudo wg
You want to see:
- endpoint shows cellular IP
- handshake recent
- counters increasing
On your phone, open the browser and go to any website. You should have internet access. If both of these work, then external access is confirmed.
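The handshake checks from Steps 13 and 16 can also be read from the machine-readable output of `wg show wg0 dump`. This is an added example, not part of the original guide: the function names are hypothetical, the sample dump is constructed, and the 180 second staleness threshold is an assumption.

```shell
# Added example (not from the original guide): classify each peer from the
# tab-separated output of `wg show wg0 dump`. sample_dump is constructed;
# keys are placeholders and 198.51.100.7 is a documentation address.
sample_dump() {
  # Interface line: private-key, public-key, listen-port, fwmark
  printf '%s\t%s\t%s\t%s\n' '<SERVER_PRIVATE_KEY>' '<SERVER_PUBLIC_KEY>' 51820 off
  # Peer lines: public-key, preshared-key, endpoint, allowed-ips,
  #             latest-handshake, transfer-rx, transfer-tx, persistent-keepalive
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    '<PHONE_PUBLIC_KEY>'  '(none)' '198.51.100.7:40211' '10.8.0.2/32' 1700000000 14820 9312 off \
    '<LAPTOP_PUBLIC_KEY>' '(none)' '(none)'             '10.8.0.3/32' 0          0     0    off
}

# peer_status NOW [MAX_AGE]: read a dump on stdin, print one line per peer.
#   never = no handshake yet (check keys, endpoint, port forward, tunnel enabled)
#   stale = last handshake older than MAX_AGE seconds (default 180, an assumption:
#           an active tunnel renews its handshake about every two minutes)
#   ok    = recent handshake
peer_status() {
  awk -F'\t' -v now="$1" -v max="${2:-180}" '
    NR == 1 { next }                       # skip the interface line
    {
      if ($5 == 0)             state = "never"
      else if (now - $5 > max) state = "stale"
      else                     state = "ok"
      printf "%s %s endpoint=%s rx=%s tx=%s\n", $4, state, $3, $6, $7
    }'
}

# On the Pi: sudo wg show wg0 dump | peer_status "$(date +%s)"
sample_dump | peer_status 1700000060
```

In the LTE test, the endpoint printed for the phone should be a cellular address rather than a home LAN address.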
17. Add Other Peers (Laptop)
Repeat Step #12 for your laptop and any other Peers you set up. On a laptop, a manual setup will probably be easier than a QR code like the phone. See the tunnel settings in the WireGuard app on your phone if you are not sure what to use. Just remember the laptop uses a different tunnel IP, i.e. Address = 10.8.0.3/32
The project is now a success!
ZeroSentinel is:
- Part 1 WireGuard is fully installed
- Fully reachable externally
- Routing all traffic through itself
Congratulations! This was the hardest part of the entire setup. The later steps will be much easier. Now whenever you are not home you can turn on your WireGuard tunnel and be connected to your home network to have access to your own files, systems, and router level VPN.
Reality Check: Performance
The Pi Zero runs WireGuard fine, but your upstream network absolutely matters. Repeater WiFi or double NAT paths (like a GL.iNet Mango in repeater mode) will cause slow or unstable traffic. Keep the Zero on clean Ethernet whenever possible. Also keep in mind that this project is all about proof of concept. I have built it. I have tested it. It does work but don’t expect blazing fast performance. Full performance notes are covered in Part 3.
-GHOST
Written by GHOST, creator of the Untraceable Digital Dissident project.
This is part of the Untraceable Digital Dissident series — tactical privacy for creators and rebels.