This ZeroSentinel guide shows you how to turn a Raspberry Pi or mini PC into a hardened WireGuard server for secure off-site access. It walks through Pi OS Lite install, key generation, peer setup, and router port forwarding so you can reach your home network from anywhere without relying on commercial VPNs or cloud providers. Every step includes real-world fixes for Pi quirks, missing packages, NAT issues, time drift, and peer collisions so the build works on the first try.
Revised: Dec 2025
Full project introduction: The ZeroSentinel Project: The Privacy Node You Build Yourself
ZeroSentinel: WireGuard Setup Guide now shows you how to build a hardened WireGuard server on a Pi 4, Pi 5, or a mini PC. The older Pi Zero method technically worked but turned the board into a sluggish, unstable brick. This version is the correct modern approach. You install WireGuard on hardware that can handle the load and keep your privacy stack fast, predictable, and reliable.
This guide walks you through Pi OS Lite or Ubuntu Server install, baseline hardening, key generation, peer setup, and router port forwarding so you can reach your home network from anywhere without paying for a VPN service or trusting a cloud gateway.
Every step includes the real fixes you actually need for a stable WireGuard server: forwarding rules, key collisions, router quirks, NAT issues, and the time sync problems that break handshakes silently.
When you finish this guide, you will have a clean WireGuard access point that becomes your doorway back into your home network no matter where you are.
Quick Note: Why This Isn’t on a Pi Zero Anymore
Pi Zero V1 was a useful experiment. It proved WireGuard worked. It also proved the Zero had no business running a tunnel and a resolver, and even attempting a canary. CPU spikes. Memory exhaustion. Slow routing. Occasional lockups. Every limitation showed itself the moment the device had to do anything under load.
The Zero is now a DNS and time node only. WireGuard belongs on hardware that doesn’t collapse at the first hint of real traffic.
Compact Core
Pi 4 or Pi 5 runs WireGuard.
Core
Pi 4 or Pi 5 runs WireGuard. Pi Zero acts as independent DNS witness.
Ultra
Mini PC runs WireGuard. Pi Zero remains the clean DNS truth source.
This guide is for all three of those builds.
1. Network Topology (Generic)
The structure is simple: Upstream Router -> WireGuard Box (Pi 4 / Pi 5 / Mini PC)
Use Ethernet if possible. WiFi introduces variables you do not want when testing routing. If you must use WiFi, use a stable AP, not repeater mode.
Your device needs:
- A valid LAN IP
- Working DNS
- Full outbound access
If any of these fail, fix them before moving on.
2. Flash OS
Pi 4 or Pi 5
Use Raspberry Pi OS Lite (64 bit). On your computer, use Raspberry Pi Imager to flash your MicroSD card with the image.
Mini PC
Use Ubuntu Server 22.04/24.04.
Before flashing (Pi only):
- Enable SSH
- Create user
- Set hostname
- Set timezone
- Skip WiFi if you’re using Ethernet
Boot the device.
Find its IP in your router.
SSH in:
ssh <username>@<device-ip>
3. Baseline Network Checks
Once you are in, check the network connections.
Check that it has an IP address:
ip a
Write down the eth0 or usb0 address. That is the assigned IP address and we will need it in a later step.
In my build it displayed as eth0, but devices like Raspberry Pis often come up as usb0 instead when using a micro USB Ethernet adapter. Note which one yours is listed as. If it is listed as usb0 you will have to adjust the config file in Step #8.
Check that it has an internet connection:
ping -c 4 8.8.8.8
You should see successful pings.
Check that DNS is working:
ping -c 4 debian.org
You should see successful pings.
The Pi must have:
- valid IP
- working DNS
- full internet access
If any of these checks fail, stop. Fix LAN issues first.
4. Update and Clean the OS
sudo apt update
sudo apt full-upgrade -y
sudo apt autoremove -y
sudo apt clean
Reboot:
sudo reboot
You want a clean base before adding services.
5. Install WireGuard and Required Tools
Install everything WireGuard needs:
sudo apt update
sudo apt install wireguard wireguard-tools -y
Enable forwarding:
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard-forward.conf
sudo sysctl --system
Time Fix
If the time is wrong then the WireGuard handshakes fail.
timedatectl status
sudo timedatectl set-ntp true
Install Firewall tools:
sudo apt install iptables -y
Install qrencode for phone setup:
sudo apt install qrencode -y
7. Generate WireGuard Server Keys
# umask 077 inside the subshell keeps the new key files readable only by your user
(umask 077; wg genkey | tee server_private.key | wg pubkey > server_public.key)
Show the keys you generated:
echo "WireGuard Server private key:"
cat server_private.key
echo "WireGuard Server public key:"
cat server_public.key
Keep these safe. Put them into your password manager.
8. Create the WireGuard Server Config
sudo nano /etc/wireguard/wg0.conf
Copy and Paste:
[Interface]
Address = 10.8.0.1/32
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Replace <SERVER_PRIVATE_KEY> with the contents of server_private.key from Step #7.
NOTE: Replace eth0 with usb0 if your network showed usb0 in Step #3.
Save and exit.
9. Start the Server and Set to Run On Boot
sudo systemctl enable --now wg-quick@wg0
Check:
sudo wg
ip a show wg0
You want to see:
- interface: wg0
- inet 10.8.0.1/32 on wg0
- Listening on port 51820
10. Add Your Peers (Phone and Laptop)
Your “Peers” are the devices you want to connect to your home network when you are away. In this example I have you set up a phone and a laptop. You can set up as many as you want; just repeat the pattern below for each one.
Generate keys for your phone:
(umask 077; wg genkey | tee phone_private.key | wg pubkey > phone_public.key)
echo "Phone private key:"
cat phone_private.key
echo "Phone public key:"
cat phone_public.key
Save these in your password manager.
Generate keys for your laptop:
(umask 077; wg genkey | tee laptop_private.key | wg pubkey > laptop_public.key)
echo "Laptop private key:"
cat laptop_private.key
echo "Laptop public key:"
cat laptop_public.key
Save these in your password manager.
Edit server config:
sudo nano /etc/wireguard/wg0.conf
Copy and Paste to the bottom of the file:
[Peer]
# phone
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
[Peer]
# laptop
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32
Replace <PHONE_PUBLIC_KEY> and <LAPTOP_PUBLIC_KEY> with the public keys you generated.
Important:
Each peer needs its own IP. Notice how the phone IP is 10.8.0.2 and the laptop is 10.8.0.3. Reuse causes breakage. If you add another peer, like another phone, use 10.8.0.4, etc.
Restart so it loads the config:
sudo systemctl restart wg-quick@wg0
sudo wg
You should see a peer section for each device with its allowed IPs and no handshake yet.
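The one-IP-per-peer rule above can be checked before you restart the service. This is an added example, not part of the original guide: a POSIX shell function that reads a wg-quick server config and reports [Peer] blocks that share an AllowedIPs entry or a PublicKey, or that reuse the server's own Address. The function names, the tablet peer and the <TABLET_PUBLIC_KEY> placeholder are assumptions made for the illustration.

```shell
# Added example, not from the guide: lint a wg-quick server config (file in $1
# or stdin). Prints each collision; returns non-zero if any were found.
wg_peer_collisions() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function flag(msg) { print msg; bad = 1 }
    /^[ \t]*\[/ { section = tolower(trim($0)); n += (section == "[peer]"); label = "peer" n; next }
    /^[ \t]*#/ { if (section == "[peer]") { sub(/^[ \t]*#[ \t]*/, ""); label = trim($0) } next }
    { eq = index($0, "="); if (!eq) next
      key = tolower(trim(substr($0, 1, eq - 1)))
      val = trim(substr($0, eq + 1)); cnt = split(val, part, ",") }   # base64 "=" padding stays in val
    section == "[interface]" && key == "address" {
        for (i = 1; i <= cnt; i++) { a = trim(part[i]); sub("/.*", "", a); server[a] = 1 }
    }
    section == "[peer]" && key == "publickey" {
        if (val in keyowner) flag("duplicate PublicKey: " keyowner[val] " and " label)
        keyowner[val] = label
    }
    section == "[peer]" && key == "allowedips" {
        for (i = 1; i <= cnt; i++) {
            c = trim(part[i]); if (c == "") continue
            if (!index(c, "/")) c = c (index(c, ":") ? "/128" : "/32")
            host = c; sub("/.*", "", host)
            if (host in server) flag(label " reuses the server address " host)
            if (c in owner) flag("duplicate AllowedIPs " c ": " owner[c] " and " label)
            owner[c] = label
        }
    }
    END { exit bad + 0 }' "${1:--}"
}
# Constructed sample: the tablet entry was copied from the phone and not renumbered.
sample_conf() { cat <<'EOF'
[Interface]
Address = 10.8.0.1/32
[Peer]
# phone
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
[Peer]
# laptop
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32
[Peer]
# tablet
PublicKey = <TABLET_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
EOF
}
sample_conf | wg_peer_collisions || echo "fix the entries above, then restart wg-quick@wg0"
```

On the real server, run it as root against the live file: wg_peer_collisions /etc/wireguard/wg0.conf. A comment line inside a [Peer] block (such as "# phone") is used as that peer's label in the report.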
11. Download the WireGuard App
On your phone and laptop, download and install WireGuard.
12. Create Your Phone Config for the app
nano phone.conf
Copy and Paste:
[Interface]
PrivateKey = <PHONE_PRIVATE_KEY>
Address = 10.8.0.2/32
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <PI-LAN-IP>:51820
PersistentKeepalive = 25
Replace <PHONE_PRIVATE_KEY> and <SERVER_PUBLIC_KEY> with the ones we generated and saved. Replace <PI-LAN-IP> with the IP address you saved from step #3.
Generate QR:
qrencode -t ansiutf8 < phone.conf
Your terminal will show a QR code block.
On your phone:
- Install WireGuard app (if not already).
- Add tunnel -> “Create from QR code”.
- Scan the terminal QR.
- Save as ZeroSentinel
13. Local test of ZeroSentinel Tunnel
On your phone, turn WireGuard on while connected to your home WiFi.
On ZeroSentinel run:
sudo wg
You want to see:
- latest handshake: X seconds ago
- transfer: some bytes received/sent for the peer.
If you don’t see a handshake you will have to troubleshoot:
- Wrong private key on client
- Wrong public key in peer entry
- Wrong endpoint
- Phone not on WiFi
- Tunnel not enabled
- Time drift (rare)
On the phone, open a browser and type in:
https://ifconfig.me
The IP address displayed should be your router’s WAN IP, not your phone carrier or home WiFi.
If both are working then WireGuard is correctly set up and the tunnel is running while on the home network (LAN). Now all we have to do is port forward from the router for when we are not on the home network.
14. Enable External Access
From your browser log into your router. Look for Port forwarding under Firewall. Some routers label this as “custom service” or require creating a “service” first.
Add a Port forwarding Rule:
Name: ZeroSentinel
Protocol: UDP
External port: 51820
Internal IP: <PI-LAN-IP>
Internal port: 51820
Replace <PI-LAN-IP> with the actual address.
15. Update Phone App External Access
Open the WireGuard App on your phone and open the ZeroSentinel Tunnel Settings
Replace the LAN endpoint:
Endpoint = <PI-LAN-IP>:51820
with:
Endpoint = <ROUTER_WAN_IP>:51820
<ROUTER_WAN_IP> is the IP address you found earlier using https://ifconfig.me. You are telling WireGuard that this is where you want your tunnel to come from.
16. Test LTE / External Access
On your phone turn off WiFi and be connected to LTE only. Turn on your WireGuard tunnel.
On ZeroSentinel run:
sudo wg
You want to see:
- endpoint shows cellular IP
- handshake recent
- counters increasing
On your phone, open the browser and go to any website. You should have internet access. If both of these work then external access is confirmed.
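The handshake checks in Steps 13 and 16 can be scripted instead of read by eye. This is an added example, not part of the original guide: it classifies each peer from the tab-separated output of wg show wg0 dump as ok, never, stale or clock. The function names, the 180 second threshold and the sample peers are assumptions, and the dump lines are constructed.

```shell
# Added example, not from the guide. Classifies each peer in `wg show wg0 dump`
# output read from stdin. $1 = current epoch seconds; $2 = oldest acceptable
# handshake in seconds (180 is an assumed threshold). Live use:
#   sudo wg show wg0 dump | wg_peer_status "$(date +%s)"
wg_peer_status() {
    awk -F '\t' -v now="$1" -v max="${2:-180}" '
    NF < 8 { next }                 # 4-field first line is the interface itself
    {
        # Peer fields: 1 public key, 3 endpoint, 4 allowed IPs,
        # 5 latest handshake (epoch, 0 = never), 6 bytes received, 7 bytes sent
        age = now - $5
        if ($5 == 0)        state = "never"   # check keys, endpoint, port forward
        else if (age < 0)   state = "clock"   # handshake newer than "now": clock stepped back
        else if (age > max) state = "stale"   # peer was connected but has gone quiet
        else                state = "ok"
        if (state != "ok") bad = 1
        printf "%s %s endpoint=%s allowed=%s rx=%s tx=%s\n", substr($1, 1, 8), state, $3, $4, $6, $7
    }
    END { exit bad + 0 }'
}

# Constructed dump: the phone shook hands 30 s before "now", the laptop never did.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' '<SERVER_PRIVATE_KEY>' '<SERVER_PUBLIC_KEY>' 51820 off
    printf '%s\t(none)\t%s\t%s\t%s\t%s\t%s\toff\n' \
        'PHONEKEY-constructed' '203.0.113.7:40112' '10.8.0.2/32' 1700000000 14820 92344 \
        'LAPTOPKEY-constructed' '(none)' '10.8.0.3/32' 0 0 0
}
sample_dump | wg_peer_status 1700000030 || echo "at least one peer needs attention"
```

A peer reported as never maps to the troubleshooting list in Step 13; the endpoint column is where the cellular IP from Step 16 shows up.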
17. Add Other Peers (Laptop)
Repeat Step #12 for your laptop and any other peers you set up. On a laptop a manual setup will probably be easier than a QR code like the phone. See the tunnel settings in the WireGuard app on your phone if you are not sure what to use. Just remember the laptop uses a different tunnel IP, i.e. Address = 10.8.0.3/32.
The project is now a success!
You now have:
- A clean tunnel home
- WireGuard installed
- LAN and WAN access confirmed
- Peers configured
- Routing enforced
Congratulations! This was the hardest part of the entire setup. The later steps will be much easier. Now whenever you are not home you can turn on your WireGuard tunnel and be connected to your home network to have access to your own files, systems, and router level VPN.
-GHOST
Written by GHOST, creator of the Untraceable Digital Dissident project.
This is part of the Untraceable Digital Dissident series — tactical privacy for creators and rebels.