WireGuard VPN on Raspberry Pi for Remote SMB Access

#1 – Prepare Hardware and Flash Alpine Linux

  1. Gather a Raspberry Pi 3B+, a microSD card (≥8 GB), and a reliable power supply (5 V, 2.5 A).
  2. Download the official Alpine Linux image for Raspberry Pi from the Alpine Linux website (select the armv7 version, e.g., alpine-rpi-3.22.1-armv7.tar.gz).
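  3. Write the image to the microSD card. The .tar.gz download is a file archive, not a raw disk image, so writing it with dd does not produce a bootable card. On a Linux host, extract it onto the card's FAT32-formatted first partition instead:
       umount /dev/sdX*
       mount /dev/sdX1 /mnt
       tar -xzf alpine-rpi-3.22.1-armv7.tar.gz -C /mnt --no-same-owner
       umount /mnt && sync
     (Replace /dev/sdX with your actual device name.)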
  4. Insert the card into the Pi 3B+ and power it on.
  5. Log in as root and run the initial setup script:
       setup-alpine
     Follow the prompts. For disk mode, select “sys” to install Alpine directly to the SD card.

#2 – System Update and Required Package Installation

  1. Update Alpine’s package repositories and upgrade existing packages:
       apk update && apk upgrade
  2. Install the packages needed for PiVPN and WireGuard operation:
       apk add bash curl git nano iptables wireguard-tools wireguard-tools-wg-quick
  3. Install haveged to ensure sufficient entropy for cryptographic key generation:
       apk add haveged
  4. Start the haveged service and enable it to run on boot:
       rc-service haveged start
       rc-update add haveged default

#3 – Enable Tunnels and IP Forwarding

  1. Ensure the tun module is loaded on boot, and load it now:
       echo "tun" > /etc/modules-load.d/tun.conf
       modprobe tun
  2. Enable kernel IP forwarding to allow VPN traffic to be routed to your LAN. To make this setting persistent across reboots, execute the following:
       echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
       sysctl -p

#4 – Configure Static IP (Required for SMB Access)

  1. Assign a static IP address to the Raspberry Pi 3B+. This is mandatory for port forwarding and reliable DNS resolution. Edit the network interfaces file:
       nano /etc/network/interfaces
  2. Configure the eth0 interface with a static IP outside your router’s DHCP range. The Sagemcom router’s default subnet is 192.168.1.0/24.
       auto eth0
       iface eth0 inet static
           address 192.168.1.2
           netmask 255.255.255.0
           gateway 192.168.1.1
  3. Restart the networking service to apply the changes:
       service networking restart

#5 – Run the PiVPN Installer

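  1. Switch to the Bash shell:
       bash
  2. Download and execute the PiVPN installation script:
       curl -L https://install.pivpn.io | bash
     This pipes whatever the server returns straight into a root shell, so the script runs without having been read first.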
  3. Follow the interactive prompts with the specific choices required for remote SMB access:
    • Acknowledge the static IP requirement.
    • Select a local user to manage profiles (e.g., root).
    • Choose “WireGuard” as your VPN protocol.
    • Accept the default UDP port: 51820.
    • CRITICAL STEP: When prompted to pick a DNS Provider, select the “Custom” option.
    • Enter the IP address of your Sagemcom router as the custom DNS server: 192.168.1.1. This enables connected VPN clients to resolve local device names.
    • For public access, select “DNS Entry” and provide your dynamic DNS hostname (e.g., your-hostname.duckdns.org).
    • Allow PiVPN to manage firewall rules and enable unattended upgrades.

#6 – Configure WireGuard Service to Start on Boot

  1. Enable the wg-quick service for the wg0 interface created by PiVPN:
       rc-update add wg-quick.wg0 default
  2. Start the WireGuard service immediately:
       rc-service wg-quick.wg0 start

#7 – Create a VPN Client Profile

  1. Add a client profile using the pivpn command (e.g., for a client named laptop):
       pivpn add -n laptop
  2. This will generate a laptop.conf file in the /root/configs/ directory (or the selected user’s home directory).
  3. Transfer this file securely to your client device (e.g., via SCP or a USB drive).
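
The profile carries the client's private key, so it is worth checking before it is copied off the Pi. The script below is an added example, not part of the original guide or of PiVPN: it checks the file mode and compares the DNS, Endpoint port and AllowedIPs values with the choices made in section #5. The function names and the LAN_NET variable are hypothetical.

```shell
#!/bin/sh
# Added example: audit a PiVPN-generated client profile before it leaves the Pi.
EXPECTED_DNS="192.168.1.1"   # custom DNS server chosen in section #5
EXPECTED_PORT="51820"        # WireGuard UDP port accepted in section #5
LAN_NET="192.168.1.0/24"     # subnet that holds the router's SMB share

# wg_value FILE KEY: print the value of the first "KEY = value" line.
wg_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# audit_wg_profile FILE: print one finding per line; exit status = finding count.
audit_wg_profile() {
    f="$1"; findings=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }

    # The profile embeds the client's private key, so only its owner may read it.
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode is too open (want 600)"; findings=$((findings + 1)) ;;
    esac

    [ -n "$(wg_value "$f" PrivateKey)" ] ||
        { echo "missing PrivateKey"; findings=$((findings + 1)); }

    dns=$(wg_value "$f" DNS)
    [ "$dns" = "$EXPECTED_DNS" ] ||
        { echo "DNS is '$dns' (want $EXPECTED_DNS)"; findings=$((findings + 1)); }

    endpoint=$(wg_value "$f" Endpoint)
    [ "${endpoint##*:}" = "$EXPECTED_PORT" ] ||
        { echo "Endpoint '$endpoint' is not on port $EXPECTED_PORT"; findings=$((findings + 1)); }

    # The tunnel must carry the LAN: either everything (0.0.0.0/0) or LAN_NET.
    allowed=$(wg_value "$f" AllowedIPs | tr -d ' ')
    case ",$allowed," in
        *,0.0.0.0/0,*|*,"$LAN_NET",*) ;;
        *) echo "AllowedIPs '$allowed' does not cover $LAN_NET"; findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Stand-alone use: sh audit.sh /root/configs/laptop.conf
if [ "$#" -gt 0 ]; then audit_wg_profile "$1"; fi
```

An exit status of 0 means the profile matches the guide's settings; any other value is the number of findings printed.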

#8 – Configure Router Port Forwarding

  1. Log in to your Sagemcom F@st 5670 router’s web interface (typically at http://192.168.1.1).
  2. Navigate to the “Access Control” -> “Port Forwarding” section.
  3. Create a new port forwarding rule with the following parameters:
    • Service Name: WireGuard
    • Protocol: UDP
    • External Port: 51820
    • Internal IP: 192.168.1.2 (The static IP you assigned to the Raspberry Pi).
    • Internal Port: 51820
  4. Save and apply the rule. Reboot the router if required.

#9 – Test Your VPN Connection

  1. On your remote client device (e.g., laptop or phone), install the official WireGuard client.
  2. Import the laptop.conf configuration file into the client.
  3. Activate the VPN tunnel.
  4. Verify connectivity by browsing to an external website. Your public IP address should now be that of your home network.
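
The same test can be confirmed from the Pi side by reading the peer table that `wg show wg0 dump` prints. The script below is an added example, not part of the original guide: it flags profiles that never completed a handshake, peers that have been silent longer than a threshold, and peers whose allowed-ips are wider than a single host. The function names, the 30-day threshold and the sample dump (placeholder keys, a 10.6.0.0/24 tunnel subnet) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: review the peers on the WireGuard interface from the Pi.
# Input is the tab-separated output of `wg show wg0 dump`:
#   line 1  : private-key, public-key, listen-port, fwmark (skipped, never printed)
#   line 2+ : public-key, preshared-key, endpoint, allowed-ips,
#             latest-handshake (epoch seconds, 0 = never), rx, tx, keepalive

# review_peers NOW MAX_AGE_SECONDS   (dump on stdin)
# Prints "<public-key><TAB><finding>" for every problem found.
review_peers() {
    awk -F '\t' -v now="$1" -v max="$2" '
        NR == 1 { next }    # interface line holds the server private key
        {
            if ($5 == 0)
                print $1 "\tnever-connected"
            else if (now - $5 > max)
                print $1 "\tstale-" int((now - $5) / 86400) "d"
            # A client should own exactly its tunnel address, nothing wider.
            n = split($4, nets, ",")
            for (i = 1; i <= n; i++)
                if (nets[i] !~ /\/(32|128)$/)
                    print $1 "\tbroad-allowed-ips " nets[i]
        }
    '
}

# Constructed sample dump; keys are placeholders, not real key material.
sample_dump() {
    printf 'SERVER_PRIV\tSERVER_PUB\t51820\toff\n'
    printf 'PEER_LAPTOP\tPSK\t203.0.113.7:40112\t10.6.0.2/32\t1700000000\t9120\t18044\toff\n'
    printf 'PEER_PHONE\tPSK\t(none)\t10.6.0.3/32\t0\t0\t0\toff\n'
    printf 'PEER_OLD\tPSK\t198.51.100.9:51000\t10.6.0.0/24\t1690000000\t100\t200\toff\n'
}

if [ "$#" -eq 0 ]; then
    # No argument: run against the constructed sample.
    sample_dump | review_peers 1700003600 $((30 * 86400))
else
    # Interface name given (e.g. wg0): run against the live interface.
    wg show "$1" dump | review_peers "$(date +%s)" $((30 * 86400))
fi
```

A profile that still shows never-connected after step 3 above did not reach the Pi, which points at the port forwarding rule or the Endpoint hostname rather than at the client.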

#10 – Disable DLNA on the Router

  1. Log in to your Sagemcom F@st 5670 router’s web interface.
  2. Navigate to the “My Media” section.
  3. Locate the “DLNA” settings and disable the service.
  4. Save and apply the changes.

#11 – Accessing the Router’s SMB Share

Once connected to the VPN from a remote location, you can access the SMB share on your Sagemcom router as if you were on your local home network.

  • On Windows:
    1. Open File Explorer.
    2. In the address bar, type \\192.168.1.1 and press Enter.
    3. When prompted, enter the SMB username and password configured on your router.
  • On macOS:
    1. Open Finder.
    2. From the “Go” menu, select “Connect to Server…” (or press Cmd+K).
    3. In the “Server Address” field, type smb://192.168.1.1 and click “Connect”.
    4. Enter your SMB credentials when prompted.
  • On Linux (GUI File Manager):
    1. Open your file manager (e.g., Nautilus, Dolphin).
    2. In the location or address bar, type smb://192.168.1.1 and press Enter.
    3. Provide your SMB credentials when prompted.
URL: https://ib.bsb.br/pivpn