WireGuard VPN on Raspberry Pi for Remote SMB Access

Slug: pivpn


Objective & constants: WireGuard VPN on Raspberry Pi 3B+ to reach the Sagemcom F@st 5670 SMB share over the internet via VPN. Router: 192.168.1.1. Pi static IP: 192.168.1.2. WireGuard UDP port: 51820. SMB share example: //192.168.1.1/MARIOUSB (user: Telekom-USB).

#1 – Prepare Hardware and Install Alpine Linux (tar.gz method)

  1. Gather a Raspberry Pi 3B+, microSD (≥8 GB), and a 5 V/2.5 A power supply.
  2. Download Alpine Raspberry Pi (armv7), e.g., alpine-rpi-3.22.1-armv7.tar.gz.
  3. On a Linux host, prepare the card:
    • Create a single FAT32 partition and format it (e.g., with mkfs.vfat).
    • Mount the partition and extract the tarball contents to the root of the FAT32 partition:
      mount /dev/sdX1 /mnt
      tar -xzf alpine-rpi-3.22.1-armv7.tar.gz -C /mnt
      sync
      umount /mnt

      Replace /dev/sdX1 with the correct device.

  4. Insert the card, power on the Pi, and log in as root.
  5. Initialize:
    setup-alpine
    • Disk mode: “sys” (installs to SD card).
    • Configure keyboard, timezone, hostname, and networking per prompts.
  6. Confirm the system:
    cat /etc/alpine-release
    uname -a

#2 – Update and Install Required Packages

  1. Update/upgrade:
    apk update && apk upgrade
  2. Install WireGuard and tools:
    apk add bash curl git nano iptables wireguard-tools wireguard-tools-wg-quick
  3. Improve entropy for key generation:
    apk add haveged
    rc-service haveged start
    rc-update add haveged default
  4. Verify availability:
    which wg && wg --version
    rc-status

#3 – Enable IP Forwarding (WireGuard routing)

  1. Enable IPv4 forwarding:
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    sysctl -p | grep net.ipv4.ip_forward

    Expect net.ipv4.ip_forward = 1.

#4 – Configure Static IP (Required for SMB Access)

  1. Set a static IP for eth0:
    nano /etc/network/interfaces

    Use:

    auto eth0
    iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        gateway 192.168.1.1
  2. Apply and verify:
    rc-service networking restart
    ip addr show eth0
    ip route | grep default
    ping -c3 192.168.1.1
  3. On the Sagemcom router (LAN/DHCP → IP Reservation), bind the Pi’s MAC to 192.168.1.2 to prevent conflicts.

#5 – Install and Configure PiVPN (WireGuard)

  1. Run the installer:
    curl -L https://install.pivpn.io | bash
  2. Prompts:
    • Confirm static IP.
    • Select the admin user (e.g., root).
    • Choose WireGuard; port 51820/UDP.
    • DNS Provider: Custom, set 192.168.1.1 (router) to enable local name resolution for VPN clients.
    • Public endpoint: choose IP or DNS as appropriate (if using DDNS, select the DNS option and enter your configured hostname).
    • Allow PiVPN to configure firewall rules; enable unattended upgrades if offered.
  3. NAT quick-check (after install):
    iptables -t nat -S | grep MASQUERADE

    Expect a MASQUERADE rule referencing the VPN subnet/interface (PiVPN typically adds this).

#6 – Enable WireGuard on Boot and Verify

  1. Enable/start:
    rc-update add wg-quick.wg0 default
    rc-service wg-quick.wg0 start
  2. Validate:
    ip addr show wg0
    wg show

    Confirm wg0 exists, shows a public key, and listens on 51820/UDP.

#7 – Create VPN Client Profiles

  1. Create a client (example: laptop):
    pivpn add -n laptop

    The config (e.g., laptop.conf) will be created under the PiVPN configs directory.

  2. Transfer the config securely (SCP/USB). Treat it as sensitive (keys inside).
  3. Traffic routing options (client config):
    • Full tunnel (default, most secure): AllowedIPs = 0.0.0.0/0, ::/0
    • Split tunnel (LAN-only): AllowedIPs = 192.168.1.0/24, 10.6.0.0/24
  4. DNS confirmation: open the client .conf and confirm:
    DNS = 192.168.1.1

#8 – Configure Sagemcom Port Forwarding (WireGuard)

  1. Log into http://192.168.1.1 as admin.
  2. Access Control → Port Forwarding → Add rule:
    • Service Name: WireGuard
    • Protocol: UDP
    • External Port: 51820
    • Internal IP: 192.168.1.2
    • Internal Port: 51820
  3. Save/apply. Ensure no DMZ is set for the Pi and that UPnP IGD is disabled to prevent unintended openings.

#9 – Test VPN Connectivity

  1. On the remote client, install the official WireGuard app, import laptop.conf, and activate the tunnel.
  2. Validate from the client:
    ping 192.168.1.1
    • If full tunnel, confirm public IP reflects home WAN.
  3. On the Pi, observe handshake and peer:
    wg show

#10 – Disable DLNA (SMB Only) and Confirm SMB Settings

  1. Router → My Media: disable DLNA.
  2. Ensure File Sharing (SMB) is enabled with Access Authenticate; note credentials (e.g., user Telekom-USB) and share (e.g., MARIOUSB).

#11 – Access the Router’s SMB Share Over VPN

  • Windows:
    1. File Explorer → \\192.168.1.1
    2. Authenticate with the router’s SMB user/password (e.g., Telekom-USB).
    3. Persistent mapping (optional):
      net use Z: \\192.168.1.1\MARIOUSB /persistent:yes
  • macOS:
    1. Finder → Go → Connect to Server (Cmd+K) → smb://192.168.1.1
    2. Authenticate. Add to Favorites; Keychain can store credentials.
  • Linux (GUI):
    1. File manager location: smb://192.168.1.1
    2. Authenticate when prompted.
  • Linux (CLI mount):
    1. Install CIFS utils (on Alpine):
      apk add cifs-utils
    2. Mount:
      mkdir -p /mnt/routershare
      mount -t cifs //192.168.1.1/MARIOUSB /mnt/routershare -o vers=3.0,username=Telekom-USB

      Enter the SMB password when prompted. Unmount with:

      umount /mnt/routershare

Direct IP paths (\\192.168.1.1 or smb://192.168.1.1/MARIOUSB) avoid name-resolution dependencies.

#12 – Quick Troubleshooting

  • VPN up, SMB unreachable:
    • Confirm client AllowedIPs includes 192.168.1.0/24.
    • From client:
      ping 192.168.1.1

      If ping works but SMB fails, test TCP 445 reachability using an alternative client or tool available on your OS.

  • No handshake/traffic:
    • Re-check router port forward, endpoint/port in client config, and that wg0 is up:
      rc-service wg-quick.wg0 status
      wg show
  • DNS issues:
    • Verify the client config includes DNS = 192.168.1.1.
    • Use IP paths for SMB to bypass name resolution if needed.
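The client-config checks from #7 (routing options) and this troubleshooting section, as an added example that is not part of the original guide or of PiVPN: it parses a constructed laptop.conf (placeholder keys, placeholder endpoint hostname vpn.example.invalid) and verifies that AllowedIPs actually routes 192.168.1.0/24, that DNS is the router, and that the endpoint uses port 51820. It uses prefix containment rather than string matching, so a full-tunnel 0.0.0.0/0 profile passes the LAN check as it should.

```python
import ipaddress

# Constructed sample shaped like a PiVPN laptop.conf; keys and hostname are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.6.0.2/24
DNS = 192.168.1.1
[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.1.0/24, 10.6.0.0/24
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # home LAN behind the Sagemcom
ROUTER_DNS = "192.168.1.1"                    # DNS the guide sets for clients
WG_PORT = 51820                               # UDP port forwarded to the Pi


def parse_wg_conf(text):
    """Parse a WireGuard INI-style config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:  # ignore malformed lines outside a section
            current[key.strip()] = value.strip()
    return sections


def allowed_ips_cover_lan(conf, lan=LAN):
    """True if some AllowedIPs prefix contains the LAN; 0.0.0.0/0 (full tunnel) counts."""
    raw = conf.get("Peer", {}).get("AllowedIPs", "")
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in raw.split(",") if p.strip()]
    return any(n.version == lan.version and lan.subnet_of(n) for n in nets)


def check_client_conf(text):
    """Run the client-config checks from the troubleshooting section."""
    conf = parse_wg_conf(text)
    endpoint = conf.get("Peer", {}).get("Endpoint", "")
    port = int(endpoint.rsplit(":", 1)[1]) if ":" in endpoint else None
    return {
        "lan_routed": allowed_ips_cover_lan(conf),
        "dns_is_router": conf.get("Interface", {}).get("DNS") == ROUTER_DNS,
        "endpoint_port_ok": port == WG_PORT,
    }
```

Run it against a real laptop.conf by passing the file's contents to check_client_conf; a False in lan_routed is the usual cause of "VPN up, SMB unreachable".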
URL: https://ib.bsb.br/pivpn