This blog post is an update to the original post from 2019 for Debian buster and bullseye.
In this tutorial eth0 is the upstream (internet) interface. WireGuard uses eth0 to reach the server and brings up a tunnel interface, wg0; the hotspot on wlan0 is routed through that tunnel.
The NetworkManager GUI makes this easy. There is no need to install a DHCP server such as isc-dhcp-server, because NetworkManager ships with the dnsmasq-base package and uses it for DHCP (and DNS) on the hotspot.
To set up the hotspot, use the Network icon on the Raspberry Pi desktop to create a wireless hotspot. Because the hotspot traffic will go through WireGuard, edit the hotspot connection and set its MTU to 1420 (the same value as the wg0 MTU below), and enable automatic connection in the General tab. Disable IPv6 in the IPv6 tab if you are not using it; the WireGuard configuration below only carries IPv4. In the IPv4 tab set the address to 10.0.1.1 with netmask 255.255.255.0 and gateway 10.0.1.1; dnsmasq hands out leases to clients from this 10.0.1.0/24 range.
A hotspot created this way still accepts the old WPA Personal (TKIP) in addition to WPA2. To disable WPA Personal and require at least WPA2 Personal (RSN), check the hotspot and its advertised security, then restrict the protocol on the hotspot connection (replace "Wi-Fi Hot" with the name of your hotspot connection):
nmcli device wifi list
nmcli con modify "Wi-Fi Hot" 802-11-wireless-security.proto rsn
The change is stored in the connection profile and takes effect the next time the hotspot is activated.
Then register a separate routing table, INET2 (id 200), for the hotspot IP range 10.0.1.0/24 by adding it to /etc/iproute2/rt_tables. Run this once only; the command appends a new line every time it is executed:
echo 200 INET2 >> /etc/iproute2/rt_tables
Next, configure WireGuard (the wg-quick configuration for wg0) to route the hotspot range through the tunnel. Table = off stops wg-quick from installing its own default route, so the Pi's own traffic, including the UDP packets to the WireGuard endpoint, keeps using eth0; only packets sourced from 10.0.1.0/24 are policy-routed into wg0 through table INET2 by the ip rule in PostUp. The MASQUERADE rule is required because the server only knows the tunnel address 10.10.0.6, not the 10.0.1.0/24 range. After wg0 is up, ip rule show and ip route show table INET2 should list the rule and the default route via 10.10.0.1.
[Interface]
PrivateKey = YOUR.PRIVATE.KEY
Address = 10.10.0.6/24
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip rule add from 10.0.1.0/24 table INET2; ip route add default via 10.10.0.1 dev wg0 table INET2; ip route add 8.8.8.8/32 dev wg0; ip route add 8.8.4.4/32 dev wg0; ip route flush cache
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip rule del from 10.0.1.0/24 table INET2; ip route del default via 10.10.0.1 dev wg0 table INET2; ip route del 8.8.8.8/32 dev wg0; ip route del 8.8.4.4/32 dev wg0; ip route flush cache
Table = off
MTU = 1420
[Peer]
PublicKey = SERVER.PUBKEY
AllowedIPs = 0.0.0.0/0
Endpoint = IP:Port
PersistentKeepalive = 25
Enable IPv4 forwarding on the Pi by setting net.ipv4.ip_forward=1 in /etc/sysctl.conf; it takes effect after a reboot or sysctl -p.
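The routing steps above (rt_tables entry, sysctl setting, PostUp/PreDown hooks) as one script, added here as an example and not part of the original post. The helper names are hypothetical; the interface names, addresses and the INET2 table name are the ones used in the post. ensure_line only appends a line when it is not already present, which avoids the duplicate entries that a plain echo >> leaves behind on a second run, and the up/down functions mirror the PostUp= and PreDown= lines one command per line so a failing command is visible. Setting IP="echo ip" IPTABLES="echo iptables" prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent versions of the
# rt_tables and sysctl edits plus a dry-runnable copy of the wg0 PostUp/PreDown
# hooks. Function names are hypothetical; the interface names, addresses and
# table name are the ones used in the post.

HOTSPOT_NET="10.0.1.0/24"   # hotspot clients on wlan0
WG_IF="wg0"
WG_GW="10.10.0.1"           # server side of the tunnel
RT_NAME="INET2"
RT_ID="200"
# Override with IP="echo ip" IPTABLES="echo iptables" to print the commands
# instead of executing them.
IP="${IP:-ip}"
IPTABLES="${IPTABLES:-iptables}"

# ensure_line FILE LINE: append LINE to FILE unless an identical line already
# exists. The plain `echo ... >> file` from the post adds a duplicate on every rerun.
ensure_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# rt_table_id FILE NAME: print the numeric id registered for table NAME in an
# rt_tables file ("<id> <name>" per line, '#' comments); prints nothing if absent.
rt_table_id() {
    awk -v n="$2" '$1 !~ /^#/ && $2 == n { print $1; exit }' "$1"
}

# Register table INET2 and enable IPv4 forwarding (both need root).
setup_system_files() {
    ensure_line /etc/iproute2/rt_tables "$RT_ID $RT_NAME"
    ensure_line /etc/sysctl.conf "net.ipv4.ip_forward=1"
}

# The same commands as the PostUp= line, one per call so a failure is visible.
hotspot_up() {
    $IPTABLES -t nat -A POSTROUTING -o "$WG_IF" -j MASQUERADE
    $IP rule add from "$HOTSPOT_NET" table "$RT_NAME"
    $IP route add default via "$WG_GW" dev "$WG_IF" table "$RT_NAME"
    $IP route add 8.8.8.8/32 dev "$WG_IF"
    $IP route add 8.8.4.4/32 dev "$WG_IF"
    $IP route flush cache
}

# Mirror of PreDown=, undoing hotspot_up in reverse order.
hotspot_down() {
    $IP route del 8.8.4.4/32 dev "$WG_IF"
    $IP route del 8.8.8.8/32 dev "$WG_IF"
    $IP route del default via "$WG_GW" dev "$WG_IF" table "$RT_NAME"
    $IP rule del from "$HOTSPOT_NET" table "$RT_NAME"
    $IPTABLES -t nat -D POSTROUTING -o "$WG_IF" -j MASQUERADE
    $IP route flush cache
}

# Usage: ./hotspot-route.sh setup | up | down
case "${1:-}" in
    setup) setup_system_files ;;
    up)    hotspot_up ;;
    down)  hotspot_down ;;
esac
```

Running the script with setup once as root is equivalent to the two file edits in the post, and up/down can be used as PostUp = /path/hotspot-route.sh up and PreDown = /path/hotspot-route.sh down in the wg0 configuration instead of the long inline command strings.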
Edit your upstream network connection (eth0) and set its DNS servers to 8.8.8.8,1.1.1.1. This way NetworkManager writes those name servers to /etc/resolv.conf after a reboot. Note that the PostUp line above only routes 8.8.8.8 and 8.8.4.4 through wg0, so the Pi's own queries to 1.1.1.1 leave via eth0 outside the tunnel; if that matters to you, add a matching /32 route for 1.1.1.1 to PostUp/PreDown or use 8.8.4.4 as the second server instead.
By default the dnsmasq that NetworkManager starts for the hotspot also answers DNS for the clients itself. To hand the Google name servers directly to the DHCP clients instead, add a snippet to NetworkManager's dnsmasq-shared.d directory:
echo -e "dhcp-option=option:dns-server,8.8.8.8,8.8.4.4" > /etc/NetworkManager/dnsmasq-shared.d/dns.conf
Because those client queries originate from 10.0.1.0/24, they are policy-routed through wg0 like the rest of the hotspot traffic.
Reboot the Raspberry Pi to apply the changes.
Connected clients are listed in /var/lib/NetworkManager/dnsmasq-wlan0.leases, one lease per line: expiry timestamp, MAC address, IP address, hostname and client ID.
ps aux | grep dnsmasq
shows the dnsmasq instance that NetworkManager started and its parameters, including the lease file path.
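A small helper for reading that lease file, added here as an example and not part of the original post. dnsmasq writes one lease per line as "<expiry epoch> <mac> <ip> <hostname> <client-id>", with an expiry of 0 for infinite leases; the functions below (hypothetical names) list the leases that are still valid at a given time and look up a client by IP. The lease file path defaults to the one used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect the DHCP leases handed
# out by NetworkManager's dnsmasq. Lease line format:
#   <expiry epoch> <mac> <ip> <hostname> <client-id>
# An expiry of 0 marks an infinite lease. Function names are hypothetical.

LEASES="${LEASES:-/var/lib/NetworkManager/dnsmasq-wlan0.leases}"

# active_leases FILE [NOW]: print "ip mac hostname" for every lease that has
# not expired at epoch second NOW (default: current time).
active_leases() {
    file="$1"
    now="${2:-$(date +%s)}"
    awk -v now="$now" 'NF >= 4 && ($1 == 0 || $1 > now) { print $3, $2, $4 }' "$file"
}

# count_active FILE [NOW]: number of unexpired leases.
count_active() {
    active_leases "$@" | wc -l | tr -d ' '
}

# mac_for_ip FILE IP: MAC address that holds IP (expired leases included);
# prints nothing if the address was never leased.
mac_for_ip() {
    awk -v ip="$2" '$3 == ip { print $2; exit }' "$1"
}

# seconds_left FILE IP [NOW]: remaining lease time in seconds, "inf" for an
# infinite lease, nothing if there is no lease for IP.
seconds_left() {
    now="${3:-$(date +%s)}"
    awk -v ip="$2" -v now="$now" \
        '$3 == ip { if ($1 == 0) print "inf"; else print $1 - now; exit }' "$1"
}

# Usage: ./leases.sh list | count | mac <ip>
case "${1:-}" in
    list)  active_leases "$LEASES" ;;
    count) count_active "$LEASES" ;;
    mac)   mac_for_ip "$LEASES" "$2" ;;
esac
```

Unlike a plain cat of the lease file, this skips entries whose lease has already run out, which is what you want when checking who is currently behind the hotspot.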