Download the Raspberry Pi image from https://en.opensuse.org/Portal:MicroOS/Downloads and copy it to the microSD card.
# xz -d openSUSE-MicroOS.aarch64-ContainerHost-RaspberryPi.raw.xz
# dd bs=4M if=openSUSE-MicroOS.aarch64-ContainerHost-RaspberryPi.raw of=/dev/mmcblk0 iflag=fullblock oflag=direct status=progress; sync
In the past it was necessary to use ignition or combustion to set a root password or add an ssh key to .ssh/authorized_keys. You can still do that - see https://en.opensuse.org/Portal:MicroOS/Combustion - but today the "Jeos First Boot" will be presented if a USB drive with label "ignition" is not found, and it allows you to set the root password.
After the dd/sync is done, insert the SD card into the Pi, attach monitor, keyboard and network cable and power it up. The screen goes black after about 40 seconds and stays like that for another few minutes. Then the "Jeos First Boot" prompts you to set the language, timezone and root password. After that you should be able to log in at the console as root. You can curl your ssh public key from somewhere and add it to authorized_keys.
The wireguard-tools package provides the wg tool and wg-quick. With MicroOS you need to use transactional-update to install packages and reboot afterwards. Note that the reboot can take a few minutes because SELinux relabeling is slow on microSD storage.
# transactional-update pkg install wireguard-tools
# reboot
There are many possible topologies - this doc just shows a simple point-to-point example between a laptop and the Pi. Also there are different ways to configure/persist WireGuard. This guide uses wg-quick. See https://www.wireguard.com/ for other ways.
For Pi (the first line printed is the private key, the second the public key):
laptop # TTY=$(tty); wg genkey | tee $TTY | wg pubkey
6FAsBgy1OmGRzCMOoXJK5tz2esx0ElfArAhvaTX800k=
1INU+lEE6Jo0XxqENneInEqgjctXQZQj6dX1y1OJZgE=
For laptop:
laptop# TTY=$(tty); wg genkey | tee $TTY | wg pubkey
aAtkn8TfFA5+cm/YVoC0gV1RsFThz997dpaPKe2eMls=
DZwInXs4evwwR0EzZKU7Dhn2Y/wToraT4t2GCrrZFGU=
The laptop's eth0 IP is 192.168.0.31 and the Pi's is 192.168.0.234. The port 51871 was chosen for the laptop, so that port will need to be opened on the firewall for UDP.
For Pi:
[Interface]
ListenPort = 51872
PrivateKey = 6FAsBgy1OmGRzCMOoXJK5tz2esx0ElfArAhvaTX800k=
Address = 172.31.0.2/30
[Peer]
PublicKey = DZwInXs4evwwR0EzZKU7Dhn2Y/wToraT4t2GCrrZFGU=
AllowedIPs = 172.31.0.1/32
Endpoint = 192.168.0.31:51871
For laptop:
[Interface]
ListenPort = 51871
PrivateKey = aAtkn8TfFA5+cm/YVoC0gV1RsFThz997dpaPKe2eMls=
Address = 172.31.0.1/30
[Peer]
PublicKey = 1INU+lEE6Jo0XxqENneInEqgjctXQZQj6dX1y1OJZgE=
AllowedIPs = 172.31.0.2/32
Endpoint = 192.168.0.234:51872
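Before enabling the tunnel, the two configs above can be cross-checked with a small script. This is an added example, not part of the original guide: the function names and the script name are hypothetical, it assumes GNU stat and that both config files are available in one place (for example on the laptop where the keys were generated), and the key comparison only runs when CHECK_KEYS=1 is set and wg is installed.

```shell
#!/bin/sh
# Added example (not from the original guide): cross-check the two wg-quick
# configs of the point-to-point setup. All function names are hypothetical.

# get SECTION KEY FILE: print the value of "KEY = value" inside [SECTION].
get() {
    awk -v s="[$1]" -v k="$2" '
        /^\[/ { cur = $1 }
        cur == s && $1 == k && $2 == "=" { print $3; exit }' "$3"
}

# check_side A B: A's [Peer] must mirror B's [Interface]; findings go to stderr.
check_side() {
    a=$1; b=$2; rc=0
    # The file holds a private key: no group/other permission bits (GNU stat).
    mode=$(stat -c %a "$a")
    case $mode in
        *00) ;;
        *) echo "$a: mode $mode, want 600" >&2; rc=1 ;;
    esac
    # Peer Endpoint port must equal the other side's ListenPort.
    ep=$(get Peer Endpoint "$a"); lp=$(get Interface ListenPort "$b")
    [ "${ep##*:}" = "$lp" ] ||
        { echo "$a: Endpoint port ${ep##*:} != ListenPort $lp in $b" >&2; rc=1; }
    # AllowedIPs must be exactly the other side's tunnel address as a /32.
    want=$(get Interface Address "$b"); want="${want%/*}/32"
    [ "$(get Peer AllowedIPs "$a")" = "$want" ] ||
        { echo "$a: AllowedIPs is not $want" >&2; rc=1; }
    # Optional (CHECK_KEYS=1, needs wg): PublicKey must derive from B's PrivateKey.
    if [ "${CHECK_KEYS:-0}" = 1 ]; then
        pub=$(get Interface PrivateKey "$b" | wg pubkey)
        [ "$pub" = "$(get Peer PublicKey "$a")" ] ||
            { echo "$a: PublicKey does not match PrivateKey in $b" >&2; rc=1; }
    fi
    return $rc
}

# check_pair PI_CONF LAPTOP_CONF: run the checks in both directions.
check_pair() {
    check_side "$1" "$2"; r1=$?
    check_side "$2" "$1"; r2=$?
    [ "$r1" -eq 0 ] && [ "$r2" -eq 0 ]
}

# Stand-alone use: sh wg-pair-lint.sh pi-wg0.conf laptop-wg0.conf
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

The script exits non-zero and names the mismatching field when one side does not mirror the other or a config file is readable by group or others.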
pi # systemctl enable wg-quick@wg0.service --now
laptop # systemctl enable wg-quick@wg0.service --now
pi# ping -c1 172.31.0.1
PING 172.31.0.1 (172.31.0.1) 56(84) bytes of data.
64 bytes from 172.31.0.1: icmp_seq=1 ttl=64 time=5.09 ms
--- 172.31.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.089/5.089/5.089/0.000 ms
pi# wg
interface: wg0
public key: 1INU+lEE6Jo0XxqENneInEqgjctXQZQj6dX1y1OJZgE=
private key: (hidden)
listening port: 51872
peer: DZwInXs4evwwR0EzZKU7Dhn2Y/wToraT4t2GCrrZFGU=
endpoint: 192.168.0.31:51871
allowed ips: 172.31.0.1/32
latest handshake: 23 seconds ago
transfer: 476 B received, 564 B sent
pi# ip -4 address show dev wg0
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 172.31.0.2/30 scope global wg0
valid_lft forever preferred_lft forever