WireGuard on an Amazon Fire Stick
I recently installed WireGuard on an Amazon Fire Stick so I can plug into my home media server from any TV in the world. I largely followed the guide set out by m00nie.com, but still wanted to document the steps I encountered myself.
Prepping for WireGuard clients
You should have a WireGuard server set up and ready to accept clients. In my case I use OPNsense as a home router with a WireGuard plugin natively available.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Set up a WireGuard instance, generate private and public keys, configure the WireGuard device to an interface, and set up your firewall rules at the WAN and intra-LAN levels. Your client config should look something like:
[Interface]
PrivateKey = $CLIENT_PRIVATE_KEY
Address = 192.168.700.2/32 # obviously don't use this ;)
DNS = 192.168.700.1
[Peer]
PublicKey = $PEER_PUBLIC_KEY
AllowedIPs = 192.168.700.1/24
Endpoint = $YOUR_IP:$YOUR_PORT
I highly recommend you pause here and use a trusted device to test the WireGuard configuration. Debugging a VPN connection will not be easy on a TV. You need to make sure that a cell phone or laptop can successfully transmit and receive packets from the WireGuard server and can access the resources you want it to reach on the network.
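Added example (not part of the original post or the m00nie.com guide): a structural lint for the client config, run on the workstation, that catches unfilled `$PLACEHOLDER` values, impossible addresses such as the `192.168.700.x` used above, malformed keys and missing fields before the file goes anywhere near the TV. The function name `lint_wg_conf` and the choice of checks are assumptions made for this example; it inspects the file's shape only, so the live test on a phone or laptop still applies.

```sh
# Added example: lint a WireGuard client config before it goes to the TV.
# Prints one line per problem; returns 0 only when nothing was found.
lint_wg_conf() {
  awk '
    function bad(msg) { print "wg-lint: " msg; errs++ }
    # Check a comma-separated list of IPv4 addresses with optional /prefix.
    function check_ips(key, list,    n, i, j, p, a, o) {
      n = split(list, p, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        # IPv6 entries and DNS search domains are not checked here.
        if (p[i] ~ /:/ || (tolower(key) == "dns" && p[i] ~ /[A-Za-z]/)) continue
        if (p[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) {
          bad(key ": not an IPv4 address: " p[i]); continue
        }
        split(p[i], a, "/"); split(a[1], o, ".")
        for (j = 1; j <= 4; j++)
          if (o[j] + 0 > 255) { bad(key ": octet above 255 in " p[i]); break }
        if (a[2] + 0 > 32) bad(key ": prefix above /32 in " p[i])
      }
    }
    { sub(/[ \t]*#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    $0 == "" { next }
    /^\[.*\]$/ { section = tolower($0); next }
    {
      eq = index($0, "=")
      if (eq == 0) { bad("line " NR ": expected key = value"); next }
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val); k = tolower(key)
      seen[section "/" k] = 1
      if (val ~ /\$/) { bad(key ": template placeholder not filled in"); next }
      if (k ~ /key$/ && (length(val) != 44 || val !~ /^[A-Za-z0-9+\/]+=$/))
        bad(key ": not a base64-encoded 32-byte key")
      if (k == "address" || k == "allowedips" || k == "dns") check_ips(key, val)
      if (k == "endpoint") {
        n = split(val, e, ":")
        if (n < 2 || e[n] !~ /^[0-9]+$/ || e[n] + 0 < 1 || e[n] + 0 > 65535)
          bad(key ": expected host:port with port 1-65535")
      }
    }
    END {
      req = "[interface]/privatekey [interface]/address [peer]/publickey"
      n = split(req " [peer]/allowedips [peer]/endpoint", r, " ")
      for (i = 1; i <= n; i++) if (!(r[i] in seen)) bad("missing " r[i])
      exit (errs > 0)
    }
  ' "$1"
}
# Constructed demo: a fragment using the placeholder address from this page.
printf '[Interface]\nAddress = 192.168.700.2/32\n' | lint_wg_conf - || true
```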
Prepping the Fire Stick
You should update your Fire Stick and make sure it is behaving properly. Watch a show. Make sure the network stack is happy before we start messing with it.
You should enable developer mode on your Amazon Fire Stick - for my model I could do this by clicking seven times on the Settings > About > MyFireTV setting. From there I was able to enable the newly available developer options in the settings menu.
Prepping the workstation
You’ll need a workstation to run the Android Debugging suite to install WireGuard on the Fire Stick. We specifically need adb. I downloaded Android Studio and then used Android Studio’s managed toolkit installation for the Android CLI tools, which includes adb.
Go ahead and download the packages you want to install on the Fire Stick. This includes WireGuard and could potentially include a media server package, such as Jellyfin.
https://download.wireguard.com/android-client/
Installing WireGuard on the TV
With developer options enabled on the Fire Stick, you are ready to connect from the workstation. Check the Fire Stick’s IP address in your DHCP server’s lease list and then:
# connect to the Fire Stick
adb connect $FIRESTICK_IP
# make sure the device is not listed as unauthorized
# if it is, then go over to the TV and accept the connection
# from the workstation
adb devices
# install the packages onto the Fire Stick
adb install "com.wireguard.android-$VERSION.apk"
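# transfer the WireGuard client configuration to the Fire Stick
# (the file contains the client private key, so delete it from /sdcard once the tunnel is imported)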
adb push $YOUR_WIREGUARD_CLIENT_CONFIG /sdcard/$YOUR_WIREGUARD_CLIENT_CONFIG
Testing everything
You should now be able to open the WireGuard application on the Fire Stick. Find the configuration file you pushed to the Fire Stick and select it as a new tunnel. You should now see packets being received AND transmitted. Check the WireGuard instance logs for the active client.
# something wrong? drop into a shell on the Fire Stick
adb shell
Use your preferred media server client to connect to your media server. Everything should work like a charm. Take the Fire Stick to a friend’s house and take pride in your portable VPN-tunneled media library.