Introduction
WireGuard is a free, open-source Virtual Private Network (VPN) protocol and implementation built around a small codebase and modern cryptography. Every peer, server and client alike, is identified by a Curve25519 key pair: the private key never leaves the device, and the public key is handed to the peers that are allowed to talk to it.
In this guide, you will install the WireGuard server on Rocky Linux and set up a peer-to-peer VPN connection from a client computer.
Prerequisites
Choose WireGuard Network Addresses
Choose a private address range for the WireGuard network. Every connected peer gets an address from this range, and WireGuard only accepts a packet from a peer if its source address lies within that peer's AllowedIPs, so traffic from addresses outside the assigned ranges is dropped. Any of the following valid private (RFC 1918) ranges can be used:
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
10.0.0.0 - 10.255.255.255 (10/8 prefix)
This guide uses the address block 10.5.0.0/24 for the WireGuard network. 10.5.0.1 is the server address, and clients take other available host addresses; 10.5.0.2 is used as the WireGuard client/peer address. Pick a block that does not overlap the LAN on either side of the tunnel, otherwise routing becomes ambiguous.
Install WireGuard Server
Install Extra Packages for Enterprise Linux (EPEL) and ELRepo to enable installing WireGuard from a repository. On Rocky Linux 8 the kernel module comes from ELRepo's kmod-wireguard package; Rocky Linux 9 ships a kernel with WireGuard built in, so only wireguard-tools is required there.
$ sudo dnf install epel-release elrepo-release
Update the server.
$ sudo dnf update
Install WireGuard.
$ sudo dnf install wireguard-tools kmod-wireguard
Configure WireGuard Server
Create the WireGuard configuration directory and make it readable only by root, since it will hold the server's private key.
$ sudo mkdir -p -m 700 /etc/wireguard
Then, create the empty configuration file tun0.conf with root-only permissions. wg-quick names the interface after the file, so this configuration produces an interface called tun0 (wg0 is the conventional name, but any name works as long as it is used consistently).
$ sudo install -m 600 /dev/null /etc/wireguard/tun0.conf
Now, generate a new private/public key pair. The umask ensures the private key file is readable only by root from the moment it is created.
$ sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey'
View and copy the private key.
$ sudo cat /etc/wireguard/privatekey
yC0WsEKWC8Zjd7LtykbBNi8NIPKcrfsr7tsqgKMLO3o=
Next, edit the /etc/wireguard/tun0.conf file.
$ sudo vim /etc/wireguard/tun0.conf
Paste the following contents:
[Interface]
PrivateKey = Paste-Server-Private-Key
Address = 10.5.0.1/24
ListenPort = 51820
SaveConfig = true
Enter the private key copied earlier, then save and close the file. SaveConfig = true makes wg-quick write the running interface state back to this file when the interface is brought down. That is what persists peers added later with wg set, but it also means that edits made to the file while the interface is up are overwritten at the next stop, so edit the file only while the interface is down.
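The key-generation and configuration steps above, as an added example in POSIX shell that is not part of the original guide. It generates the server key pair without leaving a separate private key file behind, writes tun0.conf with mode 0600 from the moment it exists, and refuses to write a key that is not a well-formed, clamped Curve25519 private key of the kind wg genkey produces (the sample private key printed earlier in this guide passes the check). WG_DIR is an assumed environment override, so the functions can be dry-run in a scratch directory instead of the guide's /etc/wireguard; the file name wg-server-conf.sh in the usage note is illustrative.

```shell
#!/bin/sh
# Added example, not part of the original guide: create the server-side key
# pair and tun0.conf with the permissions the private key requires.
# WG_DIR is an assumed override so the functions can be exercised against a
# scratch directory; the guide's real directory is /etc/wireguard.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"

# A WireGuard key is 32 random bytes in base64: 44 characters ending in '='.
# Only 4 bits of the 43rd character are payload, so it comes from a restricted
# alphabet; anything else is a truncated or mistyped key.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# wg genkey clamps Curve25519 private keys: the low three bits of byte 0 are
# cleared, bit 7 of byte 31 is cleared and bit 6 of byte 31 is set. A private
# key that fails this check did not come out of wg genkey unmodified.
is_clamped_private_key() {
    is_wg_key "$1" || return 1
    set -- $(printf '%s' "$1" | base64 -d | od -An -tu1 -v)
    [ "$#" -eq 32 ] || return 1
    first_byte=$1
    shift 31
    last_byte=$1
    [ $((first_byte & 7)) -eq 0 ] &&
        [ $((last_byte & 128)) -eq 0 ] &&
        [ $((last_byte & 64)) -ne 0 ]
}

# Write the [Interface] section. umask 077 makes the file 0600 from the moment
# it is created, so the private key is never readable by other users, not even
# briefly. Prints the resulting file mode.
write_server_conf() {
    private_key=$1
    address=${2:-10.5.0.1/24}
    port=${3:-51820}
    is_clamped_private_key "$private_key" || {
        echo "write_server_conf: refusing to write a malformed private key" >&2
        return 1
    }
    mkdir -p -m 700 "$WG_DIR"
    (
        umask 077
        cat > "$WG_DIR/tun0.conf" <<EOF
[Interface]
PrivateKey = $private_key
Address = $address
ListenPort = $port
SaveConfig = true
EOF
    )
    stat -c '%a' "$WG_DIR/tun0.conf"
}

# Generate a fresh pair with wg(8) and write the config. The private key lives
# only in memory and in tun0.conf, not in a separate privatekey file as well;
# the public key is saved for copying into client configs. Needs wireguard-tools.
setup_server() {
    command -v wg >/dev/null 2>&1 || {
        echo "setup_server: wireguard-tools is not installed" >&2
        return 1
    }
    mkdir -p -m 700 "$WG_DIR"
    private_key=$(wg genkey)
    printf '%s\n' "$private_key" | wg pubkey > "$WG_DIR/publickey"
    write_server_conf "$private_key"
}

# Stand-alone demonstration in a scratch directory, using the sample private
# key printed earlier in this guide (never reuse a published key for real).
demo() {
    WG_DIR=$(mktemp -d)
    write_server_conf yC0WsEKWC8Zjd7LtykbBNi8NIPKcrfsr7tsqgKMLO3o=
    cat "$WG_DIR/tun0.conf"
}
```

On the server, source the file as root and call setup_server, for example `sudo sh -c '. ./wg-server-conf.sh; setup_server'`; export WG_DIR as a temporary directory first to see what it would write, or call demo. Keeping the private key only in tun0.conf leaves one file to protect instead of two; the guide's separate privatekey file is convenient for copying but is one more copy of the secret on disk.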
Enable Forwarding
Packet forwarding is required only if the server should route traffic between the WireGuard network and its other interfaces (for example, to give clients access to the internet or to a LAN behind the server); the peer-to-peer tunnel built in this guide works without it. To enable it, open and edit the file /etc/sysctl.conf.
$ sudo vim /etc/sysctl.conf
Add the following IPv4 setting to the bottom of the file:
net.ipv4.ip_forward=1
Apply the change and confirm that the new value is printed back:
$ sudo sysctl -p
Configure Firewall
First, allow incoming WireGuard traffic on UDP port 51820, the ListenPort from tun0.conf, in the zone that holds the server's public interface (public by default).
$ sudo firewall-cmd --permanent --zone=public --add-port=51820/udp
Then, assign the WireGuard interface tun0 to the internal zone, so that traffic arriving through the tunnel is filtered by that zone's rules rather than by the public zone's.
$ sudo firewall-cmd --permanent --add-interface=tun0 --zone=internal
Enable masquerading so that packets forwarded out of the zone are source-NATed to the server's address.
$ sudo firewall-cmd --permanent --zone=internal --add-masquerade
firewalld applies a zone's masquerade setting to packets leaving through that zone's interfaces, so if clients should reach the internet through the server's public interface, masquerading must also be enabled on the zone that contains that interface (public). Neither forwarding nor masquerading is needed for the peer-to-peer ping test at the end of this guide.
Now, reload the firewall for the changes to take effect.
$ sudo firewall-cmd --reload
View the current firewall configuration of each zone.
$ sudo firewall-cmd --zone=internal --list-all
$ sudo firewall-cmd --zone=public --list-all
The output for the internal zone should be similar to:
internal (active)
target: default
icmp-block-inversion: no
interfaces: tun0
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Start WireGuard Server
Enable the wg-quick unit for tun0 so the interface is brought up at boot:
$ sudo systemctl enable wg-quick@tun0
Start the WireGuard service.
$ sudo systemctl start wg-quick@tun0
Verify the current WireGuard status by running the following command:
$ sudo systemctl status wg-quick@tun0
If active, your output should be similar to the one below:
● wg-quick@tun0.service - WireGuard via wg-quick(8) for tun0
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2022-01-13 12:17:06 UTC; 3s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 54871 ExecStop=/usr/bin/wg-quick down tun0 (code=exited, status=0/SUCCESS)
Process: 54898 ExecStart=/usr/bin/wg-quick up tun0 (code=exited, status=0/SUCCESS)
Main PID: 54898 (code=exited, status=0/SUCCESS)
Jan 13 12:17:05 WireguardServer systemd[1]: wg-quick@tun0.service: Succeeded.
Jan 13 12:17:05 WireguardServer systemd[1]: Stopped WireGuard via wg-quick(8) for tun0.
Jan 13 12:17:05 WireguardServer systemd[1]: Starting WireGuard via wg-quick(8) for tun0...
Jan 13 12:17:05 WireguardServer wg-quick[54898]: [#] ip link add tun0 type wireguard
Jan 13 12:17:05 WireguardServer wg-quick[54898]: [#] wg setconf tun0 /dev/fd/63
Jan 13 12:17:06 WireguardServer wg-quick[54898]: [#] ip -4 address add 10.5.0.1/24 dev tun0
Jan 13 12:17:06 WireguardServer wg-quick[54898]: [#] ip link set mtu 1420 up dev tun0
Jan 13 12:17:06 WireguardServer systemd[1]: Started WireGuard via wg-quick(8) for tun0.
Also, verify WireGuard tunnel status with the following command:
$ sudo wg
Your output will be similar to:
interface: tun0
public key: zSQA79woVPtGgrEub0pisZ4MRyqed1TUqmaE7t9Dlwo=
private key: (hidden)
listening port: 51820
Connect WireGuard Clients
The WireGuard client application is available for multiple operating systems. You can either set up another Rocky Linux server as a peer or install the WireGuard client application on an iOS, Android, macOS, Linux, or Windows device.
In this guide, we'll create a WireGuard peer-to-peer tunnel using another Rocky Linux server as the client device. Repeat the server installation steps above on the client and generate a separate key pair for it; a private key is never copied from one peer to another.
$ sudo dnf install epel-release elrepo-release
$ sudo dnf install wireguard-tools kmod-wireguard
$ sudo mkdir -p -m 700 /etc/wireguard
$ sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey'
View the client private key.
$ sudo cat /etc/wireguard/privatekey
Then, create the client configuration file with root-only permissions, as on the server, and edit it.
$ sudo install -m 600 /dev/null /etc/wireguard/tun0.conf
$ sudo vim /etc/wireguard/tun0.conf
Paste the following contents:
[Interface]
PrivateKey = CLIENT-PRIVATE-KEY
# Client address on the WireGuard network
Address = 10.5.0.2/24
[Peer]
PublicKey = SERVER-PUBLIC-KEY
# Destinations routed through the tunnel: the whole WireGuard subnet, via the server.
# Use 10.5.0.1/32 to reach only the server, or 0.0.0.0/0 to send all traffic through it.
AllowedIPs = 10.5.0.0/24
# Public IP address and listening port of the server
Endpoint = Server-IP:51820
Enter the client's private key in the [Interface] section, and the server's public key, the addresses to route through the tunnel, and the server's public IP in the [Peer] section. AllowedIPs is also a source filter: the client discards any packet arriving from the server whose source address is outside this list.
Next, enable the VPN client interface.
$ sudo systemctl enable wg-quick@tun0
Start the VPN client.
$ sudo systemctl start wg-quick@tun0
Verify the VPN interface status.
$ sudo systemctl status wg-quick@tun0
Now, view and copy the client public key.
$ sudo cat /etc/wireguard/publickey
Then, register the client on the WireGuard server with the following command, giving it its own /32. A wider prefix would claim that whole range for this peer and take those addresses away from any other peer.
$ sudo wg set tun0 peer XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8= allowed-ips 10.5.0.2/32
Because the server configuration has SaveConfig = true, this peer is written to /etc/wireguard/tun0.conf the next time the interface is brought down; without SaveConfig, add an equivalent [Peer] section to the file by hand so that the client survives a restart.
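Registering clients on the server, as an added example in POSIX shell that is not taken from the original guide. Instead of one wg set per client, the functions below append a [Peer] stanza to the server's tun0.conf and push it into the running interface, with checks that wg set does not make: the public key must be well-formed and not already registered, and the address must be a free host in 10.5.0.0/24 that no other peer already owns. CONF is an assumed environment override so the functions can be exercised on a scratch copy of the file; demo uses the two client public keys shown in this guide's wg output; the file name wg-peers.sh in the usage note is illustrative.

```shell
#!/bin/sh
# Added example, not part of the original guide: register clients on the
# server by appending [Peer] stanzas to tun0.conf, with the checks that
# `wg set` does not perform. CONF is an assumed override so the functions can
# be exercised on a scratch copy; the guide's real file is
# /etc/wireguard/tun0.conf.
set -eu

CONF="${CONF:-/etc/wireguard/tun0.conf}"
SUBNET_PREFIX="10.5.0"   # the guide's 10.5.0.0/24
SERVER_ADDR="10.5.0.1"

# Reject anything that is not a 44-character base64 WireGuard key.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# A client address must be a host in the VPN subnet, must not be the server's
# own address, and must not already be assigned to another peer. WireGuard
# routes each AllowedIPs entry to exactly one peer, so a duplicate would move
# the address to the newest peer and silently cut off the older one.
client_addr_ok() {
    case "$1" in
        "$SUBNET_PREFIX".*.*) return 1 ;;   # too many octets
        "$SUBNET_PREFIX".*) ;;
        *) return 1 ;;
    esac
    host=${1##*.}
    case "$host" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ] || return 1
    [ "$1" != "$SERVER_ADDR" ] || return 1
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    ! grep -Eq "^AllowedIPs *= *$escaped/32 *\$" "$CONF"
}

# Append a [Peer] stanza for one client: exactly one /32 per client.
add_peer() {
    pubkey=$1
    addr=$2
    [ -f "$CONF" ] || { echo "add_peer: $CONF does not exist" >&2; return 1; }
    is_wg_key "$pubkey" || { echo "add_peer: malformed public key" >&2; return 1; }
    ! grep -Fq "PublicKey = $pubkey" "$CONF" || {
        echo "add_peer: this public key is already registered" >&2
        return 1
    }
    client_addr_ok "$addr" || {
        echo "add_peer: $addr is not a free client address in $SUBNET_PREFIX.0/24" >&2
        return 1
    }
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pubkey" "$addr" >> "$CONF"
}

# Number of peers registered in the file.
count_peers() {
    grep -c '^\[Peer\]' "$CONF" || true
}

# The matching client side: the client routes the whole VPN subnet through the
# server. Arguments: client private key, client address, server public key,
# server endpoint as IP:port.
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s.0/24\nEndpoint = %s\n' \
        "$3" "$SUBNET_PREFIX" "$4"
}

# Push the edited file into the running interface without restarting it.
# wg-quick strip removes the wg-quick-only keys (Address, SaveConfig, ...)
# that wg(8) itself does not understand. Needs wireguard-tools and root.
apply_conf() {
    iface=${1:-tun0}
    wg-quick strip "$iface" | wg syncconf "$iface" /dev/stdin
}

# Stand-alone demonstration on a scratch file, using the two client public
# keys shown in this guide's wg output; prints the resulting file.
demo() {
    CONF=$(mktemp)
    printf '[Interface]\nPrivateKey = SERVER-PRIVATE-KEY\nAddress = %s/24\nListenPort = 51820\nSaveConfig = true\n' \
        "$SERVER_ADDR" > "$CONF"
    add_peer XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8= 10.5.0.2
    add_peer VB+l4vytC337tgNdvESM/U5hQaVUQQrWmNalllumeUw= 10.5.0.3
    cat "$CONF"
}
```

On the server, add the peer and apply it in one go, for example `sudo sh -c '. ./wg-peers.sh; add_peer XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8= 10.5.0.2 && apply_conf tun0'`, so that the file and the running interface agree before SaveConfig next rewrites the file from the interface state. The client side (render_client_conf) deliberately gets the subnet rather than a /32: the server owns one /32 per client, while each client routes the whole block through the server, which is what lets two clients reach each other once forwarding is enabled on the server.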
From the client, test the WireGuard connection by sending ping packets to the server's VPN address.
$ ping 10.5.0.1
Run the following command on the server to view the VPN tunnel information. The output below shows two registered clients, 10.5.0.2 from this guide and a second one at 10.5.0.3 added the same way:
$ sudo wg
Your output should be similar to the one below:
interface: tun0
public key: zSQA79woVPtGgrEub0pisZ4MRyqed1TUqmaE7t9Dlwo=
private key: (hidden)
listening port: 51820
peer: VB+l4vytC337tgNdvESM/U5hQaVUQQrWmNalllumeUw=
endpoint: 40.79.189.73:14050
allowed ips: 10.5.0.3/32
latest handshake: 6 seconds ago
transfer: 6.04 KiB received, 8.82 KiB sent
peer: XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8=
endpoint: 95.179.255.69:37626
allowed ips: 10.5.0.2/32
latest handshake: 35 seconds ago
transfer: 4.39 KiB received, 4.34 KiB sent
Conclusion
Congratulations, you have successfully set up a WireGuard VPN server on Rocky Linux and created a peer-to-peer connection using another Rocky Linux server as a client. For each additional client, generate a separate key pair on that device, give it an unused address from the WireGuard block in its own configuration file, and register its public key together with that address as a /32 on the server.