Introduction
WireGuard is a free, modern, open-source Virtual Private Network (VPN) application that offers simplicity and state-of-the-art cryptography. Its encryption relies on public and private key pairs: every peer has its own key pair, and the server only accepts traffic from clients whose public keys it knows.
In this guide, you will install the WireGuard server on Rocky Linux and set up a peer-to-peer VPN connection from a client computer.
Prerequisites
Choose WireGuard Network Addresses
Choose a new WireGuard network address range that all connected clients will use; depending on your server configuration, traffic from addresses outside the range is dropped. Pick a block from any of the following valid private ranges for your network.
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
10.0.0.0 - 10.255.255.255 (10/8 prefix)
This guide uses the address block 10.5.0.0/24 for the WireGuard network. 10.5.0.1 is used as the server address, and clients can use the other available host addresses in the block. For purposes of this guide, 10.5.0.2 is used as the WireGuard client/peer address.
Install WireGuard Server
Install the Extra Packages for Enterprise Linux (EPEL) and ELRepo repositories so that WireGuard can be installed from a repository.
$ sudo dnf install epel-release elrepo-release
Update the server.
$ sudo dnf update
Install WireGuard.
$ sudo dnf install wireguard-tools kmod-wireguard
Configure WireGuard Server
Create the WireGuard configuration files directory.
$ sudo mkdir -p /etc/wireguard
Then, create the configuration file tun0.conf in that directory.
$ sudo touch /etc/wireguard/tun0.conf
Now, generate a new private and public key pair. Set a restrictive umask first so that the key files are not readable by other users on the server.
$ umask 077
$ wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
View and copy the private key.
$ sudo cat /etc/wireguard/privatekey
yC0WsEKWC8Zjd7LtykbBNi8NIPKcrfsr7tsqgKMLO3o=
Next, edit the /etc/wireguard/tun0.conf file.
$ sudo vim /etc/wireguard/tun0.conf
Paste the following contents:
[Interface]
PrivateKey = Paste-Server-Private-Key
Address = 10.5.0.1/24
ListenPort = 51820
SaveConfig = true
Replace Paste-Server-Private-Key with the private key copied earlier. Then, save and close the file.
Enable Forwarding
To let the server route traffic from the WireGuard network to other networks, enable IPv4 forwarding in /etc/sysctl.conf.
$ sudo vim /etc/sysctl.conf
Add the following IPv4 rule to the bottom of the file:
net.ipv4.ip_forward=1
Apply the change and confirm that it loads without errors:
$ sudo sysctl -p
Configure Firewall
First, allow WireGuard traffic on UDP port 51820.
$ sudo firewall-cmd --permanent --zone=public --add-port=51820/udp
Then, assign the WireGuard interface tun0 to the internal zone so that its traffic can reach other interfaces.
$ sudo firewall-cmd --permanent --zone=internal --add-interface=tun0
Enable masquerading so that traffic leaving the WireGuard interface through other interfaces is NATed correctly.
$ sudo firewall-cmd --permanent --zone=internal --add-masquerade
Now, reload the firewall for the changes to take effect.
$ sudo firewall-cmd --reload
View the current firewall configuration for each zone.
$ sudo firewall-cmd --zone=internal --list-all
$ sudo firewall-cmd --zone=public --list-all
Your output should be similar to:
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
Start WireGuard Server
Enable the WireGuard tun0 interface:
$ sudo systemctl enable wg-quick@tun0
Start the WireGuard service.
$ sudo systemctl start wg-quick@tun0
Verify the current WireGuard status by running the following command:
$ sudo systemctl status wg-quick@tun0
If active, your output should be similar to the one below:
● wg-quick@tun0.service - WireGuard via wg-quick(8) for tun0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2022-01-13 12:17:06 UTC; 3s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 54871 ExecStop=/usr/bin/wg-quick down tun0  (code=exited, status=0/SUCCESS)
  Process: 54898 ExecStart=/usr/bin/wg-quick up tun0 (code=exited, status=0/SUCCESS)
 Main PID: 54898 (code=exited, status=0/SUCCESS)
Jan 13 12:17:05 WireguardServer systemd[1]: wg-quick@tun0.service: Succeeded.
Jan 13 12:17:05 WireguardServer systemd[1]: Stopped WireGuard via wg-quick(8) for tun0.
Jan 13 12:17:05 WireguardServer systemd[1]: Starting WireGuard via wg-quick(8) for tun0...
Jan 13 12:17:05 WireguardServer wg-quick[54898]: [#] ip link add tun0 type wireguard
Jan 13 12:17:05 WireguardServer wg-quick[54898]: [#] wg setconf tun0 /dev/fd/63
Jan 13 12:17:06 WireguardServer wg-quick[54898]: [#] ip -4 address add 10.5.0.1/24 dev tun0
Jan 13 12:17:06 WireguardServer wg-quick[54898]: [#] ip link set mtu 1420 up dev tun0
Jan 13 12:17:06 WireguardServer systemd[1]: Started WireGuard via wg-quick(8) for tun0.
Also, verify the WireGuard tunnel status with the following command:
$ sudo wg
Your output will be similar to:
interface: tun0
  public key: zSQA79woVPtGgrEub0pisZ4MRyqed1TUqmaE7t9Dlwo=
  private key: (hidden)
  listening port: 51820
Connect WireGuard Clients
The WireGuard client application is available on multiple operating systems. You can either set up another Rocky Linux server as a peer or download the WireGuard client application to connect your iOS, Android, macOS, Linux, or Windows device.
In this guide, we’ll create a WireGuard peer-to-peer tunnel using another Rocky Linux server as the client device. Repeat the server steps above to install WireGuard on the client.
$ sudo dnf install epel-release elrepo-release
$ sudo dnf install wireguard-tools kmod-wireguard
$ sudo mkdir -p /etc/wireguard
$ umask 077
$ wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
View the client private key.
$ sudo cat /etc/wireguard/privatekey
Then, open and edit the WireGuard configuration file.
$ sudo vim /etc/wireguard/tun0.conf
Paste the following contents:
[Interface]
PrivateKey = CLIENT-PRIVATE-KEY
# Client address on the WireGuard network
Address = 10.5.0.2/24
[Peer]
PublicKey = SERVER-PUBLIC-KEY
# Server address on the WireGuard network; the /24 routes the whole WireGuard network through the server
AllowedIPs = 10.5.0.1/24
# Server public IP and port
Endpoint = Server-IP:51820
Enter the client's private key in the [Interface] section, and the server's public key, WireGuard network address, and public IP in the [Peer] section.
Next, enable the VPN client interface.
$ sudo systemctl enable wg-quick@tun0
Start the VPN client.
$ sudo systemctl start wg-quick@tun0
Verify the VPN interface status.
$ sudo systemctl status wg-quick@tun0
Now, view and copy the client public key.
$ sudo cat /etc/wireguard/publickey
Then, add the client as a peer on the WireGuard server with the following command. A bare address is treated as 10.5.0.2/32, so this peer may only send traffic from that one address:
$ sudo wg set tun0 peer XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8= allowed-ips 10.5.0.2
Test the WireGuard connection from the client by sending ping packets to the VPN server address.
$ ping 10.5.0.1
Run the following command to view the VPN tunnel information on the server.
$ sudo wg
Your output should be similar to the one below:
interface: wg0
  public key: zSQA79woVPtGgrEub0pisZ4MRyqed1TUqmaE7t9Dlwo=
  private key: (hidden)
  listening port: 51820
peer: VB+l4vytC337tgNdvESM/U5hQaVUQQrWmNalllumeUw=
  endpoint: 40.79.189.73:14050
  allowed ips: 10.5.0.3/24
  latest handshake: 6 seconds ago
  transfer: 6.04 KiB received, 8.82 KiB sent
peer: XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8=
  endpoint: 95.179.255.69:37626
  allowed ips: 10.5.0.2/24
  latest handshake: 35 seconds ago
  transfer: 4.39 KiB received, 4.34 KiB sent
Conclusion
Congratulations, you have successfully set up a WireGuard VPN server on Rocky Linux and created a peer-to-peer connection using another Rocky Linux server as a client. For each additional client, edit its WireGuard configuration file, assign it a unique address on the WireGuard network, and add its public key as a peer on the server.
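Two mistakes this procedure can leave behind are a placeholder still sitting in PrivateKey and a server-side peer whose AllowedIPs is wider than one host (the sample wg output above shows two peers both claiming 10.5.0.0/24, which cannot both own those routes). The following linter for the server's tun0.conf is an added Python example, not code from this guide or from the WireGuard project; it assumes the plain wg-quick INI layout shown above, and with SaveConfig = true the peers added with wg set are written back into that same file.

```python
"""Lint a wg-quick server config such as /etc/wireguard/tun0.conf (added example,
not code from the guide or the WireGuard project): flags placeholder keys and
peer AllowedIPs wider than one host, since each client should own only its /32."""
import base64
import ipaddress


def parse_wg_conf(text):
    """Parse wg-quick INI text into [(section, {key: value})]; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match nothing below
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections


def is_wg_key(value):
    """A WireGuard key is 32 bytes base64-encoded: 44 characters ending in '='."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # non-base64 text such as the 'Paste-Server-Private-Key' placeholder
        return False


def lint_server_conf(text):
    """Return a list of findings; an empty list means the config looks sane."""
    findings, claimed = [], []  # claimed: (peer public key, network) seen so far
    for name, kv in parse_wg_conf(text):
        if name == "Interface" and not is_wg_key(kv.get("PrivateKey", "")):
            findings.append("Interface: PrivateKey is missing or still a placeholder")
        if name != "Peer":
            continue
        pub = kv.get("PublicKey", "")
        if not is_wg_key(pub):
            findings.append(f"Peer {pub!r}: PublicKey is not a valid key")
        for cidr in filter(None, (c.strip() for c in kv.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)  # a bare address means /32
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"Peer {pub}: AllowedIPs {cidr} covers more than one host")
            for other_pub, other in claimed:  # cryptokey routing: a route belongs to one peer only
                if net.overlaps(other):
                    findings.append(f"Peer {pub}: {cidr} overlaps {other} owned by peer {other_pub}")
            claimed.append((pub, net))
    return findings
```

Run lint_server_conf() on the text of the server config; on the page's sample wg listing, where the two peers carry 10.5.0.2/24 and 10.5.0.3/24, it reports both the oversized ranges and their overlap.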
