WireGuard is a free, open-source VPN with state-of-the-art cryptography. WireGuard establishes peer-to-peer tunnels between devices; in the usual deployment, however, one peer acts as the server and is responsible for routing the clients' traffic to the defined networks.
This guide will discuss how to set up WireGuard VPN server on Rocky Linux 8.
Install WireGuard VPN Server on Rocky Linux 8
The steps below highlight how to install WireGuard VPN server on Rocky Linux 8.
Step 1. Install Epel Release
Install the EPEL and ELRepo release packages on Rocky Linux 8. They provide the WireGuard packages, which are not available in the default Rocky Linux repositories.
sudo dnf install epel-release elrepo-release -y
Step 2. Install WireGuard VPN server on Rocky Linux 8
Install the WireGuard kernel module and the WireGuard tools, together with their dependencies, as below:
$ sudo yum install kmod-wireguard wireguard-tools
ELRepo.org Community Enterprise Linux Repository - el8 15 kB/s | 272 kB 00:18
Dependencies resolved.
=============================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================
Installing:
kmod-wireguard x86_64 4:1.0.20210606-1.el8_4.elrepo elrepo 110 k
wireguard-tools x86_64 1.0.20210424-1.el8 epel 125 k
Transaction Summary
=============================================================================================================================================================================
Install 2 Packages
Total download size: 235 k
Installed size: 641 k
Is this ok [y/N]: y
Step 3. Configure WireGuard VPN on Rocky Linux 8
Once installed, the next step is to configure the WireGuard VPN server on Rocky Linux 8.
Create the WireGuard working directory, where WireGuard will store its configuration files and keys (it may already exist; it should be accessible to root only):
sudo mkdir -p -m 700 /etc/wireguard
Step 4. Generate WireGuard Keys
We will need to generate a private and a public key for the WireGuard server.
Generate the Private Key for WireGuard
Use the wg genkey command to generate the WireGuard private key. Set umask 077 first so that the key file is created readable by root only:
umask 077; wg genkey | sudo tee /etc/wireguard/wireguard.key
Confirm that the file has been written to the above path:
[root@Rocky ~]# cat /etc/wireguard/wireguard.key
6Eh08BtDiAqkTJ0rC6AbXi+UXyg+ZZoDU4n/ariG2Hg=
Generate the Public Key for WireGuard
Derive the public key from the private key created in the previous step. The private key file is readable only by root, so the redirections must run as root:
sudo sh -c 'wg pubkey < /etc/wireguard/wireguard.key > /etc/wireguard/wireguard.pub.key'
Verify the contents of the public key file.
[root@Rocky ~]# cat /etc/wireguard/wireguard.pub.key
BXfVP+JcQbwZUkhHtVJQIVEOw4oXM1fj1FDkC1f0ais=
Step 5. Create Network Configuration for WireGuard
Create the network configuration for WireGuard as below, using the server's private key from the previous step in place of <SERVER-PRIVATE-KEY>. Two points to adjust for your host: eth0 in the PostUp and PostDown rules must be the name of the server's public-facing interface, and the DNS line makes wg-quick rewrite the server's own /etc/resolv.conf while the tunnel is up (that is the mount line in the wg-quick output below), so it can be left out on the server and set on the clients instead.
$ sudo vim /etc/wireguard/wg0.conf
[Interface]
Address = 10.10.10.1/24
SaveConfig = true
ListenPort = 51820
DNS = 8.8.8.8,10.10.10.1
PrivateKey = <SERVER-PRIVATE-KEY>
PostUp = firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --remove-port=51820/udp; firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
Step 6. Enable IP Forwarding on Rocky Linux 8
Enable IP forwarding on Rocky Linux to allow packet routing for the VPN clients to the required destinations.
Add the line net.ipv4.ip_forward = 1 to the file /etc/sysctl.conf:
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
Reload the sysctl settings:
sudo sysctl -p
Step 7. Start WireGuard VPN Server
Start the WireGuard VPN server using the wg-quick tool.
[root@Rocky ~]# sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] mount `8.8.8.8 10.10.10.1' /etc/resolv.conf
[#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
success
success
success
success
Check and verify that the WireGuard interface is up.
[root@Rocky ~]# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.10.10.1 netmask 255.255.255.0 destination 10.10.10.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
You can also manage the WireGuard service using systemd. The unit is disabled by default, so it must also be enabled if the tunnel should come up at boot.
To start the service:
sudo systemctl start wg-quick@wg0
To check status of the service:
[root@Rocky ~]# systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; vendor preset: disabled)
Active: active (exited) since Thu 2021-08-12 18:41:23 EDT; 3s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 76862 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 76862 (code=exited, status=0/SUCCESS)
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] ip link add wg0 type wireguard
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] wg setconf wg0 /dev/fd/63
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] ip -4 address add 10.10.10.1/24 dev wg0
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] ip link set mtu 1420 up dev wg0
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j
Aug 12 18:41:20 Rocky wg-quick[76862]: success
Aug 12 18:41:21 Rocky wg-quick[76862]: success
Aug 12 18:41:22 Rocky wg-quick[76862]: success
Aug 12 18:41:23 Rocky wg-quick[76862]: success
Aug 12 18:41:23 Rocky systemd[1]: Started WireGuard via wg-quick(8) for wg0.
Setup WireGuard Client on Rocky Linux 8
After successfully configuring the WireGuard server, we now need to configure the WireGuard client on another Rocky Linux 8 machine.
Install the WireGuard packages on the Rocky Linux client:
sudo dnf install epel-release elrepo-release -y
sudo dnf install kmod-wireguard wireguard-tools -y
Generate the private and public keys for the Rocky Linux client machine. As on the server, set umask 077 so the private key file is not readable by other users:
sudo su -
umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
Configure the WireGuard interface for the Rocky Linux client
$ sudo vi /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <Client-private-key>
Address = 10.10.10.2/24
[Peer]
PublicKey = <server-public-key>
Endpoint = <server-ip-address>:51820
AllowedIPs = 0.0.0.0/0
Make sure to use the correct details in the above configuration: the client's own private key for PrivateKey, the server's public key for PublicKey, and the server's public IP address for Endpoint.
On the VPN server, run the command below to add the client as a peer, limiting it to the source address 10.10.10.2. Because the server config sets SaveConfig = true, wg-quick writes this peer into wg0.conf when the interface is brought down, so it survives restarts.
sudo wg set wg0 peer <client-public-key> allowed-ips 10.10.10.2
On the client machine, start the Wireguard interface with the command below:
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
The client is now connected to the VPN server, and because AllowedIPs is 0.0.0.0/0, all of its traffic is routed through the tunnel to the VPN server.
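Bringing the interface up succeeds even when the peer never answers, so the way to confirm the connection above is to look for a recent handshake in the output of wg show. The following shell function, an added example that is not part of the original guide, parses that output and flags peers that have not handshaked recently; the dump lines used in the test are constructed sample data, and the interface name wg0 is assumed.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm that the peer really
# completed a handshake once both sides are up. "wg show wg0 dump" prints one
# tab-separated line for the interface, then one per peer: public-key,
# preshared-key, endpoint, allowed-ips, latest-handshake (unix seconds, 0 =
# never), rx bytes, tx bytes, persistent-keepalive. An active tunnel rekeys
# roughly every two minutes, so a handshake older than a few minutes, or
# none at all, means the peer is not actually connected (wrong key, wrong
# Endpoint, or UDP port 51820 blocked on the way to the server).

# Print one line per peer whose latest handshake is missing or older than
# $3 seconds (default 180). $1: dump file (or - for stdin), $2: unix time now.
stale_peers() {
    awk -F'\t' -v now="$2" -v max="${3:-180}" '
        NR == 1 { next }                              # interface line
        {
            peer = substr($1, 1, 8) "..."             # abbreviated public key
            if ($5 == 0)
                printf "%s never handshaked (endpoint %s, allowed-ips %s)\n", peer, $3, $4
            else if (now - $5 > max)
                printf "%s last handshake %d s ago (allowed-ips %s)\n", peer, now - $5, $4
        }' "$1"
}

# Live check for interface $1 (default wg0) with optional max age $2:
# prints the stale peers and returns 1, or stays silent and returns 0.
check_tunnel() {
    out=$(wg show "${1:-wg0}" dump | stale_peers - "$(date +%s)" "$2")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}
```

Run check_tunnel on the server after the client's wg-quick up; an empty result means every configured peer has handshaked within the last three minutes.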
Conclusion
Wireguard is an enterprise-class but open-source VPN solution that is easy to set up and manage. We have successfully configured WireGuard VPN server on Rocky Linux 8. Feel free to get in touch in case you encounter challenges during your deployment. Cheers!