WireGuard is one of the commonly used open-source tools for building encrypted Virtual Private Networks. Its main goals are better performance and a low attack surface, achieved by passing traffic over UDP. This gives WireGuard better performance than the two older tunneling protocols, OpenVPN and IPsec.
WireGuard VPN offers the following features:
- Supports a pre-shared symmetric key mode that adds an extra layer of symmetric encryption using ChaCha20. This helps mitigate future advances in quantum computing.
- It can be extended by third-party programs and scripts, which makes logging, LDAP integration and firewall updates easier.
- It supports multiple network topologies, i.e. point-to-point, star, mesh, etc.
- It uses SipHash for hashtable keys, Curve25519 for key exchange, BLAKE2s as its cryptographic hash function, and Poly1305 for message authentication codes.
- It is UDP-based only and supports IPv6.
- It is a peer-to-peer VPN and does not require a client-server model.
- It is simple and effective.
In March 2020, WireGuard released a stable version, which was integrated into Linux kernel 5.6 and also backported to older kernels in some Linux distributions. In this guide, we will take a systematic walk through setting up WireGuard VPN on Amazon Linux 2.
You will require the following:
- An Amazon Linux 2 instance.
- A user with sudo access.
Having met the above conditions, proceed as below.
1. Add the Required Repositories on Amazon Linux 2
In this guide, we will install WireGuard from the WireGuard COPR repository added below, and we will also add the EPEL repo to install the required WireGuard dependencies.
sudo curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
sudo yum install epel-release
2. Install WireGuard VPN server on Amazon Linux 2
After adding the WireGuard and EPEL repos to our system, we can easily install the WireGuard VPN server and its dependencies using the command:
sudo yum install wireguard-dkms wireguard-tools vim
Dependency tree:
....
Transaction Summary
========================================================================================================================================================================================================
Install 2 Packages (+38 Dependent packages)
Total download size: 63 M
Installed size: 137 M
Is this ok [y/d/N]: y
Accept the GPG key imports when prompted.
Retrieving key from https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/pubkey.gpg
Importing GPG key 0xFD626932:
Userid : "jdoss_wireguard (None) <jdoss#[email protected]>"
Fingerprint: 9cbc e731 a606 afc3 e7ce 66f6 151c 9ff7 fd62 6932
From : https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/pubkey.gpg
Is this ok [y/N]: y
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <[email protected]>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Update and reboot your system.
sudo yum update -y
sudo reboot -i
3. Configure WireGuard VPN on Amazon Linux 2.
After a successful installation, we are now set to configure WireGuard on Amazon Linux 2. WireGuard configuration is done using the wg and wg-quick commands. For the setup to work, every device on the WireGuard network needs its own private and public key. This key pair can be generated using the wg command below.
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
This command generates the pair and saves both keys in the /etc/wireguard directory. Remember, the private key must never be shared with anyone.
Next, we need to create a configuration file that will be used to route the VPN traffic. We will manually create the config file with the name wgvpn.conf.
sudo vim /etc/wireguard/wgvpn.conf
In the created file, add the below lines.
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = GENERATED_SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Remember to replace:
- GENERATED_SERVER_PRIVATE_KEY with your generated private key obtained using
sudo cat /etc/wireguard/privatekey
- 10.0.0.1/24 with the IP range reserved for private networks; you can also enter multiple IPs for both IPv4 and IPv6, separated by commas.
Save the file and make the config file and private key unreadable to other users.
sudo chmod 600 /etc/wireguard/{privatekey,wgvpn.conf}
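The chmod above runs only after tee has already created the files under the default umask, so for a moment the private key can be readable by every local user. As an added example (not from the original guide), this POSIX shell script generates the pair under umask 077 instead and adds two checks a practitioner would want: that a key really is 32 base64-encoded bytes, and that the key file is 0600. It assumes wg is installed and WG_DIR defaults to the guide's /etc/wireguard.

```shell
#!/bin/sh
# Added example, not from the original guide: create the WireGuard key pair
# without a window in which the private key is world-readable, then verify it.
# Assumes wg is installed; WG_DIR defaults to the guide's /etc/wireguard.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"

# A WireGuard key is 32 random bytes in base64: 44 characters ending in '='.
# Returns 0 for a syntactically valid key, 1 otherwise.
is_wg_key() {
    key="$1"
    case "$key" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ "${#key}" -eq 44 ] || return 1
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 only when the file is readable and writable by its owner alone.
is_private() {
    [ "$(file_mode "$1")" = "600" ]
}

# Same pipeline as the guide, but inside a subshell with umask 077 so tee
# creates privatekey and publickey as 0600 from the start.
gen_keypair() {
    (
        umask 077
        wg genkey | tee "$WG_DIR/privatekey" | wg pubkey | tee "$WG_DIR/publickey"
    )
    is_private "$WG_DIR/privatekey" || { echo "privatekey is not 0600" >&2; return 1; }
    is_wg_key "$(cat "$WG_DIR/privatekey")" || { echo "malformed private key" >&2; return 1; }
}

# Run as the server operator (for example under sudo) to generate and verify:
# gen_keypair
```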
Now using the wg-quick command, start the interface.
sudo wg-quick up wgvpn
Sample Output:
[#] ip link add wgvpn type wireguard
[#] wg setconf wgvpn /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wgvpn
[#] ip link set mtu 1420 up dev wgvpn
[#] iptables -A FORWARD -i wgvpn -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Verify the interface is running:
$ sudo wg show wgvpn
##Or
$ ip a show wgvpn
Sample output:
$ ip a show wgvpn
5: wgvpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.1/24 scope global wgvpn
valid_lft forever preferred_lft forever
Allow the Wireguard service to run automatically on boot.
sudo systemctl enable wg-quick@wgvpn
Next, enable IP forwarding on Amazon Linux 2 by appending the line below to the /etc/sysctl.conf file.
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
Reload the sysctl configuration.
$ sudo sysctl -p
net.ipv4.ip_forward = 1
If you have a firewall enabled, allow the port through the firewall.
sudo firewall-cmd --zone=public --permanent --add-port=51820/udp
sudo firewall-cmd --reload
4. WireGuard VPN Client Setup
After a successful configuration, we now need to set up a WireGuard VPN client to connect to the VPN server.
WireGuard is supported on various platforms such as Linux, macOS, and Windows. Set up the WireGuard client on your preferred system as below.
4.1. Setup WireGuard Client on Linux and macOS
You need to install the WireGuard client on your Linux or macOS system as described on the official WireGuard installation page.
You can use the package manager on Linux and Homebrew on macOS. Then proceed to generate the key pair as below.
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Here too, create the wgvpn.conf file.
sudo vi /etc/wireguard/wgvpn.conf
Add the below lines.
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0
In the above configuration, replace the values as below:
Client section
- CLIENT_PRIVATE_KEY with the private key obtained using
sudo cat /etc/wireguard/privatekey
- 10.0.0.2/24 with the IP address of the wgvpn interface on this client.
Peer section
- SERVER_PUBLIC_KEY – the public key of the WireGuard VPN server (the peer you want to connect to).
- SERVER_PUBLIC_IP_ADDRESS – the public IP address/hostname of the peer to connect to, followed by the port on which WireGuard VPN is listening.
- AllowedIPs – the list of IP ranges whose traffic is routed to, and accepted from, this peer. In this guide we use 0.0.0.0/0 because we want all of the client's traffic to be sent through the peer server.
Below is a sample of how the file will look:
[Interface]
PrivateKey = KTRyDUP1pydfsdwGUfjdhfnE61y6WC++L8iq+QfguVok8=
Address = 10.0.0.2/24
[Peer]
PublicKey = FPEZwqsdfsdwGddhfnE61fghBnAy1+sdjI0sOx1IT1X4=
Endpoint = 192.168.100.249:51820
AllowedIPs = 0.0.0.0/0
4.2. Setup WireGuard Client on Windows.
Similar to Linux and macOS, on Windows you also have to download and install the WireGuard client MSI file as directed on the official WireGuard page.
On successful installation, launch the WireGuard client and click Add empty tunnel as shown.
Here, the key pair is automatically generated and displayed.
Now add the configuration below, replacing the placeholders as we did for Linux and macOS above.
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0
Once done, click save and proceed as below.
5. Add Client Peer to WireGuard VPN Server on Amazon Linux 2.
Now that everything has been configured on both the server and the client, we proceed to add the client to the server as below.
sudo wg set wgvpn peer CLIENT_PUBLIC_KEY allowed-ips 10.0.0.2
In the command, replace CLIENT_PUBLIC_KEY with the client peer's public key. Then start the tunnel interface on the client.
- On Linux and macOS
Update and reboot your system for the changes to apply.
##On RHEL/CentOS/Rocky Linux
sudo yum update
sudo reboot -i
##On Debian/Ubuntu
sudo apt update && sudo apt upgrade
sudo reboot -i
Then start the interface as below.
$ sudo wg-quick up wgvpn
[#] ip link add wgvpn type wireguard
[#] wg setconf wgvpn /dev/fd/63
[#] ip -4 address add 10.0.0.2/24 dev wgvpn
[#] ip link set mtu 65456 up dev wgvpn
[#] wg set wgvpn fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wgvpn table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
Verify that the interface is running:
sudo wg
- On Windows
Here, start the WireGuard tunnel by clicking Activate. Then check the status as shown; it should change to Active.
Conclusion.
That marks the end of this guide on how to set up WireGuard VPN on Amazon Linux 2. We also went further and set up a WireGuard client on Windows, Linux, and macOS systems. I hope this was fascinating.