Install WireGuard VPN Server on Rocky Linux 8
Welcome to this guide where we shall discuss how to set up WireGuard VPN server on Rocky Linux 8. WireGuard VPN is an Open Source VPN server that uses a peer-to-peer kind of connectivity to establish the connections between the devices. WireGuard implements encrypted virtual networks and is designed for ease of use, high-performance speed, and low attack risk.
To install WireGuard VPN server on Rocky Linux, we need to follow the steps below.
Lab Environment
WireGuard VPN Server:
OS: Rocky Linux release 8.4
Hostname: rocky
IP Address: 172.29.10.10/24
WireGuard VPN Client:
OS: Rocky Linux release 8.4
Hostname: client
IP Address: 172.29.10.12/24
Tunnel subnet: 192.168.112.0/24
Step 1. Install EPEL Release
Install EPEL Release on Rocky Linux to enable you to install WireGuard packages that are not available from the base repos.
[root@rocky ~]# dnf install epel-release elrepo-release -y
Last metadata expiration check: 0:00:16 ago on Sun 05 Sep 2021 01:22:24 PM EAT.
Dependencies resolved.
===============================================================
 Package         Architecture  Version     Repository  Size
===============================================================
Installing:
 elrepo-release  noarch        8.2-1.el8   extras      12 k
 epel-release    noarch        8-10.el8    extras      22 k
...
Installed:
  elrepo-release-8.2-1.el8.noarch  epel-release-8-10.el8.noarch
Complete!
Step 2. Install WireGuard VPN packages
Install the WireGuard VPN packages and the dependencies:
[root@rocky ~]# dnf install kmod-wireguard wireguard-tools
Step 3. Configure WireGuard VPN server
Create the configuration directories and files for WireGuard VPN server as discussed below.
First, create the WireGuard configuration directory:
[root@rocky ~]# mkdir /etc/wireguard
Generate WireGuard Private Key
Generate a private key for WireGuard using the wg genkey command. Set a restrictive umask first so that the key file is created readable by root only (note that umask must run as a separate command, not as the first element of the pipeline, otherwise it only applies inside a subshell and the key file ends up world-readable):
[root@rocky ~]# umask 077; wg genkey | tee /etc/wireguard/wireguard.key
Verify that a private key has been created at /etc/wireguard/wireguard.key.
[root@rocky ~]# cat /etc/wireguard/wireguard.key
mFEl29HDMiR3Hvx3zOg6VC7eUua/Ba4+SCapPXYPQXA=
Generate WireGuard Public Key
Generate the corresponding public key from the private key created above.
[root@rocky ~]# wg pubkey < /etc/wireguard/wireguard.key > /etc/wireguard/wireguard.pub.key
Confirm that the public key has been created.
[root@rocky ~]# cat /etc/wireguard/wireguard.pub.key
MP0xrEFh1I1kOaHTu0LvplEWeC3oQK0N728D04OYKxY=
Step 4. WireGuard Network and Firewall Configuration
We need to configure the network for WireGuard VPN. Create a configuration file at /etc/wireguard/ called wg.conf and add the details below. The file name determines the interface name, so this configuration creates an interface called wg.
Use the WireGuard private key generated above (the contents of /etc/wireguard/wireguard.key) for the PrivateKey entry. You can also choose a different tunnel subnet to suit your existing network configuration, and if the server's outbound interface is not eth0, replace eth0 in the PostUp and PostDown lines with the correct interface name.
[root@rocky ~]# cat /etc/wireguard/wg.conf
[Interface]
Address = 192.168.112.1/24
SaveConfig = true
ListenPort = 51820
DNS = 8.8.8.8,192.168.112.1
PrivateKey = <WIREGUARD-PRIVATE-KEY>
PostUp = firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --remove-port=51820/udp; firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
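Because wg.conf embeds the private key, it is worth generating it from the key file with a couple of sanity checks rather than pasting the key by hand. The POSIX shell script below is an added example, not part of the original guide: it checks that the key file holds a valid 32-byte base64 key and is not group- or world-readable, then writes the [Interface] section shown above with owner-only permissions. The function names, and the assumption that the key file, output path, tunnel address and outbound interface are passed as arguments, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: render the [Interface] section
# of wg.conf from an existing private-key file, refusing to proceed if the key
# is malformed or the key file is readable by other users.
# Assumptions: key file, output path, tunnel address and WAN interface are
# passed as arguments; PostUp/PostDown mirror the guide's firewall-cmd lines.

# wg_key_valid KEYFILE -> 0 if the first line decodes to exactly 32 bytes
wg_key_valid() {
    key=$(head -n 1 "$1" | tr -d '\r\n')
    [ "${#key}" -eq 44 ] || return 1
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# wg_key_perms_ok KEYFILE -> 0 if the mode is 0600 or 0400 (owner-only)
wg_key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# render_wg_conf KEYFILE OUTFILE ADDRESS WAN_IF -> writes OUTFILE (mode 0600)
render_wg_conf() {
    keyfile=$1; out=$2; addr=$3; wan=$4
    wg_key_valid "$keyfile"    || { echo "malformed private key in $keyfile" >&2; return 1; }
    wg_key_perms_ok "$keyfile" || { echo "$keyfile must be mode 0600" >&2; return 1; }
    umask 077   # the config embeds the private key, so keep it owner-only too
    cat > "$out" <<EOF
[Interface]
Address = $addr
SaveConfig = true
ListenPort = 51820
DNS = 8.8.8.8,${addr%/*}
PrivateKey = $(head -n 1 "$keyfile" | tr -d '\r\n')
PostUp = firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg -o $wan -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o $wan -j MASQUERADE
PostDown = firewall-cmd --remove-port=51820/udp; firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg -o $wan -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o $wan -j MASQUERADE
EOF
}
```

On the server from this guide it would be invoked as `render_wg_conf /etc/wireguard/wireguard.key /etc/wireguard/wg.conf 192.168.112.1/24 eth0`.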
Step 5. Enable Routing on Rocky Linux 8
Allow Rocky Linux to route incoming traffic from the VPN clients to the required destination. Run the command below:
[root@rocky ~]# echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
Apply the new sysctl setting without rebooting:
[root@rocky ~]# sysctl --system
Step 6. Start WireGuard Server
Start Wireguard by running the command below:
[root@rocky ~]# wg-quick up wg
[#] ip link add wg type wireguard
[#] wg setconf wg /dev/fd/63
[#] ip -4 address add 192.168.112.1/24 dev wg
[#] ip link set mtu 1420 up dev wg
[#] mount `8.8.8.8 192.168.112.1' /etc/resolv.conf
[#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
success
success
success
success
Verify that the interface has been created:
The WireGuard VPN service can also be managed by systemd:
[root@rocky ~]# systemctl start wg-quick@wg
To check the status of the service:
[root@rocky ~]# systemctl status wg-quick@wg
● wg-quick@wg.service - WireGuard via wg-quick(8) for wg
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; vendor preset: disabled)
Active: active (exited) since Sun 2021-09-05 15:35:57 EAT; 57s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 20666 ExecStart=/usr/bin/wg-quick up wg (code=exited, status=0/SUCCESS)
Main PID: 20666 (code=exited, status=0/SUCCESS)
Sep 05 15:35:56 rocky wg-quick[20666]: [#] ip link add wg type wireguard
Sep 05 15:35:56 rocky wg-quick[20666]: [#] wg setconf wg /dev/fd/63
Sep 05 15:35:56 rocky wg-quick[20666]: [#] ip -4 address add 192.168.112.1/24 dev wg
Sep 05 15:35:56 rocky wg-quick[20666]: [#] ip link set mtu 1420 up dev wg
Sep 05 15:35:56 rocky wg-quick[20666]: [#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT; firewal>
Sep 05 15:35:56 rocky wg-quick[20666]: success
Sep 05 15:35:57 rocky wg-quick[20666]: success
Sep 05 15:35:57 rocky wg-quick[20666]: success
Sep 05 15:35:57 rocky wg-quick[20666]: success
Sep 05 15:35:57 rocky systemd[1]: Started WireGuard via wg-quick(8) for wg.
At this point, WireGuard VPN server is configured successfully. The next step is to configure a VPN client.
Step 7. Configure WireGuard Client
To connect to the WireGuard VPN server, we need to install the WireGuard packages on the client. This is done in the same way as the VPN server.
Install EPEL release
[root@client ~]# dnf install epel-release elrepo-release -y
Install WireGuard packages
[root@client ~]# dnf install kmod-wireguard wireguard-tools -y
ELRepo.org Community Enterprise Linux Repository - el8                                  130 kB/s | 272 kB     00:02
Dependencies resolved.
=========================================================================================================
 Package          Architecture  Version                         Repository  Size
=========================================================================================================
Installing:
 kmod-wireguard   x86_64        4:1.0.20210606-1.el8_4.elrepo   elrepo      110 k
 wireguard-tools  x86_64        1.0.20210424-1.el8              epel        125 k

Transaction Summary
=========================================================================================================
Install  2 Packages

Total download size: 235 k
Installed size: 641 k
Downloading Packages:
(1/2): wireguard-tools-1.0.20210424-1.el8.x86_64.rpm                                    361 kB/s | 125 kB     00:00
(2/2): kmod-wireguard-1.0.20210606-1.el8_4.elrepo.x86_64.rpm                            115 kB/s | 110 kB     00:00
---------------------------------------------------------------------------------------------------------
Create the WireGuard configuration directory:
[root@client ~]# mkdir /etc/wireguard
Generate the private and public keys for the VPN client (again with a restrictive umask so the private key file is readable by root only):
[root@client ~]# umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
Create the configuration file for the WireGuard interface on the VPN client:
[root@client ~]# vi /etc/wireguard/wg.conf
[Interface]
PrivateKey = <Client-private-key>
Address = 192.168.112.2/24

[Peer]
PublicKey = <Wireguard-server-public-key>
Endpoint = <wireguard-server-ip-address>:51820
AllowedIPs = 0.0.0.0/0
Substitute the public/private keys with the correct details as indicated. Also, make sure you use the WireGuard server IP address at the Endpoint entry.
Configure the WireGuard server to allow connections from the client by adding the client's public key. On the VPN server, run the command below, replacing the details with the ones matching your environment. Because the server configuration has SaveConfig = true, a peer added this way is written back to /etc/wireguard/wg.conf when the interface is brought down, so it survives a restart of the service.
[root@rocky ~]# wg set wg peer <client-public-key> allowed-ips 192.168.112.2
Start the VPN connection from the client:
[root@client ~]# wg-quick up wg
Sample Output:
Verify that the interface has been created on the client
[root@client ~]# ifconfig wg
Sample Output:
Similar to the VPN server, WireGuard service on the client can also be managed by systemd.
For instance, to check the status of the service, run the command below:
[root@client ~]# systemctl status wg-quick@wg
● wg-quick@wg.service - WireGuard via wg-quick(8) for wg
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; vendor preset: disabled)
Active: active (exited) since Sun 2021-09-05 17:00:49 EAT; 2s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 14402 ExecStart=/usr/bin/wg-quick up wg (code=exited, status=0/SUCCESS)
Main PID: 14402 (code=exited, status=0/SUCCESS)
Sep 05 17:00:49 client wg-quick[14402]: [#] wg setconf wg /dev/fd/63
Sep 05 17:00:49 client wg-quick[14402]: [#] ip -4 address add 192.168.112.2/24 dev wg
Sep 05 17:00:49 client wg-quick[14402]: [#] ip link set mtu 1420 up dev wg
Sep 05 17:00:49 client wg-quick[14402]: [#] wg set wg fwmark 51820
Sep 05 17:00:49 client wg-quick[14402]: [#] ip -4 route add 0.0.0.0/0 dev wg table 51820
Sep 05 17:00:49 client wg-quick[14402]: [#] ip -4 rule add not fwmark 51820 table 51820
Sep 05 17:00:49 client wg-quick[14402]: [#] ip -4 rule add table main suppress_prefixlength 0
Sep 05 17:00:49 client wg-quick[14402]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Sep 05 17:00:49 client wg-quick[14402]: [#] nft -f /dev/fd/63
Sep 05 17:00:49 client systemd[1]: Started WireGuard via wg-quick(8) for wg.
Step 8. Verify VPN connection
The last step is to verify that the VPN connection is up.
You can check the status of the connection by running the command below on either the client or the server:
From the VPN server:
[root@rocky ~]# wg show
interface: wg
  public key: MP0xrEFh1I1kOaHTu0LvplEWeC3oQK0N728D04OYKxY=
  private key: (hidden)
  listening port: 51820

peer: goQCA57HtKIjSyM1nLC0JhK/QPnWwZRLfsk9+jb3Sis=
  endpoint: 192.168.100.126:41869
  allowed ips: 192.168.112.2/32
  latest handshake: 1 minute, 52 seconds ago
  transfer: 808 B received, 952 B sent
From the Client:
[root@client ~]# wg show
interface: wg
  public key: goQCA57HtKIjSyM1nLC0JhK/QPnWwZRLfsk9+jb3Sis=
  private key: (hidden)
  listening port: 56855
  fwmark: 0xca6c

peer: MP0xrEFh1I1kOaHTu0LvplEWeC3oQK0N728D04OYKxY=
  endpoint: 192.168.100.149:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 22 seconds ago
  transfer: 540 B received, 404 B sent
You can also run a traceroute from the client to see what path the traffic is using.
[root@client ~]# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.112.1 (192.168.112.1)  3.497 ms  3.352 ms  3.291 ms
 2  * * *
 3  100.65.0.1 (100.65.0.1)  11.911 ms  14.393 ms  14.438 ms
....
The first hop is the tunnel address of the VPN server (192.168.112.1), which verifies that the client's traffic is going through the WireGuard VPN server.
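The "latest handshake" line in wg show is the quickest health signal for a peer: while traffic is flowing, WireGuard renegotiates roughly every two minutes, so a handshake much older than that (or no handshake line at all) means the peer is unreachable or its traffic is not entering the tunnel. The POSIX shell check below is an added example, not part of the original guide; it parses wg show output (the sample is a constructed copy of the server output above) and lists peers whose latest handshake is older than a given number of seconds. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide: flag WireGuard peers whose
# latest handshake is stale. Input is the text of `wg show`; on a live server
# you would run: stale_peers "$(wg show wg)" 180

# Constructed sample, copied from the server-side `wg show` output in the guide.
SAMPLE_WG_SHOW='interface: wg
  public key: MP0xrEFh1I1kOaHTu0LvplEWeC3oQK0N728D04OYKxY=
  private key: (hidden)
  listening port: 51820

peer: goQCA57HtKIjSyM1nLC0JhK/QPnWwZRLfsk9+jb3Sis=
  endpoint: 192.168.100.126:41869
  allowed ips: 192.168.112.2/32
  latest handshake: 1 minute, 52 seconds ago
  transfer: 808 B received, 952 B sent'

# handshake_age "1 minute, 52 seconds ago" -> prints the age in seconds (112)
handshake_age() {
    total=0
    # drop the "ago" suffix and commas, then walk the "<n> <unit>" pairs
    set -- $(printf '%s' "$1" | sed 's/ ago$//; s/,//g')
    while [ $# -ge 2 ]; do
        case "$2" in
            day*)    total=$((total + $1 * 86400)) ;;
            hour*)   total=$((total + $1 * 3600)) ;;
            minute*) total=$((total + $1 * 60)) ;;
            second*) total=$((total + $1)) ;;
        esac
        shift 2
    done
    echo "$total"
}

# stale_peers WG_SHOW_TEXT MAX_AGE -> prints the public key of every peer whose
# latest handshake is older than MAX_AGE seconds or that has never handshaked
stale_peers() {
    max=$2
    printf '%s\n' "$1" | {
        peer=""; seen=1
        while IFS= read -r line; do
            case "$line" in
                "peer: "*)
                    if [ "$seen" -eq 0 ]; then echo "$peer"; fi   # previous peer: no handshake line
                    peer=${line#peer: }; seen=0 ;;
                *"latest handshake: "*)
                    seen=1
                    age=$(handshake_age "${line#*latest handshake: }")
                    if [ "$age" -gt "$max" ]; then echo "$peer"; fi ;;
            esac
        done
        if [ -n "$peer" ] && [ "$seen" -eq 0 ]; then echo "$peer"; fi
    }
}
```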
Conclusion
We have successfully configured WireGuard VPN on Rocky Linux and verified that the VPN is working. As shown, WireGuard VPN server uses simple, yet secure protocols and is easy to configure. I hope this guide was insightful enough and will help you. Please feel free to give feedback in case you run into issues deploying this in your environment.