Install WireGuard VPN Rocky Linux 8 [Step-by-Step]

 

Install WireGuard VPN Server on Rocky Linux 8

Welcome to this guide where we shall discuss how to set up WireGuard VPN server on Rocky Linux 8. WireGuard VPN is an Open Source VPN server that uses a peer-to-peer kind of connectivity to establish the connections between the devices. WireGuard implements encrypted virtual networks and is designed for ease of use, high-performance speed, and low attack risk.

To install WireGuard VPN server on Rocky Linux, we need to follow the steps below.

Advertisement

 

Lab Environment

WireGuard VPN Server:
OS: Rocky Linux release 8.4
Hostname: rocky
IP Address: 172.29.10.10/24

WireGuard VPN Server:
OS: Rocky Linux release 8.4
Hostname: client
IP Address: 172.29.10.12/24

Tunnel subnet: 192.168.112.0/24

 

Step 1. Install EPEL Release

Install EPEL Release on Rocky Linux to enable you to install WireGuard packages that are not available from the base repos.

[root@rocky ~]# dnf install epel-release elrepo-release -y
Last metadata expiration check: 0:00:16 ago on Sun 05 Sep 2021 01:22:24 PM EAT.
Dependencies resolved.
===============================================================
 Package                      Architecture         Version                   Repository            Size
===============================================================
Installing:
 elrepo-release               noarch               8.2-1.el8                 extras                12 k
 epel-release                 noarch               8-10.el8                  extras                22 k

...

Installed:
  elrepo-release-8.2-1.el8.noarch                      epel-release-8-10.el8.noarch                     

Complete!

 

Step 2. Install WireGuard VPN packages

Install the WireGuard VPN packages and the dependencies:

[root@rocky ~]# dnf install kmod-wireguard wireguard-tools

 

Step 3. Configure WireGuard VPN server

Create the configuration directories and files for WireGuard VPN server as discussed below.

Advertisement

First, create the WireGuard configuration directory:

[root@rocky ~]# mkdir /etc/wireguard

 

Generate WireGuard Private Key

Generate a private key for WireGuard using the wg genkey command.

[root@rocky ~]# umask 077 | wg genkey | sudo tee /etc/wireguard/wireguard.key

Verify that a private key has been created at /etc/wireguard/wireguard.key.

[root@rocky ~]# cat /etc/wireguard/wireguard.key 
mFEl29HDMiR3Hvx3zOg6VC7eUua/Ba4+SCapPXYPQXA=

 

Generate WireGuard Public Key

Generate an alternate public key from the private key created above.

[root@rocky ~]# wg pubkey < /etc/wireguard/wireguard.key > /etc/wireguard/wireguard.pub.key

Confirm that the public key has been created.

[root@rocky ~]# cat /etc/wireguard/wireguard.pub.key 
MP0xrEFh1I1kOaHTu0LvplEWeC3oQK0N728D04OYKxY=

 

Step 4. WireGuard Network and Firewall Configuration

We need to configure the network for WireGuard VPN. Create a configuration file at /etc/wireguard/ called wg.conf and add the details below.

You are required to use your wireguard private key at PrivateKey entry. You can also choose to use your own subnet depending on your existing network configurations.

[root@rocky ~]# cat /etc/wireguard/wg.conf 
[Interface]
Address = 192.168.112.1/24
SaveConfig = true
ListenPort = 51820
DNS	   = 8.8.8.8,192.168.112.1
PrivateKey = <WIREGUARD-PRIVATE-KEY>
PostUp = firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --remove-port=51820/udp; firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

 

Step 5. Enable Routing on Rocky Linux 8

Allow Rocky Linux to route incoming traffic from the VPN clients to the required destination. Run the command below:

Advertisement
[root@rocky ~]# echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf

Reload the system daemon

[root@rocky ~]# sysctl --system

 

Step 6. Start WireGuard Server

Start Wireguard by running the command below:

[root@rocky ~]# wg-quick up wg
[#] ip link add wg type wireguard
[#] wg setconf wg /dev/fd/63
[#] ip -4 address add 192.168.112.1/24 dev wg
[#] ip link set mtu 1420 up dev wg
[#] mount `8.8.8.8 192.168.112.1' /etc/resolv.conf
[#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
success
success
success
success

Verify that the interface has been created:

Install WireGuard VPN Rocky Linux 8 [Step-by-Step]

Wireguard VPN service can also be managed by systemd:

[root@rocky ~]# systemctl start wg-quick@wg

To check the status of the service:

[root@rocky ~]# systemctl status wg-quick@wg
● wg-quick@wg.service - WireGuard via wg-quick(8) for wg
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; vendor preset: disabled)
   Active: active (exited) since Sun 2021-09-05 15:35:57 EAT; 57s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 20666 ExecStart=/usr/bin/wg-quick up wg (code=exited, status=0/SUCCESS)
 Main PID: 20666 (code=exited, status=0/SUCCESS)

Sep 05 15:35:56 rocky wg-quick[20666]: [#] ip link add wg type wireguard
Sep 05 15:35:56 rocky wg-quick[20666]: [#] wg setconf wg /dev/fd/63
Sep 05 15:35:56 rocky wg-quick[20666]: [#] ip -4 address add 192.168.112.1/24 dev wg
Sep 05 15:35:56 rocky wg-quick[20666]: [#] ip link set mtu 1420 up dev wg
Sep 05 15:35:56 rocky wg-quick[20666]: [#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT; firewal>
Sep 05 15:35:56 rocky wg-quick[20666]: success
Sep 05 15:35:57 rocky wg-quick[20666]: success
Sep 05 15:35:57 rocky wg-quick[20666]: success
Sep 05 15:35:57 rocky wg-quick[20666]: success
Sep 05 15:35:57 rocky systemd[1]: Started WireGuard via wg-quick(8) for wg.

At this point, WireGuard VPN server is configured successfully. The next step is to configure a VPN client.

 

Step 7. Configure WireGuard Client

To connect to the WireGuard VPN server, we need to install the WireGuard packages on the client. This is done in the same way as the VPN server.

Install EPEL release

[root@rocky ~]# dnf install epel-release elrepo-release -y

Install WireGuard packages

[root@client ~]# dnf install kmod-wireguard wireguard-tools -y
ELRepo.org Community Enterprise Linux Repository - el8                   130 kB/s | 272 kB     00:02    
Dependencies resolved.
=========================================================================================================
 Package                  Architecture    Version                                  Repository       Size
=========================================================================================================
Installing:
 kmod-wireguard           x86_64          4:1.0.20210606-1.el8_4.elrepo            elrepo          110 k
 wireguard-tools          x86_64          1.0.20210424-1.el8                       epel            125 k

Transaction Summary
=========================================================================================================
Install  2 Packages

Total download size: 235 k
Installed size: 641 k
Downloading Packages:
(1/2): wireguard-tools-1.0.20210424-1.el8.x86_64.rpm                     361 kB/s | 125 kB     00:00    
(2/2): kmod-wireguard-1.0.20210606-1.el8_4.elrepo.x86_64.rpm             115 kB/s | 110 kB     00:00    
---------------------------------------------------------------------------------------------------------

Create the Wireguard configuration directory:

[root@rocky ~]# mkdir /etc/wireguard

Generate the private and public keys for the VPN client:

[root@rocky ~]# wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

Create the configuration file for the WireGuard interface on the VPN client:

[root@rocky ~]# vi /etc/wireguard/wg.conf
[Interface]
PrivateKey = <Client-private-key>
Address = 192.168.112.2/24

[Peer]
PublicKey = <Wireguard-server-public-key>
Endpoint = <wireguard-server-ip-address>:51820
AllowedIPs = 0.0.0.0/0

Substitute the public/private keys with the correct details as indicated. Also, make sure you use the WireGuard server IP address at the Endpoint entry.

Configure the Wireguard server t allow connections from the client by adding the client's public key. On the VPN server, run the command below, replacing the details with the ones matching your environment

[root@rocky ~]# wg set wg peer <client-public-key> allowed-ips 192.168.112.2

Start the VPN connection from the client:

[root@client ~]# wg-quick up wg

Sample Output:
Install WireGuard VPN Rocky Linux 8 [Step-by-Step]

Verify that the interface has been created on the client

[root@client ~]# ifconfig wg

Sample Output:
Install WireGuard VPN Rocky Linux 8 [Step-by-Step]

Similar to the VPN server, WireGuard service on the client can also be managed by systemd.

For instance, to check the status of the service, run the command below:

[root@client ~]# systemctl status wg-quick@wg
● wg-quick@wg.service - WireGuard via wg-quick(8) for wg
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; vendor preset: disabled)
   Active: active (exited) since Sun 2021-09-05 17:00:49 EAT; 2s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 14402 ExecStart=/usr/bin/wg-quick up wg (code=exited, status=0/SUCCESS)
 Main PID: 14402 (code=exited, status=0/SUCCESS)

Sep 05 17:00:49 client wg-quick[14402]: [#] wg setconf wg /dev/fd/63
Sep 05 17:00:49 client wg-quick[14402]: [#] ip -4 address add 192.168.112.2/24 dev wg
Sep 05 17:00:49 client wg-quick[14402]: [#] ip link set mtu 1420 up dev wg
Sep 05 17:00:49 client wg-quick[14402]: [#] wg set wg fwmark 51820
Sep 05 17:00:49 client wg-quick[14402]: [#] ip -4 route add 0.0.0.0/0 dev wg table 51820
Sep 05 17:00:49 client wg-quick[14402]: [#] ip -4 rule add not fwmark 51820 table 51820
Sep 05 17:00:49 client wg-quick[14402]: [#] ip -4 rule add table main suppress_prefixlength 0
Sep 05 17:00:49 client wg-quick[14402]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Sep 05 17:00:49 client wg-quick[14402]: [#] nft -f /dev/fd/63
Sep 05 17:00:49 client systemd[1]: Started WireGuard via wg-quick(8) for wg.

 

Step 8. Verify VPN connection

The last step is to verify that the VPN connection is up.

You can check the status of the connection by running the command below on either the client or the server:

From the VPN server:

[root@rocky ~]# wg show
interface: wg
  public key: MP0xrEFh1I1kOaHTu0LvplEWeC3oQK0N728D04OYKxY=
  private key: (hidden)
  listening port: 51820

peer: goQCA57HtKIjSyM1nLC0JhK/QPnWwZRLfsk9+jb3Sis=
  endpoint: 192.168.100.126:41869
  allowed ips: 192.168.112.2/32
  latest handshake: 1 minute, 52 seconds ago
  transfer: 808 B received, 952 B sent

From the Client:

[root@client ~]# wg show
interface: wg
  public key: goQCA57HtKIjSyM1nLC0JhK/QPnWwZRLfsk9+jb3Sis=
  private key: (hidden)
  listening port: 56855
  fwmark: 0xca6c

peer: MP0xrEFh1I1kOaHTu0LvplEWeC3oQK0N728D04OYKxY=
  endpoint: 192.168.100.149:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 22 seconds ago
  transfer: 540 B received, 404 B sent

You can also run a traceroute from the client to see what path the traffic is using.

[root@client ~]# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.112.1 (192.168.112.1)  3.497 ms  3.352 ms  3.291 ms
 2  * * *
 3  100.65.0.1 (100.65.0.1)  11.911 ms  14.393 ms  14.438 ms
....

This output verifies that the traffic is going through the Wireguard VPN server.

 

Conclusion

We have successfully configured Wireguard VPN on Rocky Linux and verified that the VPN is working. As shown, WireGuard VPN server uses simple, yet secure protocols and is easy to configure. I hope this guide was insightful enough and will help you. Please feel free to give feedback in case you run into issues deploying this in your environment.

 

Further Readings

Wireguard Installation

 

Didn't find what you were looking for? Perform a quick search across GoLinuxCloud

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Leave a Comment