How to Setup WireGuard VPN Server on CentOS
WireGuard is an application that can provide a secure virtual private network (VPN), it is simple to use and setup. It uses strong cryptographic protocols and algorithms to cyph data. Designed exclusively for the Linux kernel, it can be deployed on Windows, macOS, FreeBSD, iOS and Android. In our case we will use CentOS 8.3 for WireGuard setup.
Installing WireGuard Server on CentOS
Log in to your Linux server, after logging in, add the EPEL and Elrepo repositories to install the kernel modules and WireGuard tools.
sudo dnf install epel-release elrepo-release -y
Now let’s install WireGuard from epel repository:
sudo dnf install kmod-wireguard wireguard-tools
Setting up IP Forwarding
For VPN to work we need to enable packet forwarding, only then we will be able to connect through Wireguard server, to do this we need to edit /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
remove the "#" for the following command:
After that, run the following command to apply the changes:
The following message will be displayed:
Generation of Private and Public Keys
WireGuard works by encrypting the connection using a cryptographic key pair. The key pair is used by passing the public key to the other party, which can then encrypt its message so that it can only be decrypted with the corresponding private key. To secure two-way communication, each side must have its own private and public keys, since each pair provides only one-way communication.
Before generating the key pair, go to the
dwg sudo cd /etc/wireguard
Set the permission for this directory:
To generate a key pair, type the following command:
wg genkey | tee private.key | wg pubkey > public.key
Setting Up the Server Configuration
To start configuring the WireGuard server, go to the /etc/wireguard folder and create the file wg0.conf
sudo nano /etc/wireguard/wg0.conf
Add the following directives to the configuration file:
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32
Copy the private key we generated earlier and paste it into the PrivateKey.
Similarly, we have to generate a key pair for the client, copy the client's public key and paste it into PublicKey.
To copy the key value, run the following command:
sudo cat /etc/wireguard/public.key
sudo cat /etc/wireguard/private.key
Launch WireGuard and Make It Start at Boot
Now we are ready to start the server, to start WireGuard we use wg-quick and specify the name of the new interface:
wg-quick up wg0
If the configuration is perfect, you will see the following screen,
To check the status of the WireGuard server enter:
Congratulations, we have successfully started up the WireGuard server!