November 27, 2021
Updated August 8, 2022

How to Setup WireGuard VPN Server on CentOS

CentOS Linux VPN

WireGuard is an application that can provide a secure virtual private network (VPN), it is simple to use and setup. It uses strong cryptographic protocols and algorithms to cyph data. Designed exclusively for the Linux kernel, it can be deployed on Windows, macOS, FreeBSD, iOS and Android. In our case we will use CentOS 8.3 for WireGuard setup.

How to Install WireGuard VPN Server on CentOS 8.3:

Installing WireGuard Server on CentOS

Download the latest updates using the command data:

sudo yum update
sudo dnf update

Add the EPEL and Elrepo repositories to install the kernel modules and WireGuard tools.

sudo dnf install epel-release elrepo-release -y

Make sure we have the PowerTools repository enabled as EPEL packages may depend on packages from it,

sudo yum install 'dnf-command(config-manager)'
sudo yum config-manager --set-enabled PowerTools

Now let’s install WireGuard from epel repository:

sudo dnf install kmod-wireguard wireguard-tools

Generation of Private and Public Keys

WireGuard works by encrypting the connection using a cryptographic key pair. The key pair is used by passing the public key to the other party, which can then encrypt its message so that it can only be decrypted with the corresponding private key. To secure two-way communication, each side must have its own private and public keys, since each pair provides only one-way communication.

Before generating the key pair, go to the:

cd /etc/wireguard

Set the permission for this directory:

umask 077

To generate a key pair, type the following command:

wg genkey | tee private.key | wg pubkey > public.key

Setting Up the Server Configuration

To start configuring the WireGuard server, go to the /etc/wireguard folder and create the file wg0.conf

sudo nano /etc/wireguard/wg0.conf

Add the following directives to the configuration file:

PrivateKey = <contents-of-server-privatekey>
Address =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PublicKey = <contents-of-client-publickey>
AllowedIPs =


Copy the private key we generated earlier and paste it into the PrivateKey.

Similarly, we have to generate a key pair for the client, copy the client's public key and paste it into PublicKey.

To copy the key value, run the following command:

sudo cat /etc/wireguard/public.key

sudo cat /etc/wireguard/private.key

FireWall setup

By default, the firewall stops all communication between the internal (wg0) and the public network (eth0).
Let's change that with these commands:

sudo firewall-cmd --add-interface=wg0 --zone=internal
sudo firewall-cmd --permanent --zone=internal --add-masquerade

Launch WireGuard and Make It Start at Boot

Now we are ready to start the server, to start WireGuard we use wg-quick and specify the name of the new interface:

wg-quick up wg0

If the configuration is perfect, you will see the following screen,


To check the status of the WireGuard server enter:

wg show


Congratulations, we have successfully started up the WireGuard server!

5 out of 5
Аverage rating : 5
Rated by: 1
19703 Claymont 2093 Philadelphia Pike #2345, USA
+1 302 498-83-59
700 300
700 300
We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.