How to Setup WireGuard VPN Server on CentOS
WireGuard is an application that can provide a secure virtual private network (VPN), it is simple to use and setup. It uses strong cryptographic protocols and algorithms to cyph data. Designed exclusively for the Linux kernel, it can be deployed on Windows, macOS, FreeBSD, iOS and Android. In our case we will use CentOS 8.3 for WireGuard setup.
How to Install WireGuard VPN Server on CentOS 8.3:
- How to install server WirrGuard on CentOS
- How to generate private and public keys
- How to tune server configuration
- How to configurate FireWall
- How to launch WireGuard and enable it on boot
Installing WireGuard Server on CentOS
Download the latest updates using the command data:
sudo yum update
sudo dnf update
Add the EPEL and Elrepo repositories to install the kernel modules and WireGuard tools.
sudo dnf install epel-release elrepo-release -y
Make sure we have the PowerTools repository enabled as EPEL packages may depend on packages from it,
sudo yum install 'dnf-command(config-manager)'
sudo yum config-manager --set-enabled PowerTools
Now let’s install WireGuard from epel repository:
sudo dnf install kmod-wireguard wireguard-tools
Generation of Private and Public Keys
WireGuard works by encrypting the connection using a cryptographic key pair. The key pair is used by passing the public key to the other party, which can then encrypt its message so that it can only be decrypted with the corresponding private key. To secure two-way communication, each side must have its own private and public keys, since each pair provides only one-way communication.
Before generating the key pair, go to the:
Set the permission for this directory:
To generate a key pair, type the following command:
wg genkey | tee private.key | wg pubkey > public.key
Setting Up the Server Configuration
To start configuring the WireGuard server, go to the /etc/wireguard folder and create the file wg0.conf
sudo nano /etc/wireguard/wg0.conf
Add the following directives to the configuration file:
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32
Copy the private key we generated earlier and paste it into the PrivateKey.
Similarly, we have to generate a key pair for the client, copy the client's public key and paste it into PublicKey.
To copy the key value, run the following command:
sudo cat /etc/wireguard/public.key
sudo cat /etc/wireguard/private.key
By default, the firewall stops all communication between the internal (wg0) and the public network (eth0).
Let's change that with these commands:
sudo firewall-cmd --add-interface=wg0 --zone=internal
sudo firewall-cmd --permanent --zone=internal --add-masquerade
Launch WireGuard and Make It Start at Boot
Now we are ready to start the server, to start WireGuard we use wg-quick and specify the name of the new interface:
wg-quick up wg0
If the configuration is perfect, you will see the following screen,
To check the status of the WireGuard server enter:
Congratulations, we have successfully started up the WireGuard server!