
How to Set Up WireGuard VPN Server on CentOS

Oleg Lalaev
November 27, 2021

WireGuard is an application that provides a secure virtual private network (VPN) and is simple to use and set up. It uses strong cryptographic protocols and algorithms to encrypt data. Originally designed for the Linux kernel, it can also be deployed on Windows, macOS, FreeBSD, iOS and Android. In this guide we use CentOS 8.3 for the WireGuard setup.

Installing WireGuard Server on CentOS

Log in to your Linux server. After logging in, add the EPEL and ELRepo repositories to install the kernel modules and WireGuard tools.

sudo dnf install epel-release elrepo-release -y

Now let's install WireGuard from the EPEL repository:

sudo dnf install kmod-wireguard wireguard-tools

Setting up IP Forwarding

For the VPN to work, packet forwarding must be enabled; only then can clients connect through the WireGuard server. To enable it, edit the /etc/sysctl.conf file:

sudo nano /etc/sysctl.conf

Remove the "#" from the following line:


After that, run the following command to apply the changes:

sudo sysctl -p

The following message will be displayed:

Generation of Private and Public Keys

WireGuard works by encrypting the connection using a cryptographic key pair. The key pair is used by passing the public key to the other party, which can then encrypt its message so that it can only be decrypted with the corresponding private key. To secure two-way communication, each side must have its own private and public keys, since each pair provides only one-way communication.

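Before generating the key pair, go to the /etc/wireguard directory. Use a root shell for the commands in this section, because sudo cannot run the shell built-in cd:

cd /etc/wireguard

Set the umask so that files created in this shell session, including the key files, are accessible only to their owner:

umask 077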

To generate a key pair, type the following command:

wg genkey | tee private.key | wg pubkey > public.key

Setting Up the Server Configuration

To start configuring the WireGuard server, go to the /etc/wireguard folder and create the file wg0.conf:

sudo nano /etc/wireguard/wg0.conf

Add the following directives to the configuration file:

[Interface]
PrivateKey = <contents-of-server-privatekey>
Address =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs =

Copy the private key we generated earlier and paste it as the PrivateKey value.

Similarly, generate a key pair for the client, then copy the client's public key and paste it as the PublicKey value.

To display the key values so that you can copy them, run the following commands:

sudo cat /etc/wireguard/public.key

sudo cat /etc/wireguard/private.key
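
As an added example (not part of the original article), the shell functions below audit the WireGuard directory before the interface is brought up: they check that private.key and wg0.conf carry no group or other permission bits (what umask 077 is for), that the [Interface] and [Peer] values are filled in, and that the [Peer] key is not the server's own. The function names wg_conf_get and wg_audit and the finding labels are this example's own.

```sh
#!/bin/sh
# Added example, not from the original article. Function names are its own.

# Print the value of KEY inside [SECTION] of a WireGuard config file.
wg_conf_get() {  # usage: wg_conf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)  # keys end in "=": split once
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# Audit DIR (for example /etc/wireguard); print findings, return 1 if any.
wg_audit() (
    dir=$1; conf=$dir/wg0.conf; bad=0
    for f in "$dir/private.key" "$conf"; do
        [ -f "$f" ] || { echo "MISSING $f"; bad=1; continue; }
        mode=$(stat -c %a "$f")                     # GNU stat, as on CentOS
        # Any group/other bit lets another local user read the private key.
        case $mode in *00) ;; *) echo "PERMS $f is $mode, want 600"; bad=1 ;; esac
    done
    [ -f "$conf" ] || exit 1
    for item in Interface:PrivateKey Interface:Address Interface:ListenPort \
                Peer:PublicKey Peer:AllowedIPs; do
        sec=${item%%:*}; key=${item##*:}
        val=$(wg_conf_get "$conf" "$sec" "$key")
        # Empty values and <placeholders> left in place count as unset.
        case $val in ''|'<'*) echo "UNSET [$sec] $key"; bad=1; continue ;; esac
        # WireGuard keys are 32 bytes: 43 base64 characters plus "=".
        case $key in *Key)
            printf '%s\n' "$val" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
                { echo "BADKEY [$sec] $key"; bad=1; } ;;
        esac
    done
    # [Peer] must hold the client's public key, not this server's own.
    if [ -f "$dir/public.key" ] &&
       [ "$(wg_conf_get "$conf" Peer PublicKey)" = "$(cat "$dir/public.key")" ]; then
        echo "SELFPEER [Peer] PublicKey equals this server's public.key"; bad=1
    fi
    exit "$bad"
)
```

After sourcing the file, run wg_audit /etc/wireguard as root; no output and exit status 0 mean every check passed.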

Launch WireGuard and Make It Start at Boot

Now we are ready to start the server. To start WireGuard, use wg-quick and specify the name of the new interface:

sudo wg-quick up wg0

If the configuration is correct, you will see the following screen:

To check the status of the WireGuard server, enter:

sudo wg show

Congratulations, we have successfully started up the WireGuard server!
