
How to Set Up WireGuard VPN on CentOS 8


WireGuard is a simple and modern VPN (Virtual Private Network) that uses state-of-the-art cryptography. It is faster, easier to configure, and more performant than comparable solutions such as IPsec and OpenVPN.

WireGuard is cross-platform and can run almost anywhere, including Linux, Windows, Android, and macOS. WireGuard is a peer-to-peer VPN; it is not based on the client-server model. Depending on the configuration, a peer can act as a traditional server or client.

WireGuard works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, mimicking the SSH model. Each public key is associated with a list of IP addresses that are allowed inside the tunnel (the AllowedIPs). VPN traffic is encapsulated in UDP.

This tutorial explains how to set up WireGuard on a CentOS 8 machine that will act as a VPN server. We will also show you how to configure WireGuard as a client. Client traffic will be routed through the CentOS 8 server. This setup can be used to protect against man-in-the-middle attacks on untrusted networks, to browse the web from the server's address, to bypass geo-restricted content, or to let colleagues who work from home connect securely to the company network.

Prerequisites

You need a CentOS 8 server that you can access as root or an account with sudo privileges.

Setting up a WireGuard Server

We will start by installing WireGuard on the CentOS machine and setting it up to act as a server. We will also configure the system to route client traffic through it.

Install WireGuard on CentOS 8

WireGuard tools and kernel modules are available for installation from the EPEL and ELRepo repositories. To add these repositories to your system, run the following command:

$ sudo dnf install epel-release elrepo-release

When finished, install the WireGuard packages:

$ sudo dnf install kmod-wireguard wireguard-tools

You may be asked to import the repository GPG keys. Type y when prompted.

Configure WireGuard

The wireguard-tools package includes two command-line tools named wg and wg-quick that allow you to configure and manage the WireGuard interface.

We will store the VPN server configuration in the /etc/wireguard directory. On CentOS, this directory is not created during installation. Run the following command to create it:

$ sudo mkdir /etc/wireguard

Generate the public and private keys in the /etc/wireguard directory:

$ wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

You can view the files with cat or less. The private key must never be shared with anyone. Note that tee creates these files with your default umask, so they are readable by every local user until you tighten their permissions in the step below; setting umask 077 in your shell before generating the keys avoids that window entirely.

Now that the keys are generated, the next step is to configure the tunnel device that will route the VPN traffic.

The device can be set from the command line using ip and wg or by creating a configuration file with a text editor.

Create a new file called wg0.conf and add the following content:

$ sudo nano /etc/wireguard/wg0.conf
/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp     = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown   = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade

The interface takes its name from the configuration file (wg0.conf gives wg0). You can use any name you like, but something like wg0 or wgvpn0 is recommended. The settings in the Interface section have the following meanings:

  • Address – comma-separated list of IPv4 or IPv6 addresses for the wg0 interface. Use addresses from a range reserved for private networks (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16).
  • ListenPort – the UDP port on which WireGuard accepts incoming connections.
  • PrivateKey – the private key generated by the wg genkey command. (To view the contents of the file, run: sudo cat /etc/wireguard/privatekey)
  • SaveConfig – when set to true, the current state of the interface (including peers added at runtime with wg set) is written back to the configuration file when the interface is brought down.
  • PostUp – command or script that is executed after the interface is brought up. In this example, we use firewall-cmd to open the WireGuard port and enable masquerading (NAT). This lets client traffic leave the server with the server's address as source, giving VPN clients access to the Internet.
  • PostDown – command or script that is executed after the interface is brought down. Here it removes the firewall rules added by PostUp.

The wg0.conf and privatekey files should not be readable by normal users. Use chmod to set their permissions to 600:

$ sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}

When finished, bring up the wg0 interface using the attributes specified in the configuration file:

$ sudo wg-quick up wg0

The command will display something like this:

Output :

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
success
success

To view the interface state and configuration, run:

$ sudo wg show wg0

Output :

interface: wg0
  public key: My3uqg8LL9S3XZBo8alclOjiNkp+T6GfxS+Xhn5a40I=
  private key: (hidden)
  listening port: 51820

You can also use the ip command to verify the state of the interface:

$ ip a show wg0

Output :

4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

To bring up the wg0 interface at boot, run the following command:

$ sudo systemctl enable wg-quick@wg0

Server Networking

For NAT to work, we need to enable IP forwarding. Create a new /etc/sysctl.d/99-custom.conf file and add the following line:

$ sudo nano /etc/sysctl.d/99-custom.conf

/etc/sysctl.d/99-custom.conf

net.ipv4.ip_forward=1

Save the file and apply the changes:

$ sudo sysctl -p /etc/sysctl.d/99-custom.conf

Output :

net.ipv4.ip_forward = 1

That's it. The CentOS peer that will act as the server is set up.

Linux and macOS Client Settings

Installation instructions for all supported platforms are available at https://wireguard.com/install/. On a Linux system, you can install the packages using the distribution package manager, and on macOS with Homebrew. After you install WireGuard, follow the steps below to configure the client device.

The process for setting up Linux and macOS clients is almost the same as for the server. Start by generating the public and private keys:

$ wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Create a wg0.conf file and add the following content:

$ sudo nano /etc/wireguard/wg0.conf
/etc/wireguard/wg0.conf
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24


[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0

The settings in the Interface section have the same meaning as when setting up the server:

  • Address – comma-separated list of IPv4 or IPv6 addresses for the wg0 interface.
  • PrivateKey – to view the contents of the file on the client machine, run: sudo cat /etc/wireguard/privatekey

The Peer section contains the following fields:

  • PublicKey – the public key of the peer you want to connect to (the contents of the server's /etc/wireguard/publickey file).
  • Endpoint – the IP address or hostname of the peer you want to connect to, followed by a colon and the port number on which the remote peer is listening.
  • AllowedIPs – comma-separated list of IPv4 or IPv6 addresses from which incoming traffic from this peer is accepted and to which outgoing traffic for this peer is routed. We use 0.0.0.0/0 because we are routing all traffic through the server and want the server peer to be allowed to send us packets with any source IP.

If you need to configure additional clients, repeat the same steps using a different private IP address.
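To make the AllowedIPs semantics concrete, here is an added Python example (not code from the WireGuard project or from this tutorial) that parses the wg-quick style configuration used above and simulates WireGuard's cryptokey routing: for an outgoing packet the peer is chosen by longest prefix match over all peers' AllowedIPs, and an incoming, already decrypted packet is delivered only if its source address lies inside the sending peer's AllowedIPs. The server configuration models the state after two clients have been added with wg set; the second client key, the private keys and the endpoint address 203.0.113.10 are constructed placeholders, while the two public keys are the ones printed by wg show later on this page. It also flags a prefix claimed by two peers, which the kernel would silently hand to whichever peer was configured last.

```python
import base64
import ipaddress

# Public keys from this page; the remaining keys and the endpoint are constructed
# placeholders (base64 of 32 bytes, which is the shape of a real WireGuard key).
SERVER_PUB = "My3uqg8LL9S3XZBo8alclOjiNkp+T6GfxS+Xhn5a40I="
CLIENT_A_PUB = "sZThYo/0oECwzUsIKTa6LYXLhk+Jb/nqK4kCCP2pyFg="
CLIENT_B_PUB = base64.b64encode(b"B" * 32).decode()
PRIV_PLACEHOLDER = base64.b64encode(b"\0" * 32).decode()

# Constructed server config as saved by SaveConfig after two `wg set ... allowed-ips` calls.
SERVER_CONF = f"""\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = {PRIV_PLACEHOLDER}

[Peer]
PublicKey = {CLIENT_A_PUB}
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = {CLIENT_B_PUB}
AllowedIPs = 10.0.0.3/32
"""

# Constructed client config, as in the tutorial: every IPv4 destination goes to the server.
CLIENT_CONF = f"""\
[Interface]
PrivateKey = {PRIV_PLACEHOLDER}
Address = 10.0.0.2/24

[Peer]
PublicKey = {SERVER_PUB}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_wg_conf(text):
    """Parse a wg-quick style file into (interface dict, list of peer dicts)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick allows '#' comments
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))  # keys end in '=', split once
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def check_key(value):
    """A WireGuard key is 32 bytes, so its base64 form is exactly 44 characters."""
    raw = base64.b64decode(value, validate=True)  # binascii.Error on non-base64 input
    if len(raw) != 32:
        raise ValueError(f"key is {len(raw)} bytes, expected 32")
    return value


def allowed_networks(peer):
    return [ipaddress.ip_network(c.strip(), strict=False) for c in peer["AllowedIPs"].split(",")]


def conflicting_prefixes(peers):
    """Prefixes listed under more than one peer: the kernel keeps one owner per
    prefix (the peer configured last), so catch this before wg set / wg-quick up."""
    owner, conflicts = {}, []
    for peer in peers:
        for net in allowed_networks(peer):
            if net in owner and owner[net] != peer["PublicKey"]:
                conflicts.append(str(net))
            owner[net] = peer["PublicKey"]
    return conflicts


def routing_table(text):
    """Cryptokey routing table for a config: list of (network, peer public key)."""
    _, peers = parse_wg_conf(text)
    if conflicting_prefixes(peers):
        raise ValueError("AllowedIPs overlap: " + ", ".join(conflicting_prefixes(peers)))
    return [(net, check_key(p["PublicKey"])) for p in peers for net in allowed_networks(p)]


def select_peer(table, dst):
    """Outbound: peer whose AllowedIPs has the longest prefix containing dst,
    or None, meaning the packet does not enter the tunnel at all."""
    ip = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, key) for net, key in table if ip in net]
    return max(matches)[1] if matches else None


def accept_inbound(table, sender_key, src):
    """Inbound: a decrypted packet from sender_key is delivered only if its source
    address is inside that peer's AllowedIPs; anything else is dropped."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net, key in table if key == sender_key)


if __name__ == "__main__":
    server, client = routing_table(SERVER_CONF), routing_table(CLIENT_CONF)
    print("server -> 10.0.0.3 via", select_peer(server, "10.0.0.3")[:8])
    print("client A claiming 10.0.0.3 accepted?", accept_inbound(server, CLIENT_A_PUB, "10.0.0.3"))
    print("client -> 8.8.8.8 via", select_peer(client, "8.8.8.8")[:8])
```

The asymmetry is the whole point of the tutorial's two configs: on the server each client is pinned to a /32, so a client cannot impersonate another tunnel address, while the client trusts the server for 0.0.0.0/0 because replies from the whole Internet arrive through it. On the client, wg-quick implements that 0.0.0.0/0 by marking tunnel packets with an fwmark and adding a policy route, which is why the client output later on this page shows an fwmark line.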

Windows Client Settings

Download and install the Windows msi package from the WireGuard website.

Once installed, open the WireGuard application and click “Add Tunnel” -> “Add an empty tunnel …” as shown in the image below:

[Image: WireGuard for Windows, “Add Tunnel” menu]

A public/private key pair is generated automatically and the public key is displayed on the screen.

[Image: WireGuard for Windows, new tunnel dialog with the generated public key]

Enter a name for the tunnel and edit the configuration as follows:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24


[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0

In the Interface section, add a new line to specify the client's tunnel address.

In the Peer section, add the following fields:

  • PublicKey – the public key of the CentOS server (the contents of its /etc/wireguard/publickey file).
  • Endpoint – the IP address of the CentOS server, followed by a colon and the WireGuard port (51820).
  • AllowedIPs – 0.0.0.0/0

When finished, click the “Save” button.

Add Client Peers to the Server

The final step is to add the client's public key and tunnel IP address to the server:

$ sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.0.2

Be sure to replace CLIENT_PUBLIC_KEY with the public key you created on the client machine (sudo cat /etc/wireguard/publickey) and adjust the client's IP address if it is different. A bare address is treated as a /32, so each client is only allowed to send from its own tunnel IP. Windows users can copy the public key from the WireGuard application. Because the server configuration has SaveConfig = true, peers added with wg set are written back to wg0.conf when the interface is brought down; do not edit wg0.conf by hand while wg0 is up, or your edits will be overwritten.

When finished, return to the client machine and bring up the tunnel interface.

Linux and macOS clients

On Linux and macOS, run the following command on the client to bring the interface up:

$ sudo wg-quick up wg0

You should now be connected to the CentOS server, and traffic from your client machine should be routed through it. You can check the connection with:

$ sudo wg

Output :

interface: wg0
  public key: sZThYo/0oECwzUsIKTa6LYXLhk+Jb/nqK4kCCP2pyFg=
  private key: (hidden)
  listening port: 60351
  fwmark: 0xca6c

peer: My3uqg8LL9S3XZBo8alclOjiNkp+T6GfxS+Xhn5a40I=
  endpoint: XXX.XXX.XXX.XXX:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 41 seconds ago
  transfer: 213.25 KiB received, 106.68 KiB sent
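The wg output above is meant for reading by eye. For checking the server side from a script, wg show wg0 dump prints the same information in tab-separated form: one line for the interface (private key, public key, listen port, fwmark) and then one line per peer with the fields documented in wg(8): public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp (0 if never), bytes received, bytes sent, persistent keepalive. Note that the dump includes the interface private key, so treat its output as sensitive. The following is an added Python example, not part of the tutorial or of WireGuard, that parses a constructed dump and classifies each peer as active, idle or never connected; the sample lines, timestamps, the 198.51.100.x endpoints and all keys other than the two printed on this page are made up. Peers that never completed a handshake, or have been idle for a long time, are candidates for removal with wg set wg0 peer KEY remove, because a leftover peer entry is a standing credential for whoever holds the matching private key.

```python
import base64
import time

# Public keys from this page; the rest are constructed placeholder keys.
SERVER_PUB = "My3uqg8LL9S3XZBo8alclOjiNkp+T6GfxS+Xhn5a40I="
CLIENT_A = "sZThYo/0oECwzUsIKTa6LYXLhk+Jb/nqK4kCCP2pyFg="
CLIENT_B = base64.b64encode(b"B" * 32).decode()
CLIENT_C = base64.b64encode(b"C" * 32).decode()
PRIV_PLACEHOLDER = base64.b64encode(b"\0" * 32).decode()

NOW = 1_700_000_000  # fixed "current time" so the sample is deterministic

# Constructed `sudo wg show wg0 dump` output (tab separated). Line 1: interface
# (private key, public key, listen port, fwmark). Remaining lines, one per peer:
# public key, preshared key, endpoint, allowed IPs, latest handshake (Unix time,
# 0 = never), rx bytes, tx bytes, persistent keepalive.
SAMPLE_DUMP = "\n".join("\t".join(fields) for fields in [
    (PRIV_PLACEHOLDER, SERVER_PUB, "51820", "off"),
    (CLIENT_A, "(none)", "198.51.100.7:60351", "10.0.0.2/32", str(NOW - 41), "218368", "109240", "off"),
    (CLIENT_B, "(none)", "(none)", "10.0.0.3/32", "0", "0", "0", "off"),
    (CLIENT_C, "(none)", "198.51.100.9:41000", "10.0.0.4/32", str(NOW - 3 * 86400), "51200", "40960", "off"),
])

PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "rx_bytes", "tx_bytes", "keepalive")


def parse_dump(text):
    """Split `wg show <iface> dump` output into an interface dict and a list of peer dicts."""
    lines = text.strip().splitlines()
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), lines[0].split("\t")))
    peers = []
    for line in lines[1:]:
        peer = dict(zip(PEER_FIELDS, line.split("\t")))
        for field in ("latest_handshake", "rx_bytes", "tx_bytes"):
            peer[field] = int(peer[field])
        peers.append(peer)
    return iface, peers


def peer_status(peer, now=None, max_age=180):
    """'active' if a handshake completed within max_age seconds, 'idle' if the last
    one is older, 'never' if the peer has not completed a handshake at all.
    A peer that is passing traffic re-handshakes about every two minutes, so 180 s
    is a sensible window; a quiet client with keepalive off will also show 'idle'."""
    if peer["latest_handshake"] == 0:
        return "never"
    now = int(time.time()) if now is None else now
    return "active" if now - peer["latest_handshake"] <= max_age else "idle"


def audit(dump_text, now=None, max_age=180):
    """Map each peer's allowed IPs to its status, for a quick review of leftover peers."""
    _, peers = parse_dump(dump_text)
    return {p["allowed_ips"]: peer_status(p, now, max_age) for p in peers}


def removal_commands(dump_text, iface="wg0", now=None, max_age=180, statuses=("never",)):
    """Suggested `wg set <iface> peer KEY remove` lines for peers in the given statuses."""
    _, peers = parse_dump(dump_text)
    return [f"wg set {iface} peer {p['public_key']} remove"
            for p in peers if peer_status(p, now, max_age) in statuses]


if __name__ == "__main__":
    for allowed, status in audit(SAMPLE_DUMP, NOW).items():
        print(f"{allowed:14} {status}")
    for cmd in removal_commands(SAMPLE_DUMP, now=NOW, statuses=("never", "idle")):
        print("suggest:", cmd)
```

Because the server in this tutorial uses SaveConfig = true, a peer removed with wg set stays removed across restarts once the interface has been brought down once; if you instead edit wg0.conf by hand, do it while the interface is down.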

You can also open your browser, search for “what is my ip”, and you should see the IP address of your CentOS server.

To stop the tunnel, bring the wg0 interface down:

$ sudo wg-quick down wg0

Windows client

If you installed WireGuard on Windows, click the “Activate” button. After peers are connected, the tunnel status will change to Active:

[Image: WireGuard for Windows, tunnel status Active]

Conclusion

We have shown you how to install WireGuard on a CentOS 8 machine and configure it as a VPN server. With this setup, all of the client's traffic travels encrypted to the server and leaves from the server's address, which keeps it private from the local network and hides the client's own address from the sites it visits.

If you encounter a problem, please leave a comment.
