Configure WireGuard Server

Install WireGuard, the simple, fast and modern VPN software.

[1] Install WireGuard.

[root@futurelinux ~]# dnf install wireguard-tools -y

[2] The WireGuard kernel module is loaded automatically after a reboot once the package is installed. To continue with the remaining steps without rebooting, load the module by hand and confirm it is present.

[root@futurelinux ~]# lsmod | grep wireguard
[root@futurelinux ~]# modprobe wireguard
[root@futurelinux ~]# lsmod | grep wireguard
wireguard              94208  0
libchacha20poly1305    16384  1 wireguard
libblake2s             16384  1 wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             20480  1 wireguard
curve25519_x86_64      49152  1 wireguard
libcurve25519_generic    49152  2 curve25519_x86_64,wireguard

[3] Switch to the WireGuard configuration directory and create the server key pair there. The umask ensures the private key file is readable only by root.

[root@futurelinux ~]# cd /etc/wireguard
[root@futurelinux wireguard]# umask 077 && wg genkey | tee private | wg pubkey > public
[root@futurelinux wireguard]# ls
private  public

[4] The server configuration must contain the private key and the UDP port the server will listen on. The following command sets ListenPort to 6789 for this example, reads the private key of the key pair just created and assigns it to the PrivateKey parameter.

[root@futurelinux wireguard]# echo -e "[Interface]\nListenPort = 6789\nPrivateKey = $(cat private)" > wg0.conf
[root@futurelinux wireguard]# cat wg0.conf
[Interface]
ListenPort = 6789
PrivateKey = 0IpcufRuvDjd6kMbR7CzTRhiJlvRkLu7sIXDMUPBxXI=

[5] Open UDP port 6789, on which WireGuard will listen, in the firewall and enable masquerading so that traffic from peers can be forwarded.

[root@futurelinux wireguard]# firewall-cmd --permanent --add-port=6789/udp
success
[root@futurelinux wireguard]# firewall-cmd --permanent --add-masquerade
success
[root@futurelinux wireguard]# firewall-cmd --reload
success

[6] We enable the kernel's ip_forward feature with sysctl.

[root@futurelinux wireguard]# sysctl -p
[root@futurelinux wireguard]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@futurelinux wireguard]# sysctl -p
net.ipv4.ip_forward = 1

[7] We enable and start the WireGuard service so that it is active at startup.

[root@futurelinux wireguard]# systemctl enable --now wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /usr/lib/systemd/system/wg-quick@.service.

[8] We check if WireGuard is running.

[root@futurelinux wireguard]# wg show wg0
interface: wg0
  public key: 9LiBYQIEj91kHkmM93ilCk++ZSzWLncQGNz2iwHBFyw=
  private key: (hidden)
  listening port: 6789

[9] Now we can create a peer and add it to the WireGuard server. The example creates a peer for the local IP address 192.168.100.1.

[root@futurelinux wireguard]# mkdir -p peers/100/1
[root@futurelinux wireguard]# cd peers/100/1
[root@futurelinux 1]# umask 077 && wg genkey | tee private | wg pubkey > public
[root@futurelinux 1]# wg set wg0 peer $(cat public) allowed-ips 192.168.100.1/32
[root@futurelinux 1]# wg
interface: wg0
  public key: 9LiBYQIEj91kHkmM93ilCk++ZSzWLncQGNz2iwHBFyw=
  private key: (hidden)
  listening port: 6789

peer: DlQJgX979QiKTVScfJ2tIoA/VkwOSNOTomOErLVAWAk=
  allowed ips: 192.168.100.1/32

[10] Next, create the configuration file the peer will use to connect. The values needed in the file are first exported as variables, so that the whole configuration can be written in one go.

[root@futurelinux 1]# export wg_port=6789
[root@futurelinux 1]# export wg_ip=$(hostname -I | cut -d " " -f 1)
[root@futurelinux 1]# export wg_public=$(cat /etc/wireguard/public)
[root@futurelinux 1]# export peer_private=$(cat /etc/wireguard/peers/100/1/private)
[root@futurelinux 1]# echo "[Interface]
Address = 192.168.100.1/32
PrivateKey = $peer_private

[Peer]
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = $wg_ip:$wg_port
PublicKey = $wg_public" > 1.conf

[root@futurelinux 1]# cat 1.conf
[Interface]
Address = 192.168.100.1/32
PrivateKey = YADpm+xptxt0j2scg0MsoRCqJ6cdfGihe8TkILZHZ0Q=

[Peer]
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = 192.168.122.2:6789
PublicKey = 9LiBYQIEj91kHkmM93ilCk++ZSzWLncQGNz2iwHBFyw=
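The peer procedure of steps [9] and [10], as an added example that is not part of the original page: a POSIX shell script that renders the same peer config from variables, but checks the key format, the /32 address and the port before anything is written, and produces the matching server-side `wg set` line. The key values, the `render_peer_conf` and `server_wg_set_cmd` names and the `SAMPLE_*` variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): render the peer config of
# steps [9]-[10] from variables, refusing malformed input before it is written.

# A WireGuard key is 32 bytes in base64: 43 base64 characters plus one '='.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Peer addresses in this layout are single hosts, so require a /32.
is_host_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/32$'
}

is_udp_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_peer_conf ADDRESS PEER_PRIVATE SERVER_PUBLIC ENDPOINT_IP PORT
# Prints the client-side config (same layout as 1.conf); returns 1 on bad input.
render_peer_conf() {
    addr=$1; peer_priv=$2; srv_pub=$3; ep_ip=$4; port=$5
    is_host_cidr "$addr"   || { echo "bad Address: $addr" >&2; return 1; }
    is_wg_key "$peer_priv" || { echo "bad PrivateKey" >&2; return 1; }
    is_wg_key "$srv_pub"   || { echo "bad PublicKey" >&2; return 1; }
    is_udp_port "$port"    || { echo "bad port: $port" >&2; return 1; }
    printf '[Interface]\nAddress = %s\nPrivateKey = %s\n\n' "$addr" "$peer_priv"
    printf '[Peer]\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n'
    printf 'Endpoint = %s:%s\nPublicKey = %s\n' "$ep_ip" "$port" "$srv_pub"
}

# The server-side registration from step [9]. Only the peer's public key is
# needed on the server. Note that, as on the page, "wg set" changes the
# running interface only; it is not written to wg0.conf by itself.
server_wg_set_cmd() {
    peer_pub=$1; addr=$2
    is_wg_key "$peer_pub" && is_host_cidr "$addr" || return 1
    printf 'wg set wg0 peer %s allowed-ips %s\n' "$peer_pub" "$addr"
}

# Constructed placeholder keys: valid format only, not usable key material.
SAMPLE_PEER_PRIV='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
SAMPLE_SRV_PUB='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB='
```

To write the file as in step [10], run the renderer under a restrictive umask, e.g. `( umask 077 && render_peer_conf 192.168.100.1/32 "$SAMPLE_PEER_PRIV" "$SAMPLE_SRV_PUB" 192.168.122.2 6789 > 1.conf )`, since the output contains the peer's private key.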