Configure WireGuard Server

Install WireGuard, the simple, fast and modern VPN software.

[1] Install WireGuard.

[[email protected] ~]# dnf install wireguard-tools -y

[2] The wireguard kernel module is loaded automatically on the first reboot after installation. To carry on with the remaining steps without rebooting, load it now with modprobe and confirm it is present.

[[email protected] ~]# lsmod | grep wireguard
[[email protected] ~]# modprobe wireguard
[[email protected] ~]# lsmod | grep wireguard
wireguard              94208  0
libchacha20poly1305    16384  1 wireguard
libblake2s             16384  1 wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             20480  1 wireguard
curve25519_x86_64      49152  1 wireguard
libcurve25519_generic    49152  2 curve25519_x86_64,wireguard

[3] Switch to the WireGuard configuration directory and generate the server key pair. The umask 077 makes the private key file readable by root only.

[[email protected] ~]# cd /etc/wireguard
[[email protected] wireguard]# umask 077 && wg genkey | tee private | wg pubkey > public
[[email protected] wireguard]# ls
private  public

[4] The server configuration must specify the private key and the UDP port the interface listens on. The following command sets ListenPort to 6789 for this example and reads the private key generated above into the PrivateKey parameter.

[[email protected] wireguard]# echo -e "[Interface]\nListenPort = 6789\nPrivateKey = $(cat private)" > wg0.conf
[[email protected] wireguard]# cat wg0.conf
[Interface]
ListenPort = 6789
PrivateKey = 0IpcufRuvDjd6kMbR7CzTRhiJlvRkLu7sIXDMUPBxXI=

[5] Open UDP port 6789, on which WireGuard will listen, in the firewall and enable masquerading so that traffic forwarded on behalf of peers is NATed to the server's address.

[[email protected] wireguard]# firewall-cmd --permanent --add-port=6789/udp
success
[[email protected] wireguard]# firewall-cmd --permanent --add-masquerade
success
[[email protected] wireguard]# firewall-cmd --reload
success

[6] Enable IPv4 forwarding in the kernel persistently via /etc/sysctl.conf and apply it with sysctl -p.

[[email protected] wireguard]# sysctl -p
[[email protected] wireguard]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[[email protected] wireguard]# sysctl -p
net.ipv4.ip_forward = 1

[7] Enable and start the wg-quick@wg0 service so that the wg0 interface is brought up from wg0.conf at boot.

[[email protected] wireguard]# systemctl enable --now wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /usr/lib/systemd/system/wg-quick@.service

[8] Check that the wg0 interface is up and listening on the configured port.

[[email protected] wireguard]# wg show wg0
interface: wg0
  public key: 9LiBYQIEj91kHkmM93ilCk++ZSzWLncQGNz2iwHBFyw=
  private key: (hidden)
  listening port: 6789

[9] Now create a peer and add it to the WireGuard server. This peer will use the tunnel address 192.168.100.1; generate its key pair and register its public key with wg set, restricting allowed-ips to that single address.

[[email protected] wireguard]# mkdir -p peers/100/1
[[email protected] wireguard]# cd peers/100/1
[[email protected] 1]# umask 077 && wg genkey | tee private | wg pubkey > public
[[email protected] 1]# wg set wg0 peer $(cat public) allowed-ips 192.168.100.1/32
[[email protected] 1]# wg
interface: wg0
  public key: 9LiBYQIEj91kHkmM93ilCk++ZSzWLncQGNz2iwHBFyw=
  private key: (hidden)
  listening port: 6789

peer: DlQJgX979QiKTVScfJ2tIoA/VkwOSNOTomOErLVAWAk=
  allowed ips: 192.168.100.1/32

[10] Now create the client configuration file for the peer we just added. First export the values it needs as shell variables, so the whole file can be written in one go.

[[email protected] 1]# export wg_port=6789
[[email protected] 1]# export wg_ip=$(hostname -I | cut -d " " -f 1)
[[email protected] 1]# export wg_public=$(cat /etc/wireguard/public)
[[email protected] 1]# export peer_private=$(cat /etc/wireguard/peers/100/1/private)
[[email protected] 1]# echo "[Interface]
Address = 192.168.100.1/32
PrivateKey = $peer_private

[Peer]
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = $wg_ip:$wg_port
PublicKey = $wg_public" > 1.conf

[[email protected] 1]# cat 1.conf
[Interface]
Address = 192.168.100.1/32
PrivateKey = YADpm+xptxt0j2scg0MsoRCqJ6cdfGihe8TkILZHZ0Q=

[Peer]
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = 192.168.122.2:6789
PublicKey = 9LiBYQIEj91kHkmM93ilCk++ZSzWLncQGNz2iwHBFyw=
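The peer provisioning in steps [9] and [10], as an added shell example that is not part of the original page: it validates the key format before use and, because wg set only changes the running interface and its peers are lost when wg-quick@wg0 restarts, also appends the [Peer] section to wg0.conf. The port 6789, the /etc/wireguard layout and the peers/ directory name are taken from the page; WG_DIR, WG_IFACE and the client.conf file name are assumptions.

```bash
#!/bin/bash
# Added example (not from the original page): provision one WireGuard peer as in
# steps [9] and [10], with key validation and a persistent server-side [Peer] entry.
set -eu

WG_PORT="${WG_PORT:-6789}"           # ListenPort from the page's wg0.conf
WG_DIR="${WG_DIR:-/etc/wireguard}"   # assumed layout, as on the page
WG_IFACE="${WG_IFACE:-wg0}"

# A WireGuard key is 32 random bytes in base64: 44 chars with one '=' pad. The 43rd
# char carries only 4 data bits, so it must be one of A E I M Q U Y c g k o s w 0 4 8.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Server-side [Peer] section; the /32 means the peer may only source its own tunnel IP.
server_peer_block() {   # $1 = peer public key, $2 = peer tunnel IP
    is_wg_key "$1" || { echo "bad public key: $1" >&2; return 1; }
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Client config in the same layout as the page's 1.conf (full tunnel: AllowedIPs 0.0.0.0/0).
client_config() {       # $1 = peer private key, $2 = peer tunnel IP, $3 = server public key, $4 = server IP
    is_wg_key "$1" && is_wg_key "$3" || { echo "bad key" >&2; return 1; }
    printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\n\n' "$2" "$1"
    printf '[Peer]\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\nEndpoint = %s:%s\nPublicKey = %s\n' \
        "$4" "$WG_PORT" "$3"
}

# Needs wireguard-tools and root. Generates the key pair, adds the peer to the live
# interface AND to the config file, and writes the client's config next to its keys.
# Usage: provision_peer 192.168.100.1
provision_peer() {      # $1 = peer tunnel IP
    dir="$WG_DIR/peers/$1"
    ( umask 077; mkdir -p "$dir"; wg genkey | tee "$dir/private" | wg pubkey > "$dir/public" )
    wg set "$WG_IFACE" peer "$(cat "$dir/public")" allowed-ips "$1/32"        # live only
    server_peer_block "$(cat "$dir/public")" "$1" >> "$WG_DIR/$WG_IFACE.conf"  # survives restart
    client_config "$(cat "$dir/private")" "$1" "$(cat "$WG_DIR/public")" \
        "$(hostname -I | cut -d ' ' -f 1)" > "$dir/client.conf"
}
```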