Install WireGuard VPN Server on Rocky Linux

|
Last Updated:
|
|

Follow through this tutorial to learn how to install WireGuard VPN server on Rocky Linux. According wireguard.com, WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Installing WireGuard VPN Server on Rocky Linux

Install EPEL Repos

WireGuard packages are not available on the default Rocky Linux repositories. To install them, you need EPEL repositories.

dnf install epel-release -y

Install ELRepo RPM repository

ELRepo RPM repository provides some of the required WireGuard Modules. You can install ELRepo rpm repository by running the command below;

dnf install elrepo-release -y

Install WireGuard VPN Server

To install WireGuard and the required modules, run the command below;

yum install kmod-wireguard wireguard-tools

Sample output;

Dependencies resolved.
============================================================================================================================================================================
 Package                                   Architecture                     Version                                                  Repository                        Size
============================================================================================================================================================================
Installing:
 kmod-wireguard                            x86_64                           4:1.0.20210606-1.el8_4.elrepo                            elrepo                           110 k
 wireguard-tools                           x86_64                           1.0.20210424-1.el8                                       epel                             125 k

Transaction Summary
============================================================================================================================================================================
Install  2 Packages

Total download size: 235 k
Installed size: 641 k
Is this ok [y/N]: y

The command installs two WireGuard VPN utilities:

  • wg: is the configuration utility for getting and setting the configuration of WireGuard tunnel interfaces.
  • wg-quick: Use to set up a WireGuard interface. Refer to man wg-quick.

Configuring WireGuard VPN Server on Rocky Linux 8

Once the installation is done, you can now proceed to configure WireGuard VPN server on Rocky Linux 8.

Create WireGuard Configuration Directory

WireGuard dont create any configuration files by default. So first off, create WireGuard configuration directory;

mkdir /etc/wireguard

Generate WireGuard Private/Public Keys

Next, you need to generate WireGuard based64-encoded private and public keys.

Generate WireGuard Private Keys

Private keys can be generated using wg genkey command as follows:

umask 077
wg genkey

The command will print the private key to stdout. To write to a file, simply run;

wg genkey > /etc/wireguard/wireguard.key

Generate WireGuard Public Keys

Public keys can be generated from the privates using wg pubkey command. The command similarly prints the key to standard output;

wg pubkey < /etc/wireguard/wireguard.key

To write to a file;

wg pubkey < /etc/wireguard/wireguard.key > /etc/wireguard/wireguard.pub.key

Generate Both Private and Public Key at Once

You can run the command below to genereate WireGuard private key and public key at the same time;

wg genkey | tee /etc/wireguard/wireguard.key | wg pubkey > /etc/wireguard/wireguard.pub.key

Below are the contents of my private and public keys;

cat /etc/wireguard/wireguard.key
cPjxCJPn6YRZQh4wn4jN2LAPlYOjT2b4v0N+qsu5+1U=
cat /etc/wireguard/wireguard.pub.key
60UScq0EQ7ZHXIdHcOnjFYK6N/TLtmtPGTBqLwLd0WY=

Generate WireGuard Server Configuration File

Once that is done, you can now generate WireGuard configuration file, /etc/wireguard/INTERFACE.conf.

Recommended INTERFACE names include ‘wg0’ or ‘wgvpn0’ or even ‘wgmgmtlan0’. However, the number at the end is in fact optional, and really any free-form string [a-zA-Z0-9_=+.-]{1,15} will work. So even interface names corresponding to geographic locations would suffice, such as ‘cincinnati’, ‘nyc’, or ‘paris’, if that’s somehow desirable.

You can simply run the command below to create a config file, named, /etc/wireguard/wg0.conf.

Be sure to replace the private key accordingly.

cat > /etc/wireguard/wg0.conf << 'EOL'
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
ListenPort = 51820
DNS	   = 8.8.8.8,10.8.0.1
PrivateKey = cPjxCJPn6YRZQh4wn4jN2LAPlYOjT2b4v0N+qsu5+1U=
PostUp = firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --remove-port=51820/udp; firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
EOL

You can get explanation of the configuration options from man wg-quick.

  • Address: a comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface. May be specified multiple
    times.
  • ListenPort: WireGuard starts at 51820/UDP by default. However, you can choose any free higher range port.
  • DNS : a comma-separated list of IP (v4 or v6) addresses to be set as the interface’s DNS servers, or non-IP hostnames to be set as the interface’s DNS search domains. May be specified multiple times.
  • PrivateKey: The key extracted from the Private key file created above, /etc/wireguard/wireguard.key
  • PostUp, PostDown: script snippets which will be executed before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules.
  • SaveConfig: if set to ‘true’, the configuration is saved from the current state of the interface upon shutdown. Any changes made to the configuration file before the interface is removed will therefore be overwritten.

Enable IP Forwarding on WireGuard VPN Server

To route packets between VPN clients, you need to enable Kernel IP forwarding by simply running the command below:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Reload sysctl settings

sysctl -p

Running WireGuard VPN Server

You can run WireGuard by bringing up the WireGuard VPN server interface using the wg-quick command or by using systemd service.

To use wg-quick command to bring up the interface.

wg-quick up wg0

Sample command output;

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
success
success
success
success

Checking the wg0 interface details:

ip add show wg0
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.8.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

Listing Firewall rules on an active interface;

firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 51820/udp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

To use systemd service to manage WireGuard, simply run the command below to start it.

systemctl start wg-quick@wg0

To check the status;

systemctl status wg-quick@wg0
[email protected] - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/[email protected]; disabled; vendor preset: disabled)
   Active: active (exited) since Sat 2021-07-03 21:24:49 EAT; 1h 5min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 5304 ExecStop=/usr/bin/wg-quick down wg0 (code=exited, status=0/SUCCESS)
  Process: 5337 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
 Main PID: 5337 (code=exited, status=0/SUCCESS)

Jul 03 21:24:47 elk.kifarunix-demo.com systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Jul 03 21:24:47 elk.kifarunix-demo.com wg-quick[5337]: [#] ip link add wg0 type wireguard
Jul 03 21:24:47 elk.kifarunix-demo.com wg-quick[5337]: [#] wg setconf wg0 /dev/fd/63
Jul 03 21:24:47 elk.kifarunix-demo.com wg-quick[5337]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Jul 03 21:24:47 elk.kifarunix-demo.com wg-quick[5337]: [#] ip link set mtu 1420 up dev wg0
Jul 03 21:24:47 elk.kifarunix-demo.com wg-quick[5337]: [#] firewall-cmd --zone=public --add-port 51820/udp --permanent;firewall-cmd --zone=public --add-masquerade --perman>
Jul 03 21:24:48 elk.kifarunix-demo.com wg-quick[5337]: success
Jul 03 21:24:48 elk.kifarunix-demo.com wg-quick[5337]: success
Jul 03 21:24:49 elk.kifarunix-demo.com wg-quick[5337]: success
Jul 03 21:24:49 elk.kifarunix-demo.com systemd[1]: Started WireGuard via wg-quick(8) for wg0.

To enable it to run on boot;

systemctl enable wg-quick@wg0

To stop the WireGuard VPN, run;

wg-quick down wg0

Or

systemctl stop wg-quick@wg0

Configure WireGuard VPN Clients

Once the server is setup, you can now proceed to configure WireGuard VPN clients.

Generate WireGuard VPN Clients Private/Public Keys

To begin with, you need to generate the clients keys. You can use the same command as used above while generating the keys for the server.

The command below generates keys for our three test servers.

for i in ubuntu debian rocky8; do wg genkey | tee /etc/wireguard/$i.key | wg pubkey > /etc/wireguard/$i.pub.key; done
ls -1 /etc/wireguard
debian.key
debian.pub.key
rocky8.key
rocky8.pub.key
ubuntu.key
ubuntu.pub.key
wg0.conf
wireguard.key
wireguard.pub.key

Checking the contents of each keys;

cat /etc/wireguard/debian.key /etc/wireguard/debian.pub.key
UMXEH1lTn7OF+fgBswsdDJU6NAu7N5or43FPWP1EyWY=
YitAHwAT+8Z6JR8iWBRzCdD3uXEujkT8uftOMWnBqjw=
cat /etc/wireguard/ubuntu.key /etc/wireguard/ubuntu.pub.key
qJ2Sczxh8QWO5ZHlN+zZ4IaaMzmnMtgITLfQ0cam82M=
CcBg7ik7RnXkNSabIY8fjeZqoNOWUu6PfMwH6MmLGl4=
cat /etc/wireguard/rocky8.key /etc/wireguard/rocky8.pub.key
kIn6rA7W9MbGdZxRtziFN1DCJsqCi/hAdwhyH76cyU4=
0yjtKHIH2SCZwuA6j0EboagraEdWHWZH++QxM4hWAgs=

Next, you need to add the client peer settings in the WireGuard VPN Server configuration file as shown below. Be sure to replace the Public Keys for the respective clients accordingly.

cat >> /etc/wireguard/wg0.conf << 'EOL'

[Peer]
PublicKey = CcBg7ik7RnXkNSabIY8fjeZqoNOWUu6PfMwH6MmLGl4=
AllowedIPs = 10.8.0.10

[Peer]
PublicKey = YitAHwAT+8Z6JR8iWBRzCdD3uXEujkT8uftOMWnBqjw=
AllowedIPs = 10.8.0.20

[Peer]
PublicKey = 0yjtKHIH2SCZwuA6j0EboagraEdWHWZH++QxM4hWAgs=
AllowedIPs = 10.8.0.30
EOL

Our WireGuard VPN server configuration file now looks like;

cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PostUp = firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --remove-port=51820/udp; firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = cPjxCJPn6YRZQh4wn4jN2LAPlYOjT2b4v0N+qsu5+1U=

[Peer]
PublicKey = CcBg7ik7RnXkNSabIY8fjeZqoNOWUu6PfMwH6MmLGl4=
AllowedIPs = 10.8.0.10

[Peer]
PublicKey = YitAHwAT+8Z6JR8iWBRzCdD3uXEujkT8uftOMWnBqjw=
AllowedIPs = 10.8.0.20

[Peer]
PublicKey = 0yjtKHIH2SCZwuA6j0EboagraEdWHWZH++QxM4hWAgs=
AllowedIPs = 10.8.0.30

Reload WireGuard;

wg syncconf wg0 <(wg-quick strip wg0)

Install and Setup WireGuard VPN Client on Rocky Linux 8/Ubuntu/Debian

Follow the link below to learn how to install and setup WireGuard VPN clients.

Install WireGuard VPN Client on Rocky Linux/Ubuntu/Debian

That concludes our guide on how to install WireGuard VPN Server.

Read more on WireGuard page.

Other Tutorials

Setup OpenVPN Server on Rocky Linux 8

Install and Configure OpenVPN Client on Rocky Linux 8

Monitor OpenVPN Connections with Prometheus and Grafana

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

Leave a Comment