WireGuard is an open-source, fast, security-focused virtual private network application that can be used to create secure point-to-point connections in routed configurations. It is simple, faster than OpenVPN, and uses proven cryptography protocols and algorithms to protect data. It can be installed in many operating systems including Windows, macOS, BSD, iOS, Linux, and Android. WireGuard is a peer-to-peer VPN and does not use the client-server model. It assigns static IP addresses to VPN clients, and user authentication is done by exchanging public keys.

In this tutorial, we will show you how to set up WireGuard VPN on CentOS 8.

Step 1 – Enable IP Forwarding

Before starting, you will need to enable IP forwarding in your system. You can enable it by creating a new /etc/sysctl.d/99-custom.conf file:

nano /etc/sysctl.d/99-custom.conf

Add the following line:

net.ipv4.ip_forward=1

Save and close the file then run the following command to apply the changes:

sysctl -p /etc/sysctl.d/99-custom.conf

Step 2 – Install Wireguard

First, you will need to install the EPEL and ELRepo repositories on your system. You can install them with the following command:

dnf install epel-release elrepo-release -y

Once installed, install WireGuard by running the following command:

dnf install kmod-wireguard wireguard-tools -y

Once the installation is completed, restart your system to load the kernel module.

Step 3 – Configure WireGuard

First, you will need to generate the public and private keys inside /etc/wireguard directory. Run the following command to generate them:

wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

The private key is written to /etc/wireguard/privatekey, and the derived public key is both written to /etc/wireguard/publickey and printed to the terminal:

Nnid+rqJBnsZ+SN68dILbmxMreKyFTlSjBI8bh4sbzU=

You can also list them with the following command:

ls /etc/wireguard/

You should see the following output:

privatekey  publickey

Next, you will need to configure the tunnel device that will route the VPN traffic. You can do that by creating a new configuration file named wg0.conf:

nano /etc/wireguard/wg0.conf

Add the following lines:

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = Nnid+rqJBnsZ+SN68dILbmxMreKyFTlSjBI8bh4sbzU=
PostUp     = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown   = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade

Save and close the file when you are finished.

Here are the relevant definitions for the lines above:

  • Address: Specify the private IP address of the VPN server on the tunnel.
  • SaveConfig: Write the running configuration, including peers added later with wg set, back to this file when the interface is brought down.
  • ListenPort: Specify the UDP port WireGuard listens on.
  • PrivateKey: Specify the private key of the VPN server, which can be found in /etc/wireguard/privatekey.
  • PostUp: Specify any commands to run when the WireGuard interface is brought up; here they open the listening port and enable masquerading in firewalld.
  • PostDown: Specify any commands to run when the WireGuard interface is brought down; here they reverse the PostUp changes.

Next, bring up the WireGuard interface by using wg-quick command:

wg-quick up wg0

You should get the following output:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
success

You can now check the status of the wg0 interface with the following command:

wg show wg0

You should see the following output:

interface: wg0
  public key: 6hxSg1eZR9n4oPYckJbzXcNbVwcjF5vNsSzUREsoBEY=
  private key: (hidden)
  listening port: 51820

You can also verify the interface address with the following command:

ip a show wg0

You should see the following output:

5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

Next, enable the wg0 interface to start at system reboot with the following command:

systemctl enable wg-quick@wg0

Step 4 – Install and Configure Wireguard VPN Client

First, install the EPEL and ELRepo repositories on the client machine with the following command:

dnf install epel-release elrepo-release -y

Once installed, install WireGuard by running the following command:

dnf install kmod-wireguard wireguard-tools

Once the installation is completed, restart your system to load the kernel module.

Next, generate the public and private keys with the following command:

wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

The client's public key is printed to the terminal:

NvzqF7ilT01OD3uTAmNME1rHFnCcTdGSXo+f8tkRElQ=

Next, create a new wg0.conf configuration file with the following command:

nano /etc/wireguard/wg0.conf

Add the following lines:

[Interface]
PrivateKey = NvzqF7ilT01OD3uTAmNME1rHFnCcTdGSXo+f8tkRElQ=
Address = 10.0.0.2/24

[Peer]
PublicKey = Nnid+rqJBnsZ+SN68dILbmxMreKyFTlSjBI8bh4sbzU=
Endpoint = your-server-ip:51820
AllowedIPs = 0.0.0.0/0

Save and close the file when you are finished.

Here are the relevant definitions for the lines above:

  • PrivateKey: Specify the client's private key.
  • Address: Specify the private IP address of the client's wg0 interface.
  • PublicKey: Specify the server's public key.
  • Endpoint: Specify the server's public IP address and WireGuard port.
  • AllowedIPs: Specify which destination IP ranges are routed through the tunnel; 0.0.0.0/0 sends all of the client's IPv4 traffic through the VPN server.

Step 5 – Add the Client Peer to the Server

Next, you will need to add your WireGuard client's public key and tunnel IP address on your WireGuard VPN server.

On the server machine, run the following command to add the client public key and IP address to the server:

wg set wg0 peer NvzqF7ilT01OD3uTAmNME1rHFnCcTdGSXo+f8tkRElQ= allowed-ips 10.0.0.2

You can find the client's public key in /etc/wireguard/publickey on the client machine.
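A peer added with wg set exists only in the running interface until SaveConfig writes it back on the next wg-quick down. The following added example (not part of the tutorial) validates a client's public key and tunnel address and prints the equivalent [Peer] block for wg0.conf; it assumes POSIX sh with GNU-style base64(1) and needs no wg(8).

```shell
#!/bin/sh
# Added example, not from the tutorial: check a client's key and address,
# then emit the [Peer] block that `wg set wg0 peer ... allowed-ips ...` creates.

# A WireGuard key is 32 raw Curve25519 bytes, base64-encoded to exactly
# 44 characters with one trailing '='. Anything else is not a key.
wg_key_valid() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # characters outside base64
        *=) ;;                           # expected single padding char
        *) return 1 ;;
    esac
    case "${key%=}" in *=*) return 1 ;; esac   # '=' only at the very end
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Dotted-quad IPv4 check: four decimal octets, each in 0-255.
ipv4_valid() {
    addr=$1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Server-side [Peer] block. AllowedIPs is the cryptokey-routing rule: only
# packets to/from this /32 are accepted for this peer. 0.0.0.0/0 belongs on
# the client side only; on the server it would route all traffic to one client.
peer_block() {
    pubkey=$1; client_ip=$2
    wg_key_valid "$pubkey" || { echo "bad public key" >&2; return 1; }
    ipv4_valid "$client_ip" || { echo "bad client address" >&2; return 1; }
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pubkey" "$client_ip"
}

# Stand-alone demo with the client key and tunnel address from Step 5.
peer_block "NvzqF7ilT01OD3uTAmNME1rHFnCcTdGSXo+f8tkRElQ=" 10.0.0.2
```

Append the printed block to /etc/wireguard/wg0.conf on the server if you want the peer persisted regardless of SaveConfig.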

On the client machine, bring up the wg0 interface with the following command:

wg-quick up wg0

You should see the following output:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

On the server machine, you can check the WireGuard server status with the following command:

wg

You should get the following output:

interface: wg0
  public key: 6hxSg1eZR9n4oPYckJbzXcNbVwcjF5vNsSzUREsoBEY=
  private key: (hidden)
  listening port: 51820

peer: NvzqF7ilT01OD3uTAmNME1rHFnCcTdGSXo+f8tkRElQ=
  allowed ips: 0.0.0.0/0
  latest handshake: 22 seconds ago
  transfer: 126.15 KiB received, 123.12 KiB sent

Conclusion

Congratulations, you have successfully set up a WireGuard VPN server on CentOS 8 and created a VPN tunnel between two CentOS 8 machines. The client's traffic now travels to the server through an encrypted tunnel, protecting it on untrusted networks. Get started today with a virtual private server from Atlantic.Net!