How to Install WireGuard VPN Server on Rocky Linux

Updated on February 4, 2022

Introduction

WireGuard is a free, modern, open-source Virtual Private Network (VPN) application that offers simplicity and state-of-the-art cryptography. Its encryption is built on public/private key pairs, and each connected client device is identified and authenticated by its own key pair.

In this guide, you will install the WireGuard server on Rocky Linux and set up a peer-to-peer VPN connection from a client computer.

Prerequisites

Choose WireGuard Network Addresses

Create a new WireGuard network address range that all connected clients will use; connections from addresses outside the range will be dropped depending on your server configuration. Choose from any of the following valid private ranges for your network.

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
172.16.0.0 - 172.31.255.255  (172.16/12 prefix)
10.0.0.0 - 10.255.255.255  (10/8 prefix)

This guide uses the address block 10.5.0.0/24 for the WireGuard network. 10.5.0.1 is used as the server address, and clients can use any other available host address in the block. For the purposes of this guide, 10.5.0.2 is used as the WireGuard client/peer address.

Install WireGuard Server

Install Extra Packages for Enterprise Linux (EPEL) and ELRepo so that WireGuard can be installed from those repositories.

$ sudo dnf install epel-release elrepo-release

Update the server.

$ sudo dnf update

Install WireGuard.

$ sudo dnf install wireguard-tools kmod-wireguard

Configure WireGuard Server

Create the WireGuard configuration files directory.

$ sudo mkdir -p /etc/wireguard

Then, create the configuration file /etc/wireguard/tun0.conf.

$ sudo touch /etc/wireguard/tun0.conf

Now, generate a new private/public key pair. The umask keeps the private key file readable by root only, and both files are written to /etc/wireguard.

$ (umask 077; wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)

View and copy the private key.

$ sudo cat /etc/wireguard/privatekey

yC0WsEKWC8Zjd7LtykbBNi8NIPKcrfsr7tsqgKMLO3o=

Next, edit the /etc/wireguard/tun0.conf file.

$ sudo vim /etc/wireguard/tun0.conf

Paste the following contents:

[Interface]
PrivateKey = Paste-Server-Private-Key
Address = 10.5.0.1/24 
ListenPort = 51820
SaveConfig = true

Enter the private key copied earlier. Then, save and close the file.

Enable Forwarding

To enable forwarding, so that the server can route traffic from the WireGuard network, open and edit the file /etc/sysctl.conf.

$ sudo vim /etc/sysctl.conf

Add the following IPv4 setting to the bottom of the file:

net.ipv4.ip_forward=1

Apply the change and verify it loads without errors:

$ sudo sysctl -p

Configure Firewall

First, allow WireGuard traffic on UDP port 51820.

$ sudo firewall-cmd --permanent --zone=public --add-port=51820/udp 

Then, assign the WireGuard interface tun0 to the internal zone, so that traffic arriving on the tunnel is handled by that zone's rules.

$ sudo firewall-cmd --permanent --add-interface=tun0 --zone=internal

Enable masquerading for proper traffic routing from the WireGuard interface to other interfaces.

$ sudo firewall-cmd --permanent --zone=internal --add-masquerade

Now, reload the firewall for the changes to take effect.

$ sudo firewall-cmd --reload

View the current firewall configuration for each zone.

$ sudo firewall-cmd --zone=internal --list-all

$ sudo firewall-cmd --zone=public --list-all

Your output should be similar to:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Start WireGuard Server

Enable the WireGuard tun0 interface so that it starts at boot:

$ sudo systemctl enable wg-quick@tun0

Start the WireGuard service.

$ sudo systemctl start wg-quick@tun0   

Verify the current WireGuard status by running the following command:

$ sudo systemctl status wg-quick@tun0

If active, your output should be similar to the one below:

● wg-quick@tun0.service - WireGuard via wg-quick(8) for tun0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2022-01-13 12:17:06 UTC; 3s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 54871 ExecStop=/usr/bin/wg-quick down tun0 (code=exited, status=0/SUCCESS)
  Process: 54898 ExecStart=/usr/bin/wg-quick up tun0 (code=exited, status=0/SUCCESS)
 Main PID: 54898 (code=exited, status=0/SUCCESS)

Jan 13 12:17:05 WireguardServer systemd[1]: wg-quick@tun0.service: Succeeded.
Jan 13 12:17:05 WireguardServer systemd[1]: Stopped WireGuard via wg-quick(8) for tun0.
Jan 13 12:17:05 WireguardServer systemd[1]: Starting WireGuard via wg-quick(8) for tun0...
Jan 13 12:17:05 WireguardServer wg-quick[54898]: [#] ip link add tun0 type wireguard
Jan 13 12:17:05 WireguardServer wg-quick[54898]: [#] wg setconf tun0 /dev/fd/63
Jan 13 12:17:06 WireguardServer wg-quick[54898]: [#] ip -4 address add 10.5.0.1/24 dev tun0
Jan 13 12:17:06 WireguardServer wg-quick[54898]: [#] ip link set mtu 1420 up dev tun0
Jan 13 12:17:06 WireguardServer systemd[1]: Started WireGuard via wg-quick(8) for tun0.

Also, verify WireGuard tunnel status with the following command:

$ sudo wg

Your output will be similar to:

interface: tun0
  public key: zSQA79woVPtGgrEub0pisZ4MRyqed1TUqmaE7t9Dlwo=
  private key: (hidden)
  listening port: 51820

Connect WireGuard Clients

The WireGuard client application is available for multiple operating systems. You can either set up another Rocky Linux server as a peer or download the WireGuard client application to connect your iOS, Android, macOS, Linux, or Windows device.

In this guide, we'll create a WireGuard peer-to-peer tunnel using another Rocky Linux server as the client device. Repeat the server steps above to install WireGuard on the client.

$ sudo dnf install epel-release elrepo-release

$ sudo dnf install wireguard-tools kmod-wireguard

$ sudo mkdir -p /etc/wireguard

$ (umask 077; wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)

View the client private key.

$ sudo cat /etc/wireguard/privatekey

Then, open and edit the WireGuard configuration file.

$ sudo vim /etc/wireguard/tun0.conf

Paste the following contents:

[Interface]
PrivateKey = CLIENT-PRIVATE-KEY
# Client address on the WireGuard network
Address = 10.5.0.2/24

[Peer]
PublicKey = SERVER-PUBLIC-KEY
# Server address on the WireGuard network; the /24 routes the whole WireGuard network through this peer
AllowedIPs = 10.5.0.1/24
# Public IP address and WireGuard port of the server
Endpoint = Server-IP:51820

Enter the client's private key in the [Interface] section, and the server's public key, WireGuard network address, and public IP address in the [Peer] section.

Next, enable the VPN client interface.

$ sudo systemctl enable wg-quick@tun0

Start the VPN client.

$ sudo systemctl start wg-quick@tun0

Verify the VPN interface status.

$ sudo systemctl status wg-quick@tun0

Now, view and copy the client public key.

$ sudo cat /etc/wireguard/publickey

Then, add the client's public key as a peer on the WireGuard server with the following command. Because the server configuration has SaveConfig = true, this peer is written back to /etc/wireguard/tun0.conf when the wg-quick service stops.

$ sudo wg set tun0 peer XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8= allowed-ips 10.5.0.2
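Registering every additional client by hand repeats the key generation, address choice and wg set steps above. The following script, added here as an example and not part of the original guide, does the server side of that in one go for the 10.5.0.0/24 network: it picks the next free host address, registers the peer with a /32 allowed-ip, and renders the client's tun0.conf. The --apply flag, the client-<addr>.conf output path and the use of 10.5.0.0/24 as the client's AllowedIPs are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original guide: server-side peer onboarding for the
# 10.5.0.0/24 network used above. The --apply flag and client-<addr>.conf path are this
# example's own conventions; everything under --apply needs root and the wg tool.
set -eu
WG_IF="tun0"
WG_NET="10.5.0"                         # 10.5.0.0/24, server at 10.5.0.1

# next_free_ip "<used list>": lowest unused host 10.5.0.2..10.5.0.254. The list is the
# raw output of `wg show tun0 allowed-ips` (one "<pubkey>\t<ip>/<cidr> ..." line per peer).
next_free_ip() {
  used=" $(printf '%s' "$1" | tr '\n\t' '  ') "
  i=2
  while [ "$i" -le 254 ]; do
    case "$used" in
      *" $WG_NET.$i/32 "*) i=$((i + 1)) ;;      # taken by an existing peer
      *) printf '%s\n' "$WG_NET.$i"; return 0 ;;
    esac
  done
  echo "no free host address left in $WG_NET.0/24" >&2
  return 1
}

# render_client_conf PRIVKEY ADDR SERVER_PUBKEY ENDPOINT: the client's tun0.conf. AllowedIPs
# is the whole VPN subnet (network form), so the client reaches the server and other peers.
render_client_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.0/24\nEndpoint = %s\n' \
    "$1" "$2" "$3" "$WG_NET" "$4"
}

if [ "${1:-}" = "--apply" ]; then          # usage: sudo sh add-peer.sh --apply SERVER-IP:51820
  endpoint="$2"
  umask 077                                # private key material never becomes world-readable
  client_priv="$(wg genkey)"
  client_pub="$(printf '%s' "$client_priv" | wg pubkey)"
  server_pub="$(wg show "$WG_IF" public-key)"
  addr="$(next_free_ip "$(wg show "$WG_IF" allowed-ips)")"
  wg set "$WG_IF" peer "$client_pub" allowed-ips "$addr/32"   # /32: exactly one host per peer
  render_client_conf "$client_priv" "$addr" "$server_pub" "$endpoint" > "client-$addr.conf"
  echo "registered $client_pub as $addr; hand client-$addr.conf to the client"
fi
```

With SaveConfig = true on the server, a peer registered this way is persisted to tun0.conf the next time wg-quick@tun0 stops.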

Test the WireGuard connection by sending ping packets to the VPN server address.

$ ping 10.5.0.1

Run the following command to view the VPN tunnel information on the server.

$ sudo wg

Your output should be similar to the one below:

interface: wg0
  public key: zSQA79woVPtGgrEub0pisZ4MRyqed1TUqmaE7t9Dlwo=
  private key: (hidden)
  listening port: 51820

peer: VB+l4vytC337tgNdvESM/U5hQaVUQQrWmNalllumeUw=
  endpoint: 40.79.189.73:14050
  allowed ips: 10.5.0.3/24
  latest handshake: 6 seconds ago
  transfer: 6.04 KiB received, 8.82 KiB sent

peer: XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8=
  endpoint: 95.179.255.69:37626
  allowed ips: 10.5.0.2/24
  latest handshake: 35 seconds ago
  transfer: 4.39 KiB received, 4.34 KiB sent
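WireGuard routes by allowed-ips, and an address can belong to only one peer at a time, so two peers each carrying a /24 entry, as in the table above, cannot both own the network: the kernel keeps one owner per address and reassigns it to the peer configured last. The following check, added here as an example and not from the original guide, parses the output of sudo wg and flags any peer whose allowed-ips entry is not a single host in 10.5.0.0/24 or is already owned by another peer. The function name and the --demo flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the peer table printed by `sudo wg`
# on the server. Every peer should own exactly its own /32 inside 10.5.0.0/24; a wider
# prefix on two peers is ambiguous, and the kernel keeps only one owner per address.
set -eu

# check_peer_routes "<output of wg show>": prints one line per problem, exit 1 if any.
check_peer_routes() {
  printf '%s\n' "$1" | awk '
    /^peer: / { peer = $2 }
    /^ *allowed ips:/ {
      for (i = 3; i <= NF; i++) {
        ip = $i; sub(/,$/, "", ip)                 # entries are comma-separated
        if (ip !~ /^10\.5\.0\.[0-9]+\/32$/) {
          print "peer " peer ": " ip " is not a single-host route inside 10.5.0.0/24"
          bad = 1; continue
        }
        if (ip in seen) {
          print "peer " peer ": " ip " is already routed to peer " seen[ip]
          bad = 1
        } else seen[ip] = peer
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample mirroring the peer table shown in the guide above.
SAMPLE_FROM_GUIDE='interface: tun0
  public key: zSQA79woVPtGgrEub0pisZ4MRyqed1TUqmaE7t9Dlwo=
  listening port: 51820

peer: VB+l4vytC337tgNdvESM/U5hQaVUQQrWmNalllumeUw=
  allowed ips: 10.5.0.3/24

peer: XwJ/2joO4WFoaSkCztcCXyHLUaG0Wf2kbFCtm5IF3n8=
  allowed ips: 10.5.0.2/24'

# Live use on the server: check_peer_routes "$(sudo wg)". With --demo, audit the sample.
if [ "${1:-}" = "--demo" ]; then
  check_peer_routes "$SAMPLE_FROM_GUIDE" ||
    echo "fix each peer with: sudo wg set tun0 peer <key> allowed-ips 10.5.0.N/32"
fi
```

Run on the sample it reports both peers, since neither holds a /32; on a server configured with wg set ... allowed-ips 10.5.0.2 as in this guide it stays silent.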

Conclusion

Congratulations, you have successfully set up a WireGuard VPN server on Rocky Linux and created a peer-to-peer connection using another Rocky Linux server as a client. For each additional client that connects to the server, be sure to edit the WireGuard configuration file and assign a unique address on the WireGuard network for a successful connection.