Wireguard is a fast and modern VPN which is used as an alternative to the older OpenVPN. The main advantages that they claim are being easier to use, having a very high performance, being well defined and only needing very few lines of code to be implemented when compared to the alternatives.
It works by adding a network interface called wg0, like eth0 or wlan0, that can then be configured manually using ifconfig or ip-address like any other interface. Packets are then sent to the VPN server over UDP, encrypted using private-public key pairs.
In this guide we will walk you through how to set up Wireguard on a machine running CentOS 7.
Prerequisites
- A server running CentOS 7
- We recommend acting as a non-root sudo user. In case you have not created one yet, we will guide you through the steps to do so below.
Creating a non-root sudo user
First, it is necessary to add the user:
adduser {username}
Then, create the password for the new user:
passwd {username}
Finally, add the user to the “wheel” group in order for it to have sudo access.
gpasswd -a {username} wheel

Figure 1- Creating a non-root user
Installing Wireguard
First, we will make sure that everything is up-to-date with (this might take a while):
sudo yum update -y
Having that out of the way, Wireguard can be installed using the following two commands:
sudo yum install epel-release elrepo-release -y
sudo yum install kmod-wireguard wireguard-tools -y
Configuring Wireguard
First, it is necessary to create a private-public key pair for the server to use. This will allow client peers to encrypt their message using a public key which can only be decrypted by the server, since it is the only one with the corresponding private key. For more information on asymmetric encryption visit ….
Go into the wireguard directory:
sudo su    # gain root access, since the sudo cd command does not work
cd /etc/wireguard
Generate the keys with wg genkey, then use the tee command to save the generated private key as privatekey and pass it to the wg pubkey command, which generates the corresponding public key and saves it with the name publickey.
wg genkey | tee privatekey | wg pubkey > publickey
You should now have 2 files in the folder, named privatekey and publickey.

Figure 2 – Creating a private-public key pair
The next step is to create the configuration file for Wireguard with your preferred text editor. If you want to use nano, install it with:
yum install nano -y
Then create and open a file named wg0.conf by using the following command:
nano /etc/wireguard/wg0.conf
You can then copy and paste the configuration below. In nano you can right-click to paste, and press Ctrl+X followed by y to save and close. Be aware of some necessary changes:
- YOUR_INTERFACE_NAME should be the name of the network interface on the server which has access to the internet. To check this, use the command: ip a

Figure 3 – “ip a” command result
The interface you will use will be the one with your public IP address. In this case it would be “eth0”.
- YOUR_PRIVATE_KEY should be the text inside the privatekey file we generated before. To copy it you can use cat privatekey and copy the text.
- CLIENT_PUBLIC_KEY is the publickey of the CLIENT. This was not generated yet, but we will talk about it in the next section. Leave this space empty for now.
[Interface]
Address = 10.6.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE
ListenPort = 51820
PrivateKey = YOUR_PRIVATE_KEY

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.6.0.2/32
It should look something like this:

Figure 4 – Creating a Wireguard config file
You can now exit sudo mode:
exit
Make sure that the firewall is not blocking the VPS port. The following command opens port 51820, which we configured before in the wg0.conf file, to accept UDP packets:
sudo iptables -I INPUT 1 -p udp --dport 51820 -j ACCEPT
To make it persistent after reboots:
sudo yum install iptables iptables-services
sudo service iptables save
sudo systemctl enable iptables
Also make sure to enable IPv4 and IPv6 forwarding. To do this, run:
sudo nano /etc/sysctl.conf
and add the following lines:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Client Configuration
To configure the client, we will have to repeat some of the steps done for the server:
First, install Wireguard. If the client is a CentOS machine, follow the same commands given above. We will use as an example having a Windows 10 machine as the client. You can find a list of the installation files in the official installation page of the Wireguard website, including the Windows one.
Then, the client will also be required to have a private-public key pair. Either generate it like before, or if you are using a platform like Windows, the Wireguard client will generate them automatically for you. In our case, a Windows client was used, and the keys are generated automatically:
In the application, at the bottom, press the arrow next to “Add tunnel” and select “Add empty tunnel”. Give it a name.

Figure 5- Wireguard for Windows
Having the keys, the only thing missing is to update the configuration file. You can copy and paste the snippet below. Be aware that:
- CLIENT_PRIVATE_KEY is the private key generated for the client.
- SERVER_PUBLIC_KEY is the public key that was generated before in the server. You need to copy it to this file.
- SERVER_IP is the public network IP for your server. You can check this by running a command like ifconfig in Linux or ipconfig in Windows.
[Interface]
Address = 10.6.0.2/32
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
Finishing Server Setup
Now that the client was configured successfully, let’s go back to the server to finish the setup.
Copy the public key from the client and use it to replace the CLIENT_PUBLIC_KEY in the server /etc/wireguard/wg0.conf file.
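A pre-flight check for the finished file, as an added example (not part of the original guide or of the WireGuard tools): the hypothetical helper lint_wg_conf looks for this guide's placeholders, malformed keys and loose file permissions before the tunnel is brought up. The sample config and the key in it are constructed.

```shell
#!/bin/sh
# Added example: lint a wg0.conf before bringing the tunnel up.
# Prints one line per problem; the return status is the number of problems.
lint_wg_conf() {
    conf=$1
    problems=0
    report() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    [ -r "$conf" ] || { echo "PROBLEM: cannot read $conf"; return 1; }

    # 1. Template placeholders from this guide that were never replaced.
    for ph in YOUR_INTERFACE_NAME YOUR_PRIVATE_KEY CLIENT_PUBLIC_KEY; do
        if grep -q "$ph" "$conf"; then report "placeholder $ph not replaced"; fi
    done

    # 2. Keys are 32 bytes in canonical base64: 43 characters plus '='.
    key_re='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=[[:space:]]*$'
    for field in PrivateKey PublicKey; do
        bad=$(sed -n "s/^[[:space:]]*${field}[[:space:]]*=[[:space:]]*//p" "$conf" |
              grep -Evc "$key_re" || true)
        if [ "$bad" -gt 0 ]; then report "$bad malformed $field value(s)"; fi
    done

    # 3. The file holds the private key: no access for group or others.
    if [ "$(ls -ld -- "$conf" | cut -c5-10)" != "------" ]; then
        report "$conf is accessible to group/others (chmod 600)"
    fi

    return "$problems"
}

# Constructed sample (not a real key): client key left as placeholder, mode 644.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
Address = 10.6.0.1/24
ListenPort = 51820
PrivateKey = ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopQ=

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.6.0.2/32
EOF
chmod 644 "$sample"
lint_wg_conf "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```

On the real server, run it as root against /etc/wireguard/wg0.conf; a return status of 0 means none of the three checks fired.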
Turn the WireGuard VPN on:
sudo wg-quick up wg0
If it does not work, reboot the machine first, and then try again:
reboot
To keep it on after reboots, it is necessary to activate the wg service with:
sudo systemctl enable wg-quick@wg0
If for any reason, you made a mistake in the server configuration file and need to change it, you can run:
sudo wg-quick down wg0
sudo wg-quick up wg0
This will reset the server, with the new configurations.
Finally, make sure that your VPS has port 51820 open for UDP connections. You can check if everything is working by searching on Google for “what is my IP” and checking if it matches the VPN server public IP.
Conclusion
And that is it! You successfully configured a Wireguard VPS in your CentOS 7 machine!
Hope this tutorial was useful, you can check out some of our other tutorials for more interesting themes about Linux!