WireGuard is a fast and modern VPN, often used as an alternative to the older OpenVPN. Its main claimed advantages are ease of use, very high performance, a well-defined protocol, and an implementation that needs very few lines of code compared to the alternatives.

It works by adding a network interface, named wg0, alongside the existing ones such as eth0 or wlan0; that interface can then be configured by hand with ifconfig or ip address like any other interface. Packets are exchanged with the VPN server over UDP, encrypted using private/public key pairs.

In this guide we will walk you through how to set up WireGuard on a machine running CentOS 7.

Prerequisites

  • A server running CentOS 7
  • We recommend working as a non-root sudo user. If you have not created one yet, the steps below show how to do so.

Creating a non-root sudo user

First, it is necessary to add the user:

adduser {username}

Then, create the password for the new user:

passwd {username}

Finally, add the user to the “wheel” group so that it has sudo access:

gpasswd -a {username} wheel

Figure 1 – Creating a non-root user

Installing WireGuard

First, make sure that everything is up to date (this might take a while):

sudo yum update -y

With that out of the way, WireGuard can be installed with the following two commands:

sudo yum install epel-release elrepo-release -y
sudo yum install kmod-wireguard wireguard-tools -y

Configuring WireGuard

First, create a private/public key pair for the server. This lets client peers encrypt their messages using a public key that can only be decrypted by the server, since it is the only one holding the corresponding private key. For more information on asymmetric encryption visit ….

Go into the WireGuard directory. Use sudo su to get a root shell first, since "sudo cd" does not work:

sudo su
cd /etc/wireguard

Generate the keys with wg genkey. The tee command writes the generated private key to the file privatekey and also passes it on to wg pubkey, which derives the corresponding public key; that output is saved as publickey.

wg genkey | tee privatekey | wg pubkey > publickey

You should now have 2 files in the folder, named privatekey and publickey.

Figure 2 – Creating a private/public key pair

The next step is to create the configuration file for WireGuard. Open it with your preferred text editor.

If you want to use nano, install it with:

yum install nano -y

Then create and open a file named wg0.conf with the following command:

nano /etc/wireguard/wg0.conf

You can then copy and paste the configuration below. In nano you can right-click to paste, and press Ctrl+X followed by y to save and close. Be aware of some necessary changes:

  • YOUR_INTERFACE_NAME should be the name of the network interface that has internet access on the server. To check this, use the command:
    • ip a

Figure 3 – “ip a” command result

The interface to use is the one carrying your public IP address. In this case it is “eth0”.

  • YOUR_PRIVATE_KEY should be the text inside the privatekey file we generated before. To copy it you can use cat privatekey and copy the text.
  • CLIENT_PUBLIC_KEY is the publickey of the CLIENT. This has not been generated yet; we will talk about it in the next section. Leave this space empty for now.

[Interface]
Address = 10.6.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE
ListenPort = 51820
PrivateKey = YOUR_PRIVATE_KEY

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.6.0.2/32

It should look something like this:

Figure 4 – Creating a WireGuard config file

You can now leave the root shell:

exit

Make sure that the firewall is not blocking the VPN port. The following rule opens port 51820, which we configured earlier in wg0.conf, for UDP packets:

sudo iptables -I INPUT 1 -p udp --dport 51820 -j ACCEPT

To make it persistent after reboots:

sudo yum install iptables iptables-services
sudo service iptables save
sudo systemctl enable iptables

Also make sure to enable IPv4 and IPv6 forwarding. To do this, open the sysctl configuration:

sudo nano /etc/sysctl.conf

and add the following lines:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
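The step above says to add two lines, but on a server that has been around for a while /etc/sysctl.conf may already contain net.ipv4.ip_forward (set to 0, or commented out), and appending blindly leaves two conflicting entries, of which the last one wins. The following added example (not code from the original tutorial; the function names and the sample file are this example's own) rewrites an existing entry in place, drops duplicates and appends only what is missing:

```python
# Added example, not from the original tutorial: edit sysctl.conf idempotently. An existing server may
# already carry net.ipv4.ip_forward (set to 0, or commented out); appending blindly leaves two
# conflicting entries. This rewrites an active entry in place, drops duplicates and appends only
# what is missing. Apply the result afterwards with `sudo sysctl -p`.
import re

FORWARDING = {"net.ipv4.ip_forward": "1", "net.ipv6.conf.all.forwarding": "1"}
SETTING_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(\S+)\s*$")   # an active (uncommented) key = value line


def active_settings(text):
    """Map of the uncommented key = value entries; the last occurrence wins, as it does for sysctl -p."""
    found = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def ensure_sysctl(text, settings=FORWARDING):
    """Return the file text with each wanted key set exactly once to the wanted value."""
    out, done = [], set()
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m and m.group(1) in settings:
            key = m.group(1)
            if key in done:
                continue                       # drop a duplicate active entry
            line = f"{key} = {settings[key]}"  # rewrite in place, keeping the file's order
            done.add(key)
        out.append(line)                       # comments and unrelated keys pass through untouched
    out += [f"{key} = {value}" for key, value in settings.items() if key not in done]
    return "\n".join(out) + "\n"


# Constructed sample: a sysctl.conf with forwarding off, a duplicate entry and the IPv6 key commented out.
SAMPLE_SYSCTL = """\
# constructed sample sysctl.conf for this example
net.ipv4.ip_forward = 0
#net.ipv6.conf.all.forwarding = 1
kernel.sysrq = 0
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    print(ensure_sysctl(SAMPLE_SYSCTL))
```

To use it on a real host, read /etc/sysctl.conf, write ensure_sysctl() of its contents back, and run sudo sysctl -p so the kernel picks the values up without a reboot; running the function twice yields the same file, so it is safe to re-run.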

Client Configuration

To configure the client, we will have to repeat some of the steps done for the server.

First, install WireGuard. If the client is a CentOS machine, follow the same commands as above. As an example we will use a Windows 10 machine as the client. The official installation page of the WireGuard website lists the installation files for every supported platform, including Windows.

The client also needs its own private/public key pair. Either generate it as before, or, on a platform like Windows, let the WireGuard client generate it automatically. In our case a Windows client was used and the keys were generated automatically:

In the application, press the arrow next to Add Tunnel at the bottom and select “Add empty tunnel”. Give it a name.

Figure 5 – WireGuard for Windows client configuration

With the keys in hand, the only thing missing is the configuration file; you can copy and paste the snippet below. Be aware that:

  • CLIENT_PRIVATE_KEY is the private key generated for the client
  • SERVER_PUBLIC_KEY is the public key that was generated before in the server, you need to copy it to this file
  • SERVER_IP is the public network IP of your server. You can check this either by running a command like ifconfig on Linux or ipconfig on Windows.

[Interface]
Address = 10.6.0.2/32
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
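Both the server snippet earlier and the client snippet above are easy to get subtly wrong: a placeholder left in place, a key pasted with a missing character, or a peer's AllowedIPs that does not sit inside the tunnel subnet. The following added example (not code from the original tutorial or from the WireGuard project; its function names and the DUMMY_* keys are this example's own, and the sample configs are constructed from the two snippets) checks a wg-quick config file for those mistakes before you run wg-quick up:

```python
# Added example, not part of the original tutorial: a sanity checker for wg-quick config files like the
# server and client snippets above. It flags placeholders that were never replaced, keys that are not
# 32-byte base64, AllowedIPs outside the tunnel subnet, and AllowedIPs that overlap between peers
# (WireGuard's cryptokey routing hands the overlapping range to the peer listed last).
import base64
import ipaddress
import re

PLACEHOLDER_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")   # YOUR_PRIVATE_KEY, SERVER_IP, ...


def parse_wg_conf(text):
    """Minimal INI-style parser that keeps every [Peer] section and repeated keys."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1].setdefault(key, []).append(value)
    return sections


def is_wg_key(value):
    """WireGuard keys are 32 bytes of Curve25519 material, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def networks(values):
    """Expand comma-separated Address/AllowedIPs values into ip_network objects."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for value in values for item in value.split(",") if item.strip()]


def check_wg_conf(text):
    """Return 'LEVEL: message' findings for a config; an empty list means nothing to report."""
    sections, findings = parse_wg_conf(text), []
    for name, fields in sections:
        for key, values in fields.items():
            for token in sorted({t for v in values for t in PLACEHOLDER_RE.findall(v)}):
                findings.append(f"ERROR: [{name}] {key} still contains placeholder {token}")
    interfaces = [f for n, f in sections if n == "Interface"]
    if len(interfaces) != 1:
        return findings + ["ERROR: expected exactly one [Interface] section"]
    if not any(is_wg_key(v) for v in interfaces[0].get("PrivateKey", [])):
        findings.append("ERROR: [Interface] PrivateKey missing or not a 32-byte base64 key")
    local = networks(interfaces[0].get("Address", []))
    if not local:
        findings.append("ERROR: [Interface] Address missing")
    seen = []                                   # (peer number, network) already claimed
    for i, peer in enumerate((f for n, f in sections if n == "Peer"), 1):
        if not any(is_wg_key(v) for v in peer.get("PublicKey", [])):
            findings.append(f"ERROR: peer {i} PublicKey missing or not a 32-byte base64 key")
        for net in networks(peer.get("AllowedIPs", [])):
            if net.prefixlen == 0:
                findings.append(f"INFO: peer {i} AllowedIPs {net} sends all traffic of that family through the tunnel")
            elif not any(net.version == l.version and net.subnet_of(l) for l in local):
                findings.append(f"ERROR: peer {i} AllowedIPs {net} is outside the tunnel subnet")
            for j, other in seen:
                if other.version == net.version and other.overlaps(net):
                    findings.append(f"WARN: peer {i} AllowedIPs {net} overlaps peer {j} ({other})")
            seen.append((i, net))
        if "Endpoint" in peer and not re.search(r":\d+$", peer["Endpoint"][-1]):
            findings.append(f"ERROR: peer {i} Endpoint must be host:port")
    return findings


# Constructed samples for this example; the DUMMY_* keys are format-valid filler, not real keys.
DUMMY_PRIV = base64.b64encode(b"\x01" * 32).decode()
DUMMY_PUB = base64.b64encode(b"\x02" * 32).decode()
SERVER_TEMPLATE = """\
[Interface]
Address = 10.6.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE
ListenPort = 51820
PrivateKey = YOUR_PRIVATE_KEY

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.6.0.2/32
"""
SERVER_FILLED = (SERVER_TEMPLATE.replace("YOUR_INTERFACE_NAME", "eth0")
                 .replace("YOUR_PRIVATE_KEY", DUMMY_PRIV).replace("CLIENT_PUBLIC_KEY", DUMMY_PUB))
CLIENT_FILLED = f"[Interface]\nAddress = 10.6.0.2/32\nPrivateKey = {DUMMY_PRIV}\nDNS = 1.1.1.1\n\n" \
                f"[Peer]\nPublicKey = {DUMMY_PUB}\nEndpoint = 203.0.113.10:51820\nAllowedIPs = 0.0.0.0/0, ::/0\n"

if __name__ == "__main__":
    for label, conf in ("template", SERVER_TEMPLATE), ("server", SERVER_FILLED), ("client", CLIENT_FILLED):
        print(f"== {label} ==")
        for finding in check_wg_conf(conf) or ["OK: no findings"]:
            print("  ", finding)
```

Run it against /etc/wireguard/wg0.conf on the server and against the exported tunnel file on the client; the unfilled server template produces placeholder errors, the filled server config produces none, and the client config only reports that 0.0.0.0/0 and ::/0 send all traffic through the tunnel. Since the file holds the private key, it should also be readable by root alone (mode 0600), which wg-quick itself will warn about if it is not.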

Finishing Server Setup

Now that the client has been configured successfully, let’s go back to the server to finish the setup.

Copy the public key from the client and use it to replace the CLIENT_PUBLIC_KEY in the server /etc/wireguard/wg0.conf file.

Turn the WireGuard VPN on:

sudo wg-quick up wg0

If it does not work, reboot the machine first, and then try again:

reboot

To keep it on after reboots, it is necessary to activate the wg service with:

sudo systemctl enable wg-quick@wg0

If for any reason you made a mistake in the server configuration file and need to change it, run:

sudo wg-quick down wg0
sudo wg-quick up wg0

This restarts the interface with the new configuration.

Finally, make sure that your VPS has port 51820 open for UDP connections.

You can check that everything is working by searching on Google for “what is my IP” and checking that the result matches the VPN server’s public IP.

Conclusion

And that is it! You have successfully configured a WireGuard VPN on your CentOS 7 machine!

We hope this tutorial was useful; check out some of our other tutorials for more interesting topics about Linux!
