WireGuard : Configure Server (2025/02/14)
Install WireGuard, a simple yet fast and modern VPN. This example is based on the environment shown below. First, configure the IP masquerade (port forwarding) setting on your router so that UDP packets sent by the WireGuard client over the internet to the global IP address of the WireGuard server are forwarded to the server's local IP address (10.0.0.30, UDP port 51820 in this example).

+------------------------+
|  [ WireGuard Server ]  |172.16.100.1 (VPN IP)
|     dlp.srv.world      +--------+
|                        |wg0     |
+-----------+------------+        |
      enp1s0|10.0.0.30/24         |
            |                     |
      Local Network               |
      +-----+------+              |
-------|  Router#1  |-------------|-----
      +-----+------+              |
            |                     |
         Internet              Internet
            |                     |
      +-----+------+              |
-------|  Router#2  |-------------|-----
      +-----+------+              |
            |                     |
      Local Network               |
            |                     |
      enp1s0|192.168.10.30/24     |
+-----------+------------+        |
|  [ WireGuard Client ]  |wg0     |
|                        +--------+
|                        |172.16.100.5 (VPN IP)
+------------------------+
[1] Install WireGuard.
[root@dlp ~]# dnf -y install wireguard-tools
[2] Configure WireGuard. The example settings below require that Firewalld is running. Note that the firewall rules are added by PostUp at runtime only (no --permanent) and removed again by PostDown, so a [firewall-cmd --reload] while the tunnel is up drops the masquerade, forward and port rules; restart [wg-quick@wg0] after reloading firewalld.
[root@dlp ~]# umask 077
# generate private key for server
# (umask 077 above makes the key files created below readable by root only)
[root@dlp ~]# wg genkey | tee /etc/wireguard/server.key
WInCFAeM30UvtAroGiNfgkPuyrelGuCghYmiuGtjAls=
# generate public key for server
[root@dlp ~]# cat /etc/wireguard/server.key | wg pubkey | tee /etc/wireguard/server.pub
zNIFEnFjexFUCJ7ojN5U5in+mXbY2F8cH/wIvLQfkxQ=
# generate private key for client
# (this key is later copied to the client host; keep it secret in transit)
[root@dlp ~]# wg genkey | tee /etc/wireguard/client.key
MLGNaOfdzUCLsOf06xk/aTrgmRYZzVhkSzg3QJO9W0I=
# generate public key for client
[root@dlp ~]# cat /etc/wireguard/client.key | wg pubkey | tee /etc/wireguard/client.pub
BVMYk8mKyppaCPYZezfY4KBTUVtwpzbMrpXZFXCw11o=
# confirm network interface
[root@dlp ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:ec:51:ad brd ff:ff:ff:ff:ff:ff
    altname enx525400ec51ad
    inet 10.0.0.30/24 brd 10.0.0.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:feec:51ad/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
# confirm firewalld active zone
[root@dlp ~]# firewall-cmd --get-active-zone
public
  interfaces: enp1s0
# create a new config
# [wg0.conf] ⇒ [(VPN interface name).conf]
# VPN interface name ⇒ any name you like
[root@dlp ~]# vi /etc/wireguard/wg0.conf
[Interface]
# specify generated private key for server
PrivateKey = WInCFAeM30UvtAroGiNfgkPuyrelGuCghYmiuGtjAls=
# IP address for VPN interface (no prefix length given, so wg-quick assigns /32)
Address = 172.16.100.1
# UDP port WireGuard server listens on
ListenPort = 51820
# possible to set any commands to run after WireGuard starts/stops
# set routing rules like follows to access the local network via the VPN session
# (enabling masquerade in firewalld also turns on IPv4 forwarding)
# [--zone=***] ⇒ firewalld active zone name
# [wg0] ⇒ VPN interface name
# [enp1s0] ⇒ Ethernet interface name
PostUp = firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o enp1s0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o enp1s0 -j MASQUERADE; firewall-cmd --add-port=51820/udp
PostDown = firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o enp1s0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o enp1s0 -j MASQUERADE; firewall-cmd --remove-port=51820/udp

[Peer]
# specify public key for client
PublicKey = BVMYk8mKyppaCPYZezfY4KBTUVtwpzbMrpXZFXCw11o=
# clients' VPN IP addresses you allow to connect
# possible to specify a subnet ⇒ [172.16.100.0/24]
# on the server AllowedIPs is also the route table for this peer, so never put 0.0.0.0/0 here
AllowedIPs = 172.16.100.5, 172.16.100.6
# [wg-quick@wg0] ⇒ [wg-quick@(VPN interface name)]
[root@dlp ~]# systemctl enable --now wg-quick@wg0
# confirm the VPN interface is up
[root@dlp ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:ec:51:ad brd ff:ff:ff:ff:ff:ff
    altname enx525400ec51ad
    inet 10.0.0.30/24 brd 10.0.0.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:feec:51ad/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.100.1/32 scope global wg0
       valid_lft forever preferred_lft forever
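The key generation and the wg0.conf layout from the steps above, turned into a script that also lints the result before it is handed to wg-quick. This is an added example, not code from the original page or from the WireGuard project. It assumes a POSIX shell with coreutils (base64, stat, mktemp) and awk; wg genkey / wg pubkey are used only when wireguard-tools is installed, otherwise a constructed random 32-byte placeholder of the same shape stands in so the checks run offline. The function names (wg_key_ok, wg_gen_keypair, wg_render_server_conf, wg_lint_conf, wg_demo) are my own.

```shell
#!/bin/sh
# Added example: generate WireGuard key files with safe permissions, render a
# server wg0.conf in the page's layout, and lint it for the mistakes that bite in
# practice (world-readable key file, malformed key, [Peer] without AllowedIPs,
# 0.0.0.0/0 in a server-side AllowedIPs, no ListenPort).

# 0 if $1 has the shape of a WireGuard key: base64 that decodes to exactly 32 bytes.
wg_key_ok() {
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# Write a private key to $1 and its public key to $2; both files are created 0600.
wg_gen_keypair() {
    (
        umask 077                          # as on the page: key files readable by root only
        if command -v wg >/dev/null 2>&1; then
            wg genkey | tee "$1" | wg pubkey > "$2"
        else
            # constructed offline placeholder: correct length and encoding, not real Curve25519 keys
            head -c 32 /dev/urandom | base64 > "$1"
            head -c 32 /dev/urandom | base64 > "$2"
        fi
    )
}

# Render a server config: $1 output path, $2 server private key file, $3 VPN address,
# $4 ListenPort, $5 client public key file, $6 AllowedIPs for that client.
wg_render_server_conf() {
    (
        umask 077                          # the file embeds the private key, so create it 0600
        {
            printf '[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %s\n' \
                "$(cat "$2")" "$3" "$4"
            printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$(cat "$5")" "$6"
        } > "$1"
    )
}

# Lint a wg-quick config. Prints one finding per line; returns 1 if there is any finding.
wg_lint_conf() {
    {
        mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
        case "$mode" in 600|400) ;; *) echo "mode $mode: file holds a private key, expected 0600" ;; esac
        awk '
        # canonical base64 of exactly 32 bytes: 44 chars, a single "=", zero padding bits
        function keyok(k) {
            return length(k) == 44 && k ~ /^[A-Za-z0-9+\/]+=$/ && substr(k, 43, 1) ~ /[AEIMQUYcgkosw048]/
        }
        function flush() {
            if (sec != "Peer") return
            if (pk == "")          print "peer " n ": missing PublicKey"
            else if (!keyok(pk))   print "peer " n ": PublicKey is not a 32-byte base64 key"
            if (ips == "")         print "peer " n ": missing AllowedIPs"
            else if (ips ~ /(^|[ ,])0\.0\.0\.0\/0/)
                print "peer " n ": AllowedIPs 0.0.0.0/0 on the server routes all IPv4 traffic into this client"
        }
        /^[[:space:]]*\[/ {
            flush(); sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            if (sec == "Peer") { n++; pk = ""; ips = "" }
            next
        }
        /^[[:space:]]*(#|$)/ { next }
        {
            sub(/[[:space:]]*#.*$/, "")                       # drop trailing comment
            k = $0; sub(/[[:space:]]*=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (sec == "Interface" && k == "PrivateKey") priv = v
            if (sec == "Interface" && k == "ListenPort") port = v
            if (sec == "Peer" && k == "PublicKey") pk = v
            if (sec == "Peer" && k == "AllowedIPs") ips = v
        }
        END {
            flush()
            if (priv == "")          print "[Interface] has no PrivateKey"
            else if (!keyok(priv))   print "[Interface] PrivateKey is not a 32-byte base64 key"
            if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) print "[Interface] ListenPort missing or invalid"
            if (n == 0)              print "no [Peer] section: no client can connect"
        }' "$1"
    } | grep . && return 1
    return 0
}

# Walk the page's procedure in a scratch directory and print the rendered config path.
wg_demo() {
    dir=$(mktemp -d)
    wg_gen_keypair "$dir/server.key" "$dir/server.pub"
    wg_gen_keypair "$dir/client.key" "$dir/client.pub"
    wg_render_server_conf "$dir/wg0.conf" "$dir/server.key" 172.16.100.1 51820 \
        "$dir/client.pub" "172.16.100.5, 172.16.100.6"
    printf '%s\n' "$dir/wg0.conf"
}

conf=$(wg_demo)
if wg_lint_conf "$conf"; then
    echo "$conf passes, safe to hand to wg-quick"
fi
```

The 0.0.0.0/0 check is the one that matters most on a server: AllowedIPs is both the source-address filter for packets arriving from that peer and the route table for packets sent to it, so a server peer entry with 0.0.0.0/0 would send every forwarded packet into that one client's tunnel. The key-shape rule mirrors the 44-character canonical base64 form that wg accepts, which catches a pasted key that lost a character far earlier than a failed handshake would.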