This tutorial is going to show you how to set up your own WireGuard VPN server on CentOS. WireGuard is made specifically for the Linux kernel. It runs inside the Linux kernel and allows you to create fast, modern, and secure VPN tunnel.
Features of WireGuard VPN
- Lightweight and super fast speed, blowing OpenVPN out of the water.
- Cross-platform. WireGuard can run on Linux, BSD, macOS, Windows, Android, iOS, and OpenWRT.
- User authentication is done by exchanging public keys, similar to SSH keys.
- It assigns static tunnel IP addresses to VPN clients. Some folks may not like it, but it can be useful in some cases.
- Mobile devices can switch between Wi-Fi and mobile network seamlessly without dropping any connectivity.
- It aims to replace OpenVPN and IPSec in most use cases.
Prerequisites
This tutorial assumes that the VPN server and VPN client are both running CentOS operating system.
Step 1: Install WireGuard on CentOS Server and Desktop
Log into your CentOS server, then run the following commands to install WireGuard.
CentOS 8
sudo dnf install elrepo-release epel-release -y sudo dnf install kmod-wireguard wireguard-tools -y
CentOS 7
sudo yum install epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm sudo yum install yum-plugin-elrepo sudo yum install kmod-wireguard wireguard-tools -y
Then use the same commands to install WireGuard on your local CentOS computer (the VPN client).
Step 2: Generate Public/Private Keypair
Server
Create a directory for WireGuard.
sudo mkdir /etc/wireguard/
Run the following command on the CentOS server to create a public/private key pair, which will be saved under /etc/wireguard/ directory.
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
Client
Create a directory for WireGuard.
sudo mkdir /etc/wireguard/
Run the following command to create a public/private key pair on the local CentOS computer (the VPN client).
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
Step 3: Create WireGuard Configuration File
Server
Use a command-line text editor like Nano to create a WireGuard configuration file on the CentOS server. wg0 will be the network interface name.
sudo dnf install nano sudo nano /etc/wireguard/wg0.conf
Copy the following text and paste it to your configuration file. You need to use your own server private key and client public key.
[Interface] Address = 10.10.10.1/24 SaveConfig = true PrivateKey = kLmHUf4LNmxtz1uA3riC7MMXzwBFjJrSWE/Lb4p 4Ec= ListenPort = 51820 [Peer] PublicKey = 75VNV7HqFh 3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA= AllowedIPs = 10.10.10.2/32
Where:
- Address: Specify the private IP address of the VPN server. Here I’m using the 10.10.10.0/24 network range. 10.10.10.1 is the private IP address for the VPN server.
- SaveConfig: the configuration should be saved on shutdown using the current status of the interface.
- PrivateKey: The private key of VPN server, which can be found in the
/etc/wireguard/server_private.keyfile on the server. - ListenPort: WireGuard VPN server will be listening on UDP port 51820, which is the default.
- PublicKey: The public key of VPN client, which can be found in the
/etc/wireguard/client_public.keyfile on the client computer. - AllowedIPs: IP addresses the VPN client is allowed to use. In this example, the client can only use the 10.10.10.2 IP address inside the VPN tunnel.
Save and close the file. (To save a file in Nano text editor, press Ctrl O, then press Enter to confirm. Press Ctrl X to exit.)
Change the file permission mode so that only root user can read the files.
sudo chmod 600 /etc/wireguard/ -R
Client
Use a command-line text editor like Nano to create a WireGuard configuration file on your local CentOS computer. wg-client0 will be the network interface name.
sudo nano /etc/wireguard/wg-client0.conf
Copy the following text and paste it to your configuration file. You need to use your own client private key and server public key.
[Interface] Address = 10.10.10.2/24 DNS = 10.10.10.1 PrivateKey = cOFA x5UvHF a3xJ6enLatG DoE3I5PhMgKrMKkUyXI= [Peer] PublicKey = vxyo4l4I3jWK KZquNIDJF/hzQq29DOIxSUOrfNZZCs= AllowedIPs = 0.0.0.0/0 Endpoint = 12.34.56.78:51820
Where:
- Address: Specify the private IP address of the VPN client.
- DNS: specify 10.10.10.1 (VPN server) as the DNS server. It will be configured via the
resolvconfcommand. - PrivateKey: The client’s private key, which can be found in the
/etc/wireguard/client_private.keyfile on the client computer. - PublicKey: The server’s public key, which can be found in the
/etc/wireguard/server_public.keyfile on the server. - AllowedIPs: 0.0.0.0/0 represents the whole Internet, which means all traffic to the Internet should be routed via the VPN.
- Endpoint: The public IP address and port number of VPN server. Replace 12.34.56.78 with your server’s real public IP address.
Save and close the file.
Change the file mode so that only root user can read the files.
sudo chmod 600 /etc/wireguard/ -R
Step 4: Enable IP Forwarding on the Server
In order for the VPN server to route packets between VPN clients and the Internet, we need to enable IP forwarding. Edit sysctl.conf file.
sudo nano /etc/sysctl.conf
Add the following line at the end of this file.
net.ipv4.ip_forward = 1
Save and close the file. Then apply the changes with the below command. The -p option will load sysctl settings from /etc/sysctl.conf file. This command will preserve our changes across system reboots.
sudo sysctl -p
Step 5: Configure IP Masquerading on the Server
Run the following command to enable IP masquerading in the server firewall.
sudo firewall-cmd --zone=public --permanent --add-masquerade sudo systemctl reload firewalld
This will hide your VPN network from the outside world. So the Internet can only see your VPN server’s IP, but can’t see your VPN client’s IP, just like your home router hides your private home network.
Step 6: Install a DNS Resolver on the Server
Since we specify the VPN server as the DNS server for client, we need to run a DNS resolver on the VPN server. We can install the bind9 DNS server.
sudo dnf install bind
Start BIND 9 with:
sudo systemctl start named
And enable auto start at boot time:
sudo systemctl enable named
You can check its status with:
systemctl status named
Sample output:
● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disable> Active: active (running) since Sun 2020-05-17 11:07:34 EDT; 9s ago Process: 7203 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TE> Process: 7218 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited,> Process: 7215 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; the> Main PID: 7220 (named) Tasks: 4 (limit: 5045) Memory: 55.5M CGroup: /system.slice/named.service └─7220 /usr/sbin/named -u named -c /etc/named.conf -4
Hint: If the above command doesn’t quit immediately, press Q.
Edit the BIND main configuration file /etc/named.conf.
sudo nano /etc/named.conf
In the options clause, you can find the following two lines.
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
This makes named listen on localhost only. If you want to allow clients in the same network to query domain names, then comment out these two lines. (add double slashes at the beginning of each line)
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
Find the following line.
allow-query { localhost; };
Add the 10.10.10.0/24 network range so that VPN clients can send DNS queries. Note that you need to end each network range with a semicolon.
allow-query { localhost; 10.10.10.0/24; };
Save and close the file. Restart BIND9 for the changes to take effect.
sudo systemctl restart named
Then you need to run the following command to allow VPN clients to connect to port 53.
sudo firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="10.10.10.0/24" accept'
Step 7: Open WireGuard Port in Firewall
Run the following command to open UDP port 51820 on the server.
sudo firewall-cmd --permanent --add-port=51820/udp sudo systemctl reload firewalld
Step 8: Start WireGuard
server
Run the following command on the server to start WireGuard.
sudo wg-quick up /etc/wireguard/wg0.conf
To stop it, run
sudo wg-quick down /etc/wireguard/wg0.conf
You can also use systemd service to start WireGuard.
sudo systemctl start [email protected]
If the start failed, you should check the log to find out what’s wrong.
sudo journalctl -eu [email protected]
Enable auto-start at system boot time with the following command.
sudo systemctl enable [email protected]
Check its status with the following command. Its status should be active (exited).
systemctl status [email protected]
Now WireGuard server is ready to accept client connections.
Client
Start WireGuard.
sudo systemctl start [email protected]
If the start failed, you should check the log to find out what’s wrong.
sudo journalctl -eu [email protected]
Enable auto-start at system boot time.
sudo systemctl enable [email protected]
Check its status:
systemctl status [email protected]
Now go to this website: http://icanhazip.com/ to check your public IP address. If everything went well, it should display your VPN server’s public IP address instead of your client computer’s public IP address.
Policy Routing
By default, all traffic on the VPN client will be routed through the VPN server. Sometimes you may want to route only a specific type of traffic, based on the transport layer protocol and the destination port. This is known as policy routing.
Policy routing is configured on the client computer, and we need to stop the VPN connection first.
sudo systemctl stop [email protected]
Then edit the client configuration file.
sudo nano /etc/wireguard/wg-client0.conf
For example, if you add the following 3 lines in the [interface] section, then WireGuard will create a routing table named “1234” and add the ip rule into the routing table. In this example, traffic will be routed through VPN server only when TCP is used as the transport layer protocol and the destination port is 25, i.e, when the client computer sends emails.
Table = 1234 PostUp = ip rule add ipproto tcp dport 25 table 1234 PreDown = ip rule delete ipproto tcp dport 25 table 1234
Save and close the file. Then start WireGuard client again.
sudo systemctl start [email protected]
VPN Kill Switch
By default, your computer can access the Internet via the normal gateway when the VPN connection is disrupted. You may want to enable the kill switch feature, which prevents the flow of unencrypted packets through non-WireGuard interfaces.
Edit the client configuration file.
sudo nano /etc/wireguard/wg-client0.conf
Add the following two lines in the [interface] section.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Like this:
[Interface] Address = 10.10.10.2/24 DNS = 10.10.10.1 PrivateKey = cOFA x5UvHF a3xJ6enLatG DoE3I5PhMgKrMKkUyXI= PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT [Peer] PublicKey = RaoAdsIEIwgV9DHNSubxWVG nZ1GP/c3OU6A/efBJ0I= AllowedIPs = 0.0.0.0/0 Endpoint = 12.34.56.78:51820
Save and close the file. Then restart the WireGuard client.
sudo systemctl restart [email protected]
Wrapping Up
That’s it! I hope this tutorial helped you install and configure WireGuard on CentOS. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks 🙂
Rate this tutorial
[Total: 0 Average: 0]
