Install and Configure WireGuard on Rocky Linux 9

In this tutorial, we want to teach you to Install and Configure WireGuard VPN Server and Client on Rocky Linux 9.

WireGuard protocol is a secure network tunnel. It can be used as a standalone protocol or implemented as a VPN protocol by a VPN service provider. 

For VPNs, the WireGuard protocol aims to replace IKEv2/IPSec and OpenVPN as a more efficient solution.

Steps To Install and Configure WireGuard on Rocky Linux 9

To complete this guide, you must log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide on Initial Server Setup with Rocky Linux 9.

Also, your SELinux must run in permissive mode.

Now follow the steps below to Set up WireGuard on Rocky Linux 9.

Enable Wireguard Kernel Module on Rocky Linux 9

At this point, you must enable the ‘wireguard’ kernel module on your server. To do this, you can use the following command:

sudo modprobe wireguard

Then, verify that the module is loaded by using the command below:

lsmod | grep wireguard

If the WireGuard module has been enabled, you should get the following output:

Output
wireguard              94208  0
libblake2s             16384  1 wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             24576  1 wireguard
curve25519_x86_64      36864  1 wireguard
libcurve25519_generic    49152  2 curve25519_x86_64,wireguard

Now you need to load the wireguard module permanently. To do this, run the command below:

echo wireguard | sudo tee /etc/modules-load.d/wireguard.conf

This command will load the wireguard kernel module permanently at system boot on Rocky Linux 9.

Finally, use the command below to install the ‘wireguard-tools‘ package:

sudo dnf install wireguard-tools -y

This package is used to manage the Wireguard server.

Generate WireGuard Server and Client Key Pair

At this point, you need to generate key pairs for both the Wireguard server and client via the wireguard-tools on Rocky Linux 9.

Generate WireGuard Server Key Pair

First, run the following command to generate the server private key and write it to the file /etc/wireguard/server.key (tee also echoes the key to your terminal):

wg genkey | sudo tee /etc/wireguard/server.key
Output
ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=

Then, set the correct permissions for it by using the command below:

sudo chmod 0400 /etc/wireguard/server.key

Mode 0400 leaves the file readable by its owner (root) only; the group and others get no access at all, and nobody can write to or execute it.

Next, use the following command to derive the server public key and write it to the file /etc/wireguard/server.pub:

sudo cat /etc/wireguard/server.key | wg pubkey | sudo tee /etc/wireguard/server.pub
Output
Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=

Now you can verify your WireGuard Server private and public key pairs by using the following commands:

sudo cat /etc/wireguard/server.key
sudo cat /etc/wireguard/server.pub

Generate WireGuard Client Key Pair

At this point, you need to generate the key pair for the client. Here we will generate a new key pair for client1.

First, create a new directory to store client key pairs by using the command below:

sudo mkdir -p /etc/wireguard/clients

Then, run the command below to generate the WireGuard client private key and write it to the file /etc/wireguard/clients/client1.key:

wg genkey | sudo tee /etc/wireguard/clients/client1.key
Output
iICfUtMtAvTo+W73oQZRrMP7NSmxDxI2WnZtxtMRhGU=

Next, use the following command to derive the WireGuard client public key and write it to the file /etc/wireguard/clients/client1.pub:

sudo cat /etc/wireguard/clients/client1.key | wg pubkey | sudo tee /etc/wireguard/clients/client1.pub
Output
NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=

Now you can verify both the client's private and public keys by using the following commands:

sudo cat /etc/wireguard/clients/client1.key
sudo cat /etc/wireguard/clients/client1.pub
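The commands above write each private key through tee, which creates the file with the default mode (world-readable) for a moment before chmod tightens it. The following script is an added example, not part of the original tutorial: it generates a key pair with a restrictive umask so the private key is never readable by other users, and it includes two checks you can reuse afterwards, one that confirms a key is a 32-byte base64 value (the only form WireGuard accepts) and one that confirms a key file is owner-only. The directory and file names are assumptions for the example; the sample keys in the test are the tutorial's own example keys.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): generate a WireGuard key pair without a
# world-readable window, then validate the key material and file permissions.
set -euo pipefail

# wg_key_valid KEY -> 0 if KEY is 32 bytes encoded in base64, 1 otherwise.
wg_key_valid() {
  local key="$1" n
  # 32 bytes in base64 is exactly 44 characters, the last one '='.
  [ "${#key}" -eq 44 ] || return 1
  case "$key" in
    *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  # Decode and count the raw bytes; a malformed key decodes to nothing.
  n=$( { printf '%s' "$key" | base64 -d 2>/dev/null || true; } | wc -c | tr -d ' ')
  [ "$n" -eq 32 ]
}

# key_file_private PATH -> 0 if PATH is readable by its owner only (0400 or 0600).
key_file_private() {
  local mode
  mode=$(stat -c '%a' "$1")   # GNU stat, as on Rocky Linux
  [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# gen_keypair DIR NAME -> DIR/NAME.key (0400) and DIR/NAME.pub (0644).
# Run as root (or under sudo) when DIR is below /etc/wireguard.
gen_keypair() {
  local dir="$1" name="$2"
  command -v wg >/dev/null || { echo "wg not found: install wireguard-tools" >&2; return 2; }
  mkdir -p "$dir"
  # umask 077 makes the redirect create the private key as 0600 from the start,
  # so there is no moment at which another local user could read it.
  ( umask 077 && wg genkey > "$dir/$name.key" )
  chmod 0400 "$dir/$name.key"
  wg pubkey < "$dir/$name.key" > "$dir/$name.pub"
  chmod 0644 "$dir/$name.pub"
  # Sanity-check what we produced before it goes into a config file.
  wg_key_valid "$(cat "$dir/$name.pub")" || { echo "unexpected public key format" >&2; return 1; }
  key_file_private "$dir/$name.key" || { echo "private key is not owner-only" >&2; return 1; }
}

# Usage (assumed paths, matching the tutorial's layout):
#   sudo bash -c '. ./wg-keys.sh; gen_keypair /etc/wireguard server'
#   sudo bash -c '. ./wg-keys.sh; gen_keypair /etc/wireguard/clients client1'
```

The public key is derived from the private key with wg pubkey exactly as in the tutorial; the only difference is that the private key file is created under umask 077 instead of being written by tee and tightened afterwards.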

Configure WireGuard Server on Rocky Linux 9

At this point, you need to configure the WireGuard server. First, you need to create and open a new wireguard server config file /etc/wireguard/wg0.conf with your favorite text editor, here we use the vi editor:

sudo vi /etc/wireguard/wg0.conf

Add the following content to the file:

[Interface]
# Wireguard Server private key - server.key
PrivateKey = ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=

# Wireguard interface will be run at 10.8.0.1
Address = 10.8.0.1/24

# Clients will connect to UDP port 51820
ListenPort = 51820

# Ensure any changes will be saved to the Wireguard config file
SaveConfig = true

Remember to change the ‘PrivateKey‘ to the WireGuard server private key ‘server.key‘.

Next, add the following lines to define the client-peer connection:

[Peer]
# Wireguard client public key - client1.pub
PublicKey = NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=

# VPN IP address this client is allowed to use as its source address
# a /32 pins the peer to one host; a subnet such as 172.16.100.0/24 can be
# listed (comma-separated) if the client routes that network behind it
AllowedIPs = 10.8.0.8/32

Be sure to change the ‘PublicKey‘ parameter with the client public key ‘client1.pub‘.

With the ‘AllowedIPs‘ parameter, you specify which source addresses the server accepts from this peer and which destinations it routes to it. In this example, only traffic from the address ‘10.8.0.8‘ is accepted over this peer connection. Additionally, you can also list an internal network subnet such as ‘172.16.100.0/24’ if that network sits behind the client and should be reachable through the WireGuard peer.

When you are done, save and close the file.

Enable IP Forwarding on Rocky Linux 9

At this point, you must enable IP forwarding on your server so that it can pass traffic between the WireGuard interface and the internet. To do this, open the following file with your favorite text editor, here we use vi:

sudo vi /etc/sysctl.conf

Add the following lines to the bottom of the file. These lines enable IP forwarding for both IPv4 and IPv6. If you do not need IPv6, disable that line by putting a comment ‘#‘ at the start of it.

# IP forwarding for IPv4
net.ipv4.ip_forward=1

# IP forwarding for IPv6
net.ipv6.conf.all.forwarding=1

When you are done, save and close the file.

Apply the changes by running the command below:

sudo sysctl -p
Output
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

For more information about IP Forwarding, you can visit this guide on How To Enable IP Forwarding in Linux.

Configure Firewall For WireGuard on Rocky Linux 9

First, you should check the default network interface that is used for internet access on the wireguard server. To do this, run the command below:

ip route show default
Output
default via ... dev eth0 proto ... metric 100

From our output, the WireGuard server uses interface eth0 for internet access. The interface name may differ on your server; use your own name in the rules below.

Next, open your Wireguard server config file again:

sudo vi /etc/wireguard/wg0.conf

Add the following lines under the ‘[Interface]‘ section:

PostUp = firewall-cmd --zone=public --add-masquerade
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

PostDown = firewall-cmd --zone=public --remove-masquerade
PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT
PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

When you are done, save and close the file.

Now you need to open the UDP port 51820 that will be used for wireguard clients:

sudo firewall-cmd --add-port=51820/udp --permanent

Reload the firewall to apply the changes:

sudo firewall-cmd --reload

Also, you can verify your firewall rules by using the command below:

sudo firewall-cmd --list-all
Output
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 51820/udp
 ...

Manage WireGuard Server on Rocky Linux 9

At this point, you can start and enable your WireGuard service on your server. To do this, run the following commands:

sudo systemctl start wg-quick@wg0.service
sudo systemctl enable wg-quick@wg0.service

Verify your WireGuard service is active and running on Rocky Linux 9:

sudo systemctl status wg-quick@wg0.service
Output
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor>
     Active: active (exited) since Tue 2023-02-21 03:16:16 EST; 36s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
   Main PID: 72668 (code=exited, status=0/SUCCESS)
        CPU: 829ms
...

Also, verify the interface ‘wg0’ that is created by the wireguard server via the following command:

ip a show wg0
Output
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state 
    link/none
    inet 10.8.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

Alternatively, you can bring the WireGuard interface up and down directly with the ‘wg-quick‘ utility provided by wireguard-tools:

sudo wg-quick up /etc/wireguard/wg0.conf
sudo wg-quick down /etc/wireguard/wg0.conf
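Once the interface is up, `wg show wg0 dump` prints the live peer table in a tab-separated form that is easy to audit. The script below is an added example, not part of the tutorial: it reads that dump and reports peers whose AllowedIPs on the server side is wider than a single host (the point made in the ‘AllowedIPs‘ discussion above), peers that have never completed a handshake, and peers whose last handshake is older than a threshold. A constructed sample dump is embedded so it runs without a live tunnel; the keys in it are the tutorial's example keys plus a placeholder for a second peer, and the endpoint, timestamps and counters are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): audit the peer table of a WireGuard
# interface from the output of `wg show <iface> dump`.
set -euo pipefail

# Constructed sample of `wg show wg0 dump`. Line 1 is the interface
# (private-key, public-key, listen-port, fwmark); each further line is a peer
# (public-key, preshared-key, endpoint, allowed-ips, latest-handshake epoch,
# rx bytes, tx bytes, persistent-keepalive). Values are made up for the example.
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' \
    'ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=' \
    'Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=' 51820 off
  # client1: pinned to one host, handshaked 100 s before the "now" used below
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=' '(none)' \
    '192.168.5.59:41641' '10.8.0.8/32' 1700000000 1024 2048 25
  # placeholder second peer: whole /24 allowed and never handshaked
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PLACEHOLDERpeer2keyxxxxxxxxxxxxxxxxxxxxxxx=' '(none)' \
    '(none)' '10.8.0.0/24' 0 0 0 off
}

# audit_peers NOW MAX_AGE < dump
# Prints one finding per line; returns 0 when there are no findings.
audit_peers() {
  local now="$1" max_age="$2" findings=0 line=0
  local pub psk endpoint allowed hs rx tx ka cidr age
  while IFS=$'\t' read -r pub psk endpoint allowed hs rx tx ka; do
    line=$((line + 1))
    [ "$line" -eq 1 ] && continue   # first line describes the interface itself
    # On the server, each allowed-ips entry should normally be a single host;
    # anything wider lets the peer source traffic from the whole range.
    for cidr in ${allowed//,/ }; do
      case "$cidr" in
        */32|*/128) ;;
        *) echo "WIDE_ALLOWED_IPS ${pub:0:8}... $cidr"; findings=$((findings + 1)) ;;
      esac
    done
    if [ "$hs" -eq 0 ]; then
      echo "NEVER_HANDSHAKED ${pub:0:8}..."
      findings=$((findings + 1))
    else
      age=$((now - hs))
      if [ "$age" -gt "$max_age" ]; then
        echo "STALE_HANDSHAKE ${pub:0:8}... age=${age}s"
        findings=$((findings + 1))
      fi
    fi
  done
  [ "$findings" -eq 0 ]
}

# Against a live interface (needs root):
#   sudo wg show wg0 dump | audit_peers "$(date +%s)" 180
# Against the constructed sample:
#   sample_dump | audit_peers 1700000100 180
```

With PersistentKeepalive = 25 on the client, a healthy peer rehandshakes every couple of minutes, so a threshold of about 180 seconds separates idle-but-connected peers from ones that have dropped off; run it from cron or a systemd timer and forward the findings to your logging pipeline.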

Set up WireGuard Client

At this point, we will set up the WireGuard client on a second Rocky Linux machine and then connect it to the WireGuard server.

First, you need to install the wireguard-tools package on your Rocky Linux client machine:

sudo dnf install wireguard-tools

Then, start and enable the ‘systemd-resolved‘ service by using the command below:

sudo systemctl start systemd-resolved
sudo systemctl enable systemd-resolved

Next, you need to set up the NetworkManager to use the ‘systemd-resolved‘ as the DNS backend. To do this, open the NetworkManager config file with your favorite text editor, here we use vi:

sudo vi /etc/NetworkManager/NetworkManager.conf

Add the ‘dns’ parameter to the ‘[main]‘ section as below.

[main]
dns=systemd-resolved

When you are done, save and close the file.

Next, run the following commands to remove the existing /etc/resolv.conf file and replace it with a symlink to the resolv.conf managed by systemd-resolved:

sudo rm -f /etc/resolv.conf
sudo ln -s /usr/lib/systemd/resolv.conf /etc/resolv.conf

Restart the NetworkManager service to apply the changes:

sudo systemctl restart NetworkManager

Now use the command below to create a new WireGuard client config file:

sudo vi /etc/wireguard/wg-client1.conf

Add the following content to the file:

[Interface]
# IP address for the client - must lie within the wg0 subnet on the WireGuard server
Address = 10.8.0.8/24

# Private key for the client - client1.key
PrivateKey = iICfUtMtAvTo+W73oQZRrMP7NSmxDxI2WnZtxtMRhGU=

# Run resolvectl command
PostUp = resolvectl dns %i 1.1.1.1 9.9.9.9; resolvectl domain %i ~.
PreDown = resolvectl revert %i

[Peer]
# Public key of the Wireguard server - server.pub
PublicKey = Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=

# Allow all traffic to be routed via Wireguard VPN
AllowedIPs = 0.0.0.0/0

# Public IP address of the Wireguard Server
Endpoint = 192.168.5.59:51820

# Sending Keepalive every 25 sec
PersistentKeepalive = 25

The IP address of the client must lie within the subnet of the WireGuard server's wg0 interface and match the AllowedIPs entry configured for this peer on the server. The WireGuard client will use the IP address ‘10.8.0.8’ in this example.

Use ‘AllowedIPs‘ to restrict which destinations are sent through the VPN peer: list specific subnets, or put 0.0.0.0/0 to tunnel all traffic over the VPN.

Specify the Endpoint parameter with the public IP address of the Wireguard server or you can also use a domain name.

When you are done, save and close the file.

Next, use the following command to start your WireGuard client service:

sudo wg-quick up wg-client1

Finally, run the commands below to confirm that the client machine can reach the WireGuard server's VPN address and the internet through the tunnel:

ping -c5 10.8.0.1
ping -c5 1.1.1.1

That’s it, you are done.

Conclusion

At this point, you have learned to Install and Configure WireGuard VPN Server and Client on Rocky Linux 9.
