Installing a WireGuard VPN Server on CentOS 8. Site-to-site VPN

WireGuard is a free open source software application and communications protocol that implements VPN techniques for creating secure point-to-point connections in routed or bridged configurations.

Setting up the main server

Add EPEL and Elrepo repositories

$ sudo dnf -y install epel-release elrepo-release

Checking whether the 8021q kernel module is loaded

$ sudo lsmod | grep 8021q
8021q                  40960  0
garp                   16384  1 8021q
mrp                    20480  1 8021q

If these lines are missing, load the module into the kernel

$ sudo modprobe 8021q

Installing WireGuard

$ sudo dnf makecache
$ sudo dnf install -y kmod-wireguard wireguard-tools

Generating the private and public keys (wg pubkey derives the public key from the private key it reads on stdin, so the two commands are chained)

$ wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Create the configuration file for the wg0 interface and restrict the access rights

$ sudo touch /etc/wireguard/wg0.conf
$ sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}

Enable IP forwarding

$ echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
$ echo "net.ipv4.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
$ echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
$ sudo sysctl --system

Open the port (we will use port 41321)

$ sudo firewall-cmd --permanent --zone=public --add-port=41321/udp
$ sudo firewall-cmd --reload

View the main server's private and public keys

$ sudo cat /etc/wireguard/privatekey
SMWUid073s000000000tvGgeN/Ow4BX9gsLqXFY=
$ sudo cat /etc/wireguard/publickey
RAalpQDMW000000000M761Vc56ugguVupB8ig=

Configuring the wg0 interface

$ sudo nano /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.30.1/24
# Do not let wg-quick overwrite this config on shutdown
SaveConfig = false
ListenPort = 41321
# Private Key of first Server
PrivateKey = SMWUid073scI+SyL/000000000000/Ow4BX9gsLqXFY=
PostUp = firewall-cmd --zone=public --add-port 41321/udp
PostUp = firewall-cmd --zone=public --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port 41321/udp
PostDown = firewall-cmd --zone=public --remove-masquerade

[Peer]
# Public Key of second Server
PublicKey = vQyGpGrxCog0000h87mFHLt3Nkb4aJcTieq/yIJJ3Y=
AllowedIPs = 172.16.30.2/32

WireGuard commands

$ sudo wg-quick up wg0
$ sudo wg-quick down wg0
$ sudo wg show wg0
interface: wg0
  public key: RAalpQD0000Z7fP5L000000000006ugguVupB8ig=
  private key: (hidden)
  listening port: 41321

Add the service to startup and start it

$ sudo systemctl enable --now wg-quick@wg0.service

Check that the interface has appeared and that the UDP port is listening

$ ip a
$ ss -nltup

Setting up a secondary server

Installation is done in the same way.

View the secondary server's private and public keys

$ sudo cat /etc/wireguard/privatekey
SNtUeP3cn700000000Zc0000pDi4MC1nl8AoR28=
$ sudo cat /etc/wireguard/publickey
vQyGpGrx00000000000000000cTieq/yIJJ3Y=

Configuring the wg0 interface

$ sudo nano /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.30.2/24
SaveConfig = true
ListenPort = 41321
# Private Key of second Server
PrivateKey = SNtUeP3cn7Y26zy0000Z00000000Di4MC1nl8AoR28=

[Peer]
# Public Key of first Server
PublicKey = RAalpQDMWkMZ7f0000sz00000000000gguVupB8ig=
AllowedIPs = 172.16.30.1/32
# Public IP address of the main server
Endpoint = 8.8.8.8:41321
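Both wg0.conf files above hold a private key and a small cryptokey-routing table, so a typo in either breaks the tunnel silently or exposes the key. The following bash/awk script is an added example, not part of this guide or of WireGuard itself: it checks a wg-quick config for file mode 600, exactly one [Interface] with a base64-encoded 32-byte PrivateKey, a valid ListenPort, and a PublicKey plus AllowedIPs for every [Peer], without needing the wg binary. The sample config it writes is constructed here; its key is the base64 of 32 zero bytes, which is syntactically valid but not a usable key. It assumes GNU or BSD stat and a base64 tool on the host.

```shell
#!/usr/bin/env bash
# Added example: lint a wg-quick config. Prints one finding per line and
# returns the number of FAIL lines (0 means the file passed).
wg_conf_check() {
    local conf="$1" errors=0 mode findings fails
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # The file contains PrivateKey, so it must not be group/world readable.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $conf has mode $mode; it holds a private key, use chmod 600"
           errors=$((errors + 1)) ;;
    esac

    findings=$(awk '
        function check_key(label, val) {
            # 32 raw bytes always encode to 44 base64 characters ending in "="
            if (length(val) != 44 || val !~ /^[A-Za-z0-9+\/]+=$/)
                print "FAIL: " label " is not a base64-encoded 32-byte key"
        }
        function end_section() {
            if (section == "Peer") {
                if (!("PublicKey" in kv)) print "FAIL: [Peer] #" peers " has no PublicKey"
                if (!("AllowedIPs" in kv)) print "FAIL: [Peer] #" peers " has no AllowedIPs"
            }
            if (section == "Interface" && !("PrivateKey" in kv)) print "FAIL: [Interface] has no PrivateKey"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        /^[ \t]*\[/ {                                  # section header
            end_section(); split("", kv)
            section = $0; gsub(/[^A-Za-z]/, "", section)
            if (section == "Peer") peers++
            else if (section == "Interface") interfaces++
            else print "FAIL: unknown section [" section "]"
            next
        }
        {                                              # key = value line
            eq = index($0, "=")
            if (eq == 0) { print "FAIL: line " NR " is not key = value"; next }
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            kv[key] = val
            if (section == "Interface" && key == "PrivateKey") check_key("PrivateKey", val)
            if (section == "Peer" && key == "PublicKey") check_key("[Peer] #" peers " PublicKey", val)
            if (key == "ListenPort" && (val !~ /^[0-9]+$/ || val + 0 < 1 || val + 0 > 65535))
                print "FAIL: ListenPort \"" val "\" is not a valid UDP port"
            if (key == "AllowedIPs" && val ~ /(^|,)[ \t]*0\.0\.0\.0\/0/)
                print "WARN: [Peer] #" peers " routes all IPv4 traffic into the tunnel"
        }
        END {
            end_section()
            if (interfaces != 1) print "FAIL: expected one [Interface] section, found " interfaces + 0
            if (peers == 0) print "FAIL: no [Peer] section, nothing is allowed through the interface"
        }' "$conf")

    [ -n "$findings" ] && echo "$findings"
    fails=$(printf '%s\n' "$findings" | grep -c '^FAIL' || true)
    errors=$((errors + fails))
    [ "$errors" -eq 0 ] && echo "OK: $conf passed"
    return "$errors"
}

# Writes a constructed wg0.conf shaped like the first server's file in the guide.
# The key is base64 of 32 zero bytes: syntactically valid, NOT a usable key.
write_sample_conf() {
    local path="$1" zero_key
    zero_key=$(head -c 32 /dev/zero | base64)
    cat > "$path" <<EOF
[Interface]
Address = 172.16.30.1/24
SaveConfig = false
ListenPort = 41321
PrivateKey = $zero_key

[Peer]
PublicKey = $zero_key
AllowedIPs = 172.16.30.2/32
EOF
    chmod 600 "$path"
}

# Stand-alone demo: a good file passes, the same file made world-readable fails.
demo=$(mktemp)
write_sample_conf "$demo"
wg_conf_check "$demo"
chmod 644 "$demo"
wg_conf_check "$demo" || echo "(rejected as expected, exit status $?)"
rm -f "$demo"
```

Run it as `wg_conf_check /etc/wireguard/wg0.conf` on each server. AllowedIPs is both the access list and the routing table for a peer: the /32 entries above only pass the tunnel addresses themselves, so any LAN prefix behind a peer that should cross the tunnel has to be listed there as well, and the script warns when a peer is given 0.0.0.0/0.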

Add the service to startup and start it

$ sudo systemctl enable --now wg-quick@wg0.service

Or use the WireGuard control commands

$ sudo wg-quick up wg0
$ sudo wg-quick down wg0
$ sudo wg show wg0