Set Up WireGuard VPN on CentOS (Server and Client)

WireGuard is a simple, fast and secure VPN built on modern cryptography (the Noise framework with Curve25519, ChaCha20-Poly1305 and BLAKE2s). With a small source code footprint it aims to be faster and leaner than VPN protocols such as OpenVPN and IPsec. It has been part of the mainline Linux kernel since 5.6; on CentOS 7's older kernel it is supplied as an out-of-tree module, which is what the ELRepo package below provides.

Configuring WireGuard is about as simple as setting up SSH keys. A connection is established by exchanging public keys between server and client: only a client whose public key is listed in the server's configuration file can connect, and private keys never leave the host that generated them. WireGuard creates standard network interfaces (wg0, wg1, ...) that behave much like an ordinary eth0, so they can be configured and managed with the usual tools such as ip and ifconfig.

This guide configures a simple peer connection between a CentOS server and a CentOS client. Installation is identical on both hosts; only the configuration files differ, and those are covered in detail below.

Install WireGuard

  1. Update your package index:
sudo yum update
  2. Install and enable the EPEL and ELRepo repositories (the WireGuard project's own CentOS 7 instructions also install yum-plugin-elrepo at this point):
sudo yum install epel-release elrepo-release
  3. Install the WireGuard kernel module, the userspace tools and ufw:
sudo yum install kmod-wireguard wireguard-tools ufw
  4. Install the kernel headers:
sudo yum install kernel-headers

Lastly, reboot the VM so the newly installed kernel module can be loaded:

sudo reboot

and then login again.

Configure WireGuard Server

  1. One of the best things about WireGuard is that its security is based on SSH-like key pairs, so the first thing to do is generate a private/public key pair for the WireGuard server:
$ mkdir ~/.wireguard
$ cd ~/.wireguard
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey

This saves both keys to ~/.wireguard (the umask makes the files readable only by you); they can be viewed with cat privatekey and cat publickey respectively.
  2. Next, print the newly generated private key:

cat privatekey

The command prints a 44-character base64 string. You will generate a key pair on both the server and the client. A private key is only ever pasted into the wg0.conf of the host that generated it; the public keys are what the two hosts exchange (the server's config needs the client's public key, the client's config needs the server's).
  3. Copy that string to your clipboard and create the WireGuard configuration file (nano is used here, but any editor will do):

sudo nano /etc/wireguard/wg0.conf
  4. In that file, paste the following:
[Interface]
Address = 10.0.0.1/24
ListenPort = 41194
PrivateKey = SERVER_PRIVATE_KEY
  • Address is the private (tunnel) IPv4 address of the WireGuard server, written with the prefix length of the VPN subnet (10.0.0.0/24 here). Each peer in the VPN needs a unique address in that subnet; an IPv6 address can be added as a second comma-separated value.
  • ListenPort is the UDP port WireGuard listens on for incoming handshakes. The WireGuard default is 51820; any free port works.
  • PrivateKey is the server's private key. Because it is stored in this file, keep /etc/wireguard/wg0.conf readable by root only (mode 600).

NOTE: If you run several WireGuard interfaces on one host (wg0, wg1, ...), each needs its own ListenPort, and each port must be opened in the firewall.

Now, save and close the file.

Set up UFW firewall rules to open required ports

CentOS ships with firewalld, and ufw (installed above from EPEL) programs the same netfilter rules, so run only one of them: stop and disable firewalld before enabling ufw, or keep firewalld and open 41194/udp with firewall-cmd instead of the ufw commands below.

$ sudo ufw default allow outgoing
$ sudo ufw allow 41194/udp
$ sudo ufw status

If ufw is inactive, enable it with:

sudo ufw enable

Enable and start WireGuard Service

Enable the WireGuard service at boot time with systemctl:

sudo systemctl enable wg-quick@wg0

Start the service, execute:

sudo systemctl start wg-quick@wg0

Get the service status, run:

sudo systemctl status wg-quick@wg0

Note: you can bring the wg0 interface down with sudo systemctl stop wg-quick@wg0.

Verify that interface named wg0 is up and running on CentOS server using the following command:

$ sudo wg
$ sudo ip a show wg0

Wireguard Client

The process for setting up a client is the same as for the server. When the client also runs CentOS, the only difference is the contents of the configuration file, so follow the installation steps above and then the steps in this section.

  1. Generate a key pair for the client:
$ mkdir ~/.wireguard
$ cd ~/.wireguard
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey
  2. Next, print the newly generated private key:
cat privatekey
  3. Copy that string to your clipboard and create the WireGuard configuration file (nano is used here, but any editor will do):
sudo nano /etc/wireguard/wg0.conf
  4. In that file, paste the following:
[Interface]
Address = 10.0.0.2/32
PrivateKey = CLIENT_PRIVATE_KEY

Connect the Client and Server

wg-quick reads wg0.conf only when the interface is brought up, so stop the interface on the server (and on the client, if you have already started it there) before editing:

sudo systemctl stop wg-quick@wg0
  1. Edit the client's wg0.conf and add a [Peer] section with the server's public key, public IP address and ListenPort. AllowedIPs on the client is the set of destinations routed through the tunnel (the whole VPN subnet here), and PersistentKeepalive keeps the NAT mapping alive when the client sits behind NAT:
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:41194
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 15
  2. Edit the server's wg0.conf and add a [Peer] section with the client's public key. No Endpoint is needed because the client initiates the connection. AllowedIPs must be the client's tunnel address as a /32 host route: it is both the list of source addresses accepted from this peer and the route to it, so a /0 here would accept any source from the client and send all of the server's traffic to it:
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
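
The two configuration files above, rendered and checked from the shell. This is an added example, not part of the original guide or of the WireGuard project: it renders a server and a client wg0.conf from the values used in this guide and then lints them for the mistakes that most often leave a tunnel weak or broken, namely a world-readable file holding the private key, template placeholders that were never replaced, malformed keys, and a server-side AllowedIPs that is not a /32 host route. The keys are random placeholders of the right shape (not wg genkey output, and the public keys are not derived from the private ones), 203.0.113.10 is a placeholder endpoint, and the files go to a temporary directory instead of /etc/wireguard.

```shell
#!/bin/sh
# Added example (not from the guide or the WireGuard project): render the
# server/client wg0.conf pair used above and lint it before `wg-quick up`.
# Placeholders: fake_key makes 32 random bytes in base64 (same shape as a
# WireGuard key, but not a usable key pair) and 203.0.113.10 stands in for
# the server's public IP.

fake_key() { head -c 32 /dev/urandom | base64; }

# render_server_conf PRIVKEY PORT CLIENT_PUBKEY CLIENT_ALLOWED_IPS
render_server_conf() {
  printf '[Interface]\nAddress = 10.0.0.1/24\nListenPort = %s\nPrivateKey = %s\n\n' "$2" "$1"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$3" "$4"
}

# render_client_conf PRIVKEY SERVER_PUBKEY SERVER_ENDPOINT
render_client_conf() {
  printf '[Interface]\nAddress = 10.0.0.2/32\nPrivateKey = %s\n\n' "$1"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 10.0.0.0/24\nPersistentKeepalive = 15\n' "$2" "$3"
}

# lint_conf FILE ROLE   (ROLE is "server" or "client")
# Prints one line per finding; returns the number of findings (0 = clean).
lint_conf() {
  file=$1 role=$2 n=0
  # 1. The file carries a private key, so nobody but root may read it.
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case $mode in
    600|400) ;;
    *) echo "$file: mode $mode, should be 600 (file contains PrivateKey)"; n=$((n+1)) ;;
  esac
  # 2. Placeholders copied from a template and never replaced.
  if grep -Eq 'SERVER_PRIVATE_KEY|CLIENT_PRIVATE_KEY|SERVER_PUBLIC_KEY|CLIENT_PUBLIC_KEY|SERVER_PUBLIC_IP' "$file"; then
    echo "$file: template placeholder left in"; n=$((n+1))
  fi
  # 3. Every key is 32 bytes of base64: 43 characters followed by one '='.
  for k in $(sed -nE 's/^[[:space:]]*(PrivateKey|PublicKey)[[:space:]]*=[[:space:]]*//p' "$file"); do
    echo "$k" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || { echo "$file: malformed key $k"; n=$((n+1)); }
  done
  # 4. On the server, a peer's AllowedIPs is both an ACL on source addresses
  #    and a routing-table entry. A /0 (for example 10.0.0.2/0) would accept
  #    any source from that client and route all traffic to it. For the
  #    one-subnet layout in this guide, each client must be a /32.
  if [ "$role" = server ]; then
    for cidr in $(sed -nE 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$file" | tr ',' ' '); do
      case $cidr in
        */32) ;;
        *) echo "$file: server-side AllowedIPs $cidr is not a /32 host route"; n=$((n+1)) ;;
      esac
    done
  fi
  [ "$n" -eq 0 ] && echo "$file: ok"
  return "$n"
}

# Demo on constructed files (stand-ins for /etc/wireguard/wg0.conf on each host).
WG_DEMO=$(mktemp -d)
umask 077                                   # as in the guide: new files are 0600
S_PRIV=$(fake_key) S_PUB=$(fake_key) C_PRIV=$(fake_key) C_PUB=$(fake_key)
render_server_conf "$S_PRIV" 41194 "$C_PUB" 10.0.0.2/32 > "$WG_DEMO/server.conf"
render_client_conf "$C_PRIV" "$S_PUB" 203.0.113.10:41194 > "$WG_DEMO/client.conf"
# A broken server config: /0 where a /32 host route was meant, and world-readable.
render_server_conf "$S_PRIV" 41194 "$C_PUB" 10.0.0.2/0 > "$WG_DEMO/bad.conf"
chmod 644 "$WG_DEMO/bad.conf"
lint_conf "$WG_DEMO/server.conf" server
lint_conf "$WG_DEMO/client.conf" client
lint_conf "$WG_DEMO/bad.conf" server || echo "bad.conf: $? finding(s)"
```

On a real host, run lint_conf /etc/wireguard/wg0.conf server (or client) as root before starting wg-quick@wg0; the check for /32 routes is specific to this guide's one-subnet layout and should be relaxed for a site-to-site setup where a whole LAN sits behind a peer.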

On both hosts, enable and start the interface:

$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
$ sudo systemctl status wg-quick@wg0

Then run sudo wg on either host; the peer section of its output should end with two lines similar to:

latest handshake: 1 minute, 17 seconds ago
transfer: 98.86 KiB received, 43.08 KiB sent

This indicates that you now have a private connection between the server and client. You can also ping the client from the server to verify that the connection works both ways.

Verification

That is all. Both CentOS hosts should now be connected over the WireGuard tunnel. Test the connection from the client machine:

$ ping 10.0.0.1
$ sudo wg
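
The "latest handshake" line shown earlier and the sudo wg check above, turned into a pass/fail test. This is an added example, not from the guide or the WireGuard project: a shell function reads the output of wg show wg0 latest-handshakes (one line per peer: public key, a tab, and the Unix time of the last handshake, 0 if there has never been one), classifies each peer as up, stale or never-connected against an age threshold, and returns the number of peers that are down so the result can drive a monitor or a restart. The peer keys and timestamps in the sample are constructed; the 120 s rekey and 180 s reject timers are WireGuard protocol constants.

```shell
#!/bin/sh
# Added example (not from the guide or the WireGuard project): turn the
# "latest handshake" line into a pass/fail check. `wg show wg0 latest-handshakes`
# prints one "<peer public key><TAB><unix time of last handshake>" line per
# peer, with 0 for a peer that has never completed a handshake. WireGuard
# renegotiates a session at most every 120 s while data flows and rejects a
# session after 180 s, so with PersistentKeepalive set, a handshake older than
# 180 s means the peer is unreachable even though `ip a` still shows wg0 up.

# peer_status LAST_HANDSHAKE NOW MAX_AGE -> prints up | stale | never
peer_status() {
  if [ "$1" -eq 0 ]; then echo never
  elif [ $(( $2 - $1 )) -le "$3" ]; then echo up
  else echo stale
  fi
}

# check_handshakes NOW MAX_AGE  (reads `wg show <if> latest-handshakes` on stdin)
# Prints "<status> <peer> age=<seconds>" per peer; returns the number of
# peers that are not up, so it can drive a monitoring alert or a restart.
check_handshakes() {
  now=$1 max=$2 down=0
  while read -r peer last; do
    [ -n "$peer" ] || continue
    st=$(peer_status "$last" "$now" "$max")
    if [ "$last" -eq 0 ]; then age=-; else age=$((now - last)); fi
    printf '%-5s %s age=%s\n' "$st" "$peer" "$age"
    [ "$st" = up ] || down=$((down + 1))
  done
  return "$down"
}

# Real use (not run here): check the live interface against the clock.
check_live() { wg show "${1:-wg0}" latest-handshakes | check_handshakes "$(date +%s)" 180; }

# Constructed sample: three peers and a frozen clock. Peer keys are placeholders.
NOW_DEMO=1700000100
SAMPLE=$(printf 'peerA_pubkey=\t1700000000\npeerB_pubkey=\t1699999000\npeerC_pubkey=\t0\n')
printf '%s\n' "$SAMPLE" | check_handshakes "$NOW_DEMO" 180 || echo "$? peer(s) not up"
```

Run check_live (or check_live wg1) from cron or a monitoring agent; a non-zero exit means at least one peer has not completed a handshake within the last three minutes, which with a 15 s keepalive points at a blocked UDP port, a wrong Endpoint, or a public key that does not match the peer's config.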

Conclusion

Congratulations! You have set up a WireGuard VPN server on CentOS and connected a peer (client machine) to it. For more information, read the WireGuard project documentation.