
How To Configure WireGuard VPN on Rocky Linux 8

source link: https://computingforgeeks.com/how-to-configure-wireguard-vpn-on-rocky-linux/

WireGuard is a free, open-source VPN that uses state-of-the-art cryptography. WireGuard peers connect to each other directly; in the server-client layout used in this guide, the WireGuard server is the peer responsible for routing the clients' traffic to the defined networks.

This guide will discuss how to set up WireGuard VPN server on Rocky Linux 8.

Install WireGuard VPN Server on Rocky Linux 8

The steps below highlight how to install WireGuard VPN server on Rocky Linux 8.

Step 1. Install EPEL and ELRepo Release

Install the EPEL and ELRepo release packages on Rocky Linux 8. These add the repositories that provide the WireGuard packages, which are not available in the default Rocky Linux repos.

sudo dnf install epel-release elrepo-release -y

Step 2. Install WireGuard VPN server on Rocky Linux 8

Install WireGuard and the required dependencies as below:

$ sudo yum install kmod-wireguard wireguard-tools
ELRepo.org Community Enterprise Linux Repository - el8                                                                                        15 kB/s | 272 kB     00:18    
Dependencies resolved.
=============================================================================================================================================================================
 Package                                   Architecture                     Version                                                   Repository                        Size
=============================================================================================================================================================================
Installing:
 kmod-wireguard                            x86_64                           4:1.0.20210606-1.el8_4.elrepo                             elrepo                           110 k
 wireguard-tools                           x86_64                           1.0.20210424-1.el8                                        epel                             125 k

Transaction Summary
=============================================================================================================================================================================
Install  2 Packages

Total download size: 235 k
Installed size: 641 k
Is this ok [y/N]: y

Step 3. Configure WireGuard VPN on Rocky Linux 8

Once the packages are installed, the next step is to configure the WireGuard VPN server on Rocky Linux 8.

Create a WireGuard working directory, where WireGuard shall store the configuration files.

sudo mkdir /etc/wireguard

Step 4. Generate WireGuard Keys

We will need to generate public and private keys for WireGuard.

Generate Private keys for WireGuard

Use the wg genkey command to generate WireGuard private keys.

To generate the key, use the command below. The umask of 077 is set first so that the key file is created readable by root only; piping umask into wg genkey, as is sometimes shown, has no effect because umask is a shell builtin.

umask 077; wg genkey | sudo tee /etc/wireguard/wireguard.key

Confirm that the file has been written to the above path:

[root@Rocky ~]# cat /etc/wireguard/wireguard.key 
6Eh08BtDiAqkTJ0rC6AbXi+UXyg+ZZoDU4n/ariG2Hg=

Generate Public keys for Wireguard

Generate a public key from the private key created in the previous step.

wg pubkey < /etc/wireguard/wireguard.key > /etc/wireguard/wireguard.pub.key

Verify the contents of the public key file.

[root@Rocky ~]# cat /etc/wireguard/wireguard.pub.key 
BXfVP+JcQbwZUkhHtVJQIVEOw4oXM1fj1FDkC1f0ais=

Step 5. Create Network Configuration for WireGuard

Create the network configuration for WireGuard as below. Replace <SERVER-PRIVATE-KEY> with the contents of /etc/wireguard/wireguard.key, and eth0 with the name of your server's public-facing interface if it differs.

$ sudo vim /etc/wireguard/wg0.conf
[Interface]
Address = 10.10.10.1/24
SaveConfig = true
ListenPort = 51820
DNS = 8.8.8.8,10.10.10.1
PrivateKey = <SERVER-PRIVATE-KEY>
PostUp = firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --remove-port=51820/udp; firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

Step 6. Enable IP Forwarding on Rocky Linux 8

Enable IP forwarding on Rocky Linux to allow packet routing for the VPN clients to the required destinations.

Add the line net.ipv4.ip_forward = 1 to the file /etc/sysctl.conf.

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf

Reload the sysctl settings:

sudo sysctl -p

Step 7. Start WireGuard VPN Server

Start the WireGuard VPN server using the wg-quick tool.

[root@Rocky ~]# sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] mount `8.8.8.8 10.10.10.1' /etc/resolv.conf
[#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
success
success
success
success

Verify that the WireGuard interface is up.

[root@Rocky ~]# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.10.10.1  netmask 255.255.255.0  destination 10.10.10.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

You can also manage the WireGuard service using systemd.

To start the service:

sudo systemctl start wg-quick@wg0

To check the status of the service:

[root@Rocky ~]# systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; vendor preset: disabled)
   Active: active (exited) since Thu 2021-08-12 18:41:23 EDT; 3s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 76862 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
 Main PID: 76862 (code=exited, status=0/SUCCESS)

Aug 12 18:41:19 Rocky wg-quick[76862]: [#] ip link add wg0 type wireguard
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] wg setconf wg0 /dev/fd/63
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] ip -4 address add 10.10.10.1/24 dev wg0
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] ip link set mtu 1420 up dev wg0
Aug 12 18:41:19 Rocky wg-quick[76862]: [#] firewall-cmd --add-port=51820/udp; firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j 
Aug 12 18:41:20 Rocky wg-quick[76862]: success
Aug 12 18:41:21 Rocky wg-quick[76862]: success
Aug 12 18:41:22 Rocky wg-quick[76862]: success
Aug 12 18:41:23 Rocky wg-quick[76862]: success
Aug 12 18:41:23 Rocky systemd[1]: Started WireGuard via wg-quick(8) for wg0.

Setup WireGuard Client on Rocky Linux 8

After successfully configuring the WireGuard server, we now configure the WireGuard client on another Rocky Linux 8 machine.

Install the WireGuard packages on the Rocky Linux client

dnf install epel-release elrepo-release -y
dnf install kmod-wireguard wireguard-tools -y

Set up the private and public keys for the Rocky Linux client machine. The umask of 077 keeps the private key file readable by root only:

sudo su -
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

Configure the WireGuard interface for the Rocky Linux client

$ sudo vi /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <Client-private-key>
Address = 10.10.10.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = <server-ip-address>:51820
AllowedIPs = 0.0.0.0/0

Replace the placeholders in the above configuration: PrivateKey with the client's /etc/wireguard/privatekey, PublicKey with the server's /etc/wireguard/wireguard.pub.key, and Endpoint with the server's public IP address.

On the VPN server, run the command below to add the client as a peer. The allowed-ips value must be the client's tunnel address from its wg0.conf (10.10.10.2): WireGuard uses AllowedIPs both as its routing table and as a source-address filter, so packets from an address that is not listed are dropped. Because the server's wg0.conf has SaveConfig = true, the peer is written back to the file when the interface is brought down.

sudo wg set wg0 peer <client-public-key> allowed-ips 10.10.10.2/32
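The two mistakes this procedure most often produces are a placeholder left in PrivateKey and a server-side allowed-ips that does not match the client's Address. The following checker, added here as an example and not part of the guide or of WireGuard's own tooling, parses a server and a client wg0.conf and cross-checks them; the embedded configs are constructed samples (the server key is the one printed above, the client public key is a made-up placeholder).

```python
import base64
import ipaddress

SERVER_CONF = """[Interface]
Address = 10.10.10.1/24
PrivateKey = 6Eh08BtDiAqkTJ0rC6AbXi+UXyg+ZZoDU4n/ariG2Hg=
[Peer]
PublicKey = %s
AllowedIPs = 10.0.0.2/32
""" % base64.b64encode(bytes(range(32))).decode()  # constructed sample; the client key is a placeholder, not a real one
CLIENT_CONF = """[Interface]
PrivateKey = <Client-private-key>
Address = 10.10.10.2/24
[Peer]
PublicKey = BXfVP+JcQbwZUkhHtVJQIVEOw4oXM1fj1FDkC1f0ais=
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""  # constructed sample shaped like the guide's client wg0.conf, with its placeholder left unfilled

def parse_wg_conf(text):  # minimal wg-quick INI parser: keeps every [Peer], lower-cases keys, drops '#' comments
    interface, peers, section = {}, [], None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.lower() == "[interface]":
            section = interface
        elif line.lower() == "[peer]":
            peers.append(section := {})  # a new dict per [Peer] section
        elif line:
            key, _, value = line.partition("=")  # first '=' only: PostUp values themselves contain '='
            section[key.strip().lower()] = value.strip()
    return interface, peers

def is_valid_key(value):  # a WireGuard key is 32 bytes of Curve25519 material, base64-encoded to 44 chars
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error raised on malformed base64 is a ValueError subclass
        return False

def check_pair(server_conf, client_conf):  # problems that would stop this client from reaching this server
    s_if, s_peers = parse_wg_conf(server_conf)
    c_if, _ = parse_wg_conf(client_conf)
    problems = [side + ": PrivateKey is not a 32-byte base64 key (placeholder still in place?)"
                for side, cfg in (("server", s_if), ("client", c_if))
                if not is_valid_key(cfg.get("privatekey", ""))]
    net, ip = ipaddress.ip_interface(s_if["address"]).network, ipaddress.ip_interface(c_if["address"]).ip
    if ip not in net:
        problems.append("client %s is outside the server subnet %s" % (ip, net))
    if not any(ip in ipaddress.ip_network(n.strip(), strict=False)  # AllowedIPs is wg's routing table and
               for p in s_peers for n in p.get("allowedips", "").split(",") if n.strip()):  # source filter
        problems.append("no server [Peer] AllowedIPs covers %s, so its packets would be dropped" % ip)
    return problems
```

Running check_pair on the samples as written reports both mistakes; with the placeholder replaced and AllowedIPs set to 10.10.10.2/32 it returns an empty list.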

On the client machine, start the WireGuard interface with the command below:

$ sudo wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

The client is now connected to the VPN server, and because its AllowedIPs is 0.0.0.0/0, all of its IPv4 traffic is routed through the tunnel.

Conclusion

WireGuard is an enterprise-class, open-source VPN solution that is easy to set up and manage. We have successfully configured a WireGuard VPN server on Rocky Linux 8. Feel free to get in touch in case you encounter challenges during your deployment. Cheers!
