Install Wireguard on CentOS 7/8 | Server Setup

This article demonstrates how to install Wireguard on CentOS 7.

Install the packages:

yum install epel-release elrepo-release
yum install kmod-wireguard wireguard-tools

Execute the following commands to generate the keys:

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey

The above commands write the public key to “/etc/wireguard/publickey” and the corresponding private key to “/etc/wireguard/privatekey”.

Put the following content into “/etc/wireguard/wg0.conf” where “” is your server’s local IP address. Ignore NAT for now. Obviously the following assumes you’re using FirewallD.

Address =
SaveConfig = true
ListenPort = 51820
PostUp     = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown   = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade

TIP: Make sure your network-based firewall allows UDP port 51820.

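Restrict permissions on the private key and the configuration file, which were created under the default umask and may be readable by other users until this is done: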

chmod 600 /etc/wireguard/{privatekey,wg0.conf}

Open your “/etc/wireguard/wg0.conf” and replace the string that looks like this:


With your private key found in your “/etc/wireguard/privatekey” file.
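The permission and key steps above can be checked before the interface is started. The following is an added example, not part of the original article: the function name audit_wg_dir is hypothetical, and it assumes the file names used in this guide (privatekey, publickey, wg0.conf) and GNU stat.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit a WireGuard directory.
# Usage on the server from this guide: audit_wg_dir /etc/wireguard wg0
# Prints one line per finding and returns the number of findings (0 = clean).
audit_wg_dir() {
    local dir=$1 iface=${2:-wg0} problems=0 f mode key
    local conf="$dir/$iface.conf"

    # Files holding the private key must be readable by the owner only.
    for f in "$dir/privatekey" "$conf"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; problems=$((problems + 1)); continue
        fi
        mode=$(stat -c '%a' "$f")    # GNU stat, as shipped with CentOS
        case $mode in
            600|400) ;;
            *) echo "PERMS    $f is mode $mode, expected 600"
               problems=$((problems + 1)) ;;
        esac
    done
    [ -f "$conf" ] || return "$problems"

    # Pull the PrivateKey value out of the config (first occurrence).
    key=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$conf" |
          head -n 1 | tr -d '[:space:]')

    # A WireGuard key is 32 bytes, i.e. 43 base64 characters plus one "=".
    if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "BADKEY   PrivateKey in $conf is missing or malformed"
        problems=$((problems + 1))
    elif [ -f "$dir/publickey" ] &&
         [ "$key" = "$(tr -d '[:space:]' < "$dir/publickey")" ]; then
        # Catches the easy mistake of pasting the public key here.
        echo "PUBKEY   PrivateKey in $conf is the contents of publickey"
        problems=$((problems + 1))
    elif [ -f "$dir/privatekey" ] &&
         [ "$key" != "$(tr -d '[:space:]' < "$dir/privatekey")" ]; then
        echo "MISMATCH PrivateKey in $conf differs from $dir/privatekey"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

A return value of 0 means both files are owner-only and the PrivateKey line holds the generated private key.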

Start the Wireguard interface:

wg-quick up wg0

If you get the following error, it’s probably because you’re missing the “kmod-wireguard” package which comes from the “elrepo-release” repo:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 8921 up dev wg0
[#] firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade

Then confirm at the IP layer using “ip addr”. You should have an interface similar to the following:

7: wg0:  mtu 8921 qdisc noqueue state UNKNOWN group default qlen 1000
    inet scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fe80::4ddd:6a69:80b3:e98/64 scope link flags 800 
       valid_lft forever preferred_lft forever

You can bring “down” the Wireguard interface using this command:

wg-quick down wg0

You can also use systemd to start and stop the Wireguard server:

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

This completes the first stage.

Some help writing this article was found at “”.