Install Wireguard on CentOS 7/8 | Server Setup

This article demonstrates how to install Wireguard on CentOS 7.

Install the packages:

yum install epel-release elrepo-release
yum install kmod-wireguard wireguard-tools

Execute the following commands to generate the keys:

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey

The above commands write the public key to “/etc/wireguard/publickey” and the corresponding private key to “/etc/wireguard/privatekey”.

Put the following content into “/etc/wireguard/wg0.conf”, where “172.31.0.2/24” is your server’s local IP address. Ignore NAT for now. Obviously the following assumes you’re using FirewallD.

[Interface]
Address = 172.31.0.2/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp     = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown   = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade

TIP: Make sure your network-based firewall allows UDP port 51820.

Correct some permissions:

chmod 600 /etc/wireguard/{privatekey,wg0.conf}

Open your “/etc/wireguard/wg0.conf” and replace the string that looks like this:

SERVER_PRIVATE_KEY

With your private key found in your “/etc/wireguard/privatekey” file.

Start the Wireguard interface:

wg-quick up wg0

If this command fails with an error, it’s probably because you’re missing the “kmod-wireguard” package, which comes from the “elrepo-release” repo. A successful start produces output like the following:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.31.0.2/24 dev wg0
[#] ip link set mtu 8921 up dev wg0
[#] firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
success
success

Then confirm at the IP layer using “ip addr”. You should have an interface similar to the following:

7: wg0:  mtu 8921 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 172.31.0.2/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fe80::4ddd:6a69:80b3:e98/64 scope link flags 800 
       valid_lft forever preferred_lft forever

You can bring “down” the Wireguard interface using this command:

wg-quick down wg0

You can also use SystemD to start and stop the Wireguard server:

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

This completes the first stage.
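
The permission and key-replacement steps above can be checked before running “wg-quick up wg0”. The following shell function is an added example, not part of the original article; the name check_wg_conf and the sample values in the demo are assumptions made for illustration. It verifies that the config is not accessible to group or others, that the SERVER_PRIVATE_KEY placeholder was replaced with a well-formed key, and that the public key was not pasted in by mistake.

```sh
#!/bin/sh
# Added example, not from the original article. check_wg_conf is a
# hypothetical helper name; run it before "wg-quick up wg0".
# Usage: check_wg_conf /etc/wireguard/wg0.conf [/etc/wireguard/publickey]
check_wg_conf() {
    conf=$1 pubfile=${2:-} rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    # The file holds the private key, so group/other must have no access
    # (columns 5-10 of the ls mode string), which is what chmod 600 gives.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $conf is accessible to group/other, expected mode 600"; rc=1
    fi

    # Value after "PrivateKey =" (first match, surrounding whitespace removed).
    key=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$conf" \
          | head -n 1 | tr -d '[:space:]')

    if [ "$key" = "SERVER_PRIVATE_KEY" ]; then
        echo "FAIL: placeholder SERVER_PRIVATE_KEY was never replaced"; rc=1
    elif ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        # A WireGuard key is 32 bytes: 44 base64 characters ending in "=".
        echo "FAIL: PrivateKey is not a 44-character base64 key"; rc=1
    elif [ -n "$pubfile" ] && [ -r "$pubfile" ] &&
         [ "$key" = "$(tr -d '[:space:]' < "$pubfile")" ]; then
        # Catches pasting the contents of publickey instead of privatekey.
        echo "FAIL: PrivateKey equals the public key in $pubfile"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Demo on a constructed config (sample values, not real keys).
demo=$(mktemp -d)
printf '[Interface]\nAddress = 172.31.0.2/24\nPrivateKey = SERVER_PRIVATE_KEY\n' \
    > "$demo/wg0.conf"
chmod 600 "$demo/wg0.conf"
check_wg_conf "$demo/wg0.conf" || echo "(expected: placeholder still present)"
rm -rf "$demo"
```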

Some help writing this article was found at “https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-centos-8/”.
