Installing and Configuring WireGuard on CentOS 8
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
What is WireGuard?
WireGuard® is a next-generation security-focused Virtual Private Network (VPN) which can easily be deployed on low-end devices, like Raspberry Pi, to high-end servers.
WireGuard was written by top Linux developer Jason A. Donenfeld as a new approach to VPNs. Beloved by Linux founder Linus Torvalds, WireGuard was merged into the Linux kernel 5.6 in March 2020.
Advantages:
Agility: WireGuard can connect even when you are roaming across networks in situations where other VPN protocols fail.
Security: WireGuard can be managed with very few lines of code(about 4,000) and it is much easier to debug and more performant than its rivals, such as OpenVPN (which has over 100,000 lines of code). While simpler than its competition, it supports modern cryptography technologies such as:
- Noise protocol framework
- Curve25519
- ChaCha20
- Poly1305
- BLAKE2
- SipHash24, and HKD.
- It is also compatible with Linux’s built-in cryptographic subsystem.
Speed: WireGuard uses fast cryptography code. Tests show WireGuard is the fastest VPN protocol.
Cross-platform use: Many VPN services, such as NordVPN, SurfShark, and Private Internet Access now support WireGuard. Native WireGuard VPN clients are also available on numerous operating systems including Android, iOS, FreeBSD, macOS, OpenBSD, and Windows.
How Does Wireguard Work?
WireGuard works by securely encapsulating IP packets over UDP. WireGuard adds a network interface, lime eth0
or wlan0
under the name wg0
and so on. You configure these with your private key and your peers’ public keys. This network interface can then be configured with the usual Linux networking utilities such as ifconfig(8)
; ip-address(8)
; route(8)
and ip-route(8)
. WireGuard specific aspects are configured using the
wg(8) tool. All key distribution and pushed configuration issues are out of WireGuard’s scope.
Configuring WireGuard is as simple as setting up SSH. A connection is established by an exchange of public keys between server and client. Only a client that has its public key in its corresponding server configuration file is allowed to connect.
Before You Begin
- Deploy a Linode running CentOS 8.
- Add a limited user account with
sudo
privileges to your Linode. - Set your system’s hostname.
Install WireGuard
There are many ways to install WireGuard. The simplest way is to use the ELRepo’s pre-built module.
NoteELRepo is a community repository for Red Hat Enterprise Linux (RHEL) style distributions such as CentOS. It focuses on hardware-related packages. All its packages are built against the RHEL kernel.
sudo yum install elrepo-release epel-release
Install a signed WireGuard Linux kernel module and the WireGuard tools.
sudo yum install kmod-wireguard wireguard-tools
Configure WireGuard Server
Navigate to the
/etc/wireguard
directory and generate a private and public key pair for the WireGuard server.sudo umask 077 sudo wg genkey | tee privatekey | wg pubkey > publickey
This saves both the private and public keys, and they can be viewed with
cat privatekey
andcat publickey
, respectively.Create the file
/etc/wireguard/wg0.conf
with the following content. You needPrivateKey
for the PrivateKey field and its private IP addresses in theAddress
field.- File: /etc/wireguard/wg0.conf
1 2 3 4 5 6 7 8
[Interface] PrivateKey = <Private Key> Address = 10.0.0.1/24, fd86:ea04:1115::1/64 ListenPort = 51820 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE SaveConfig = true
Here’s an explanation of the above configuration file:
- PrivateKey: The server’s private key.
- Address: Defines the private IPv4 and IPv6 addresses for the WireGuard server. Each peer in the VPN network should have a unique value. Typical values are
10.0.0.1/24
,192.168.1.1/24
, or192.168.2.1/24
. This is not the same as a private IP address that Linode can assign to your Linode instance. - ListenPort: Specifies which port WireGuard uses for incoming connections. The default is
51820
.Note
The value you set inListenPort
is referenced in your firewall settings later. - PostUp and PostDown define steps to run after the interface is turned on or off, respectively. In this case,
iptables
sets Linux IP masquerade rules to allow all the clients to share the server’s IPv4 and IPv6 addresses. The rules are cleared once the tunnel is down. - SaveConfig: When set to
true
, the configuration file automatically updates whenever a new peer is added while the service is running.
Set Up Firewall Rules
Install Uncomplicated Firewall (UFW) if you do not have a firewall already installed.
sudo yum install ufw
Permit SSH connections and WireGuard’s VPN port.
sudo ufw allow 22/tcp sudo ufw allow 51820/udp sudo ufw enable
Verify the settings.
sudo ufw status verbose
Start the WireGuard Service
Start WireGuard with wg-quick script. This is a convenient wrapper for many of WireGuard’s common functions.
sudo wg-quick up wg0 sudo systemctl enable wg-quick@wg0
Check if the VPN tunnel is running.
sudo wg show
The results should look like the following:
interface: wg0 public key: Nrl2nVQxSwrKrvz6jQcrsziuVRPWT9N1Q8/yaQkAXUg= private key: (hidden) listening port: 51820
Now, try to connect to your new WireGuard server with the WireGuard client of your choice. If it goes well, you now have a quick, secure private connection to your server.
“WireGuard” is a registered trademark of Jason A. Donenfeld.
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This page was originally published on