This tutorial is going to show you how to set up your own WireGuard VPN server on CentOS. WireGuard is made specifically for the Linux kernel. It runs inside the Linux kernel and allows you to create fast, modern, and secure VPN tunnel. TL;DR
This tutorial assumes that the VPN server and VPN client are both running CentOS operating system.
Log into your CentOS server, then run the following commands to install WireGuard.
# CentOS 8
sudo dnf install elrepo-release epel-release -y
sudo dnf install kmod-wireguard wireguard-tools -y
# CentOS 7
sudo yum install epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
sudo yum install yum-plugin-elrepo
sudo yum install kmod-wireguard wireguard-tools -yThen use the same commands to install WireGuard on your local CentOS computer (the VPN client).
sudo mkdir -p /etc/wireguard/
cd /etc/wireguard
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.keysudo mkdir -p /etc/wireguard/
cd /etc/wireguard
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.keysudo vim /etc/wireguard/wg0.confPaste in this content:
[Interface]
Address = 10.10.10.1/24
SaveConfig = true
PrivateKey = private-key-of-your-server
ListenPort = 51820
[Peer]
PublicKey = public-key-of-your-client
AllowedIPs = 10.10.10.2/32Secure the file like so:
sudo chmod 600 /etc/wireguard/ -Rsudo vim /etc/wireguard/wg-client0.confPaste in this content:
[Interface]
Address = 10.10.10.2/24
DNS = 10.10.10.1
PrivateKey = private-key-of-your-client
[Peer]
PublicKey = public-key-of-your-server
AllowedIPs = 0.0.0.0/0 # to allow untunneled traffic, use `0.0.0.0/1, 128.0.0.0/1` instead
Endpoint = public-ip-of-your-server:51820
PersistentKeepalive = 25Secure the config like so:
sudo chmod 600 /etc/wireguard/ -Rsudo vim /etc/sysctl.confAdd the following line at the end of this file.
net.ipv4.ip_forward = 1sudo sysctl -p # The -p option will load sysctl settings from /etc/sysctl.conf file. This command will preserve our changes across system reboots.Run the following command to enable IP masquerading in the server firewall.
sudo firewall-cmd --zone=public --permanent --add-masquerade
sudo systemctl reload firewalldThis will hide your VPN network from the outside world. So the Internet can only see your VPN server’s IP, but can’t see your VPN client’s IP, just like your home router hides your private home network.
Since we specify the VPN server as the DNS server for client, we need to run a DNS resolver on the VPN server. We can install the bind9 DNS server.
sudo dnf install bind
sudo systemctl start named
sudo systemctl enable named
systemctl status namedEdit the BIND main configuration file /etc/named.conf.
sudo vim /etc/named.confIn the options clause, you can find the following two lines.
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };This makes named listen on localhost only. If you want to allow clients in the same network to query domain names, then comment out these two lines. (add double slashes at the beginning of each line)
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };Find the following line.
allow-query { localhost; };Add the 10.10.10.0/24 network range so that VPN clients can send DNS queries. Note that you need to end each network range with a semicolon.
allow-query { localhost; 10.10.10.0/24; };Save and close the file. Restart BIND9 for the changes to take effect.
sudo systemctl restart namedThen you need to run the following command to allow VPN clients to connect to port 53.
sudo firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="10.10.10.0/24" accept'Run the following command to open UDP port 51820 on the server.
sudo firewall-cmd --permanent --add-port=51820/udp
sudo systemctl reload firewalldRun the following command on the server to start WireGuard.
sudo wg-quick up /etc/wireguard/wg0.confTo stop it, run
sudo wg-quick down /etc/wireguard/wg0.confYou can also use systemd service to start WireGuard.
sudo systemctl start [email protected]If the start failed, you should check the log to find out what’s wrong.
sudo journalctl -eu [email protected]Enable auto-start at system boot time with the following command.
sudo systemctl enable [email protected]Now WireGuard server is ready to accept client connections.
Start WireGuard.
sudo systemctl start [email protected]Enable auto-start at system boot time.
sudo systemctl enable [email protected]By default, all traffic on the VPN client will be routed through the VPN server. Sometimes you may want to route only a specific type of traffic, based on the transport layer protocol and the destination port. This is known as policy routing. Policy routing is configured on the client computer, and we need to stop the VPN connection first.
sudo systemctl stop [email protected]Then edit the client configuration file.
sudo nano /etc/wireguard/wg-client0.confFor example, if you add the following 3 lines in the [interface] section, then WireGuard will create a routing table named “1234” and add the ip rule into the routing table. In this example, traffic will be routed through VPN server only when TCP is used as the transport layer protocol and the destination port is 25, i.e, when the client computer sends emails.
Table = 1234
PostUp = ip rule add ipproto tcp dport 25 table 1234
PreDown = ip rule delete ipproto tcp dport 25 table 1234Save and close the file. Then start WireGuard client again.
sudo systemctl start [email protected]By default, your computer can access the Internet via the normal gateway when the VPN connection is disrupted. You may want to enable the kill switch feature, which prevents the flow of unencrypted packets through non-WireGuard interfaces. Stop the WireGuard client process.
sudo systemctl stop [email protected]Edit the client configuration file.
sudo nano /etc/wireguard/wg-client0.confAdd the following two lines in the [interface] section.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECTLike this:
[Interface]
Address = 10.10.10.2/24
DNS = 10.10.10.1
PrivateKey = cOFA+x5UvHF+a3xJ6enLatG+DoE3I5PhMgKrMKkUyXI=
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = RaoAdsIEIwgV9DHNSubxWVG+nZ1GP/c3OU6A/efBJ0I=
AllowedIPs = 0.0.0.0/0
Endpoint = 12.34.56.78:51820
PersistentKeepalive = 25Save and close the file. Then start the WireGuard client.
sudo systemctl start [email protected]That's it. Happy networking!
A little remark that made me waste some time.
Before step 5: if for some reason you have to install firewalld because it's missing from your system and you currently connect via ssh on a different port rather than 22, be sure to move back to port 22 in /etc/ssh/sshd_config.
By default ssh is enabled as a service on firewalld, but it's just a "wrapper" to the standard port 22. So activating firewalld without switching back to the standard port is gonna lock you out.