Install and Configure WireGuard on Rocky Linux 9: Best VPN Server
In this tutorial, we want to teach you to Install and Configure WireGuard on Rocky Linux 9. WireGuard protocol is a secure network tunnel. It can be used as a standalone protocol or implemented as a VPN protocol by a VPN service provider. For VPNs, the WireGuard protocol aims to replace IKEv2/IPSec and OpenVPN as a more efficient solution.
Now you can proceed to the following steps on the Orcacore website to set up WireGuard VPN server and client on Rocky Linux 9.
To complete this guide, you must log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide on Initial Server Setup with Rocky Linux 9.
Also, your SELinux must run in permissive mode. Now follow the steps below to Set up WireGuard VPN Server and Client on Rocky Linux 9.
1. Enable Wireguard Kernel Module on Rocky Linux 9
At this point, you must enable the ‘wireguard’ kernel module on your server. To do this, you can use the following command:
sudo modprobe wireguard
Then, verify that your module is enabled or not by using the command below:
lsmod | grep wireguard
If the WireGuard module is loaded, the output contains a line starting with wireguard.
Now you need to load the wireguard module permanently. To do this, run the command below:
echo wireguard | sudo tee /etc/modules-load.d/wireguard.conf
This command will load the wireguard kernel module permanently at system boot on Rocky Linux 9.
Finally, use the command below to install the ‘wireguard-tools’ package:
sudo dnf install wireguard-tools -y
This package is used to manage the Wireguard server.
2. Generate WireGuard VPN Server and Client Key Pair
At this point, you need to generate key pairs for both the Wireguard server and client via the wireguard-tools on Rocky Linux 9.
Generate WireGuard Server Key Pair
First, run the following command to generate the server private key in the file /etc/wireguard/server.key:
wg genkey | sudo tee /etc/wireguard/server.key
Output:
ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=
Then, set the correct permissions for it by using the command below:
sudo chmod 0400 /etc/wireguard/server.key
This makes the private key readable only by its owner and removes all access for the group and others.
Next, use the following command to derive the server public key and store it in the file /etc/wireguard/server.pub:
sudo cat /etc/wireguard/server.key | wg pubkey | sudo tee /etc/wireguard/server.pub
Output:
Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=
Now you can verify your WireGuard Server private and public key pairs by using the following commands:
# cat /etc/wireguard/server.key
# cat /etc/wireguard/server.pub
Generate WireGuard Client Key Pair
At this point, you need to generate the key pair for the client. Here we will generate a new key pair for client1.
First, create a new directory to store client key pairs by using the command below:
sudo mkdir -p /etc/wireguard/clients
Then, run the command below to generate the WireGuard client private key in the file /etc/wireguard/clients/client1.key:
wg genkey | sudo tee /etc/wireguard/clients/client1.key
Output:
iICfUtMtAvTo+W73oQZRrMP7NSmxDxI2WnZtxtMRhGU=
Next, use the following command to derive the WireGuard client public key and store it in the file /etc/wireguard/clients/client1.pub:
sudo cat /etc/wireguard/clients/client1.key | wg pubkey | sudo tee /etc/wireguard/clients/client1.pub
Output:
NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=
Now you can verify the client's private and public keys by using the following commands:
# cat /etc/wireguard/clients/client1.key
# cat /etc/wireguard/clients/client1.pub
3. Configure WireGuard VPN Server on Rocky Linux 9
At this point, you need to configure the WireGuard server. First, you need to create and open a new wireguard server config file ‘/etc/wireguard/wg0.conf’ with your favorite text editor, here we use the vi editor:
sudo vi /etc/wireguard/wg0.conf
Add the following content to the file:
[Interface]
# Wireguard Server private key - server.key
PrivateKey = ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=
# Wireguard interface will be run at 10.8.0.1
Address = 10.8.0.1/24
# Clients will connect to UDP port 51820
ListenPort = 51820
# Write the running configuration (e.g. peers added with 'wg set') back to this file when the interface goes down;
# note that this overwrites manual edits made to the file while wg0 is up
SaveConfig = true
Remember to replace the ‘PrivateKey’ value with the WireGuard server private key from ‘server.key’.
Next, add the following lines to define the client-peer connection:
[Peer]
# Wireguard client public key - client1.pub
PublicKey = NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=
# client VPN IP address allowed for this peer (a single host, hence /32)
# it is also possible to add a subnet, e.g. 10.8.0.8/32, 172.16.100.0/24
AllowedIPs = 10.8.0.8/32
Be sure to change the ‘PublicKey’ parameter with the client public key ‘client1.pub’.
With the ‘AllowedIPs’ parameter, you specify which source addresses the WireGuard server accepts from (and routes to) this peer. In this example, only the client with IP ‘10.8.0.8’ is allowed on this peer connection, which is why the prefix is /32. Additionally, you can also allow a range of internal network subnets such as ‘172.16.100.0/24’ to reach the WireGuard peer.
When you are done, save and close the file.
4. Enable Port Forwarding on Rocky Linux 9
At this point, you must enable port forwarding on your deployment server. To do this, open the following file with your favorite text editor, here we use vi:
sudo vi /etc/sysctl.conf
Add the following lines to the bottom of the file. These lines enable IP forwarding for both IPv4 and IPv6. If you do not need IPv6, disable that line by putting a comment character ‘#’ at the start of it.
# Port Forwarding for IPv4
net.ipv4.ip_forward=1
# Port forwarding for IPv6
net.ipv6.conf.all.forwarding=1
When you are done, save and close the file.
Apply the changes by running the command below:
sudo sysctl -p
Output:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
For more information about IP Forwarding, you can visit this guide on How To Enable IP Forwarding in Linux.
5. Configure Firewall For WireGuard VPN on Rocky Linux 9
First, you should check the default network interface that is used for internet access on the wireguard server. To do this, run the command below:
ip route show default
Output:
default via ... dev eth0 proto ... metric 100
In our output, the WireGuard server uses the interface eth0 for internet access. Your server may use a different interface name; substitute it for eth0 in the rules below.
Next, open your Wireguard server config file again:
sudo vi /etc/wireguard/wg0.conf
Add the following lines under the ‘[Interface]’ section:
PostUp = firewall-cmd --zone=public --add-masquerade
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --zone=public --remove-masquerade
PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT
PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
When you are done, save and close the file.
Now you need to open the UDP port 51820 that will be used for wireguard clients:
sudo firewall-cmd --add-port=51820/udp --permanent
Reload the firewall to apply the changes:
sudo firewall-cmd --reload
Also, you can verify your firewall rules by using the command below:
sudo firewall-cmd --list-all
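The following Python script is an example added here, not part of the original guide: it lints a server wg0.conf for the two mistakes that steps 3 and 5 make easy, a peer AllowedIPs wider than a /32 inside the tunnel subnet (wg normalises 10.8.0.8/24 to 10.8.0.0/24, so that peer could source any tunnel address) and PostUp/PostDown rules naming an interface other than the one ‘ip route show default’ reports, and it flags a config file readable by group or others since the file holds PrivateKey. SAMPLE_CONF and SAMPLE_ROUTE are constructed inputs with placeholder keys; on a real server pass the contents of /etc/wireguard/wg0.conf and the real ‘ip route show default’ output.

```python
import ipaddress
import os
import re
# Constructed sample server config with placeholder keys; it repeats the /24 peer route and eth0 hooks
SAMPLE_CONF = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.1/24
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.8/24
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.9/32, 172.16.100.0/24
"""
SAMPLE_ROUTE = "default via 192.0.2.1 dev ens3 proto dhcp metric 100"  # constructed `ip route show default`

def parse_wg_conf(text):
    # configparser cannot be used: [Peer] sections and PostUp/PostDown keys repeat
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, _, value = line.partition("=")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def lint_server_conf(text, route_output="", conf_path=None):
    """Return a list of findings for a server wg0.conf (empty list means no problem found)."""
    findings = []
    sections = parse_wg_conf(text)
    iface = dict(sections)["Interface"]
    tunnel = ipaddress.ip_interface(iface["Address"][0]).network
    for name, peer in sections:
        for cidr in peer.get("AllowedIPs", [""])[0].split(",") if name == "Peer" else []:
            # wg normalises 10.8.0.8/24 to 10.8.0.0/24, so this peer could source any tunnel address
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.overlaps(tunnel) and net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {peer['PublicKey'][0][:8]}: AllowedIPs {cidr.strip()} is not a /32 host route")
    uplink = re.search(r"\bdev\s+(\S+)", route_output)  # interface named by `ip route show default`
    used = {d for h in iface.get("PostUp", []) + iface.get("PostDown", []) for d in re.findall(r"-o\s+(\S+)", h)}
    if uplink and used - {uplink.group(1)}:
        findings.append(f"firewall hooks use {sorted(used)} but the default route is via {uplink.group(1)}")
    if conf_path is not None and os.stat(conf_path).st_mode & 0o077:  # the file holds PrivateKey
        findings.append(f"{conf_path} is readable by group/other; use mode 0600 or 0400")
    return findings
```

Running lint_server_conf(SAMPLE_CONF, SAMPLE_ROUTE) reports the /24 peer route and the eth0/ens3 mismatch; the fixed file (10.8.0.8/32, hooks on ens3) reports nothing.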
6. Manage WireGuard VPN Server on Rocky Linux 9
At this point, you can start and enable your WireGuard service on your server. To do this, run the following commands:
# sudo systemctl start wg-quick@wg0.service
# sudo systemctl enable wg-quick@wg0.service
Verify your WireGuard service is active and running on Rocky Linux 9:
sudo systemctl status wg-quick@wg0.service
Also, verify the interface ‘wg0’ that is created by the wireguard server via the following command:
ip a show wg0
Alternatively, you can start and stop the WireGuard server with the ‘wg-quick’ command-line utility provided by wireguard-tools:
# sudo wg-quick up /etc/wireguard/wg0.conf
# sudo wg-quick down /etc/wireguard/wg0.conf
7. Set up WireGuard VPN Client
At this point, we will set up the WireGuard client on a second Rocky Linux machine and connect it to the WireGuard server.
First, you need to install the wireguard-tools package on your Rocky Linux client machine:
sudo dnf install wireguard-tools
Then, start and enable the ‘systemd-resolved’ service by using the command below:
# sudo systemctl start systemd-resolved
# sudo systemctl enable systemd-resolved
Next, you need to set up the NetworkManager to use the ‘systemd-resolved’ as the DNS backend. To do this, open the NetworkManager config file with your favorite text editor, here we use vi:
sudo vi /etc/NetworkManager/NetworkManager.conf
Add the ‘dns’ parameter to the ‘[main]’ section as below.
[main]
dns=systemd-resolved
When you are done, save and close the file.
Next, run the following command to remove the ‘/etc/resolv.conf’ file and create a new symlink file of the ‘resolv.conf’ file managed by systemd-resolved:
# sudo rm -f /etc/resolv.conf
# sudo ln -s /usr/lib/systemd/resolv.conf /etc/resolv.conf
Restart the NetworkManager service to apply the changes:
sudo systemctl restart NetworkManager
Now use the command below to create a new WireGuard client config file:
sudo vi /etc/wireguard/wg-client1.conf
Add the following content to the file:
[Interface]
# Define the IP address for the client - must be matched with wg0 on Wireguard Server
Address = 10.8.0.8/24
# Private key for the client - client1.key
PrivateKey = iICfUtMtAvTo+W73oQZRrMP7NSmxDxI2WnZtxtMRhGU=
# Run resolvectl command
PostUp = resolvectl dns %i 1.1.1.1 9.9.9.9; resolvectl domain %i ~.
PreDown = resolvectl revert %i
[Peer]
# Public key of the Wireguard server - server.pub
PublicKey = Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=
# Allow all traffic to be routed via Wireguard VPN
AllowedIPs = 0.0.0.0/0
# Public IP address of the Wireguard Server
Endpoint = 192.168.5.59:51820
# Sending Keepalive every 25 sec
PersistentKeepalive = 25
The IP address of the client must be in the subnet of the WireGuard server interface. The WireGuard client gets the IP address ‘10.8.0.8’ in this example.
Specify ‘AllowedIPs’ to restrict which destinations are routed over the VPN: list the subnets you want to reach through the tunnel, or put 0.0.0.0/0 to tunnel all traffic over the VPN.
Specify the Endpoint parameter with the public IP address of the WireGuard server, or you can also use a domain name.
When you are done, save and close the file.
Next, use the following command to start your WireGuard client service:
sudo wg-quick up wg-client1
Finally, run the commands below to ensure that the client machine can reach the WireGuard server over the tunnel and access the internet through it.
# ping -c5 10.8.0.1
# ping -c5 1.1.1.1
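As an added example that is not part of the original guide, this Python function renders the client config and the matching server-side [Peer] stanza from one set of parameters, so the client Address, the server's /32 AllowedIPs and the Endpoint port cannot drift apart; it also covers the split-tunnel case (tunnel subnet plus extra subnets instead of 0.0.0.0/0). The key strings are placeholders to be replaced with the wg genkey / wg pubkey output from step 2, and the tunnel, port and DNS values are assumed to be the ones used above.

```python
import ipaddress

def provision_client(index, server_pub, endpoint_host, listen_port=51820, tunnel="10.8.0.1/24",
                     client_priv="CLIENT_PRIVATE_KEY_PLACEHOLDER",
                     client_pub="CLIENT_PUBLIC_KEY_PLACEHOLDER",
                     full_tunnel=True, extra_subnets=()):
    """Return (client_conf, server_peer) for the index-th address of the tunnel subnet.
    tunnel is the server's own Address line, so its host index (1 here) is not available."""
    server_if = ipaddress.ip_interface(tunnel)
    net = server_if.network
    if not 0 < index < net.num_addresses - 1 or net[index] == server_if.ip:
        raise ValueError(f"index {index} is not a free host address in {net}")
    host = net[index]
    # Full tunnel sends everything through the VPN; split tunnel only the tunnel subnet and extras
    allowed = ["0.0.0.0/0"] if full_tunnel else [str(net), *extra_subnets]
    client_conf = "\n".join([
        "[Interface]",
        f"Address = {host}/{net.prefixlen}",          # same subnet as wg0 on the server
        f"PrivateKey = {client_priv}",
        "PostUp = resolvectl dns %i 1.1.1.1 9.9.9.9; resolvectl domain %i ~.",
        "PreDown = resolvectl revert %i",
        "[Peer]",
        f"PublicKey = {server_pub}",
        f"AllowedIPs = {', '.join(allowed)}",
        f"Endpoint = {endpoint_host}:{listen_port}",  # must equal the server's ListenPort
        "PersistentKeepalive = 25",
    ])
    server_peer = "\n".join([
        "[Peer]",
        f"PublicKey = {client_pub}",
        f"AllowedIPs = {host}/32",  # host route: a /24 here would let this peer source any tunnel address
    ])
    return client_conf, server_peer
```

The client_conf text goes to /etc/wireguard/wg-client1.conf on the client and server_peer is appended to the server's wg0.conf.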
That’s it, you are done.
Conclusion
At this point, you have learned to Install and Configure the WireGuard VPN Server and Client on Rocky Linux 9. A WireGuard VPN server is used to establish encrypted connections between devices across the internet or local networks. Now you know how to Install and Configure WireGuard on Rocky Linux 9.
Alternative Solutions for WireGuard on Rocky Linux 9
While the outlined method provides a comprehensive guide to manually configuring WireGuard, alternative approaches exist that can streamline the process and potentially offer more flexibility or integration with existing infrastructure. Here are two alternative solutions for setting up WireGuard on Rocky Linux 9:
1. Using a Configuration Management Tool (Ansible)
Configuration management tools like Ansible allow you to automate the deployment and configuration of WireGuard across multiple servers. This approach is particularly useful for managing larger deployments or ensuring consistency across your infrastructure.
Explanation:
Ansible uses playbooks, which are YAML files that define the desired state of your systems. You can create an Ansible playbook that automatically installs the necessary packages, generates key pairs, configures the WireGuard server and client configuration files, enables port forwarding, and manages the firewall rules. This approach offers several benefits:
- Automation: Reduces manual intervention and the risk of errors.
- Idempotency: Ansible ensures that the desired state is achieved, even if the playbook is run multiple times.
- Scalability: Easily deploy and manage WireGuard on multiple servers.
- Version Control: Playbooks can be stored in version control systems, allowing you to track changes and revert to previous configurations.
Code Example (Snippet of an Ansible Playbook):
---
- hosts: wireguard_server
  become: true
  tasks:
    - name: Install wireguard-tools
      dnf:
        name: wireguard-tools
        state: present
    - name: Generate server private key
      # shell (not command) is required because of the pipe
      shell: wg genkey | tee /etc/wireguard/server.key
      args:
        creates: /etc/wireguard/server.key
    - name: Set server private key permissions
      file:
        path: /etc/wireguard/server.key
        mode: "0400"
    - name: Generate server public key
      shell: cat /etc/wireguard/server.key | wg pubkey | tee /etc/wireguard/server.pub
      args:
        creates: /etc/wireguard/server.pub
    - name: Configure WireGuard server
      template:
        src: wg0.conf.j2
        dest: /etc/wireguard/wg0.conf
        mode: "0600"   # wg0.conf holds the server private key
      notify: restart_wireguard
  handlers:
    - name: restart_wireguard
      systemd:
        name: wg-quick@wg0.service
        state: restarted
This is a basic example. The wg0.conf.j2 would be a Jinja2 template that dynamically generates the wg0.conf file based on variables defined in your Ansible inventory or playbook. You would extend this playbook to include tasks for enabling IP forwarding, configuring the firewall, and setting up the client configuration as well.
2. Using a Docker Container
Another alternative is to run WireGuard within a Docker container. This approach provides isolation, portability, and ease of deployment.
Explanation:
Docker allows you to package WireGuard and its dependencies into a self-contained container. You can then deploy this container on any system that has Docker installed, regardless of the underlying operating system. This approach simplifies the deployment process and ensures that WireGuard runs in a consistent environment. Several Docker images for WireGuard are readily available on Docker Hub.
Code Example (docker-compose.yml):
version: "3.7"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERPORT=51820 #optional
      - SERVERURL=your_server_ip #optional
      - PEERS=1 #optional - number of peers you want to setup, default is 1
    volumes:
      - /path/to/wireguard/config:/config
      - /lib/modules:/lib/modules:ro
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    restart: unless-stopped
Explanation of the docker-compose.yml file:
- image: Specifies the Docker image to use (in this case, linuxserver/wireguard, a popular and well-maintained WireGuard image).
- cap_add: Grants the container the necessary capabilities to manage network interfaces and load kernel modules.
- environment: Sets environment variables for configuring the WireGuard server, such as the user ID (PUID), group ID (PGID), timezone (TZ), server port (SERVERPORT), the server's public IP address or hostname (SERVERURL), and the number of peers to configure (PEERS).
- volumes: Mounts the configuration directory and kernel modules into the container. Important: replace /path/to/wireguard/config with the actual path to your WireGuard configuration directory on the host system. Mounting /lib/modules is essential for WireGuard to function correctly within the container.
- ports: Exposes the WireGuard port (51820) to the host system.
- sysctls: Enables IP forwarding within the container.
- restart: Configures the container to restart automatically unless it is explicitly stopped.
To use this, save the above content as docker-compose.yml and run docker-compose up -d in the same directory. This will download the image, create the container, and start WireGuard. You still need to configure the /path/to/wireguard/config directory with your WireGuard configuration files (server and client configs). The image provides scripts to help with initial setup.
These alternative solutions offer different approaches to deploying and managing WireGuard on Rocky Linux 9, providing flexibility based on your specific needs and infrastructure. The manual configuration detailed in the original article gives a solid understanding, while Ansible and Docker provide efficient automation and portability.