Handleidingen voor diverse applicaties met Rocky 9

From Installatie Rocky 9 Webserver
Revision by Erwin (talk | contributions) on 12 Jan 2023 at 05:43 (Small changes made in the code blocks; cosmetic only)

PhpMyAdmin


WireGuard

Step 1 — Installing WireGuard and Generating a Key Pair

The first step in this tutorial is to install WireGuard on your server. To start off, you’ll need to add two extra software repositories to your server’s package index: epel and elrepo. Run the following command to install them. Note that you may be prompted to provide your sudo user’s password if this is the first time you’re using sudo in this session:

sudo dnf install elrepo-release epel-release

Now that your server can access the repositories that host the WireGuard packages, install WireGuard using the following command:

sudo dnf install wireguard-tools

Now that you have WireGuard installed, the next step is to generate a private and public keypair for the server. You’ll use the built-in wg genkey and wg pubkey commands to create the keys, and then add the private key to WireGuard’s configuration file.

You will also need to change the permissions on the key that you just created using the chmod command, since by default the file is readable by any user on your server.

Create the private key for WireGuard and change its permissions using the following commands:

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

The sudo chmod go=... command removes all permissions on the file for users and groups other than the root user, so that only root can read the private key.

You should receive a single line of base64 encoded output, which is the private key. A copy of the output is also stored in the /etc/wireguard/private.key file for future reference by the tee portion of the command. Carefully make a note of the private key that is output since you’ll need to add it to WireGuard’s configuration file later in this section.

The next step is to create the corresponding public key, which is derived from the private key. Use the following command to create the public key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

This command consists of three individual commands that are chained together using the | (pipe) operator:

  • sudo cat /etc/wireguard/private.key: this command reads the private key file and outputs it to the standard output stream.
  • wg pubkey: the second command takes the output from the first command as its standard input and processes it to generate a public key.
  • sudo tee /etc/wireguard/public.key: the final command takes the output of the public key generation command and redirects it into the file named /etc/wireguard/public.key.

When you run the command you will again receive a single line of base64 encoded output, which is the public key for your WireGuard Server. Copy it somewhere for reference, since you will need to distribute the public key to any peer that connects to the server.
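Two things go wrong most often at this step: a key that was copied incompletely (a WireGuard key is 32 bytes, so its base64 form is always exactly 44 characters ending in "="), and a private key file that the chmod step left world-readable. The following helpers, added here as an example and not part of the original page, check both. They assume GNU coreutils (base64 -d, stat -c) as shipped with Rocky Linux; the sample key used in the comments is the peer public key shown later on this page.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the key
# material produced by `wg genkey` / `wg pubkey` and the chmod step above.
# Assumes GNU coreutils (base64 -d, stat -c) as found on Rocky Linux.

# A WireGuard key is 32 raw bytes, so its base64 form is exactly 44 characters
# and decodes to exactly 32 bytes. Returns 0 for a well-formed key.
wg_key_valid() {
    key=$1
    [ ${#key} -eq 44 ] || return 1
    # reject anything outside the base64 alphabet or with the wrong padding
    printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || return 1
    nbytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$nbytes" -eq 32 ]
}

# The private key file must not be readable by group or others (chmod go=).
# Returns 0 when the octal mode has no group/other bits set (600, 400, ...).
key_perms_ok() {
    file=$1
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file")
    # %a prints the mode without leading zeros; the last two digits are the
    # group and other bits, so anything but "00" there means too permissive
    case $mode in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Validate both the permissions and the contents of a key file, e.g.
#   key_file_ok /etc/wireguard/private.key && echo "private key looks fine"
key_file_ok() {
    file=$1
    key_perms_ok "$file" || return 1
    wg_key_valid "$(cat "$file")"
}
```

Run key_file_ok against /etc/wireguard/private.key (with sudo) after the chmod step; a non-zero exit means either the file is readable by other users or its contents are not a complete key, so re-run wg genkey and chmod go= before going on to the configuration file.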

Step 2 — Choosing IPv4 Addresses

In the previous section you installed WireGuard and generated a key pair that will be used to encrypt traffic to and from the server. In this section, you will create a configuration file for the server, and set up WireGuard to start up automatically when your server reboots. You will also define private IPv4 addresses to use with your WireGuard Server and peers.

Step 2(a) — Choosing an IPv4 Range

If you are using your WireGuard server with IPv4 peers, the server needs a range of private IPv4 addresses to use for clients, and for its tunnel interface. You can choose any range of IP addresses from the following reserved blocks of addresses (if you would like to learn more about how these blocks are allocated visit the RFC 1918 specification):

  • 10.0.0.0 to 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

For the purposes of this tutorial we’ll use 10.8.0.0/24 as a block of IP addresses from the first range of reserved IPs. This range will allow up to 255 different peer connections, and generally should not have overlapping or conflicting addresses with other private IP ranges. Feel free to choose a range of addresses that works with your network configuration if this example range isn’t compatible with your networks.

The WireGuard Server will use a single IP address from the range for its private tunnel IPv4 address. We’ll use 10.8.0.1/24 here, but any address in the range of 10.8.0.1 to 10.8.0.255 can be used. Make a note of the IP address that you choose if you use something different from 10.8.0.1/24.

Step 3 — Creating a WireGuard Server Configuration

Before creating your WireGuard Server’s configuration, you will need the following pieces of information:

  1. Make sure that you have the private key available from Step 1 — Installing WireGuard and Generating a Key Pair.
  2. If you are using WireGuard with IPv4, you’ll need the IP address that you chose for the server in Step 2(a) — Choosing an IPv4 Range, which in this example is 10.8.0.1/24.

Once you have the required private key and IP address(es), create a new configuration file using vi or your preferred editor by running the following command:

sudo vi /etc/wireguard/wg0.conf

Add the following lines to the file, substituting your private key in place of the highlighted base64_encoded_private_key_goes_here value, and the IP address(es) on the Address line. You can also change the ListenPort line if you would like WireGuard to be available on a different port.

Press i to put vi into insertion mode and then add the following lines:

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true

The SaveConfig line ensures that when the WireGuard interface is shut down, any changes made to the running interface (for example peers added with the wg command) are written back to the configuration file. Note that this also means edits made to the file by hand while the interface is up are overwritten when it comes down.

When you are finished making changes, press ESC and then :wq to write the changes to the file and quit. You now have an initial server configuration that you can build upon depending on how you plan to use your WireGuard VPN server.

Step 4 — Adjusting the WireGuard Server’s Network Configuration

If you are using WireGuard to connect a peer to the WireGuard Server in order to access services on the server only, then you do not need to complete this section. If you would like to route your WireGuard Peer’s Internet traffic through the WireGuard Server then you will need to configure IP forwarding by following this section of the tutorial.

To configure forwarding, open the /etc/sysctl.conf file using vi or your preferred editor:

sudo vi /etc/sysctl.conf

If you are using IPv4 with WireGuard, add the following line at the bottom of the file:

/etc/sysctl.conf

net.ipv4.ip_forward=1

To read the file and load the new values for your current terminal session, run:

sudo sysctl -p
Output
net.ipv4.ip_forward = 1

Now your WireGuard Server will be able to forward incoming traffic from the virtual VPN ethernet device to the server’s other network interfaces, and from there to the public Internet. Using this configuration will allow you to route all web traffic from your WireGuard Peer via your server’s IP address, and your client’s public IP address will be effectively hidden.

However, before traffic can be routed via your server correctly, you will need to configure some firewall rules. These rules will ensure that traffic to and from your WireGuard Server and Peers flows properly.

Step 5 — Configuring the WireGuard Server’s Firewall

In this section you will edit the WireGuard Server’s configuration to add firewall-cmd firewall rules that will ensure traffic to and from the server and clients is routed correctly. As with the previous section, skip this step if you are only using your WireGuard VPN for a machine-to-machine connection to access resources that are restricted to your VPN.

To add firewall rules to your WireGuard Server, you will create some permanent rules that will ensure the server is configured correctly across reboots. Run the following to allow access to the WireGuard service itself on UDP port 51820 and to enable masquerading (NAT) for traffic forwarded from the VPN, then reload firewalld so that the permanent rules take effect:

sudo firewall-cmd --zone=public --add-port=51820/udp --permanent
sudo firewall-cmd --permanent --zone=public --add-service=wireguard
sudo firewall-cmd --permanent --zone=public --add-masquerade

sudo firewall-cmd --reload
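Steps 4 and 5 are easy to get subtly wrong when repeated: appending net.ipv4.ip_forward=1 "at the bottom of the file" a second time leaves duplicate lines, and nothing above confirms that the kernel is actually forwarding after sysctl -p. The script below, added here as an example and not part of the original page, makes the sysctl change idempotent and verifies both the file and the live kernel value. It assumes a sysctl.conf-style file (key=value lines, # comments) and GNU sed; the firewalld report only runs where firewall-cmd is installed.

```shell
#!/bin/sh
# Added example (not from the original page): make the forwarding change
# idempotent and verify it. Assumes a sysctl.conf-style file (key=value lines,
# '#' comments), GNU sed, and for the live check a /proc-style file holding 0 or 1.

# Set key=value in a sysctl.conf-style file: replace the line if the key is
# already present (commented out or not), otherwise append it. Running this
# twice leaves exactly one line for the key instead of a tail of duplicates.
sysctl_conf_set() {
    file=$1 key=$2 value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are regex metachars
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value the file will load for a key (the last uncommented
# assignment wins, which matches how sysctl -p applies the file).
sysctl_conf_get() {
    file=$1 key=$2
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${esc}[[:space:]]*=" "$file" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Live check: returns 0 when the kernel is currently forwarding IPv4.
# The path is a parameter so the check can be pointed at a test file.
ip_forward_enabled() {
    procfile=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$procfile" 2>/dev/null | tr -d '[:space:]')" = "1" ]
}

# Report the firewalld state for the WireGuard port and for NAT in the
# public zone. No-op on machines without firewall-cmd.
firewalld_report() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not installed"; return 0; }
    echo "port 51820/udp open: $(firewall-cmd --zone=public --query-port=51820/udp)"
    echo "masquerade enabled:  $(firewall-cmd --zone=public --query-masquerade)"
}

# Typical use on the server (as root):
#   sysctl_conf_set /etc/sysctl.conf net.ipv4.ip_forward 1 && sysctl -p
#   ip_forward_enabled && echo "forwarding is on"
#   firewalld_report
```

Keep in mind that net.ipv4.ip_forward is host-wide: once enabled, the kernel will forward between any of the server’s interfaces, and it is the firewalld rules from Step 5 that decide which forwarded traffic is actually allowed and NATed. On Rocky 9 a drop-in file under /etc/sysctl.d/ loaded with sysctl --system works the same way as editing /etc/sysctl.conf and keeps the change separate from the distribution file.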

Step 6 — Starting the WireGuard Server

WireGuard can be configured to run as a systemd service using its built-in wg-quick script. While you could manually use the wg command to create the tunnel every time you want to use the VPN, doing so is a manual process that becomes repetitive and error prone. Instead, you can use systemctl to manage the tunnel with the help of the wg-quick script.

Using a systemd service means that you can configure WireGuard to start up at boot so that you can connect to your VPN at any time as long as the server is running. To do this, enable the wg-quick service for the wg0 tunnel that you’ve defined by adding it to systemctl:

sudo systemctl enable wg-quick@wg0.service

[Info] Notice that the command specifies the name of the tunnel wg0 as a part of the service name. This name maps to the /etc/wireguard/wg0.conf configuration file. This approach to naming means that you can create as many separate VPN tunnels as you would like using your server. Each tunnel can contain different IPv4, IPv6, and client firewall settings.

Now start the service:

sudo systemctl start wg-quick@wg0.service

Double check that the WireGuard service is active with the following command. You should see active (running) in the output:

sudo systemctl status wg-quick@wg0.service
Output
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2021-09-17 19:58:14 UTC; 6 days ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
 Main PID: 22924 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 11188)
   Memory: 0B
   CGroup: /system.slice/system-wg\x2dquick.slice/wg-quick@wg0.service

Sep 17 19:58:14 wg0 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Sep 17 19:58:14 wg0 wg-quick[22924]: [#] ip link add wg0 type wireguard
Sep 17 19:58:14 wg0 wg-quick[22924]: [#] wg setconf wg0 /dev/fd/63
Sep 17 19:58:14 wg0 wg-quick[22924]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Sep 17 19:58:14 wg0 wg-quick[22924]: [#] ip -6 address add fd0d:86fa:c3bc::1/64 dev wg0
Sep 17 19:58:14 wg0 wg-quick[22924]: [#] ip link set mtu 1420 up dev wg0
Sep 17 19:58:14 wg0 systemd[1]: Started WireGuard via wg-quick(8) for wg0.

Notice how the output shows the ip commands that are used to create the virtual wg0 device and assign it the addresses from the configuration file (this example output also includes an IPv6 address; with the IPv4-only configuration above you will see only the 10.8.0.1/24 line). You can use these commands to troubleshoot the tunnel, or with the wg command itself if you would like to try manually configuring the VPN interface.

With the server configured and running, the next step is to configure your client machine as a WireGuard Peer and connect to the WireGuard Server.

Step 7 — Configuring a WireGuard Peer

Configuring a WireGuard peer is similar to setting up the WireGuard Server. Once you have the client software installed, you’ll generate a public and private key pair, decide on an IP address or addresses for the peer, define a configuration file for the peer, and then start the tunnel using the wg-quick script.

You can add as many peers as you like to your VPN by generating a key pair and configuration using the following steps. If you add multiple peers to the VPN be sure to keep track of their private IP addresses to prevent collisions.

To configure the WireGuard Peer, ensure that you have the WireGuard package installed using the following dnf commands. On the WireGuard peer run:

sudo dnf install elrepo-release epel-release
sudo dnf install wireguard-tools

Creating the WireGuard Peer’s Key Pair

Next, you’ll need to generate the key pair on the peer using the same steps as you used on the server. From your local machine or remote server that will serve as peer, proceed and create the private key for the peer using the following commands:

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

Again you will receive a single line of base64 encoded output, which is the private key. A copy of the output is also stored in the /etc/wireguard/private.key file. Carefully make a note of the private key that is output since you’ll need to add it to WireGuard’s configuration file later in this section.

Next use the following command to create the public key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

You will again receive a single line of base64 encoded output, which is the public key for your WireGuard Peer. Copy it somewhere for reference, since you will need to distribute the public key to the WireGuard Server in order to establish an encrypted connection.

Creating the WireGuard Peer’s Configuration File

Now that you have a key pair, you can create a configuration file for the peer that contains all the information that it needs to establish a connection to the WireGuard Server.

You will need a few pieces of information for the configuration file:

  • The base64 encoded private key that you generated on the peer.
  • The IPv4 address ranges that you defined on the WireGuard Server.
  • The base64 encoded public key from the WireGuard Server.
  • The public IP address and port number of the WireGuard Server. Usually this will be the IPv4 address, but if your server has an IPv6 address and your client machine has an IPv6 connection to the internet you can use this instead of IPv4.

With all this information at hand, open a new /etc/wireguard/wg0.conf file on the WireGuard Peer machine using vi or your preferred editor:

sudo vi /etc/wireguard/wg0.conf

Add the following lines to the file, substituting in the various data into the highlighted sections as required:

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = base64_encoded_peer_private_key_goes_here
Address = 10.8.0.2/24

[Peer]
PublicKey = base64_encoded_server_public_key_goes_here
AllowedIPs = 10.8.0.0/24
Endpoint = 203.0.113.1:51820

Notice how the Address line uses an IPv4 address from the 10.8.0.0/24 subnet that you chose earlier. This IP address can be anything in the subnet as long as it is different from the server’s IP. Incrementing addresses by 1 each time you add a peer is generally the easiest way to allocate IPs.

If you also configured IPv6 on the server, a second Address line holds an IPv6 address from the subnet you chose there, incremented by one from the server’s address. Again, any IP in the range is valid if you decide to use a different address.

The other notable part of the file is the AllowedIPs line. The range listed there (one per address family, if you use both IPv4 and IPv6) instructs the peer to only send traffic over the VPN if the destination system has an IP address in that range. Using the AllowedIPs directive, you can restrict the VPN on the peer to only connect to other peers and services on the VPN, or you can configure the setting to tunnel all traffic over the VPN and use the WireGuard Server as a gateway.

In both cases, if you would like to send all your peer’s traffic over the VPN and use the WireGuard Server as a gateway for all traffic, then you can use 0.0.0.0/0, which represents the entire IPv4 address space, and ::/0 for the entire IPv6 address space.

Step 9 — Connecting the WireGuard Peer to the Tunnel

Now that your server and peer are both configured, it is time to connect the peer to the VPN tunnel.

Since you may only want the VPN to be on for certain use cases, we’ll use the wg-quick command to establish the connection manually. If you would like to automate starting the tunnel like you did on the server, follow those steps in the Step 6 — Starting the WireGuard Server section instead of using the wg-quick command.

To start the tunnel, run the following on the WireGuard Peer:

sudo wg-quick up wg0

You will receive output like the following:

Output
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/24 dev wg0
[#] ip -6 address add fd0d:86fa:c3bc::2/64 dev wg0
[#] ip link set mtu 1420 up dev wg0

Notice the highlighted IPv4 and IPv6 addresses that you assigned to the peer.

If you set the AllowedIPs on the peer to 0.0.0.0/0 and ::/0 (or to use ranges other than the ones that you chose for the VPN), then your output will resemble the following:

Output
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/24 dev wg0
[#] ip -6 address add fd0d:86fa:c3bc::2/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] mount `67.207.67.2' /etc/resolv.conf
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
[#] ip rule add table 200 from 203.0.113.5
[#] ip route add table 200 default via 203.0.113.1

In this example, notice the highlighted routes that the command added, which correspond to the AllowedIPs in the peer configuration.

Next, generate some traffic on the tunnel interface by using ping to send a single ICMP packet (indicated by the -c 1 argument in the following commands) to the WireGuard Server:

ping -c 1 10.8.0.1

If you are routing all traffic over the VPN, you can use one of CloudFlare’s servers instead:

ping -c 1 1.1.1.1

Now check the status of the tunnel on the peer using the wg command:

sudo wg
Output
interface: wg0
 public key: PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg=
 private key: (hidden)
 listening port: 49338
 fwmark: 0xca6c

peer: U9uE2kb/nrrzsEU58GD3pKFU3TLYDMCbetIsnV8eeFE=
 endpoint: 203.0.113.1:51820
 allowed ips: 10.8.0.0/24
 latest handshake: 1 second ago
 transfer: 6.50 KiB received, 15.41 KiB sent

You can also check the status on the server again, and you will receive similar output.
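The "latest handshake" field above is the one to watch operationally: a peer whose handshake is minutes old is not exchanging traffic, whatever its configuration says. The script below, added here as an example and not part of the original page, turns that check into a small watchdog over the machine-readable form of the status output, wg show wg0 dump, which prints one tab-separated line per peer (public key, preshared key, endpoint, allowed IPs, latest handshake as Unix time with 0 meaning never, bytes received, bytes sent, persistent keepalive) after an interface line. The sample dump is constructed for the example: it reuses the public keys shown on this page, while the endpoint, timestamps and counters are made up.

```shell
#!/bin/sh
# Added example (not from the original page): a watchdog over `wg show wg0 dump`.
# Dump format (tab separated): first line = interface (private-key, public-key,
# listen-port, fwmark); each further line = one peer: public-key, preshared-key,
# endpoint, allowed-ips, latest-handshake (unix time, 0 = never), rx bytes,
# tx bytes, persistent-keepalive.

# stale_peers DUMP_TEXT NOW MAX_AGE
# Prints "<public-key> <age-in-seconds>" for every peer whose last handshake is
# older than MAX_AGE seconds, or "<public-key> never" if none ever completed.
# NOW is passed in rather than read from date so the result is reproducible.
stale_peers() {
    dump=$1 now=$2 max_age=$3
    printf '%s\n' "$dump" | awk -F '\t' -v now="$now" -v max="$max_age" '
        NR == 1 { next }                      # interface line, not a peer
        NF < 8  { next }                      # ignore anything malformed
        {
            hs = $5 + 0
            if (hs == 0)   { print $1, "never"; next }
            age = now - hs
            if (age > max) { print $1, age }
        }'
}

# Total bytes received from all peers: a quick "is anything flowing at all"
# indicator to read alongside the handshake ages.
total_rx_bytes() {
    printf '%s\n' "$1" | awk -F '\t' 'NR > 1 && NF >= 8 { s += $6 } END { print s + 0 }'
}

# Constructed sample dump (not real output): keys are the ones shown on this
# page, the private key field is a placeholder, everything else is made up.
SAMPLE_DUMP=$(
printf '%s\t%s\t%s\t%s\n' \
    'PRIVATE_KEY_PLACEHOLDER' 'U9uE2kb/nrrzsEU58GD3pKFU3TLYDMCbetIsnV8eeFE=' '51820' 'off'
printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg=' '(none)' '198.51.100.7:49338' \
    '10.8.0.2/32' '1700000000' '6656' '15780' 'off'
printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' '(none)' '(none)' \
    '10.8.0.3/32' '0' '0' '0' 'off'
)

# Live use on the server (needs root and wireguard-tools); a peer is reported
# once its handshake is older than three minutes:
#   stale_peers "$(sudo wg show wg0 dump)" "$(date +%s)" 180
```

A handshake happens roughly every two minutes while traffic flows, so a threshold of a few minutes separates idle or disconnected peers from active ones without false alarms. Run from cron or a systemd timer, the output is a natural thing to feed into whatever alerting you already have; a peer that is listed on the server but never handshakes is also a candidate for the removal command shown later in this section.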

Verify that your peer is using the VPN by using the ip route and ip -6 route commands. If you are using the VPN as a gateway for all your Internet traffic, check which interface will be used for traffic destined to CloudFlare’s 1.1.1.1 and 2606:4700:4700::1111 DNS resolvers.

If you are only using WireGuard to access resources on the VPN, substitute a valid IPv4 or IPv6 address like the gateway itself into these commands. For example 10.8.0.1 or fd0d:86fa:c3bc::1.

ip route get 1.1.1.1
Output
1.1.1.1 dev wg0 table 51820 src 10.8.0.2 uid 1000
    cache

Notice the wg0 device is used and the IPv4 address 10.8.0.2 that you assigned to the peer. Likewise, if you are using IPv6, run the following:

ip -6 route get 2606:4700:4700::1111
Output
2606:4700:4700::1111 dev wg0 table 51820 src fd0d:86fa:c3bc::2 metric 1024 pref medium

Again note the wg0 interface, and the IPv6 address fd0d:86fa:c3bc::2 that you assigned to the peer.

If your peer has a browser installed, you can also visit ipleak.net and ipv6-test.com to confirm that your peer is routing its traffic over the VPN.

Once you are ready to disconnect from the VPN on the peer, use the wg-quick command:

sudo wg-quick down wg0

You will receive output like the following indicating that the VPN tunnel is shut down:

Output
[#] ip link delete dev wg0

If you set the AllowedIPs on the peer to 0.0.0.0/0 and ::/0 (or to use ranges other than the ones that you chose for the VPN), then your output will resemble the following:

Output
[#] ip rule delete table 200 from 137.184.109.48
[#] ip route delete table 200 default via 137.184.96.1
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] umount /etc/resolv.conf
[#] nft -f /dev/fd/63

To reconnect to the VPN, run the wg-quick up wg0 command again on the peer. If you would like to completely remove a peer’s configuration from the WireGuard Server, you can run the following command, being sure to substitute the correct public key for the peer that you want to remove:

sudo wg set wg0 peer PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg= remove

Typically you will only need to remove a peer configuration if the peer no longer exists, or if its encryption keys are compromised or changed. Otherwise it is better to leave the configuration in place so that the peer can reconnect to the VPN without requiring that you add its key and allowed-ips each time.
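The page shows the wg set ... remove command but not its counterpart: before a peer can connect at all, its public key and tunnel address have to be registered on the server, and (as noted in the peer section) addresses must not collide between peers. The helpers below, added here as an example and not part of the original page, cover both directions on the server side: picking the next free address in 10.8.0.0/24 from the AllowedIPs already in the server’s wg0.conf, adding a [Peer] stanza idempotently, removing one by public key, and applying the change to the running interface with wg set when wireguard-tools is installed. They work on any file with the wg0.conf layout, so they can be tried on a copy first; the keys in the comments are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): server-side registration and
# removal of peers, working on the text of the server's wg0.conf. The `wg`
# call is only made when the tool is installed, so the file helpers can be
# exercised against a temporary copy.

# Next unused host in 10.8.0.0/24, skipping .1 (the server) and every address
# already listed as a peer's AllowedIPs. Prints e.g. 10.8.0.2, or prints
# nothing and returns 1 when the /24 is exhausted.
next_free_peer_ip() {
    conf=$1
    used=$(sed -nE 's|^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*10\.8\.0\.([0-9]+)/32.*|\1|p' "$conf")
    n=2
    while [ "$n" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qx "$n"; then
            printf '10.8.0.%s\n' "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Append a [Peer] stanza unless that public key is already present (idempotent).
# The /32 is deliberate: it binds exactly this address to exactly this key,
# so a peer cannot source traffic as one of its neighbours.
server_add_peer() {
    conf=$1 pubkey=$2 ip=$3
    grep -Fq "$pubkey" "$conf" && return 0
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pubkey" "$ip" >> "$conf"
}

# Remove the [Peer] stanza carrying the given public key, leaving the
# [Interface] section and all other peers untouched.
server_remove_peer() {
    conf=$1 pubkey=$2
    scratch=$(mktemp)
    awk -v key="$pubkey" '
        /^[[:space:]]*\[/ {                     # a new section starts here
            if (buf != "" && !drop) printf "%s", buf
            buf = ""; drop = 0
        }
        { buf = buf $0 "\n" }
        $1 == "PublicKey" && $3 == key { drop = 1 }
        END { if (buf != "" && !drop) printf "%s", buf }
    ' "$conf" > "$scratch" && cat "$scratch" > "$conf"
    rm -f "$scratch"
}

# Apply a registration to the running interface (root, wireguard-tools).
# With SaveConfig = true the file is rewritten from the kernel state on
# `wg-quick down`, so the live change is what ends up persisted.
server_apply_peer() {
    pubkey=$1 ip=$2
    command -v wg >/dev/null 2>&1 || { echo "wg not installed; only the file was updated"; return 0; }
    wg set wg0 peer "$pubkey" allowed-ips "$ip/32"
}

# Typical use on the server (as root), with the peer's public key from Step 7:
#   ip=$(next_free_peer_ip /etc/wireguard/wg0.conf)
#   server_add_peer /etc/wireguard/wg0.conf "$PEER_PUBKEY" "$ip"
#   server_apply_peer "$PEER_PUBKEY" "$ip"
```

Because SaveConfig = true makes wg-quick rewrite the file from the live interface on shutdown, the safe order while wg0 is up is: change the running interface with wg set (or the page’s wg set ... remove) and let the file follow. Editing only the file while the interface is up has the change overwritten; if you prefer the file to be authoritative, drop SaveConfig and load edits with wg syncconf wg0 <(wg-quick strip wg0) instead.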

Conclusion

In this tutorial you installed the WireGuard package and tools on both the server and client Rocky Linux 8 systems. You set up firewall rules for WireGuard, and configured kernel settings to allow packet forwarding using the sysctl command on the server. You learned how to generate private and public WireGuard encryption keys, and how to configure the server and peer (or peers) to connect to each other.

If your network uses IPv6, you also learned how to generate a unique local address range to use with peer connections. Finally, you learned how to limit which traffic should go over the VPN by restricting the network prefixes that the peer can use, as well as how to use the WireGuard Server as a VPN gateway to handle all Internet traffic for peers.

If you would like to learn more about WireGuard, including how to configure more advanced tunnels, or use WireGuard with containers, visit the official WireGuard documentation.