Keep updated on COVID-19 NETWORK STATUS +27 21 554 3096 SUPPORT BLOG MY LOGIN
WireGuard and HOSTAFRICA logo with CentOS 7 text
Linux

Install Wireguard VPN Server And Client On Centos 7

Install WireGuard VPN server on CentOS 7, and client on Linux and Windows

WireGuard is a free alternative to OpenVPN with great encryption, speed, and simplicity. The lightweight, secure, and cross-platform VPN relies on advanced cryptography technologies in addition to supporting Windows, Linux, MacOS, BSD, Android, and iOS operating systems.

WireGuard installation is quite easy, and you only need to follow a few steps. Once installed, you can establish a connection by first exchanging the matching keys between the server and the client. This means that only a client machine with a public key corresponding to the server’s key will connect. Unlike the client-server models, the WireGuard is a peer to peer VPN. The operation depends on the configuration, and this determines if the peer will operate like the traditional server or client.

Contents

How to install and configure the WireGuard server on CentOS 7
Step 1. Update the system and install WireGuard
Step 2. Configure VPN server on CentOS 7
Step 3. Configure the WireGuard server interface on CentOS 7

How to set up WireGuard client on:
CentOS 7
Step 1. Install WireGuard on client machine
Step 2. Generate keys for the client on CentOS 7
Step 3. Configure client interface on CentOS 7
Step 4. Add the client peer to the VPN server

Windows
Step 1. Install WireGuard
Step 2. Add empty tunnel
Step 3. Add the client peer to the server
Step 4. Return to the client machine and activate

Ubuntu 18.04
Step 1. Install WireGuard client on Ubuntu 18.04
Step 2. Generate key pair for Ubuntu client
Step 3. Configure WireGuard VPN client interface on Ubuntu 18.04
Step 4. Add the peer (client) to the VPN server

Debian 9
Step 1. Install WireGuard
Step 2. Generate keys for the client on Debian 9
Step 3. Configure WireGuard VPN client interface on Debian 9
Step 4. Add the peer (client) to the VPN server on Debian 9

How to install WireGuard server on CentOS 7

Prerequisites

  • CentOS 7 running on a Cloud Server
  • An account with sudo privileges
  • If you prefer to use root, sudo commands will still work. Alternatively, simply leave out the sudo prefix when you copy and paste all commands.

Step 1. Update the system and install WireGuard

sudo yum update

Then, reboot your CentOS server

shutdown -r now

Set up the EPEL repository

This step will install the WireGuard-tools package from the EPEL repository. This provides the wg binaries that control the WireGuard server.

sudo yum install epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm

Enter Y when prompted and proceed

terminal output

sudo yum install yum-plugin-elrepo

terminal output

Once complete, we will now install the WireGuard VPN on CentOS 7 cloud system.

sudo yum install kmod-wireguard wireguard-tools

Type y at the two prompts to install the packages

A successful installation will return the following output

terminal output

Step 2. Configure VPN server on CentOS 7

We will now generate the key pairs for the server and client.

Create a directory for the WireGuard on the server.

sudo mkdir -p /etc/wireguard/

The system will save the public and private key pair in this directory. To generate the keys, run the command below on the server.

sudo wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

This will return an output such as below and display the public key.

terminal output

Step 3. Configure the WireGuard server interface on CentOS 7

We will now create the configuration file for the interface wg0 which will be routing the VPN traffic. In this step, you will specify the IP subnet for the VPN network. For this article, we will use 10.10.0.1/24. When choosing the subnet, ensure that it is different from the office or home network to avoid conflicts.

First, find the name of your server’s public NIC using the command

sudo ip a

You will get an output similar to below. Look for the NIC that contains YOUR_PUBILC_IP. In this case below, it is ens3

terminal output

Next, run the following cat command to display your server_private.key

sudo cat /etc/wireguard/server_private.key

Now, we will use GNU nano Text Editor. To automatically create the configuration file, open it as a blank file in the nano editor by running

sudo nano /etc/wireguard/wg0.conf

Finally, add the configuration text from the code block below to the new file and insert the server_private.key you just displayed in the PrivateKey field: your server_private.key here.

NOTE: replace all instances of ens3 with your own public NIC you found above.

[Interface]
PrivateKey = your server_private.key here
Address = 10.10.0.1/24
Address = fd86:ea04:1111::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
SaveConfig = true

It should look as such with your own values added.

terminal output

Press ctrl+O to Save and ctrl+X to Exit.

Enable user rights with this command below, so that only allowed users can read the file

sudo chmod 600 /etc/wireguard/{server_public.key,wg0.conf}

Configure firewall rules

Use the following command by inserting the port 51820 specified in screenshot above in the ListenPort field

sudo firewall-cmd --permanent --add-port=51820/udp --zone=public

alternative command

sudo iptables -I INPUT 1 -p udp --dport 51820 -j ACCEPT

Verify settings

sudo iptables -L

 

For NAT to work, we will enable forwarding for both IP4 and IP6 in the file /etc/sysctl.conf file as below.

Use a text editor to open the file configuration file and enable the following commands.

net.ipv4.ip_forward=1

and

net.ipv6.conf.all.forwarding=1

By default, the lines are disabled; to enable them, launch the editor as below, navigate to each line, and remove the # sign at the beginning of the command to uncomment so it looks as such below.

sudo nano /etc/sysctl.conf

terminal output

Save and exit.
We are now ready to bring up the wg0 interface. To do this, use the wg-quick command as follows

sudo wg-quick up wg0

Output

terminal output

You can now use the wg command to see active interfaces and connected peers.

sudo wg

Since we have not configured the client, the output should be as shown below.

terminal output

This shows that we have successfully configured our server interface.

Lastly, to enable WireGuard on system boot, run the command below on both the server and the client.

sudo systemctl enable wg-quick@wg0

Set up WireGuard VPN client on CentOS 7

For most operating systems, the installation process for the WireGuard is the same for both the server and client. The only difference is the configuration file. In this article, we will learn how to configure a client in CentOS 7, Windows, Ubuntu 18.04 and Debian 9.

We will start by installing WireGuard on your client machine (can be your PC, server, etc), after which we will generate the key pair for the client and finally do the configuration.

Step 1. Install WireGuard on client machine

sudo yum update
sudo yum install epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
sudo yum install yum-plugin-elrepo
sudo yum install kmod-wireguard wireguard-tool

Step 2. Generate keys for the client on CentOS 7

Create the WireGuard directory.

sudo mkdir -p /etc/wireguard/

If running as a sudo user you may not have access to the WireGuard directory.
Use the following command to grant access to the logged-in user.

sudo chmod go+rx /etc/wireguard/

To generate key pair, run

sudo wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key

This will generate the keys and save them in the WireGuard directory. You can use the cat command to view the keys.

sudo cat /etc/wireguard/client_private.key

Step 3. Configure client interface on CentOS 7

In this step, we will create the configuration file /etc/wireguard/wg0.conf on the client device. Please note that the file name and location are similar to that in the server and the only difference is the contents.

You will need to replace the text fields PrivateKey, PublicKey, and Endpoint with your own values.

You can obtain your client_private.key by running the cat command from the client’s WireGuard directory.

sudo cat client_private.key

Or run the command from anywhere by specifying the full file path

sudo cat /etc/wireguard/client_private.key

PublicKey is the server_public.key on the VPN server. Obtain it by using the cat command on the server.

sudo cat server_public.key

terminal output

Now, use GNU nano Text Editor to open a new blank configuration file with the command below

sudo nano /etc/wireguard/wg0.conf

Insert the text from the code block below and replace the PrivateKey, PublicKey, and Endpoint with your own values.

[Interface]
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = your client_private.key here
DNS = 1.1.1.1

[Peer]
PublicKey = your server_public.key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0

Below is our configuration file in the editor.

terminal output

Save the file and exit.

Set the right permissions for your configuration file wg0.conf hence making it secure.

chmod 600 /etc/wireguard/wg0.conf

Step 4. Add the client peer to the VPN server

We will now add the client_public.key to the server using the following syntax.

sudo wg set wg0 peer client_public.key allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128

To do this, go to the server and run the command below with your own client_public.key inserted. As an example, it will look like this:

sudo wg set wg0 peer pYEKlKZY3qqliTyl3I0HqNSPV/XD7zYQVELFIB+mYA4= allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128

terminal output

To confirm the addition, run the following command on the server.

sudo wg

terminal output

This shows that we have successfully added the peer.

Check connections
We will now start the interface on the client using the wg-quick command.

sudo wg-quick up wg0

This will give the following output;
terminal output

When both server and client interfaces are up, you can check the status using the wg command.

On the server

sudo wg

terminal output

On the client machine

sudo wg

terminal output

This shows that we have successfully added the peer to the server and established a connection.  Note that you can turn the interfaces on and off using

sudo wg-quick up wg0

to enable and

sudo wg-quick down wg0

to disable.

To enable the WireGuard on system boot, run the command below on both the server and the client.

sudo systemctl enable wg-quick@wg0

Switch your cloud server to HOSTAFRICA and get 80% off for 3 months!

sign up now

How to set up WireGuard client in Windows

Step 1. Install WireGuard

Download the WireGuard installer for Windows and install it on your Windows machine. Once complete, it will give you the following output.

terminal output

Step 2. Add empty tunnel

Give it a name.

Add the configuration text below with your own values in PublicKey and Endpoint fields.

[Interface]
PrivateKey = your client private key will already be here
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
DNS = 1.1.1.1

[Peer]
PublicKey = your server_public.key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0

PublicKey is the server_public.key on the VPN CentOS server. Obtain it by running the cat command on the server.

sudo cat /etc/wireguard/server_public.key

Then return to the client machine and insert the value in the PublicKey field.

Windows WIreGuard VPN client window config

 

Click Save

Step 3. Add the client peer to the server

Now, you need to add the windows client Public key and IP address to the server.

terminal output

Run the command below, replace client public key in the command below with your client Public key generated in the tunnel window above (highlighted in the red box).

sudo wg set wg0 peer client public key allowed-ips 10.10.0.2

Step 4. Return to the client machine

Click Activate on the windows machine.

terminal output

If successful, the client becomes Active and you will start seeing received and sent traffic.

How to set up WireGuard client on Ubuntu 18.04

Step 1. Install WireGuard client on Ubuntu 18.04

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt install wireguard

Restart client computer and confirm that it is working

sudo modprobe wireguard
lsmod | grep wireguard

If successful, it will give the output below.

terminal output

Step 2. Generate key pair for Ubuntu client

This follows the same process as that of the server.

sudo chmod go+rx /etc/wireguard
cd /etc/wireguard

Run the following to generate the VPN client keys;

umask 077
sudo wg genkey | sudo tee client_private.key | wg pubkey | sudo tee client_public.key

terminal output

Now that we have the key, we will go to the next step and configure the client.

Step 3. Configure WireGuard VPN client interface on Ubuntu 18.04

The process is similar to that of the server apart from the information in the configuration files. We will call our interface wg0 and use the configuration file to define the private network, our client public key, and the server’s public key and IP address.

You will need to add your own values to the PrivateKey, PublicKey, and Endpoint fields in the code block further down.

The client’s PrivateKey can be obtained by running the cat command from the client’s WireGuard directory.

sudo cat client_private.key

terminal output

PublicKey is the server_public.key on the VPN server. Go to the server and obtain the key by running the cat command;

sudo cat server_public.key

Once you have all the details, you can now create the client configuration file. The command below will open a blank file in GNU nano Text Editor.

sudo nano /etc/wireguard/wg0.conf

Insert the text from the code block below with your own values.

[Interface]
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = your client_private.key here
DNS = 1.1.1.1

[Peer]
PublicKey = your server_public.key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0

Below is our configuration file in the editor.

terminal output

Save the file and exit.

Set the right permissions for your configuration file wg0.conf, hence making it secure.

sudo chmod 600 /etc/wireguard/wg0.conf

Step 4. Add the peer (client) to the VPN server

We will now add the client_public.key to the server using the following syntax.

sudo wg set wg0 peer client_public.key allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128

To do this, go to the server and run the command below with your own client_public.key inserted. As an example, it will look like this:

sudo wg set wg0 peer E6AoavHk75/IwG7RVFegOkV4JIdje0U8kJnbkySqsiI= allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128

terminal output

To confirm the addition, run the following command on the server.

sudo wg

terminal output

This shows that we have successfully added the peer.

Check connections
We will now start the interface on the client using the wg-quick command.

sudo wg-quick up wg0

If you get an error about missing resolvconf, install it using the command below, and then try to start the interface again.

sudo apt install resolvconf

This will give the following output;

terminal output

You can check the status of the interface using the wg command

sudo wg

terminal output

Similarly, you can go to the server and check its status.

sudo wg

terminal output

To see if the client can ping the server run;

ping 10.10.0.1

terminal output

This shows that we have successfully added the peer to the server and established a connection. Note that you can turn the interfaces on and off using

sudo wg-quick up wg0

to enable and

sudo wg-quick down wg0

to disable.

To enable WireGuard on system boot, run the command below on both the server and the client.

sudo systemctl enable wg-quick@wg0

How to Install WireGuard client on Debian 9

Make sure you have sudo privileges and that it is installed with the following commands

su
apt-get install sudo -y

If you prefer to use root, sudo commands will still work as is. Alternatively, simply leave out the sudo prefix when you copy and paste all commands.

Step 1. Install WireGuard

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools

If successful, you will see the following output.

terminal output

Enable the WireGuard kernel module and check the status

sudo modprobe wireguard && lsmod | grep wireguard

terminal output

Step 2. Generate keys for the client on Debian 9

We will now generate a private and public key, which we will add to the configuration files.

sudo wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key

terminal output

Step 3. Configure WireGuard VPN client interface on Debian 9

The process is similar to that of the server apart from the information in the configuration files. We will call our interface wg0 and use the configuration file to define the private network, our client private key, and the server’s public key and IP address.

You will need to add your own values to the PrivateKey, PublicKey, and Endpoint fields in the code block further down.

The client’s PrivateKey can be obtained by running the cat command from the client’s WireGuard directory.

sudo cat client_private.key

Or run the command from anywhere by specifying the full file path

sudo cat /etc/wireguard/client_private.key

terminal output

PublicKey is the server_public.key on the VPN server. Go to the server and obtain the key by running the cat command;

sudo cat server_public.key

Once you have all the details, you can now create the client configuration file. The command below will open a blank file in GNU nano Text Editor.

sudo nano /etc/wireguard/wg0.conf

Insert the text from the code block below with your own values.

[Interface]
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = your client_private.key here
DNS = 1.1.1.1

[Peer]
PublicKey = your server_public.key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0

Below is our configuration file in the editor.

terminal output

Save the file and exit.

Set the right permissions for your configuration file wg0.conf, hence making it secure.

sudo chmod 600 /etc/wireguard/wg0.conf

Step 4. Add the peer (client) to the VPN server on Debian 9

We will now add the client_public.key to the server using the following syntax.

sudo wg set wg0 peer client_public.key allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128

To do this, go to the server and run the command below with your own client_public.key inserted. as an example, it will look like this:

sudo wg set wg0 peer E6AoavHk75/IwG7RVFegOkV4JIdje0U8kJnbkySqsiI= allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128

terminal output

To confirm the addition, run the following command on the server.

sudo wg

terminal output

This shows that we have successfully added the peer.

Check connections
We will now start the interface on the client using the wg-quick command.

sudo wg-quick up wg0

If you get an error about missing resolvconf, install it using the command below, and then try to start the interface again.

sudo apt install resolvconf

This will give the following output;

terminal output

You can check the status of the interface using the wg command

sudo wg

terminal output

Similarly, you can go to the server and check its status.

sudo wg

terminal output

To see if the client can ping the server run;

ping 10.10.0.1

terminal output

This shows that we have successfully added the peer to the server and established a connection. Note, that you can turn the interfaces on and off by running:

sudo wg-quick up wg0

to enable, and

sudo wg-quick down wg0

to disable.

To enable WireGuard on system boot, run the command below on both the server and the client.

sudo systemctl enable wg-quick@wg0

 

Now you should be all set up. We hope this helped.

Happy hosting!

 

Visit our other blogs if you have other OS requirements:

How to install WireGuard VPN server on Ubuntu 18.04, and client on Linux and Windows.

 

How to Install WireGuard VPN Server on Debian 9, and client on Linux and Windows.

Switch your cloud server to HOSTAFRICA and get 80% off for 3 months!

sign up now

 

> Back to top of page

Share this article:
categories
Backup Business Cloud Cybersecurity DNS Domain Name Domains E-mail Entertainment Hosting https Linux Networks New Technologies News Our Portfolio PHP Security Servers Site Builder Software SSL certificates Technology VPS Web Design Web Development Web Tutorials Windows WordPress
Copyright © 2021 HOSTAFRICA - All rights reserved.

By visiting this website, you agree to its terms of use, which can be accessed by clicking on the following link: Website Terms of use
We Accept: EFT, Debit Cards, Credit Cards and Mobile Payments
Accepted payment methods