
How To Install WireGuard on AlmaLinux 9


In today’s interconnected world, secure communication is paramount. Whether you’re a system administrator, a privacy-conscious individual, or a business owner, setting up a reliable Virtual Private Network (VPN) is crucial. This guide will walk you through the process of installing WireGuard, a cutting-edge VPN protocol, on AlmaLinux 9, a robust and community-driven enterprise Linux distribution.

1. Introduction to WireGuard and AlmaLinux 9

What is WireGuard?

WireGuard is a modern VPN protocol that has gained significant traction in recent years. It stands out from traditional VPN solutions like OpenVPN and IPsec due to its simplicity, speed, and strong security foundations. WireGuard’s lean codebase, typically around 4,000 lines, makes it easier to audit and less prone to vulnerabilities compared to its more complex counterparts.

Key advantages of WireGuard include:

  • Blazing fast performance with low latency
  • Strong, state-of-the-art cryptography
  • Simple configuration and deployment
  • Cross-platform compatibility

Why use AlmaLinux 9?

AlmaLinux is a free, open-source Linux distribution that serves as a stable, community-driven alternative to CentOS. It’s binary compatible with Red Hat Enterprise Linux (RHEL), making it an excellent choice for enterprise environments. AlmaLinux 9, the latest major release, brings several improvements and features that make it an ideal platform for hosting VPN servers:

  • Long-term support and stability
  • Regular security updates
  • Extensive package repositories
  • Active community support

Purpose of this Guide

By following this comprehensive tutorial, you’ll learn how to set up a secure, high-performance VPN using WireGuard on AlmaLinux 9. We’ll cover everything from system preparation to troubleshooting common issues, ensuring you have a fully functional and secure VPN solution by the end of this guide.

2. Prerequisites

Before we dive into the installation process, let’s ensure you have everything needed to successfully set up WireGuard on AlmaLinux 9.

System Requirements

  • An AlmaLinux 9 server with root or sudo privileges
  • Basic familiarity with Linux command-line operations
  • A text editor of your choice (e.g., nano, vim, or gedit)

Network Considerations

Your AlmaLinux 9 server should have:

  • A static public IP address, or
  • A dynamic DNS setup if using a dynamic IP
  • Unrestricted access to UDP port 51820 (default for WireGuard)

Firewall and SELinux Configuration

AlmaLinux 9 uses firewalld as its default firewall management tool. We’ll need to configure it to allow WireGuard traffic. Additionally, while SELinux provides enhanced security, it can sometimes interfere with new services. For this guide, we’ll ensure it’s in permissive mode to avoid potential conflicts.

3. Step-by-Step Guide to Installing WireGuard on AlmaLinux 9

3.1 Update the System

Before we begin, it’s crucial to ensure your AlmaLinux 9 system is up-to-date. Open a terminal and run the following commands:

sudo dnf update -y
sudo reboot

The system will update and reboot. Once it’s back online, reconnect and proceed with the next steps.

3.2 Install Required Repositories

WireGuard isn’t available in the default AlmaLinux 9 repositories. We need to add the EPEL (Extra Packages for Enterprise Linux) and ELRepo repositories to access the necessary packages:

sudo dnf install epel-release elrepo-release -y

This command installs both repositories, giving us access to a wide range of additional software packages, including WireGuard.

3.3 Install WireGuard Kernel Module

With the repositories in place, we can now install the WireGuard kernel module. This module is essential for WireGuard to function at the system level:

sudo dnf install kmod-wireguard -y
sudo modprobe wireguard

To verify that the WireGuard module has been successfully loaded, run:

lsmod | grep wireguard

If the module is loaded correctly, you should see “wireguard” in the output.

3.4 Install WireGuard Tools

Next, we’ll install the WireGuard tools, which provide the necessary utilities for configuring and managing WireGuard interfaces:

sudo dnf install wireguard-tools -y

3.5 Configure Firewall for WireGuard

We need to open the default WireGuard port (UDP 51820) in the firewall to allow incoming VPN connections:

sudo firewall-cmd --add-port=51820/udp --permanent
sudo firewall-cmd --reload

Additionally, we need to enable IP forwarding to allow traffic to pass through our VPN server. Add the following line to the sysctl configuration:


echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

These commands enable IP forwarding and apply the changes immediately.

4. Configuring the WireGuard Server

4.1 Generate Server Keys

WireGuard uses public-key cryptography for authentication. Let’s generate the server’s private and public keys:

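sudo mkdir -p /etc/wireguard
# Run in a root shell so the umask covers both key files and cd works even if the directory is root-only
sudo sh -c 'umask 077; cd /etc/wireguard && wg genkey | tee server_private.key | wg pubkey | tee server_public.key'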

This sequence of commands creates a directory for WireGuard configurations, sets restrictive permissions, generates a private key, and derives the corresponding public key from it.

4.2 Create Server Configuration File

Now, let’s create and edit the main WireGuard configuration file:


sudo nano /etc/wireguard/wg0.conf

Add the following content to the file, replacing <server_private_key> with the actual private key from the server_private.key file:


[Interface]
PrivateKey = <server_private_key>
Address = 10.8.0.1/24
ListenPort = 51820

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client configurations will be added here later

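This configuration sets up the server interface, specifies the VPN subnet (10.8.0.0/24), and includes iptables rules for NAT and forwarding. The rules assume the server's public-facing interface is named eth0; if yours has a different name, use that name in both the PostUp and PostDown lines.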

4.3 Start and Enable WireGuard Service

With the configuration in place, we can now start the WireGuard service:

sudo wg-quick up wg0

To ensure WireGuard starts automatically on system boot, enable the service:

sudo systemctl enable wg-quick@wg0.service

5. Setting Up a Client to Connect to the Server

5.1 Generate Client Keys

On the client machine (which can be any device that supports WireGuard), generate a pair of keys:

# Restrict permissions first so the private key file is not created world-readable
umask 077
wg genkey | tee client_private.key | wg pubkey > client_public.key

5.2 Configure Client Connection

Create a new file named wg0-client.conf on the client device with the following content:

[Interface]
PrivateKey = <client_private_key>
Address = 10.8.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Replace <client_private_key> with the content of the client’s private key file, <server_public_key> with the server’s public key, and <server_ip> with your AlmaLinux 9 server’s public IP address.
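
The server configuration in section 4.2 leaves a placeholder for clients, and the server only accepts a client once that client's public key is listed as a [Peer] in wg0.conf. The following script is an added example, not part of the original guide: it validates a client public key and tunnel address and appends the matching stanza. The function names are illustrative; the subnet and server address are the ones used in this guide.

```shell
#!/bin/sh
# Added example: register a client as a [Peer] in the server's wg0.conf.
# 10.8.0.0/24 and the server address 10.8.0.1 come from the guide;
# the function names are hypothetical helpers, not part of wireguard-tools.

# A WireGuard public key is 32 bytes in base64: 43 characters plus "=".
# The 43rd character can only be one whose two low bits are zero.
valid_pubkey() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Accept only host addresses 10.8.0.2 through 10.8.0.254 (.1 is the server).
valid_client_ip() {
    case "$1" in
        10.8.0.[2-9]|10.8.0.[1-9][0-9]|10.8.0.1[0-9][0-9]) return 0 ;;
        10.8.0.2[0-4][0-9]|10.8.0.25[0-4]) return 0 ;;
        *) return 1 ;;
    esac
}

# add_peer CONF PUBKEY IP
# Appends a [Peer] stanza to CONF. Returns 2 for a malformed key,
# 3 for an address outside the client range, 4 for a duplicate.
add_peer() {
    conf=$1 key=$2 ip=$3
    valid_pubkey "$key"   || { echo "invalid public key" >&2; return 2; }
    valid_client_ip "$ip" || { echo "address outside 10.8.0.2-254" >&2; return 3; }
    if grep -Fxq "PublicKey = $key" "$conf" ||
       grep -Fxq "AllowedIPs = ${ip}/32" "$conf"; then
        echo "key or address already assigned" >&2
        return 4
    fi
    # /32 binds this key to a single tunnel address, so the client cannot
    # send traffic through the tunnel using another client's VPN IP.
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$key" "$ip" >> "$conf"
}
```

Run add_peer as root against /etc/wireguard/wg0.conf with the contents of client_public.key, then reload the interface with sudo wg-quick down wg0 followed by sudo wg-quick up wg0.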

5.3 Connecting Client to Server

To establish the VPN connection from the client, use the following command:

sudo wg-quick up ./wg0-client.conf

This command brings up the WireGuard interface and establishes the VPN connection to your AlmaLinux 9 server.

6. Testing and Verifying the Setup

6.1 Check VPN Status on Server

To verify the WireGuard connection on the server side, use the following command:

sudo wg show

This will display information about active connections, including the client’s public key and IP address.
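
For routine checks, the tab-separated output of wg show wg0 dump is easier to process than the human-readable view. The following function is an added example, not part of the original guide: it reads that dump and flags peers that have never completed a handshake, peers whose last handshake is older than a threshold, and peers whose AllowedIPs are wider than a single host. The function name and the 180-second threshold in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit peers from `wg show wg0 dump` (read on stdin).
# Dump layout per wg(8): line 1 describes the interface and begins with
# its PRIVATE key, so never log the raw dump. Each following line is a peer:
#   public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
#   transfer-rx, transfer-tx, persistent-keepalive   (tab-separated)

# audit_peers NOW MAX_AGE
#   NOW      current time in epoch seconds
#   MAX_AGE  seconds after which the last handshake counts as stale
# Prints one finding per line: WIDE, NEVER or STALE, then the peer key.
audit_peers() {
    awk -F '\t' -v now="$1" -v max="$2" '
        NR == 1 { next }            # skip the interface line (private key)
        {
            key = $1; hs = $5
            # On the server each client should be limited to one host route.
            n = split($4, nets, ",")
            for (i = 1; i <= n; i++)
                if (nets[i] !~ /\/32$/ && nets[i] !~ /\/128$/)
                    print "WIDE " key " " nets[i]
            if (hs == 0)
                print "NEVER " key
            else if (now - hs > max)
                print "STALE " key " " (now - hs) "s"
        }'
}

# Usage on the server:
#   sudo wg show wg0 dump | audit_peers "$(date +%s)" 180
```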

6.2 Verify Connectivity from Client Side

On the client machine, you can test the VPN connection by pinging the server’s VPN IP address:

ping 10.8.0.1

If the ping is successful, your WireGuard VPN is working correctly. You can further verify by checking your public IP address, which should now be the IP of your AlmaLinux 9 server:

curl ifconfig.me

7. Troubleshooting Common Issues

7.1 Firewall Issues

If you’re having trouble connecting, double-check your firewall settings:

sudo firewall-cmd --list-all

Ensure that UDP port 51820 is listed under the allowed ports. If not, add it again:

sudo firewall-cmd --add-port=51820/udp --permanent
sudo firewall-cmd --reload

7.2 SELinux Blocking Connections

If SELinux is causing issues, you can temporarily set it to permissive mode:

sudo setenforce 0

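If this resolves the issue, you may need to create custom SELinux policies for WireGuard or consider leaving SELinux in permissive mode. Keep in mind that permissive mode logs policy violations without blocking them for every service on the system, not only WireGuard, and that setenforce 0 lasts only until the next reboot.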

Congratulations! You have successfully installed WireGuard. Thanks for using this tutorial for installing WireGuard VPN on your AlmaLinux 9 system. For additional help or useful information, we recommend you check the official WireGuard website.


r00t
