CentOSRHEL Based

How To Install WireGuard on CentOS Stream 10

r00t

Install WireGuard on CentOS Stream 10

WireGuard has emerged as one of the most efficient and secure VPN solutions available today. Unlike traditional VPN protocols, WireGuard offers improved performance, simplified configuration, and enhanced security features. When implemented on CentOS Stream 10, you can create a robust, reliable VPN server that meets modern networking demands while leveraging the stability of the Red Hat ecosystem.

This comprehensive guide will walk you through every step of installing and configuring WireGuard on CentOS Stream 10, from basic setup to advanced configurations and troubleshooting.

Table of Contents

Prerequisites

Before beginning the WireGuard installation process, ensure your system meets these requirements:

System Requirements:

  • A server running CentOS Stream 10
  • Root or sudo privileges
  • A stable internet connection
  • At least 1GB RAM (2GB recommended for optimal performance)
  • Minimum 10GB disk space

Network Requirements:

  • A public IP address or properly configured port forwarding
  • UDP port 51820 available (default WireGuard port)
  • No existing conflicts with other VPN services

Knowledge Requirements:

  • Basic Linux command-line skills
  • Fundamental networking concepts
  • Understanding of firewall management

Before proceeding, update your system packages to ensure you’re working with the latest software:

sudo dnf update -y
sudo systemctl reboot

Understanding WireGuard Technology

WireGuard represents a paradigm shift in VPN technology, offering significant advantages over traditional protocols like OpenVPN and IPsec.

Core Technical Features:

  • Modern Cryptography: WireGuard implements state-of-the-art cryptographic principles including Curve25519 for key exchange, ChaCha20 for encryption, and Poly1305 for authentication.
  • Minimal Codebase: Unlike traditional VPNs with hundreds of thousands of lines of code, WireGuard consists of approximately 4,000 lines, making it easier to audit and less vulnerable to security issues.
  • Kernel Implementation: Running directly in the Linux kernel space, WireGuard achieves exceptional performance with minimal overhead.
  • Simple Configuration: Similar to SSH’s approach, WireGuard uses a straightforward configuration mechanism with easy key generation and management.

Performance Benefits:

  • Faster connection establishment
  • Lower latency
  • Higher throughput
  • Better battery life on mobile devices
  • More reliable connections during network changes

This combination of security, simplicity, and performance makes WireGuard an excellent choice for modern VPN deployments on CentOS Stream 10.

Preparing Your CentOS Stream 10 Environment

Before installing WireGuard, you need to properly configure your CentOS Stream 10 environment with the necessary repositories and dependencies.

Repository Configuration

CentOS Stream 10 requires specific repositories to access WireGuard packages:

# Install EPEL repository
sudo dnf install epel-release -y

# Install ELRepo repository (if needed)
sudo dnf install https://www.elrepo.org/elrepo-release-10.el10.elrepo.noarch.rpm -y

Installing Dependencies

Several dependencies are required for WireGuard to function properly:

# Install necessary development tools
sudo dnf install gcc make kernel-devel kernel-headers -y

# Install additional required packages
sudo dnf install iptables qrencode -y

These packages provide the necessary tools for building kernel modules, managing network traffic, and generating QR codes for mobile client configuration.

Installing WireGuard Package

With your environment properly prepared, you can now install WireGuard on your CentOS Stream 10 system.

Installing WireGuard Tools

# Install WireGuard tools package
sudo dnf install wireguard-tools -y

In CentOS Stream 10, the WireGuard kernel module is typically included with the default kernel, but if needed, you can install it separately:

# Install WireGuard kernel module (if required)
sudo dnf install kmod-wireguard -y

Verifying Installation

After installation, verify that WireGuard was installed correctly:

# Check WireGuard version
wg --version

You should see output similar to:

wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/

Ensure the kernel module is loaded properly:

sudo modprobe wireguard
lsmod | grep wireguard

If successful, you’ll see “wireguard” listed in the output.

Understanding WireGuard’s Key System

WireGuard utilizes public key cryptography for secure authentication and encryption, similar to SSH.

Public/Private Key Cryptography

In the WireGuard security model:

  • Each peer (server or client) has a private key that must be kept secret
  • Each peer also has a public key that is shared with other peers
  • The public key is mathematically derived from the private key
  • Connections are authenticated and encrypted using these key pairs

Security Considerations

For robust key management:

  • Generate unique keys for each server and client
  • Keep private keys confidential and restrict access
  • Store keys with appropriate file permissions (600 or stricter)
  • Never transmit private keys over insecure channels
  • Consider implementing a key rotation schedule

Generating WireGuard Keys

Now let’s generate the cryptographic keys required for your WireGuard server and clients.

Creating a Key Directory

First, create a secure directory for storing your WireGuard keys:

# Create keys directory with restrictive permissions
sudo mkdir -p /etc/wireguard/keys
sudo chmod 700 /etc/wireguard/keys
cd /etc/wireguard/keys

Generating Server Keys

Generate the server’s private and public keys:

# Set restrictive umask
sudo umask 077

# Generate server private key
sudo wg genkey | sudo tee server_private.key

# Generate server public key from private key
sudo cat server_private.key | sudo wg pubkey | sudo tee server_public.key

Generating Client Keys

Similarly, generate keys for each client that will connect to your server:

# Generate client private key
sudo wg genkey | sudo tee client1_private.key

# Generate client public key
sudo cat client1_private.key | sudo wg pubkey | sudo tee client1_public.key

Repeat this process for each client, incrementing the client number as needed.

Server Configuration Basics

With keys generated, let’s create the basic WireGuard server configuration.

Understanding Configuration Structure

WireGuard’s configuration consists of two main sections:

  • [Interface]: Defines the local WireGuard interface settings
  • [Peer]: Defines remote peers (clients) that can connect

Creating Basic Configuration File

Create the server configuration file:

sudo nano /etc/wireguard/wg0.conf

Add this basic configuration:

[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820

# Client configuration will be added below

Replace <server_private_key> with the content of your server private key file:

sudo cat /etc/wireguard/keys/server_private.key

This configuration:

  • Sets the server’s private key for encryption
  • Assigns an internal VPN IP address (10.0.0.1/24)
  • Configures WireGuard to listen on port 51820

Detailed Server Configuration

Now, let’s enhance the basic configuration with routing and firewall settings for a complete server setup.

Configuring IP Forwarding

For the VPN to function correctly, enable IP forwarding:

# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Complete Server Configuration

Create a comprehensive server configuration:

sudo nano /etc/wireguard/wg0.conf

Add the following content:

[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820

# NAT routing
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client 1
[Peer]
PublicKey = <client1_public_key>
AllowedIPs = 10.0.0.2/32

Replace:

  • <server_private_key> with your server’s private key
  • <client1_public_key> with your client’s public key
  • eth0 with your actual network interface name (check with ip a)

Understanding Configuration Parameters

Key parameters explained:

Interface Section:

  • PrivateKey: Server’s private key for encryption
  • Address: Internal IP address and subnet for the WireGuard interface
  • ListenPort: UDP port WireGuard listens on (default 51820)

PostUp/PostDown Scripts:

  • Execute when the interface is brought up or down
  • Configure NAT and routing to allow clients to access the internet
  • Add and remove necessary iptables rules

Peer Section:

  • PublicKey: Client’s public key for authentication
  • AllowedIPs: IP addresses that will be routed to this peer

Client Configuration Management

Managing client configurations efficiently is essential for a well-maintained WireGuard server.

Creating Client Configuration Files

For each client, create a dedicated configuration file:

sudo nano /etc/wireguard/client1.conf

Add the following content:

[Interface]
PrivateKey = <client1_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_public_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Replace:

  • <client1_private_key> with the client’s private key
  • <server_public_key> with the server’s public key
  • <server_public_ip> with your server’s public IP address

Understanding Client Configuration

Important client parameters:

Interface Section:

  • PrivateKey: Client’s private key
  • Address: Client’s VPN IP address
  • DNS: DNS servers for the client to use when connected

Peer Section:

  • PublicKey: Server’s public key
  • Endpoint: Server’s public IP address and port
  • AllowedIPs: Traffic to these IP ranges routes through the VPN
  • 0.0.0.0/0, ::/0 routes all traffic through the VPN
  • PersistentKeepalive: Keeps the connection alive (useful behind NAT)

Generating QR Codes for Mobile Clients

For mobile clients, generate a QR code from the configuration:

# Install qrencode if not already installed
sudo dnf install qrencode -y

# Generate QR code
sudo qrencode -t ansiutf8 < /etc/wireguard/client1.conf

This QR code can be scanned directly by the WireGuard mobile app.

Firewall Configuration

Proper firewall configuration is crucial for a secure and functional WireGuard VPN.

Configuring Firewalld

CentOS Stream 10 typically uses firewalld by default:

# Allow WireGuard UDP port
sudo firewall-cmd --permanent --add-port=51820/udp

# Enable masquerading (NAT)
sudo firewall-cmd --permanent --add-masquerade

# Apply changes
sudo firewall-cmd --reload

Setting Up Proper Zones

For more advanced firewalld configurations with zones:

# Create WireGuard zone
sudo firewall-cmd --permanent --new-zone=wireguard

# Add WireGuard interface to zone
sudo firewall-cmd --permanent --zone=wireguard --add-interface=wg0

# Configure zone settings
sudo firewall-cmd --permanent --zone=wireguard --set-target=ACCEPT
sudo firewall-cmd --reload

This creates a dedicated firewall zone for WireGuard traffic, improving security and manageability.

Network Address Translation and Routing

Configuring NAT and routing is essential for forwarding client traffic through your server.

Setting Up NAT for Client Traffic

NAT allows clients to access the internet through your server:

# Enable IP forwarding (if not done already)
sudo sysctl -w net.ipv4.ip_forward=1

# Configure NAT with iptables
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Replace eth0 with your actual outbound network interface.

Understanding AllowedIPs Parameter

The AllowedIPs parameter serves two purposes:

  1. Controls which traffic is routed through the tunnel
  2. Acts as an access control list

Common configurations include:

  • 10.0.0.2/32: Only route traffic for the specific VPN IP
  • 0.0.0.0/0: Route all IPv4 traffic through the tunnel
  • 0.0.0.0/0, ::/0: Route all IPv4 and IPv6 traffic through the tunnel

Split Tunneling vs. Full Tunneling

Configure your setup based on your tunneling needs:

Split Tunneling (route only specific traffic through VPN):

AllowedIPs = 10.0.0.0/24, 192.168.1.0/24

Full Tunneling (route all traffic through VPN):

AllowedIPs = 0.0.0.0/0, ::/0

The choice depends on whether you want all client traffic or just specific traffic to pass through the VPN.

Starting and Managing WireGuard Service

Now let’s configure WireGuard to run as a systemd service for reliable operation.

Starting WireGuard Manually

You can start WireGuard manually using wg-quick:

sudo wg-quick up wg0

This command reads /etc/wireguard/wg0.conf and configures the interface accordingly.

Configuring WireGuard as a Systemd Service

For automatic startup, configure WireGuard as a systemd service:

# Enable WireGuard to start at boot
sudo systemctl enable wg-quick@wg0

# Start the service
sudo systemctl start wg-quick@wg0

# Check status
sudo systemctl status wg-quick@wg0

The systemd instance name must match the configuration file name (without the .conf suffix).

Managing the WireGuard Service

Common service management commands:

# Stop WireGuard
sudo systemctl stop wg-quick@wg0

# Restart WireGuard
sudo systemctl restart wg-quick@wg0

# View service status
sudo systemctl status wg-quick@wg0

Viewing Service Logs

Monitor WireGuard logs to troubleshoot issues:

# View WireGuard logs
sudo journalctl -u wg-quick@wg0

# Follow logs in real-time
sudo journalctl -fu wg-quick@wg0

This helps identify connection problems and configuration issues.

Client Setup Process

Now let’s explore the process of setting up WireGuard clients on various platforms.

Transferring Configuration Securely

Securely transfer client configuration files to their respective devices:

# Option 1: Using QR codes (for mobile devices)
sudo qrencode -t ansiutf8 < /etc/wireguard/client1.conf

# Option 2: Using SCP (for desktop clients)
scp /etc/wireguard/client1.conf user@client-ip:~/wireguard-config.conf

Always ensure configuration is transferred through a secure channel.

Installing WireGuard Client Software

Install WireGuard client software on different platforms:

Linux:

# Ubuntu/Debian
sudo apt install wireguard

# Fedora/CentOS
sudo dnf install wireguard-tools

Windows/macOS/Mobile:

  • Download from official website (Windows)
  • Install from App Store (macOS, iOS, Android)

Importing Client Configuration

Import the configuration on each client:

Linux:

sudo cp wireguard-config.conf /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
sudo wg-quick up wg0

Windows/macOS/Mobile:

  • Open the WireGuard application
  • Click “Add Tunnel” or “+”
  • Import the configuration file or scan the QR code

Testing the Connection

After setting up both server and client, it’s important to verify that the connection works properly.

Verifying Connection Status

Check the connection status on the server:

sudo wg show

This displays all active connections, showing:

  • Public keys of connected peers
  • Latest handshake times
  • Data transferred
  • Allowed IPs

Expected output should look similar to:

interface: wg0
public key: UtjqCJ57DeAscYKRfp7cFGiQqdONRn69u249Fa4O6BE=
private key: (hidden)
listening port: 51820

peer: bnwfQcC8/g2i4vvEqcRUM2e6Hi3Nskk6G9t4r26nFVM=
allowed ips: 10.0.0.2/32
latest handshake: 2 minutes ago
transfer: 14.32 MiB received, 3.46 MiB sent

Testing Basic Connectivity

Test basic connectivity from the client:

# Ping the server's VPN IP
ping 10.0.0.1

# Check internet connectivity
ping 8.8.8.8

Successful pings indicate that the VPN tunnel is working correctly.

Troubleshooting Common Issues

Even with careful setup, you might encounter issues. Here are solutions to common problems.

Connection Failures

If clients cannot connect to the server:

  1. Verify firewall settings: Ensure UDP port 51820 is open
  2. Check server logs: sudo journalctl -u wg-quick@wg0
  3. Verify the public IP is correct in client configuration
  4. Check if NAT/port forwarding is configured correctly
  5. Try restarting the WireGuard service

Firewall and NAT Issues

If clients connect but cannot access the internet:

  1. Verify IP forwarding is enabled: cat /proc/sys/net/ipv4/ip_forward
  2. Check NAT configuration: sudo iptables -t nat -L -v
  3. Verify PostUp scripts executed properly
  4. Look for conflicting firewall rules

DNS Resolution Problems

If websites don’t load or DNS isn’t working:

  1. Verify DNS settings in client configuration
  2. Try alternative DNS servers (1.1.1.1, 8.8.8.8)
  3. Check if your ISP or network is blocking DNS requests

Advanced Configuration Options

For more complex deployments, consider these advanced configuration options.

Multi-Client Setups with Proper Routing

For multiple clients with tailored routing:

# Server configuration
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820

# Client 1 (full tunnel)
[Peer]
PublicKey = <client1_public_key>
AllowedIPs = 10.0.0.2/32

# Client 2 (access to internal network only)
[Peer]
PublicKey = <client2_public_key>
AllowedIPs = 10.0.0.3/32

This allows different routing configurations for each client.

Implementing Access Controls

Set up access controls using WireGuard’s capabilities and firewall rules:

# Limit client to specific services
sudo iptables -A FORWARD -i wg0 -s 10.0.0.2 -d 192.168.1.100 -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -s 10.0.0.2 -j DROP

This example allows a client to access only HTTP on a specific internal server.

Security Best Practices

Implement these security best practices to enhance your WireGuard deployment.

Regular Key Rotation Strategies

Regularly rotate keys to maintain security:

  1. Create a schedule for key rotation (e.g., quarterly)
  2. Generate new keys for affected peers
  3. Update configurations on both server and clients
  4. Restart WireGuard to apply changes

Securing Configuration Files

Protect your configuration files:

# Set proper permissions
sudo chmod 600 /etc/wireguard/*.conf
sudo chmod 700 /etc/wireguard/

# Restrict access to root only
sudo chown -R root:root /etc/wireguard/

This prevents unauthorized access to sensitive configuration data.

Keeping WireGuard Updated

Regularly update WireGuard to receive security patches:

sudo dnf update wireguard-tools -y

Configure automatic updates for security-related packages:

sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

This ensures you’re protected against newly discovered vulnerabilities.

Upgrading and Maintaining Your WireGuard Installation

Ensure long-term reliability with proper maintenance practices.

Backup Strategies for Configurations

Implement a backup strategy for your WireGuard configuration:

# Create a backup directory
sudo mkdir -p /backup/wireguard

# Back up configuration files
sudo cp -r /etc/wireguard/* /backup/wireguard/

Store backups securely, potentially off-site for disaster recovery.

Performance Monitoring

Monitor WireGuard performance:

# View current connections and statistics
sudo wg show

# Install monitoring tools
sudo dnf install iftop -y

# Monitor WireGuard interface traffic
sudo iftop -i wg0

This helps identify potential performance bottlenecks.

Congratulations! You have successfully installed WireGuard. Thanks for using this tutorial for installing the WireGuard on your CentOS Stream 10 system. For additional or useful information, we recommend you check the official WireGuard website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!
Tags
r00t
Photo of r00t

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Copyright © 2025 idroot.us | All Rights Reserved | Follow us for more Linux tutorials!
Back to top button