
How To Install Wireguard VPN on Rocky Linux 9

In this tutorial, we will show you how to install Wireguard VPN on Rocky Linux 9. For those of you who didn’t know, WireGuard is a new, open-source VPN protocol that aims to provide a more secure, faster, and simpler VPN experience. It uses the latest in cryptography and has a small, easy-to-audit codebase. It is lightweight, has minimal overhead, runs on a wide range of platforms, and is designed to be very fast.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of Wireguard VPN on Rocky Linux 9.

Prerequisites

  • A server running one of the following operating systems: Rocky Linux 9.
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • An active internet connection. You’ll need an internet connection to download the necessary packages and dependencies for Wireguard VPN.
  • A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Install Wireguard VPN on Rocky Linux 9

Step 1. The first step is to update your system to the latest version of the package list. To do so, run the following commands:

sudo dnf check-update
sudo dnf install dnf-utils
sudo dnf install epel-release elrepo-release

Step 2. Enable Wireguard Kernel Module.

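Now enable the Wireguard kernel module using the command below. The output is piped through ‘sudo tee‘ because a plain ‘>‘ redirection is performed by your own shell, not by sudo, and fails for a non-root user:

echo wireguard | sudo tee /etc/modules-load.d/wireguard.conf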

Step 3. Installing Wireguard VPN on Rocky Linux 9.

By default, Wireguard is available in the Rocky Linux 9 AppStream repository. Run the following command to install the latest version of Wireguard on your Rocky Linux system:

sudo dnf install wireguard-tools

Step 4. Generating Server and Client Key Pair.

  • Generating Server Key Pair

Now run the ‘wg genkey‘ command to generate the server private key ‘/etc/wireguard/server.key‘. Then change its permission to ‘0400‘ so that only the file owner can read it and group and others have no access:

wg genkey | sudo tee /etc/wireguard/server.key
sudo chmod 0400 /etc/wireguard/server.key

After that, run the below command to generate the public key for the Wireguard server ‘/etc/wireguard/server.pub‘:

sudo cat /etc/wireguard/server.key | wg pubkey | sudo tee /etc/wireguard/server.pub

Verify both the Wireguard server’s public and private keys:

sudo cat /etc/wireguard/server.key
sudo cat /etc/wireguard/server.pub

  • Generating Client Key Pair

Now run the following commands to create a new directory ‘/etc/wireguard/clients‘, which will be used to store client key pairs, and to generate the key pair for the first client:

sudo mkdir -p /etc/wireguard/clients
wg genkey | sudo tee /etc/wireguard/clients/client1.key
sudo cat /etc/wireguard/clients/client1.key | wg pubkey | sudo tee /etc/wireguard/clients/client1.pub

Verify both the client’s public and private keys:

sudo cat /etc/wireguard/clients/client1.key
sudo cat /etc/wireguard/clients/client1.pub

Step 5. Configure Wireguard Server.

Now create a new WireGuard configuration file in the /etc/wireguard directory. You can create the file by running the following command in the terminal:

sudo nano /etc/wireguard/wg0.conf

Add the following lines:

[Interface]
# Wireguard Server private key - server.key
PrivateKey = G0detzbW8wqTQDbU/KITGMeyzWVohVZsi2o4w=
# Wireguard interface will be run at 10.8.0.1
Address = 10.8.0.1/24
# Clients will connect to UDP port 51820
ListenPort = 51820
# Ensure any changes will be saved to the Wireguard config file
SaveConfig = true

Next, add the following lines to define the client-peer connection:

[Peer]
# Wireguard client public key - client1.pub
PublicKey = meYl4na+QK4185xOkimp0iXYo1jGyiyI0okT0=
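# client's VPN IP address you allow to connect
# possible to specify subnet ⇒ [172.16.100.0/24]
# a /32 limits this peer to its own tunnel address; 10.8.0.8/24 would be
# masked to 10.8.0.0/24 and hand the whole subnet to this one peer
AllowedIPs = 10.8.0.8/32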
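
The key files from Step 4 and wg0.conf all hold private key material, and each peer's AllowedIPs decides which tunnel addresses that peer may use. The following is an added example, not part of the original tutorial: a hypothetical shell function, audit_wg_dir, that flags key and config files accessible to group or others, IPv4 AllowedIPs entries wider than /32, and entries repeated across peers. It assumes GNU find and awk, as shipped on Rocky Linux.

```bash
# Added example: audit a WireGuard config directory (default /etc/wireguard).
# Needs only GNU find and awk; it never calls wg, so it works before the tunnel is up.
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_wg_dir() {
    local dir="${1:-/etc/wireguard}" findings
    findings=$(
        # 1. Private keys and configs (wg0.conf embeds PrivateKey) that group
        #    or others can access, i.e. any of the 077 mode bits is set.
        find "$dir" -type f \( -name '*.key' -o -name '*.conf' \) -perm /077 \
            -printf 'PERM %p is mode %m, expected 0600 or stricter\n' | sort

        # 2. [Peer] AllowedIPs: flag IPv4 entries wider than /32 and entries
        #    listed for more than one peer (exact-string match only).
        find "$dir" -maxdepth 1 -type f -name '*.conf' | sort | while read -r conf; do
            awk -v f="$conf" '
                /^\[/ { in_peer = ($0 ~ /^\[Peer\]/) }
                in_peer && /^[ \t]*AllowedIPs[ \t]*=/ {
                    sub(/#.*/, "")                          # drop trailing comment
                    sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]/, "")
                    n = split($0, ips, ",")
                    for (i = 1; i <= n; i++) {
                        if (ips[i] ~ /^[0-9.]+\/([0-9]|[12][0-9]|3[01])$/)
                            print "WIDE " f ": " ips[i] " covers more than one host"
                        if (seen[ips[i]]++)
                            print "DUP " f ": " ips[i] " is listed for more than one peer"
                    }
                }' "$conf"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root against /etc/wireguard once wg0.conf has been saved, and again after adding each new peer.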

Step 6. Enable IP Forwarding.

To enable forwarding so that the server can route traffic from the WireGuard network, open and edit the file /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Add the following lines to the bottom of the file:

# IP forwarding for IPv4
net.ipv4.ip_forward=1
# IP forwarding for IPv6
net.ipv6.conf.all.forwarding=1

Save and exit the file, then run the below ‘sysctl‘ command to apply the changes from the ‘/etc/sysctl.conf‘ file:

sudo sysctl -p

Step 7. Configure Firewall.

Now we allow WireGuard traffic on UDP port 51820:

sudo firewall-cmd --add-port=51820/udp --permanent
sudo firewall-cmd --reload

Verify firewalld rules via the below firewall-cmd command:

sudo firewall-cmd --list-all

Step 8. Starting Wireguard Server.

WireGuard can be configured to run as a systemd service using its built-in wg-quick script. Run the below systemctl commands to start and enable the Wireguard server:

sudo systemctl start wg-quick@wg0.service
sudo systemctl enable wg-quick@wg0.service

Step 9. Connect WireGuard Clients.

The WireGuard client application is available on multiple operating systems. You can either set up another Rocky Linux server as a peer or download the WireGuard client application to connect your iOS, Android, macOS, Linux, or Windows operating system.

Congratulations! You have successfully installed Wireguard. Thanks for using this tutorial for installing Wireguard VPN on your Rocky Linux 9 system. For additional help or useful information, we recommend you check the official Wireguard website.

r00t