In this tutorial, we will show you how to install Wireguard VPN on Rocky Linux 9. For those of you who didn’t know, WireGuard is a new, open-source VPN protocol that aims to provide a more secure, faster, and simpler VPN experience. It uses the latest in cryptography and has a small, easy-to-audit codebase. It is lightweight and has minimal overhead, it runs on a wide range of platforms, and it’s designed to be very fast.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘
sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of Wireguard VPN on Rocky Linux. 9.
- A server running one of the following operating systems: Rocky Linux 9.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- An active internet connection. You’ll need an internet connection to download the necessary packages and dependencies for Wireguard VPN.
non-root sudo useror access to the
root user. We recommend acting as a
non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Install Wireguard VPN on Rocky Linux 9
Step 1. The first step is to update your system to the latest version of the package list. To do so, run the following commands:
sudo dnf check-update sudo dnf install dnf-utils sudo dnf install epel-release elrepo-release
Step 2. Enable Wireguard Kernel Module.
Now enable the Wirguard kernel module using the following command below:
sudo echo wireguard > /etc/modules-load.d/wireguard.conf
Step 3. Installing Wireguard VPN on Rocky Linux 9.
By default, Wireguard is available on Rocky Linux 9 AppStream repository. Now run the following command below to install the latest version of Wireguard on your Rocky Linux system:
sudo dnf install wireguard-tools
Step 4. Generating Server and Client Key Pair.
Generating Server Key Pair
Now run ‘
wg genkey‘ command to generate the server private key ‘
/etc/wireguard/server.key‘. Then, change the default permission to ‘
0400‘ to disable write and execute from others and groups:
wg genkey | sudo tee /etc/wireguard/server.key sudo chmod 0400 /etc/wireguard/server.key
After that, run the below command to generate the public key for the Wireguard server ‘
sudo cat /etc/wireguard/server.key | wg pubkey | sudo tee /etc/wireguard/server.pub
Verify both the Wireguard server’s public and private keys:
cat /etc/wireguard/server.key cat /etc/wireguard/server.pub
- Generating Client Key Pair
Now run the following command to create a new directory ‘
/etc/wireguard/clients‘. This directory will be used to store client key pairs:
mkdir -p /etc/wireguard/clients wg genkey | tee /etc/wireguard/clients/client1.key cat /etc/wireguard/clients/client1.key | wg pubkey | tee /etc/wireguard/clients/client1.pub
Verify both client’s public and private keys:
cat /etc/wireguard/clients/client1.key cat /etc/wireguard/clients/client1.pub
Step 5. Configure Wireguard Server.
Now create a new WireGuard configuration file in the
/etc/wireguard directory. You can create the file by running the following command in the terminal:
Add the following lines:
[Interface] # Wireguard Server private key - server.key PrivateKey = G0detzbW8wqTQDbU/KITGMeyzWVohVZsi2o4w= # Wireguard interface will be run at 10.8.0.1 Address = 10.8.0.1/24 # Clients will connect to UDP port 51820 ListenPort = 51820 # Ensure any changes will be saved to the Wireguard config file SaveConfig = true
Next, add the following lines to define the client-peer connection:
[Peer] # Wireguard client public key - client1.pub PublicKey = meYl4na+QK4185xOkimp0iXYo1jGyiyI0okT0= # clients' VPN IP addresses you allow to connect # possible to specify subnet ⇒ [172.16.100.0/24] AllowedIPs = 10.8.0.8/24
Step 6. Enable Port Forwarding.
To configure forwarding and allow route traffic from the WireGuard network, open and edit the file
Add the following lines to the bottom of the line:
# Port Forwarding for IPv4 net.ipv4.ip_forward=1 # Port forwarding for IPv6 net.ipv6.conf.all.forwarding=1
Save the file and exit the file, then run the below ‘
sysctl‘ command to apply the changes on the ‘
sudo sysctl -p
Step 7. Configure Firewall.
Now we allow WireGuard traffic on UDP port 51820:
sudo firewall-cmd --add-port=51820/udp --permanent sudo firewall-cmd --reload
Verify firewalld rules via the below firewall-cmd command:
sudo firewall-cmd --list-all
Step 8. Starting Wireguard Server.
WireGuard can be configured to run as a
systemd service using it’s built-in
wg-quick script. Run the below
systemctl command utility to start and enabled the Wireguard server:
sudo systemctl start firstname.lastname@example.org sudo systemctl enable email@example.com
Step 9. Connect WireGuard Clients.
The WireGuard client application is available on multiple operating systems. You can either set up another Rocky Linux server as a peer or download the WireGuard client application to connect your iOS, Android, macOS, Linux, or Windows operating system.
Congratulations! You have successfully installed Wireguard. Thanks for using this tutorial for installing Wireguard VPN on your Rocky Linux 9 system. For additional help or useful information, we recommend you check the official Wireguard website.