WireGuard is an easy to use VPN that provides a secure connection between two parties using public key authentication.

Installation

Suppose that we have two sites, Site-A and Site-B, that need to connect to each other on a private subnet.

On CentOS 8:

# curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
# yum -y install epel-release
# yum -y update
# yum install wireguard-dkms wireguard-tools

Ensure that you have the latest kernel and kernel development packages so that DKMS is able to build the wireguard kernel module.

Create a wg0.conf file in /etc/wireguard, then generate a new WireGuard key with wg genkey.

# mkdir /etc/wireguard && cd /etc/wireguard
# (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
# wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Connecting to a Remote Site

Run the installation steps above on both the local and remote sites. Define the local tunnel IP address for each site under the [Interface] section:

E.g. Site-A:

[Interface]
PrivateKey = (private-key)
ListenPort = 5555
SaveConfig = true
Address = 192.168.1.1/24

Site-B:

[Interface]
PrivateKey = (private-key)
ListenPort = 5555
SaveConfig = true
Address = 192.168.1.2/24

To have Site-A peer with Site-B, define a [Peer] section on the Site-A configuration with the following fields:

PublicKey = (site-B-public-key)
AllowedIPs = 192.168.1.2/32
Endpoint = (site-B-endpoint-IP):5555

Similarly with Site-B:

PublicKey = (site-A-public-key)
AllowedIPs = 192.168.1.1/32
Endpoint = (site-A-endpoint-IP):5555

Start WireGuard on both sites:

# systemctl start wg-quick@wg0
# systemctl enable wg-quick@wg0
# ip a show wg0
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.1.2/24 scope global wg0
       valid_lft forever preferred_lft forever

Once WireGuard establishes a connection, you should be able to ping the remote site's internal IP address.

Usage

Once configured, start the WireGuard service. WireGuard connections can be monitored with wg or wg show.

# wg show
interface: wg0
  public key: (public-key)
  private key: (hidden)
  listening port: 5555

peer: (peer-public-key)
  endpoint: 10.1.1.1:5555
  allowed ips: 192.168.1.1/32
  latest handshake: 55 seconds ago
  transfer: 68.72 KiB received, 218.09 KiB sent
  persistent keepalive: every 30 seconds
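As an added example (not part of the original page), a small Python monitor that parses the `wg show` text format shown above and flags peers whose latest handshake is stale or missing. The sample output is constructed, and the 180-second threshold is an assumption.

```python
import re

# Constructed sample in the `wg show` format above, with a second peer added.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: (public-key)
  private key: (hidden)
  listening port: 5555

peer: (peer-public-key)
  endpoint: 10.1.1.1:5555
  allowed ips: 192.168.1.1/32
  latest handshake: 55 seconds ago
  transfer: 68.72 KiB received, 218.09 KiB sent
  persistent keepalive: every 30 seconds

peer: (second-peer-public-key)
  endpoint: 10.1.1.2:5555
  allowed ips: 192.168.1.3/32
  latest handshake: 3 minutes, 12 seconds ago
  transfer: 1.20 KiB received, 4.50 KiB sent
"""

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_age(text):
    """Convert a 'latest handshake' value like '3 minutes, 12 seconds ago' to seconds."""
    total = 0
    for count, unit in re.findall(r"(\d+) (second|minute|hour|day)s?", text):
        total += int(count) * _UNITS[unit]
    return total


def parse_wg_show(output):
    """Return {peer_public_key: {field: value}}; interface lines are skipped."""
    peers, current = {}, None
    for line in output.splitlines():
        if line.startswith("peer: "):
            current = line[len("peer: "):].strip()
            peers[current] = {}
        elif current is not None and line.startswith("  ") and ":" in line:
            key, _, value = line.strip().partition(":")
            peers[current][key.strip()] = value.strip()
    return peers


def stale_peers(output, max_age=180):
    """Peers with no handshake, or one older than max_age seconds (assumed threshold).
    A peer that is exchanging traffic re-handshakes about every two minutes, so an
    older handshake means the tunnel is idle or the path to the endpoint is broken."""
    stale = []
    for key, fields in parse_wg_show(output).items():
        handshake = fields.get("latest handshake")
        if handshake is None or parse_age(handshake) > max_age:
            stale.append(key)
    return stale
```

Feed it the output of `wg show` from a cron job or a monitoring agent to alert before users notice a dropped tunnel.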

To add an additional peer:

# wg set wg0 peer public_key_of_second_server endpoint public_IP_of_second_server:5555 allowed-ips 192.168.1.X/32

Because SaveConfig = true is set, changes made at runtime with wg set are written back to wg0.conf only when the service is stopped or restarted; a change made by editing wg0.conf directly takes effect only after a restart.

Troubleshooting

Missing Kernel Module

If the kernel module isn't loading, ensure that you have the proper kernel development package installed for the running kernel. Reinstall the wireguard-dkms package to trigger a kernel module rebuild. Alternatively, trigger DKMS to rebuild the module with:

# dkms build -m wireguard/0.0.20191012

Connection Timeout

If your WireGuard connections drop or become unresponsive (typically because a NAT or stateful firewall between the sites expires the idle UDP mapping), add a PersistentKeepalive under the [Peer] section. E.g.:

[Peer]
PublicKey = (peer-public-key)
AllowedIPs = 192.168.1.1/32
Endpoint = (peer-endpoint-IP):5555
PersistentKeepalive = 30

See Also