WireGuard is an easy to use VPN that provides a secure connection between two parties using public key authentication.
Installation[edit | edit source]
Suppose that we have two sites, Site-A and Site-B, that need to connect to each other on a private subnet.
On CentOS 8:
# curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo # yum -y install epel-release # yum -y update # yum install wireguard-dkms wireguard-tools
Ensure that you have the latest kernel and kernel development packages so that DKMS is able to build the wireguard kernel module.
wg0.conf file in
/etc/wireguard, then generate a new WireGuard key with
# mkdir /etc/wireguard && cd /etc/wireguard # (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null) # wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Connecting to a Remote Site[edit | edit source]
Run the installation steps above on both local and remote sites. Define that local IP address for each site under the Interface section:
[Interface] PrivateKey = (private-key) ListenPort = 5555 SaveConfig = true Address = 192.168.1.1/24
[Interface] PrivateKey = (private-key) ListenPort = 5555 SaveConfig = true Address = 192.168.1.2/24
To have Site-A peer with Site-B, define a
[Peer] section on the Site-A configuration with the following fields:
PublicKey = (site-B-public-key) AllowedIPs = 192.168.1.2/32 Endpoint = (site-B-endpoint-IP):5555
Similarly with Site-B:
PublicKey = (site-A-public-key) AllowedIPs = 192.168.1.1/32 Endpoint = (site-A-endpoint-IP):5555
Start WireGuard on both sites:
# systemctl start wg-quick@wg0 # systemctl enable wg-quick@wg0 # ip a show wg0 6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet 192.168.1.2/24 scope global wg0 valid_lft forever preferred_lft forever
Once WireGuard establishes a connection, you should be able to ping the remote site's internal IP address.
Usage[edit | edit source]
Once configured, start the WireGuard service. WireGuard connections can be monitored with
# wg show interface: wg0 public key: (public-key) private key: (hidden) listening port: 5555 peer: (peer-public-key) endpoint: 10.1.1.1:5555 allowed ips: 192.168.1.1/32 latest handshake: 55 seconds ago transfer: 68.72 KiB received, 218.09 KiB sent persistent keepalive: every 30 seconds
To add an additional peer:
# wg set wg0 peer public_key_of_second_server endpoint public_IP_of_second_server:5555 allowed-ips 192.168.1.X/32
Config changes only happen when the service is restarted or stopped.
Troubleshooting[edit | edit source]
Missing Kernel Module[edit | edit source]
If the kernel module isn't loading, ensure that you have the proper kernel development package installed for the running kernel. Reinstall the
wireguard-dkms package to trigger a kernel module rebuild. Alternatively, trigger DKMS to rebuild the module with:
# dkms build -m wireguard/0.0.20191012
Connection Timeout[edit | edit source]
If your WireGuard connections are dropping or becomes unresponsive, add a
PersistentKeepalive under the
Peer section. Eg:
[Peer] PublicKey = private-key AllowedIPs = 192.168.1.1/32 Endpoint = endpoint:5555 PersistentKeepalive = 30
See Also[edit | edit source]