WireGuard is an easy to use VPN that provides a secure connection between two parties using public key authentication.
Suppose that we have two sites, Site-A and Site-B, that need to connect to each other on a private subnet.
On CentOS 8:
# curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo # yum -y install epel-release # yum -y update # yum install wireguard-dkms wireguard-tools
Ensure that you have the latest kernel and kernel development packages so that DKMS is able to build the wireguard kernel module.
wg0.conf file in
/etc/wireguard, then generate a new WireGuard key with
# mkdir /etc/wireguard && cd /etc/wireguard # (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null) # wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Connecting to a Remote Site
Run the installation steps above on both local and remote sites. Define that local IP address for each site under the Interface section:
[Interface] PrivateKey = (private-key) ListenPort = 5555 SaveConfig = true Address = 192.168.1.1/24
[Interface] PrivateKey = (private-key) ListenPort = 5555 SaveConfig = true Address = 192.168.1.2/24
To have Site-A peer with Site-B, define a
[Peer] section on the Site-A configuration with the following fields:
PublicKey = (site-B-public-key) AllowedIPs = 192.168.1.2/32 Endpoint = (site-B-endpoint-IP):5555
Similarly with Site-B:
PublicKey = (site-A-public-key) AllowedIPs = 192.168.1.1/32 Endpoint = (site-A-endpoint-IP):5555
Start WireGuard on both sites:
# systemctl start wg-quick@wg0 # systemctl enable wg-quick@wg0 # ip a show wg0 6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet 192.168.1.2/24 scope global wg0 valid_lft forever preferred_lft forever
Once WireGuard establishes a connection, you should be able to ping the remote site's internal IP address.
Once configured, start the WireGuard service. WireGuard connections can be monitored with
# wg show interface: wg0 public key: (public-key) private key: (hidden) listening port: 5555 peer: (peer-public-key) endpoint: 10.1.1.1:5555 allowed ips: 192.168.1.1/32 latest handshake: 55 seconds ago transfer: 68.72 KiB received, 218.09 KiB sent persistent keepalive: every 30 seconds
To add an additional peer:
# wg set wg0 peer public_key_of_second_server endpoint public_IP_of_second_server:5555 allowed-ips 192.168.1.X/32
Config changes only happen when the service is restarted or stopped.
Missing Kernel Module
If the kernel module isn't loading, ensure that you have the proper kernel development package installed for the running kernel. Reinstall the
wireguard-dkms package to trigger a kernel module rebuild. Alternatively, trigger DKMS to rebuild the module with:
# dkms build -m wireguard/0.0.20191012
If your WireGuard connections are dropping or becomes unresponsive, add a
PersistentKeepalive under the
Peer section. Eg:
[Peer] PublicKey = private-key AllowedIPs = 192.168.1.1/32 Endpoint = endpoint:5555 PersistentKeepalive = 30