
WireGuard : Configure Server (2021/06/23)

 
Install WireGuard, a simple yet fast and modern VPN.
This example is based on the following environment.
First, configure the IP masquerade (port forwarding) setting on your router so that UDP packets sent from the WireGuard client over the internet to the global IP address of the WireGuard server are forwarded to the local IP address of the WireGuard server.
  +------------------------+
  | [  WireGuard Server  ] |172.16.100.1 (VPN IP)
  |      dlp.srv.world     +--------+
  |                        |wg0     |
  +-----------+------------+        |
          eth0|10.0.0.30/24         |
              |                     |
              |       Local Network |
       +------+-----+               |
-------|  Router#1  |---------------|-----
       +------+-----+               |
              |                     |
    Internet  |  Internet           |
              |                     |
       +------+-----+               |
-------|  Router#2  |---------------|-----
       +------+-----+               |
              |       Local Network |
              |                     |
          eth0|192.168.10.30/24     |
  +-----------+------------+        |
  |  [ WireGuard Client ]  |wg0     |
  |                        +--------+
  |                        |172.16.100.5 (VPN IP)
  +------------------------+

[1] Install WireGuard.
# install from EPEL, ELRepo

[root@dlp ~]#
dnf --enablerepo=epel,elrepo -y install wireguard-tools kmod-wireguard
# confirm the kernel version that kmod-wireguard was built for

# kmod-wireguard from ELRepo is built for a specific kernel version

[root@dlp ~]#
rpm -ql kmod-wireguard

/etc/depmod.d/kmod-wireguard.conf
/lib/modules/4.18.0-305.el8.x86_64
/lib/modules/4.18.0-305.el8.x86_64/extra
/lib/modules/4.18.0-305.el8.x86_64/extra/wireguard
/lib/modules/4.18.0-305.el8.x86_64/extra/wireguard/wireguard.ko
/usr/share/doc/kmod-wireguard-1.0.20210606
/usr/share/doc/kmod-wireguard-1.0.20210606/GPL-v2.0.txt
/usr/share/doc/kmod-wireguard-1.0.20210606/greylist.txt

# confirm current kernel version

[root@dlp ~]#
uname -a

Linux dlp.srv.world 4.18.0-310.el8.x86_64 #1 SMP Tue Jun 8 00:24:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# if the kernel version kmod-wireguard was built for does not match the running kernel, install the matching kernel version

[root@dlp ~]#
dnf -y install kernel-4.18.0-305.el8.x86_64
# confirm installed kernels

[root@dlp ~]#
grubby --info=ALL

index=0
kernel="/boot/vmlinuz-4.18.0-310.el8.x86_64"
args="ro crashkernel=auto resume=/dev/mapper/cs-swap rd.lvm.lv=cs/root rd.lvm.lv=cs/swap console=ttyS0,115200n8 $tuned_params"
root="/dev/mapper/cs-root"
initrd="/boot/initramfs-4.18.0-310.el8.x86_64.img $tuned_initrd"
title="CentOS (4.18.0-310.el8.x86_64) 8"
id="54f4bd7df8464337a3009215fdef55fb-4.18.0-310.el8.x86_64"
index=1
kernel="/boot/vmlinuz-4.18.0-305.el8.x86_64"
args="ro crashkernel=auto resume=/dev/mapper/cs-swap rd.lvm.lv=cs/root rd.lvm.lv=cs/swap console=ttyS0,115200n8 $tuned_params"
root="/dev/mapper/cs-root"
initrd="/boot/initramfs-4.18.0-305.el8.x86_64.img $tuned_initrd"
title="CentOS Linux (4.18.0-305.el8.x86_64) 8"
id="54f4bd7df8464337a3009215fdef55fb-4.18.0-305.el8.x86_64"
.....
.....

# set the default boot kernel to the version kmod-wireguard was built for (takes effect at the next reboot)

[root@dlp ~]#
grubby --set-default-index=1
# confirm the default boot entry and set the wireguard module to be loaded at boot

[root@dlp ~]#
grubby --default-index

1
[root@dlp ~]#
echo "wireguard" > /etc/modules-load.d/wireguard.conf
[root@dlp ~]#
[2] Configure WireGuard.
Firewalld needs to be running for the example settings below.
[root@dlp ~]#
umask 077
# generate private key for server

[root@dlp ~]#
wg genkey | tee /etc/wireguard/server.key

SLHWNxUmoTXL1eUh4s0MvYEqlC0YuJYltmhLX2n8X0I=
# generate public key for server

[root@dlp ~]#
cat /etc/wireguard/server.key | wg pubkey | tee /etc/wireguard/server.pub

C8N7dSeUDtIVGVqD9hxVTbX9zZpqYOdeiPnFU782iQw=
# generate private key for client

[root@dlp ~]#
wg genkey | tee /etc/wireguard/client.key

uHd/504vB6m9AlBRIsf8x0+oESwvT29NNfw8o28QxHk=
# generate public key for client

[root@dlp ~]#
cat /etc/wireguard/client.key | wg pubkey | tee /etc/wireguard/client.pub

ma2n4UkzUAcWp4E6z4R0RbF0cBwDXr4yEOxBXRx9zwc=
# confirm network interface

[root@dlp ~]#
ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:76:3b:03 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.30/24 brd 10.0.0.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e38e:e34:9b82:29a2/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

# confirm firewalld active zone

[root@dlp ~]#
firewall-cmd --get-active-zone

public
  interfaces: eth0

# create a new config

# [wg0.conf] ⇒ [(VPN interface name).conf]

# VPN interface name ⇒ any name you like

[root@dlp ~]#
vi /etc/wireguard/wg0.conf
[Interface]
# specify generated private key for server
# (the value below is the example key printed on this page; never reuse a
#  published key -- use the server.key you generated with `wg genkey`.
#  This file holds the private key, so it must stay readable by root only;
#  the umask 077 set earlier in this session applies when vi creates it.)
PrivateKey = SLHWNxUmoTXL1eUh4s0MvYEqlC0YuJYltmhLX2n8X0I=
# IP address for VPN interface
# (no prefix length is given here; the interface comes up as 172.16.100.1/32,
#  as the ip addr output after starting the service shows)
Address = 172.16.100.1
# UDP port WireGuard server listens
ListenPort = 51820

# possible to set any commands after WireGuard starts/stops
# set routing rules like follows to access to local network via VPN session
# [--zone=***] ⇒ firewalld active zone name
# [wg0] ⇒ VPN interface name
# [eth0] ⇒ Ethernet interface name
# NOTE: none of these firewall-cmd calls use --permanent, so the masquerade,
# the FORWARD/POSTROUTING rules and the opened UDP port are runtime-only;
# PostUp re-creates them every time wg-quick brings wg0 up and PostDown
# removes them again.
# NOTE(review): the FORWARD rule accepts traffic from every VPN peer to the
# whole eth0 side; add -s/-d restrictions if only some local hosts should be
# reachable through the tunnel.
PostUp = firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE; firewall-cmd --add-port=51820/udp
PostDown = firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE; firewall-cmd --remove-port=51820/udp

[Peer]
# specify public key for client
# (example key from this page; use the client.pub you generated)
PublicKey = ma2n4UkzUAcWp4E6z4R0RbF0cBwDXr4yEOxBXRx9zwc=
# clients' VPN IP addresses you allow to connect
# possible to specify subnet ⇒ [172.16.100.0/24]
# NOTE(review): on the server side AllowedIPs also acts as the source-address
# filter for this peer -- packets from it whose inner source address is outside
# this list are dropped -- so keep the list as narrow as the client needs.
AllowedIPs = 172.16.100.5, 172.16.100.6

# [wg-quick@wg0] ⇒ [wg-quick@(VPN interface name)]

[root@dlp ~]#
systemctl enable --now wg-quick@wg0
[root@dlp ~]#
ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:76:3b:03 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.30/24 brd 10.0.0.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e38e:e34:9b82:29a2/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.100.1/32 scope global wg0
       valid_lft forever preferred_lft forever