WireGuard : Configure Client (CentOS)2021/06/23 |
Install WireGuard which is the simple yet fast and modern VPN software.
This example is based on the environment like follows.
First, it needs to configure IP masquerade setting on your router that UDP packets to global IP address of WireGuard server
from WireGuard client via internet are forwared to local IP address of WireGuard server.
+------------------------+ | [ WireGuard Server ] |172.16.100.1 (VPN IP) | dlp.srv.world +--------+ | |wg0 | +-----------+------------+ | eth0|10.0.0.30/24 | | | | Local Network | +------+-----+ | -------| Router#1 |---------------|----- +------+-----+ | | | Internet | Internet | | | +------+-----+ | -------| Router#2 |---------------|----- +------+-----+ | | Local Network | | | eth0|192.168.10.30/24 | +-----------+------------+ | | [ WireGuard Client ] |wg0 | | +--------+ | |172.16.100.5 (VPN IP) +------------------------+ |
[1] |
Transfer files or notify contents of
[Private key for client] and [Public key for server] generated on WireGuard server to target Client computer.
|
[2] | Install WireGuard. |
# install from EPEL, ELRepo
[root@client ~]#
dnf --enablerepo=epel,elrepo -y install wireguard-tools kmod-wireguard # confirm the kernel version of kmod-wireguard built # kmod-wireguard from ELRepo is built on specific kernel version [root@client ~]# rpm -ql kmod-wireguard /etc/depmod.d/kmod-wireguard.conf /lib/modules/4.18.0-305.el8.x86_64 /lib/modules/4.18.0-305.el8.x86_64/extra /lib/modules/4.18.0-305.el8.x86_64/extra/wireguard /lib/modules/4.18.0-305.el8.x86_64/extra/wireguard/wireguard.ko /usr/share/doc/kmod-wireguard-1.0.20210606 /usr/share/doc/kmod-wireguard-1.0.20210606/GPL-v2.0.txt /usr/share/doc/kmod-wireguard-1.0.20210606/greylist.txt # confirm current kernel version [root@client ~]# uname -a Linux dlp.srv.world 4.18.0-310.el8.x86_64 #1 SMP Tue Jun 8 00:24:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux # if the version of kmod-wireguard and current kernel version do not match, install the kernel of matched version
[root@client ~]#
dnf -y install kernel-4.18.0-305.el8.x86_64
# confirm installed kernels [root@client ~]# grubby --info=ALL index=0 kernel="/boot/vmlinuz-4.18.0-310.el8.x86_64" args="ro crashkernel=auto resume=/dev/mapper/cs-swap rd.lvm.lv=cs/root rd.lvm.lv=cs/swap console=ttyS0,115200n8 $tuned_params" root="/dev/mapper/cs-root" initrd="/boot/initramfs-4.18.0-310.el8.x86_64.img $tuned_initrd" title="CentOS (4.18.0-310.el8.x86_64) 8" id="54f4bd7df8464337a3009215fdef55fb-4.18.0-310.el8.x86_64" index=1 kernel="/boot/vmlinuz-4.18.0-305.el8.x86_64" args="ro crashkernel=auto resume=/dev/mapper/cs-swap rd.lvm.lv=cs/root rd.lvm.lv=cs/swap console=ttyS0,115200n8 $tuned_params" root="/dev/mapper/cs-root" initrd="/boot/initramfs-4.18.0-305.el8.x86_64.img $tuned_initrd" title="CentOS Linux (4.18.0-305.el8.x86_64) 8" id="54f4bd7df8464337a3009215fdef55fb-4.18.0-305.el8.x86_64" ..... ..... # change to the kernel that version is the same with kmod-wireguard [root@client ~]# grubby --set-default-index=1
# confirm and set wireguard module loaded [root@client ~]# grubby --default-index 1 [root@client ~]# echo "wireguard" > /etc/modules-load.d/wireguard.conf
|
[3] | Configure WireGuard. |
[root@client ~]#
umask 077
# create a new config # [wg0.conf] ⇒ [(VPN interface name).conf] # VPN interface name ⇒ any name you like [root@client ~]# vi /etc/wireguard/wg0.conf [Interface] # specify private key for client generated on WireGuard server PrivateKey = uHd/504vB6m9AlBRIsf8x0+oESwvT29NNfw8o28QxHk= # IP address for VPN interface Address = 172.16.100.5 [Peer] # specify public key for server generated on WireGuard server PublicKey = C8N7dSeUDtIVGVqD9hxVTbX9zZpqYOdeiPnFU782iQw= # IP addresses you allow to connect # on the example below, set WireGuard server's VPN IP address and real local network AllowedIPs = 172.16.100.1, 10.0.0.0/24 # specify server's global IP address:port # (acutually, example of IP below is for private range, replace to your own global IP) EndPoint = 172.29.10.100:51820 # start up VPN interface [root@client ~]# wg-quick up wg0 [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip -4 address add 172.16.100.5 dev wg0 [#] ip link set mtu 1420 up dev wg0 [#] ip -4 route add 172.16.100.1/32 dev wg0 [#] ip -4 route add 10.0.0.0/24 dev wg0[root@client ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 52:54:00:16:61:49 brd ff:ff:ff:ff:ff:ff inet 192.168.0.30/24 brd 192.168.0.255 scope global noprefixroute enp1s0 valid_lft forever preferred_lft forever inet6 fe80::e38e:e34:9b82:29a2/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet 172.16.100.5/32 scope global wg0 valid_lft forever preferred_lft forever # confirm connection state [root@client ~]# wg show interface: wg0 public key: ma2n4UkzUAcWp4E6z4R0RbF0cBwDXr4yEOxBXRx9zwc= private key: (hidden) listening port: 45623 peer: C8N7dSeUDtIVGVqD9hxVTbX9zZpqYOdeiPnFU782iQw= endpoint: 172.29.10.100:51820 allowed ips: 172.16.100.1/32, 10.0.0.0/24 latest handshake: 1 minute, 9 seconds ago transfer: 316 B received, 404 B sent |
[4] | After VPN session is successfully established, Verify access to local network of WireGuard server. |
[root@client ~]# ping -c 3 10.0.0.30 PING 10.0.0.30 (10.0.0.30) 56(84) bytes of data. 64 bytes from 10.0.0.30: icmp_seq=1 ttl=64 time=2.42 ms 64 bytes from 10.0.0.30: icmp_seq=2 ttl=64 time=1.99 ms 64 bytes from 10.0.0.30: icmp_seq=3 ttl=64 time=1.88 ms --- 10.0.0.30 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 1.589/1.768/1.889/0.133 ms[root@client ~]# ping -c 3 10.0.0.10 PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data. 64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=3.30 ms 64 bytes from 10.0.0.10: icmp_seq=2 ttl=63 time=1.89 ms 64 bytes from 10.0.0.10: icmp_seq=3 ttl=63 time=1.87 ms --- 10.0.0.10 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 1.350/1.754/2.063/0.300 ms |
Sponsored Link |
|