
WireGuard : Configure Client (CentOS) — 2021/06/23

 
Install WireGuard, a simple yet fast and modern VPN.
This example is based on the environment shown below.
First, configure the NAT (port-forwarding) rule on the router in front of the WireGuard server so that UDP packets sent from the WireGuard client over the internet to the server's global IP address are forwarded to the server's local IP address.
  +------------------------+
  | [  WireGuard Server  ] |172.16.100.1 (VPN IP)
  |      dlp.srv.world     +--------+
  |                        |wg0     |
  +-----------+------------+        |
          eth0|10.0.0.30/24         |
              |                     |
              |       Local Network |
       +------+-----+               |
-------|  Router#1  |---------------|-----
       +------+-----+               |
              |                     |
    Internet  |  Internet           |
              |                     |
       +------+-----+               |
-------|  Router#2  |---------------|-----
       +------+-----+               |
              |       Local Network |
              |                     |
          eth0|192.168.10.30/24     |
  +-----------+------------+        |
  |  [ WireGuard Client ]  |wg0     |
  |                        +--------+
  |                        |172.16.100.5 (VPN IP)
  +------------------------+

[1]
Copy the [Private key for client] and [Public key for server] generated on the WireGuard server to the target client computer (transfer the files, or otherwise pass on their contents) over a secure channel, since the private key must stay confidential.
[2] Install WireGuard.
# install from EPEL, ELRepo

[root@client ~]#
dnf --enablerepo=epel,elrepo -y install wireguard-tools kmod-wireguard
# confirm which kernel version kmod-wireguard was built for

# kmod-wireguard from ELRepo is built against a specific kernel version

[root@client ~]#
rpm -ql kmod-wireguard

/etc/depmod.d/kmod-wireguard.conf
/lib/modules/4.18.0-305.el8.x86_64
/lib/modules/4.18.0-305.el8.x86_64/extra
/lib/modules/4.18.0-305.el8.x86_64/extra/wireguard
/lib/modules/4.18.0-305.el8.x86_64/extra/wireguard/wireguard.ko
/usr/share/doc/kmod-wireguard-1.0.20210606
/usr/share/doc/kmod-wireguard-1.0.20210606/GPL-v2.0.txt
/usr/share/doc/kmod-wireguard-1.0.20210606/greylist.txt

# confirm current kernel version

[root@client ~]#
uname -a

Linux dlp.srv.world 4.18.0-310.el8.x86_64 #1 SMP Tue Jun 8 00:24:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# if the kernel version kmod-wireguard was built for does not match the running kernel, install the matching kernel version

[root@client ~]#
dnf -y install kernel-4.18.0-305.el8.x86_64
# confirm installed kernels

[root@client ~]#
grubby --info=ALL

index=0
kernel="/boot/vmlinuz-4.18.0-310.el8.x86_64"
args="ro crashkernel=auto resume=/dev/mapper/cs-swap rd.lvm.lv=cs/root rd.lvm.lv=cs/swap console=ttyS0,115200n8 $tuned_params"
root="/dev/mapper/cs-root"
initrd="/boot/initramfs-4.18.0-310.el8.x86_64.img $tuned_initrd"
title="CentOS (4.18.0-310.el8.x86_64) 8"
id="54f4bd7df8464337a3009215fdef55fb-4.18.0-310.el8.x86_64"
index=1
kernel="/boot/vmlinuz-4.18.0-305.el8.x86_64"
args="ro crashkernel=auto resume=/dev/mapper/cs-swap rd.lvm.lv=cs/root rd.lvm.lv=cs/swap console=ttyS0,115200n8 $tuned_params"
root="/dev/mapper/cs-root"
initrd="/boot/initramfs-4.18.0-305.el8.x86_64.img $tuned_initrd"
title="CentOS Linux (4.18.0-305.el8.x86_64) 8"
id="54f4bd7df8464337a3009215fdef55fb-4.18.0-305.el8.x86_64"
.....
.....

# set the default boot entry to the kernel whose version matches kmod-wireguard

[root@client ~]#
grubby --set-default-index=1
# confirm the default boot entry (the selected kernel is used from the next reboot) and configure the wireguard module to load at boot

[root@client ~]#
grubby --default-index

1
[root@client ~]#
echo "wireguard" > /etc/modules-load.d/wireguard.conf
[root@client ~]#
[3] Configure WireGuard.
[root@client ~]#
umask 077
# create a new config

# [wg0.conf] ⇒ [(VPN interface name).conf]

# VPN interface name ⇒ any name you like

[root@client ~]#
vi /etc/wireguard/wg0.conf
[Interface]
# Private key for this client, generated on the WireGuard server (step [1]).
# The value below is the tutorial's example key; use the key generated for your own client.
PrivateKey = uHd/504vB6m9AlBRIsf8x0+oESwvT29NNfw8o28QxHk=
# IP address of the VPN interface. No prefix length is given, so wg-quick adds it as a /32
# (see the "ip -4 address add" line printed by "wg-quick up" and the "ip addr" output).
Address = 172.16.100.5
# No ListenPort is set here, so the client listens on a port chosen at start-up
# (reported as "listening port" by "wg show").

[Peer]
# Public key of the WireGuard server, generated on the server (step [1]).
PublicKey = C8N7dSeUDtIVGVqD9hxVTbX9zZpqYOdeiPnFU782iQw=
# Cryptokey routing for this peer: traffic to destinations in these ranges is sent
# through the tunnel (wg-quick installs one route per entry, as shown by "wg-quick up"),
# and only packets whose source address falls inside these ranges are accepted from the peer.
# In this example: the server's VPN IP address and the server's real local network.
AllowedIPs = 172.16.100.1, 10.0.0.0/24
# NOTE(review): this client sits behind NAT (Router#2); if the server must reach the client
# while the tunnel is idle, PersistentKeepalive may be needed — not used in this example.
# The server's global IP address and UDP port (the port forwarded by Router#1).
# The address below is a private-range example; replace it with your own global IP.
# The key name is normally written "Endpoint"; wg matches key names case-insensitively,
# as the successful handshake in the "wg show" output below confirms.
EndPoint = 172.29.10.100:51820

# start up VPN interface

[root@client ~]#
wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.16.100.5 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 172.16.100.1/32 dev wg0
[#] ip -4 route add 10.0.0.0/24 dev wg0

[root@client ~]#
ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:16:61:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.30/24 brd 192.168.0.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e38e:e34:9b82:29a2/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.100.5/32 scope global wg0
       valid_lft forever preferred_lft forever

# confirm connection state

[root@client ~]#
wg show

interface: wg0
  public key: ma2n4UkzUAcWp4E6z4R0RbF0cBwDXr4yEOxBXRx9zwc=
  private key: (hidden)
  listening port: 45623

peer: C8N7dSeUDtIVGVqD9hxVTbX9zZpqYOdeiPnFU782iQw=
  endpoint: 172.29.10.100:51820
  allowed ips: 172.16.100.1/32, 10.0.0.0/24
  latest handshake: 1 minute, 9 seconds ago
  transfer: 316 B received, 404 B sent
[4] After the VPN session is established, verify access to the WireGuard server's local network.
[root@client ~]#
ping -c 3 10.0.0.30

PING 10.0.0.30 (10.0.0.30) 56(84) bytes of data.
64 bytes from 10.0.0.30: icmp_seq=1 ttl=64 time=2.42 ms
64 bytes from 10.0.0.30: icmp_seq=2 ttl=64 time=1.99 ms
64 bytes from 10.0.0.30: icmp_seq=3 ttl=64 time=1.88 ms

--- 10.0.0.30 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.589/1.768/1.889/0.133 ms

[root@client ~]#
ping -c 3 10.0.0.10

PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=3.30 ms
64 bytes from 10.0.0.10: icmp_seq=2 ttl=63 time=1.89 ms
64 bytes from 10.0.0.10: icmp_seq=3 ttl=63 time=1.87 ms

--- 10.0.0.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.350/1.754/2.063/0.300 ms