WireGuard VPN server on AlmaLinux

Today I am going to share how I configured a WireGuard VPN server on AlmaLinux 8 with an iptables firewall.

WireGuard VPN server on AlmaLinux 8

First, two extra repositories have to be added to the system and the system needs to be updated:

dnf install -y epel-release elrepo-release
dnf update

Then install WireGuard:

dnf install kmod-wireguard wireguard-tools

Now enable IP forwarding on this AlmaLinux system:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sysctl -p

WireGuard works with a server private key and public key, so we need to create them. First we create the configuration directory and then the keys:

mkdir /etc/wireguard
umask 077    # so the key files created below are readable by root only
wg genkey | tee /etc/wireguard/wireguard.key
wg pubkey < /etc/wireguard/wireguard.key > /etc/wireguard/wireguard.pub.key

Now you can check the content of the keys which will be used in interface wg0 configuration:

cat /etc/wireguard/wireguard.key
cat /etc/wireguard/wireguard.pub.key

Now we will create configuration for the wg0 interface.

The WireGuard VPN server will listen on port 51820 (open this port on your firewall) and will use the IP 10.10.10.1 on the VPN network.
It will use the DNS servers listed in the DNS line.
It will run the add-nat-routing.sh script to configure the iptables firewall every time the interface comes up, and remove-nat-routing.sh when it goes down. So, let's configure it:

vi /etc/wireguard/wg0.conf

[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = <server private key content from /etc/wireguard/wireguard.key>
SaveConfig = true
DNS = 8.8.8.8,10.10.10.1,1.1.1.1
PostUp = /etc/wireguard/add-nat-routing.sh
PostDown = /etc/wireguard/remove-nat-routing.sh

Now we need to create the PostUp and PostDown scripts:

touch /etc/wireguard/add-nat-routing.sh
chmod 755 /etc/wireguard/add-nat-routing.sh
vi /etc/wireguard/add-nat-routing.sh

#!/bin/bash
# eth0 is the public (uplink) interface; adjust it to match your system
# NAT the VPN subnet out through eth0 and allow traffic between wg0 and eth0
iptables -t nat -I POSTROUTING 1 -s 10.10.10.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT 1 -i wg0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o wg0 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -o eth0 -j ACCEPT
# accept incoming WireGuard traffic on the public interface
iptables -I INPUT 1 -i eth0 -p udp --dport 51820 -j ACCEPT

touch /etc/wireguard/remove-nat-routing.sh
chmod 755 /etc/wireguard/remove-nat-routing.sh
vi /etc/wireguard/remove-nat-routing.sh

#!/bin/bash
# remove exactly the rules that add-nat-routing.sh inserted
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
iptables -D INPUT -i wg0 -j ACCEPT
iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 51820 -j ACCEPT

Now we can enable and start our WireGuard VPN server:

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
# or
# wg-quick up wg0

Now check that your WireGuard VPN server is listening on the configured port:

ss -ln | grep 51820

You should see something like this:

udp   UNCONN 0      0           0.0.0.0:51820            0.0.0.0:*
udp   UNCONN 0      0              [::]:51820               [::]:*

Congrats! Your WireGuard VPN server is now configured and accepting connections.
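To confirm that every piece set up above is actually in place (socket listening, filter and NAT rules present, private key not world-readable), here is a small check script. It is an added example, not part of the original post; each check reads one command's output from stdin so it can be run against live output (the --live branch) or output copied from the server. The interface name eth0 and the key path are taken from the post.

```shell
#!/bin/bash
# Added example: post-deployment checks for the WireGuard server from this post.
# Each check_* function reads the output of one command from stdin.

WG_PORT=51820
VPN_NET=10.10.10.0/24
WAN_IF=eth0                          # assumption: uplink interface, as in the post
KEY_FILE=/etc/wireguard/wireguard.key

# 0 if `ss -ln` output shows a UDP socket bound to the WireGuard port.
check_listening() {
    grep -Eq "^udp[[:space:]]+UNCONN.*:${WG_PORT}[[:space:]]"
}

# 0 if `iptables -S` (filter table) output contains every INPUT/FORWARD rule
# that add-nat-routing.sh inserts; each missing rule is printed on stdout.
check_filter_rules() {
    local rules missing=0 want
    rules=$(cat)
    for want in \
        "-A INPUT -i wg0 -j ACCEPT" \
        "-A INPUT -i ${WAN_IF} -p udp -m udp --dport ${WG_PORT} -j ACCEPT" \
        "-A FORWARD -i ${WAN_IF} -o wg0 -j ACCEPT" \
        "-A FORWARD -i wg0 -o ${WAN_IF} -j ACCEPT"; do
        if ! printf '%s\n' "$rules" | grep -Fxq -- "$want"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return "$missing"
}

# 0 if `iptables -t nat -S` output contains the MASQUERADE rule for the VPN subnet.
check_nat_rule() {
    grep -Fxq -- "-A POSTROUTING -s ${VPN_NET} -o ${WAN_IF} -j MASQUERADE"
}

# 0 if the private key file is readable by its owner only (what umask 077 is for).
check_key_perms() {
    [ "$(stat -c %a "$1")" = "600" ]
}

if [ "${1:-}" = "--live" ]; then
    ss -ln | check_listening            && echo "ok: listening on udp/${WG_PORT}"
    iptables -S | check_filter_rules    && echo "ok: filter rules present"
    iptables -t nat -S | check_nat_rule && echo "ok: NAT rule present"
    check_key_perms "$KEY_FILE"         && echo "ok: ${KEY_FILE} is mode 600"
fi
```

Run it as root with `--live` on the server; a silent check means that item failed, and check_filter_rules names the rules it could not find.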

Note: Before a WireGuard VPN client can connect to this server, you must add it as a peer, like so:

wg set wg0 peer <client public key> allowed-ips 10.10.10.<client VPN network IP>

Please see my WireGuard VPN client settings post to learn how to connect to this WireGuard VPN server.
