WireGuard – A Fast, Modern and Secure VPN Tunnel for Linux

WireGuard is a modern, secure, cross-platform and general-purpose VPN implementation that uses state-of-the-art cryptography. It aims to be faster, simpler, leaner and more functional than IPsec, and it intends to be more performant than OpenVPN.

It is designed for use in various circumstances and can be deployed on embedded interfaces, fully loaded backbone routers, and supercomputers alike; and runs on Linux, Windows, macOS, BSD, iOS, and Android operating systems.

It presents an extremely basic yet powerful interface that aims to be as easy to configure and deploy as SSH. Its key features include a simple network interface, cryptokey routing, built-in roaming and container support.

Note that at the time of writing, it is under heavy development: some of its parts are working toward a stable 1.0 release, while others are already there (working fine).

In this article, you will learn how to install and configure WireGuard in Linux to create a VPN tunnel between two Linux hosts.

Testing Environment

For this guide, our setup (hostname and public IP) is as follows:

Node 1 : tecmint-appserver1:    10.20.20.4
Node 2 : tecmint-dbserver1:     10.20.20.3

How to Install WireGuard in Linux Distributions

Log in to both nodes and install WireGuard using the appropriate command for your Linux distribution.

Install WireGuard in RHEL 8

$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
$ sudo yum copr enable jdoss/wireguard
$ sudo yum install wireguard-dkms wireguard-tools

Install WireGuard in CentOS 8

$ sudo yum install epel-release
$ sudo yum config-manager --set-enabled PowerTools
$ sudo yum copr enable jdoss/wireguard
$ sudo yum install wireguard-dkms wireguard-tools

Install WireGuard in RHEL/CentOS 7

$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ sudo yum install wireguard-dkms wireguard-tools

Install WireGuard in Fedora

$ sudo dnf install wireguard-tools

Install WireGuard in Debian

# echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
# printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
# apt update
# apt install wireguard

Install WireGuard in Ubuntu

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard

Install WireGuard in OpenSUSE

$ sudo zypper addrepo -f obs://network:vpn:wireguard wireguard
$ sudo zypper install wireguard-kmp-default wireguard-tools

Configuring a WireGuard VPN Tunnel Between Two Linux Hosts

Once WireGuard is installed on both nodes, either reboot them or load the wireguard kernel module with the following command on both nodes.

$ sudo modprobe wireguard
OR
# modprobe wireguard

Next, generate base64-encoded public and private keys using the wg utility on both nodes as shown.

---------- On Node 1 ----------
$ umask 077
$ wg genkey >private_appserver1
$ wg pubkey < private_appserver1

---------- On Node 2 ----------
$ umask 077
$ wg genkey >private_dbserver1
$ wg pubkey < private_dbserver1

Generate Keys on Both Nodes
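
The umask 077 step matters because wg genkey writes the private key into whatever file you redirect it to, with permissions decided by the current umask. As an added example (not from the original article), the function below checks an existing key file; check_keyfile, demo and the demo file name are names invented here, and GNU stat and base64 are assumed.

```shell
#!/bin/sh
# Added example: check a private key file produced by `wg genkey`.

# check_keyfile PATH: prints one line per finding, returns 0 only if clean.
check_keyfile() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    # Any group/other permission bit means `umask 077` was not in effect.
    mode=$(stat -c '%a' "$f")   # GNU stat, as found on the Linux hosts here
    case $mode in
        ?00) ;;
        *) echo "$f: mode $mode, expected 600"; rc=1 ;;
    esac
    # A key is 32 bytes, stored as a single 44-character base64 line.
    n=$(base64 -d < "$f" 2>/dev/null | wc -c)
    [ "$n" -eq 32 ] || { echo "$f: decodes to $n bytes, expected 32"; rc=1; }
    return "$rc"
}

# Constructed demo: a key-shaped file (random bytes, not a key in use)
# written under a permissive umask, then corrected.
demo() {
    d=$(mktemp -d)
    (umask 022; head -c 32 /dev/urandom | base64 > "$d/private_demo")
    check_keyfile "$d/private_demo" || echo "fixing with chmod 600"
    chmod 600 "$d/private_demo"
    check_keyfile "$d/private_demo" && echo "clean"
    rm -rf "$d"
}
demo
```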

Next, you need to create a network interface (e.g. wg0) for WireGuard on the peers as shown below. Then assign IP addresses to the new network interface (for this guide, we will use the network 192.168.10.0/24).

---------- On Node 1 ----------
$ sudo ip link add dev wg0 type wireguard
$ sudo ip addr add 192.168.10.1/24 dev wg0

---------- On Node 2 ----------
$ sudo ip link add dev wg0 type wireguard
$ sudo ip addr add 192.168.10.2/24 dev wg0

To view the attached network interfaces on the peers and their IP addresses, use the following ip command.

$ ip ad

View Network Interfaces with IP Addresses

Next, assign the private key for each peer to the wg0 network interface and bring up the interface as shown.

---------- On Node 1 ----------
$ sudo wg set wg0 private-key ./private_appserver1
$ sudo ip link set wg0 up

---------- On Node 2 ----------
$ sudo wg set wg0 private-key ./private_dbserver1
$ sudo ip link set wg0 up

Now that both links are up, each with its private key associated, run the wg utility without any arguments to retrieve the configuration of the WireGuard interfaces on the peers. Then create your WireGuard VPN tunnel as follows.

The peer (public key), allowed-ips (network/subnet mask) and endpoint (public ip:port) values are those of the opposite peer.

---------- On Node1 (Use the IPs and Public Key of Node 2) ----------
$ sudo wg
$ sudo wg set wg0 peer MDaeWgZVULXP4gvOj4UmN7bW/uniQeBionqJyzEzSC0= allowed-ips 192.168.10.0/24 endpoint 10.20.20.3:54371

---------- On Node2 (Use the IPs and Public Key of Node 1) ----------
$ sudo wg
$ sudo wg set wg0 peer 6yNLmpkbfsL2ijx7z996ZHl2bNFz9Psp9V6BhoHjvmk= allowed-ips 192.168.10.0/24 endpoint 10.20.20.4:42930

Create Wireguard VPN Tunnel Between Linux Machines

Testing WireGuard VPN Tunnel Between Linux Systems

Once the wireguard VPN tunnel has been created, ping the opposite peer using the address of the wireguard network interface. Then run the wg utility once again to confirm a handshake between the peers as shown.

---------- On Node 1 ----------
$ ping 192.168.10.2
$ sudo wg

---------- On Node 2 ----------
$ ping 192.168.10.1
$ sudo wg

Test Wireguard VPN Tunnel Between Linux Machines
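
To check both the peer settings from the wg set ... peer ... allowed-ips step and the handshake confirmation above in a scriptable way, the following added example (not from the original article) reads the tab-separated output of wg show wg0 dump. The function names, the 180-second staleness threshold and the rule that reports any allowed-ips entry wider than a single host are assumptions of this example; allowed-ips is also the filter on source addresses accepted from that peer, which is why the /24 from the guide is reported.

```shell
#!/bin/sh
# Added example: audit the peer lines of `wg show wg0 dump`.
# Peer fields (tab-separated): public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), transfer-rx, transfer-tx, keepalive.

# audit_peers NOW MAX_AGE: reads dump text on stdin, prints one line per finding.
audit_peers() {
    awk -F '\t' -v now="$1" -v max_age="$2" '
        NR == 1 { next }   # interface line; its first field is the private key
        {
            peer = substr($1, 1, 8) "..."
            if ($5 == 0)
                print peer " NO_HANDSHAKE"
            else if (now - $5 > max_age)
                print peer " STALE_HANDSHAKE age=" (now - $5) "s"
            if ($4 == "(none)")
                next
            n = split($4, nets, ",")
            for (i = 1; i <= n; i++) {
                split(nets[i], p, "/")
                host = index(p[1], ":") ? 128 : 32   # IPv6 or IPv4 host prefix
                if (p[2] + 0 < host)
                    print peer " WIDE_ALLOWED_IPS " nets[i]
            }
        }'
}

# Constructed sample: Node 1's view with Node 2 from the guide plus two
# made-up peers (keys AAAA.../BBBB... are placeholders, not real keys).
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' PRIVATE_KEY_PLACEHOLDER \
        '6yNLmpkbfsL2ijx7z996ZHl2bNFz9Psp9V6BhoHjvmk=' 42930 off
    printf '%s\t(none)\t%s\t%s\t%s\t0\t0\toff\n' \
        'MDaeWgZVULXP4gvOj4UmN7bW/uniQeBionqJyzEzSC0=' 10.20.20.3:54371 192.168.10.0/24 1700000000 \
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' '(none)' 192.168.10.3/32 0 \
        'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=' 10.20.20.6:51820 192.168.10.4/32 1699990000
}

sample_dump | audit_peers 1700000100 180
```

On a live node, feed it with sudo wg show wg0 dump | audit_peers "$(date +%s)" 180. A handshake only happens when traffic flows, so a stale entry on an idle tunnel is not by itself a fault.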

That’s it for now! WireGuard is a modern, secure, simple yet powerful and easy-to-configure VPN solution for the future. It is undergoing heavy development and is thus a work in progress. You can get more information, especially about its inner workings and other configuration options, from the WireGuard homepage.