
How to Set Up a WireGuard VPN Server on Rocky Linux: A Comprehensive Guide
In today’s digital landscape, securing your internet traffic is more critical than ever. A Virtual Private Network (VPN) creates an encrypted tunnel for your data, protecting it from prying eyes and ensuring your privacy. While many commercial VPN services exist, setting up your own provides unparalleled control and security. WireGuard has emerged as a modern, high-performance VPN solution, praised for its simplicity, speed, and state-of-the-art cryptography.
This guide provides a step-by-step walkthrough for installing and configuring a secure WireGuard VPN server on Rocky Linux, giving you a fast, private, and reliable connection for all your devices.
What Makes WireGuard a Superior Choice?
Before we dive in, it’s worth understanding why WireGuard is gaining so much popularity. Unlike older protocols like OpenVPN or IPsec, WireGuard is designed for ease of use and high performance. It features a significantly smaller codebase, which makes it easier to audit and less prone to security vulnerabilities. Its modern cryptographic primitives ensure robust encryption without sacrificing speed.
Prerequisites
To get started, you will need the following:
- A server running a fresh installation of Rocky Linux 8 or 9.
- Root or sudo access to the server.
- A basic understanding of the Linux command line.
Step 1: Update Your System and Install Prerequisites
First, it’s always a best practice to ensure your system is fully up to date. Open your terminal and run the following commands:
sudo dnf update -y
sudo dnf upgrade -y
WireGuard is not included in the default Rocky Linux repositories. We need to enable the Extra Packages for Enterprise Linux (EPEL) repository, which contains the necessary packages.
sudo dnf install epel-release -y
Step 2: Install WireGuard Tools
With the EPEL repository enabled, you can now install the WireGuard package, which includes the necessary kernel module and management tools.
sudo dnf install wireguard-tools -y
This single command installs everything you need to create and manage your VPN server.
Step 3: Generate Server Keys
WireGuard uses public-key cryptography to secure connections. Each peer (the server and each client) has a private key and a public key. The private key must be kept secret, while the public key is shared to establish a secure connection.
Let’s generate the key pair for our server.
Navigate to the WireGuard configuration directory:
cd /etc/wireguard/
Set secure permissions for the directory so only the root user can access it, and set a restrictive umask in the current shell so the key files you are about to create are readable by their owner only:
sudo chmod 700 /etc/wireguard
umask 077
Generate the private and public keys:
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey
This command generates a privatekey file (your server’s secret) and a publickey file. You can view them using the cat command (e.g., sudo cat privatekey), but be careful not to share the private key.
Step 4: Create the WireGuard Server Configuration
Now we will create the main configuration file for our VPN server. This file, wg0.conf, defines the server’s network interface, IP address, and connection rules.
Create and open the file with a text editor like nano:
sudo nano /etc/wireguard/wg0.conf
Paste the following configuration into the file. You will need to replace YOUR_SERVER_PRIVATE_KEY with the content of your privatekey file.
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = firewall-cmd --add-port=51820/udp; firewall-cmd --add-masquerade
PostDown = firewall-cmd --remove-port=51820/udp; firewall-cmd --remove-masquerade
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY
# Add client configurations below this line
# [Peer]
# PublicKey = CLIENT_PUBLIC_KEY
# AllowedIPs = 10.0.0.2/32
Let’s break down this configuration:
- [Interface]: This section defines the server’s virtual network interface.
- Address: This sets the private IP address for your WireGuard server within the VPN. All connected clients will be on this subnet.
- SaveConfig: When set to true, any changes made via the wg command will be saved to this file.
- PostUp / PostDown: These are crucial firewall commands that run when the VPN starts and stops. PostUp opens the WireGuard port (51820/udp) and enables IP masquerading (NAT), which allows VPN clients to access the internet through the server’s IP address. PostDown reverts these changes.
- ListenPort: The port WireGuard listens on. The default, 51820, is a good choice.
- PrivateKey: This is where you paste the contents of your /etc/wireguard/privatekey file.
Save and close the file (Ctrl+X, then Y, then Enter in nano).
Step 5: Enable IP Forwarding
For your server to route traffic from your VPN clients to the internet, you must enable IP forwarding.
Open the system control configuration file:
sudo nano /etc/sysctl.conf
Add the following line to enable IPv4 forwarding:
net.ipv4.ip_forward = 1
Save the file and apply the changes without rebooting:
sudo sysctl -p
Step 6: Start and Enable the WireGuard Service
Your server is now configured. Let’s start the WireGuard service and enable it to launch automatically on boot.
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
You can check the status of the service to ensure it’s running correctly:
sudo systemctl status wg-quick@wg0
You can also use the wg command to see the interface status, public key, and listening port:
sudo wg show
Step 7: Configure a Client Peer
Your server is running, but it won’t accept any connections until you add a client (a “peer”). For each device you want to connect (e.g., a laptop or smartphone), you must generate a key pair and add its public key to the server.
On the client device (or on the server on behalf of the client):
- Install WireGuard tools just as you did on the server.
- Generate a key pair for the client:
wg genkey | tee client_privatekey | wg pubkey > client_publickey
Keep the client_privatekey safe on the client device. You will need the client_publickey for the server configuration.
Back on the server:
- Add the client as a peer to your server configuration. Replace CLIENT_PUBLIC_KEY with the actual public key you just generated for the client.
sudo wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.0.2/32
This command tells the server to accept connections from this client and assign it the internal IP address 10.0.0.2. Because SaveConfig is enabled, the peer is also written back to wg0.conf when the interface is brought down, so it survives restarts.
Finally, create the client’s configuration file. On the client device, create a wg0.conf file with the following content:
[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Key Client Settings:
- PrivateKey: The client’s private key.
- Address: The IP address assigned to this client by the server.
- DNS: Use a public DNS resolver like Cloudflare’s (1.1.1.1) or Google’s (8.8.8.8) for privacy.
- PublicKey: The server’s public key (from /etc/wireguard/publickey on the server).
- Endpoint: The public IP address of your server and the WireGuard port.
- AllowedIPs = 0.0.0.0/0: This is a critical setting that routes all of the client’s internet traffic through the VPN.
- PersistentKeepalive: Helps maintain the connection, especially behind NAT firewalls.
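As an added example that is not part of the original guide, the following POSIX shell helpers tie Steps 3, 4 and 7 together: they check that a pasted key has the correct WireGuard format before it reaches wg set or wg-quick, render the server-side [Peer] block and the matching full-tunnel client wg0.conf with the settings shown above, and write files with owner-only permissions. Function names are this example's own; the key values in the comments are constructed placeholders, and gen_keypair assumes wireguard-tools is installed.

```shell
#!/bin/sh
# Added example, not part of the original guide: helpers that validate keys,
# render the server [Peer] block and the client wg0.conf from the guide,
# and create files with owner-only permissions.

# A WireGuard key is 32 random bytes in base64: 44 characters ending in '='.
# Catches truncated or mis-pasted keys before `wg set` / wg-quick rejects them.
wg_key_valid() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Generate a key pair as $1.key / $1.pub; the subshell umask keeps the private
# key readable by its owner only. Requires wireguard-tools (not run in tests).
gen_keypair() {
  ( umask 077 && wg genkey > "$1.key" && wg pubkey < "$1.key" > "$1.pub" )
}

# [Peer] block to append to the server's /etc/wireguard/wg0.conf.
# $1 = client public key, $2 = client VPN address (e.g. 10.0.0.2)
# AllowedIPs is the single /32 the server accepts as this peer's source.
server_peer_block() {
  wg_key_valid "$1" || { echo "server_peer_block: bad public key" >&2; return 1; }
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Full-tunnel client wg0.conf matching the guide's settings.
# $1 = client private key, $2 = client VPN address,
# $3 = server public key, $4 = server public IP or hostname
client_conf() {
  if ! wg_key_valid "$1" || ! wg_key_valid "$3"; then
    echo "client_conf: bad key" >&2; return 1
  fi
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = 1.1.1.1, 1.0.0.1\n\n' "$1" "$2"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s:51820\n' "$3" "$4"
  printf 'AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n'
}

# Write the client config to $1 (remaining args as for client_conf) with
# mode 0600, since the file contains the client's private key.
write_client_conf() {
  out=$1; shift
  ( umask 077 && client_conf "$@" > "$out" )
}
```

Run the file with `. ./wg-helpers.sh` and call `write_client_conf laptop.conf <client private key> 10.0.0.2 <server public key> <server IP>` as root; the rendered file can then be imported into the WireGuard client unchanged.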
Once this file is created, you can activate the connection using the WireGuard client application on your laptop or by importing the configuration on your mobile device. Congratulations, you now have a private, high-performance VPN server.
Source: https://kifarunix.com/install-wireguard-vpn-server-on-rocky-linux/