LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

How to Set Up WireGuard VPN on CentOS 8

How to setup WireGuard VPN on CentOS 8

WireGuard is a modern VPN solution that runs on state-of-the-art cryptography such as the Noise protocol framework, and Curve25519. It provides a much faster experience and outperforms its competitors, such as IPsec and OpenVPN. It provides all this power in a simple and easy to use framework. All it takes to start a VPN connection is the exchange of public keys, just like SSH keys.

WireGuard is available on multiple platforms, including Windows, macOS, iOS, Android, and Linux. Today, we will guide you on how to install and set up WireGuard VPN on your CentOS 8 machine. Let us get started.

Before we start with the installation, make sure that you have root access on your CentOS 8 server.

1) Add the repositories

To install WireGuard VPN, you will have to add the Epel and Elrepo repositories to your server. To do that, run the following command in the terminal:

‘sudo dnf install epel-release elrepo-release’

2) Install WireGuard

Now to install WireGuard, run this command:

‘sudo dnf install kmod-wireguard wireguard-tools’

If you are prompted for anything during the installation, press ‘y’.

After the installation is done, we will be able to run a WireGuard VPN server on our machine. Now it is time to configure it, so the traffic goes through it.

3) Configuration

To configure the WireGuard, we will be using the command line tools “wg” and “wg-quick” provided by the WireGuard packages.

To store the configuration, you need to manually a “/etc/wireguard” directory, or you can run this command:

‘sudo mkdir /etc/wireguard’        

4) Generate the keys

We need to generate WireGuard private and public keys now. These will be used to start a VPN connection. The private key should always be kept somewhere safe and should never be shared with any third-party.

To generate the keys, run the following command:

‘wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey’

5) Create a configuration file

Now, we need to create a new configuration file, do that with the following command:

‘cd /etc/wireguard/ && sudo nano wg0.conf’

In this file, you need to paste the following:

[Interface, could be named anything you want]

Address = [A list of IP addresses for the wg0 interface such as]

SaveConfig = true

ListenPort = [Port number you want WireGuard to listen to]

PrivateKey = [Your private key, run ‘sudo cat /etc/wireguard/privatekey’]

PostUp = firewall-cmd –zone=public –add-port [ListenPort]/udp && firewall-cmd –zone=public –add-masquerade

PostDown   = firewall-cmd –zone=public –remove-port [ListenPort]/udp && firewall-cmd –zone=public –remove-masquerade

6) Change permission for the configuration file

You need to make sure that the configuration file and the private key cannot be accessed by anyone other than the admin. Run the command:

‘sudo chmod 600 /etc/wireguard/{privatekey, wg0.conf}’

To check the interface state and the configuration for your WireGuard server, you can run the commands:

‘sudo wg show wg0’ or ‘sudo wg-quick show wg0’

7) Enable to wg0 to start at boot

Run the command:

‘sudo systemctl enable wg-quick@wg0’

8) Enable IP forwarding

This is the last step in the set up of your WireGuard VPN. We need to create a new config file. Run the command:

‘sudo nano /etc/sysctl.d/99-custom.conf’

And paste the following into the file:


Now, we need to save the file and apply the changes, do that by running this command:

‘sudo sysctl -p /etc/sysctl.d/99-custom.conf’

With that, the configuration of the WireGuard VPN is complete on your CentOS 8 server.

Have you used WireGuard before? Share your experiences and feedback in the comments section below!

Jon Biloh

1 Comment

  1. From my experience the server needs a reboot to bring up the tunnel successfully.

    October 6, 2020 @ 6:37 am | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *