Install and Configure WireGuard on AlmaLinux 9: Best Guide


In this tutorial we walk through installing and configuring WireGuard on AlmaLinux 9, setting up both the VPN server and a client. WireGuard is a modern, secure and deliberately simple VPN that uses current cryptography. Originally written for the Linux kernel, it also runs on Windows, macOS, BSD, iOS and Android. Its speed, security and ease of configuration make it an attractive alternative to older VPN protocols. The steps below get WireGuard up and running on an AlmaLinux 9 system.

Before we dive into the specifics, let’s ensure your system is prepared.

Before you begin, log in to your server as a non-root user with sudo privileges and have a basic firewall configured. For detailed instructions on these preliminary steps, refer to our guide on Initial Server Setup with AlmaLinux 9.

Additionally, your SELinux configuration must be set to permissive mode. If you need assistance with this, please consult our guide on How To Disable SELinux on AlmaLinux.

Now, let’s proceed with the WireGuard VPN setup on AlmaLinux 9.

Step 1. Enable WireGuard Kernel Module on AlmaLinux 9

The first step is to make the WireGuard kernel module available and install the userspace tools.

First, enable the ‘wireguard’ kernel module on your server using the following command:

sudo modprobe wireguard

Next, verify that the module is enabled with:

lsmod | grep wireguard

If the module is active, you’ll see output similar to this:

wireguard              51200  0
curve25519             73728  1 wireguard
libcurve25519          49152  2 wireguard,curve25519
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             20480  2 wireguard,ip6_udp_tunnel

To ensure the wireguard module loads automatically at boot, write a modules-load.d entry. Note that with `sudo echo wireguard > file` the redirection would be performed by your unprivileged shell and fail, so pipe through `sudo tee` instead:

echo wireguard | sudo tee /etc/modules-load.d/wireguard.conf

Finally, install the ‘wireguard-tools’ package, which is crucial for managing the WireGuard server:

sudo dnf install wireguard-tools -y

Step 2. Generate WireGuard Server and Client Key Pair

This step creates the cryptographic key pairs the server and the client use to authenticate each other.

Generate WireGuard Server Key Pair

Generate the server private key and store it in /etc/wireguard/server.key:

wg genkey | sudo tee /etc/wireguard/server.key
**Output**
ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=

Set appropriate permissions on the private key:

sudo chmod 0400 /etc/wireguard/server.key

Generate the server public key and store it in /etc/wireguard/server.pub:

sudo cat /etc/wireguard/server.key | wg pubkey | sudo tee /etc/wireguard/server.pub
**Output**
Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=

Verify the keys:

# cat /etc/wireguard/server.key
# cat /etc/wireguard/server.pub

Generate WireGuard Client Key Pair

Here, we generate keys for the client. We’ll call this client "client1."

Create a directory to store client keys:

sudo mkdir -p /etc/wireguard/clients

Generate the client private key and store it in /etc/wireguard/clients/client1.key:

wg genkey | sudo tee /etc/wireguard/clients/client1.key
**Output**
iICfUtMtAvTo+W73oQZRrMP7NSmxDxI2WnZtxtMRhGU=

Generate the client public key and store it in /etc/wireguard/clients/client1.pub:

sudo cat /etc/wireguard/clients/client1.key | wg pubkey | sudo tee /etc/wireguard/clients/client1.pub
**Output**
NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=

Verify the client keys:

# cat /etc/wireguard/clients/client1.key
# cat /etc/wireguard/clients/client1.pub

Step 3. Configure WireGuard Server on AlmaLinux 9

This stage defines the server's own interface and lists the clients (peers) allowed to connect.

Create and open the WireGuard server configuration file /etc/wireguard/wg0.conf:

sudo vi /etc/wireguard/wg0.conf

Add the following content to the file, replacing the example private key with your actual server private key:

[Interface]
# Wireguard Server private key - server.key
PrivateKey = ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=

# Wireguard interface will be run at 10.8.0.1
Address = 10.8.0.1/24

# Clients will connect to UDP port 51820
ListenPort = 51820

# Ensure any changes will be saved to the Wireguard config file
SaveConfig = true

Now, add the client peer configuration, replacing the example public key with the actual client public key:

[Peer]
# WireGuard client public key - client1.pub
PublicKey = NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=

# VPN IP address(es) this client may use; a single client gets a /32 host route.
# A whole subnet behind the client can be listed as well, e.g. 172.16.100.0/24
AllowedIPs = 10.8.0.8/32

On the server, AllowedIPs is the peer's cryptokey-routing entry: packets decrypted from this peer are only accepted if their source address lies in the listed ranges, and outbound packets for those addresses are sent to this peer. A single client therefore gets a /32; a wider prefix such as /24 would route the whole subnet to that one peer and clash with any further peers you add. Save and close the file.

Step 4. Enable Port Forwarding on AlmaLinux 9

The server must forward packets between the tunnel and its uplink. To enable IP forwarding, open /etc/sysctl.conf:

sudo vi /etc/sysctl.conf

Add these lines to the end of the file:

# Port Forwarding for IPv4
net.ipv4.ip_forward=1

# Port forwarding for IPv6
net.ipv6.conf.all.forwarding=1

Apply the changes:

sudo sysctl -p
**Output**
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Step 5. Configure Firewall For WireGuard on AlmaLinux 9

Determine the default network interface for internet access:

ip route show default
**Output**
default via ... dev eth0 proto ... metric 100

In this example, the interface is eth0. Modify the WireGuard server configuration file:

sudo vi /etc/wireguard/wg0.conf

Add the following lines to the [Interface] section, replacing eth0 with your actual interface. Each PostDown line must undo its PostUp counterpart, so that taking the tunnel down also removes the forwarding and NAT rules:

PostUp = firewall-cmd --zone=public --add-masquerade
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

PostDown = firewall-cmd --zone=public --remove-masquerade
PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT
PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

Open the UDP port 51820:

sudo firewall-cmd --add-port=51820/udp --permanent

Reload the firewall:

sudo firewall-cmd --reload

Verify the firewall rules:

sudo firewall-cmd --list-all
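Two of the mistakes that are easiest to make when writing /etc/wireguard/wg0.conf by hand are a peer AllowedIPs that is wider than a single host (Step 3) and a PostDown hook that does not undo its PostUp (Step 5). The following linter is an added example written for this guide, not code from the WireGuard project or from the original post. It parses a wg-quick style config with the Python standard library only, checks that every key is 32 bytes of base64, that no two peers claim overlapping AllowedIPs, and that every `--add-*` in PostUp has a `--remove-*` in PostDown. The embedded SAMPLE_CONF is constructed and deliberately contains both mistakes; the key values are the example keys printed earlier in this guide, and the second peer is hypothetical.

```python
import base64
import ipaddress
import re
import sys

# Constructed sample: a server config written by hand, with two deliberate
# mistakes the linter should catch: a /24 on a single-client peer, and a
# PostDown that re-adds the NAT rule instead of removing it. The key values
# are the example keys printed in the guide above; the second peer is hypothetical.
SAMPLE_CONF = """\
[Interface]
PrivateKey = ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true
PostUp = firewall-cmd --zone=public --add-masquerade
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
PostDown = firewall-cmd --zone=public --remove-masquerade
PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT
PostDown = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

[Peer]
# client1
PublicKey = NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=
AllowedIPs = 10.8.0.8/24

[Peer]
# a second, hypothetical client
PublicKey = Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=
AllowedIPs = 10.8.0.9/32
"""

# A WireGuard key is 32 bytes: 43 base64 characters plus one '=' of padding.
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")


def parse_conf(text):
    """Split an INI-style wg-quick config into the [Interface] dict and a list of
    [Peer] dicts. Values are lists because PostUp/PostDown/AllowedIPs may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
            continue
        if not sections:
            raise ValueError(f"key outside any section: {line}")
        key, _, value = line.partition("=")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    interface = next((s for name, s in sections if name == "interface"), {})
    peers = [s for name, s in sections if name == "peer"]
    return interface, peers


def is_wg_key(value):
    return bool(KEY_RE.match(value)) and len(base64.b64decode(value)) == 32


def check_allowed_ips(peers):
    """Flag host bits in a prefix and ranges claimed by more than one peer: WireGuard
    routes each destination to exactly one peer, so overlaps silently lose traffic."""
    findings, claimed = [], []
    for idx, peer in enumerate(peers):
        for entry in peer.get("AllowedIPs", []):
            for cidr in (c.strip() for c in entry.split(",")):
                iface = ipaddress.ip_interface(cidr)
                net = iface.network
                if iface.ip != net.network_address:
                    findings.append(f"peer {idx}: AllowedIPs {cidr} has host bits set; "
                                    f"WireGuard will route all of {net} to this one peer")
                for other_net, other_idx in claimed:
                    if net.overlaps(other_net):
                        findings.append(f"peer {idx}: {net} overlaps peer {other_idx}'s "
                                        f"{other_net}; only one of them can receive that traffic")
                claimed.append((net, idx))
    return findings


def check_post_hooks(interface):
    """Every firewall-cmd --add-* in PostUp needs the matching --remove-* in PostDown,
    otherwise bringing the tunnel down leaves forwarding/NAT rules behind."""
    ups, downs = interface.get("PostUp", []), interface.get("PostDown", [])
    findings = []
    for up in ups:
        if up.replace("--add-", "--remove-") not in downs:
            findings.append(f"PostUp '{up}' has no PostDown that removes it")
    for down in downs:
        if "--add-" in down:
            findings.append(f"PostDown adds instead of removes: '{down}'")
    return findings


def lint(text):
    interface, peers = parse_conf(text)
    findings = []
    for value in interface.get("PrivateKey", []):
        if not is_wg_key(value):
            findings.append("[Interface] PrivateKey is not a 32-byte base64 key")
    for idx, peer in enumerate(peers):
        for name in ("PublicKey", "PresharedKey"):
            for value in peer.get(name, []):
                if not is_wg_key(value):
                    findings.append(f"peer {idx}: {name} is not a 32-byte base64 key")
    findings += check_allowed_ips(peers)
    findings += check_post_hooks(interface)
    return findings


if __name__ == "__main__":
    # Usage: python3 wglint.py /etc/wireguard/wg0.conf (run with sudo; the file is root-only)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in lint(source) or ["no findings"]:
        print(finding)
```

Run against the sample, it reports four findings: the /24 on client1, the overlap with the second peer, the missing removal of the NAT rule, and the PostDown that adds rather than removes. With the /24 changed to /32 and the last PostDown changed to `--remove-rule` it reports nothing, which is what the corrected configuration in this guide looks like.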

Step 6. Manage WireGuard Server on AlmaLinux 9

To finish the server side, start the WireGuard service and enable it so the tunnel comes up at boot:

sudo systemctl start wg-quick@wg0.service
sudo systemctl enable wg-quick@wg0.service

Check the service status:

sudo systemctl status wg-quick@wg0.service

Verify the wg0 interface:

ip a show wg0

Alternatively, use the wg-quick command:

sudo wg-quick up /etc/wireguard/wg0.conf
sudo wg-quick down /etc/wireguard/wg0.conf

Step 7. Set up WireGuard Client

Install the wireguard-tools package on the client machine:

sudo dnf install wireguard-tools

Start and enable the systemd-resolved service:

sudo systemctl start systemd-resolved
sudo systemctl enable systemd-resolved

Configure NetworkManager to use systemd-resolved as the DNS backend. Edit /etc/NetworkManager/NetworkManager.conf:

sudo vi /etc/NetworkManager/NetworkManager.conf

Add the following to the [main] section:

[main]
dns=systemd-resolved

Remove /etc/resolv.conf and replace it with a symlink to the systemd-resolved stub configuration:

sudo rm -f /etc/resolv.conf
sudo ln -s /usr/lib/systemd/resolv.conf /etc/resolv.conf

Restart the NetworkManager service:

sudo systemctl restart NetworkManager

Create the WireGuard client configuration file:

sudo vi /etc/wireguard/wg-client1.conf

Add the following content, replacing the example keys and endpoint with your actual values:

[Interface]
# Define the IP address for the client - must be matched with wg0 on Wireguard Server
Address = 10.8.0.8/24

# Private key for the client - client1.key
PrivateKey = iICfUtMtAvTo+W73oQZRrMP7NSmxDxI2WnZtxtMRhGU=

# Run resolvectl command
PostUp = resolvectl dns %i 1.1.1.1 9.9.9.9; resolvectl domain %i ~.
PreDown = resolvectl revert %i

[Peer]
# Public key of the Wireguard server - server.pub
PublicKey = Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=

# Allow all traffic to be routed via Wireguard VPN
AllowedIPs = 0.0.0.0/0

# Public IP address of the Wireguard Server
Endpoint = 192.168.5.59:51820

# Sending Keepalive every 25 sec
PersistentKeepalive = 25

Start the WireGuard client service:

sudo wg-quick up wg-client1

Test the connection:

# ping -c5 10.8.0.1
# ping -c5 1.1.1.1
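A successful ping shows that packets flow, but on the server side the authoritative check is the peer state that `wg show wg0 dump` prints: whether a handshake has completed, how recent it is, and which endpoint and AllowedIPs are bound to each public key. The script below is an added example written for this guide (Steps 6 and 7), not code from the WireGuard project or the original post. It parses that tab-separated dump format and classifies each peer as active, stale or never-handshaked, using the protocol's rekey and reject timers as the yardstick: with the client's PersistentKeepalive of 25 seconds an active peer re-handshakes at least every 120 seconds, so a last handshake older than 180 seconds means the peer is gone, blocked or mismatched. The SAMPLE_DUMP, the frozen timestamp, the client endpoint 192.168.5.77:41234 and the all-"A" key of the second peer are constructed for the example.

```python
import subprocess
import sys
import time

# Constructed sample of `sudo wg show wg0 dump` on the server from this guide,
# frozen at a fixed "now" so the example is reproducible. Line 1 is the
# interface (private key, public key, listen port, fwmark); each further line
# is a peer (public key, preshared key, endpoint, allowed IPs, latest
# handshake as unix time with 0 = never, rx bytes, tx bytes, keepalive).
NOW = 1_700_000_000
NEVER_SEEN_PEER = "A" * 43 + "="  # placeholder key for a hypothetical second client
SAMPLE_DUMP = (
    "ENza44szdCUtNZpw9bBtBQZvuPilnjCRtiZr+TukC2w=\t"
    "Rr7zWgTqE4K7VmlyDRw4Bg1yV2HFQ6QQ9sWCPdvI0z0=\t51820\toff\n"
    "NV7SN5kqqefsmwr/eYZfw+/UHVR0SQXxBxD3N5B7fkk=\t(none)\t192.168.5.77:41234\t"
    f"10.8.0.8/32\t{NOW - 12}\t18436\t27652\t25\n"
    f"{NEVER_SEEN_PEER}\t(none)\t(none)\t10.8.0.9/32\t0\t0\t0\toff\n"
)

# WireGuard initiates a fresh handshake at most every 120 s (REKEY_AFTER_TIME)
# while traffic flows, and PersistentKeepalive = 25 keeps traffic flowing, so a
# last handshake older than 180 s (REJECT_AFTER_TIME) means the peer is gone,
# blocked by a firewall, or its keys no longer match ours.
STALE_AFTER = 180


def parse_dump(text):
    """Turn `wg show <iface> dump` output into an interface dict and a peer list."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    iface = lines[0].split("\t")
    interface = {"public_key": iface[1], "listen_port": int(iface[2])}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return interface, peers


def assess(peers, now):
    """Map each peer's public key to 'active', 'stale' or 'never-handshaked'."""
    report = {}
    for p in peers:
        if p["latest_handshake"] == 0:
            report[p["public_key"]] = "never-handshaked"
        elif now - p["latest_handshake"] > STALE_AFTER:
            report[p["public_key"]] = "stale"
        else:
            report[p["public_key"]] = "active"
    return report


if __name__ == "__main__":
    if "--live" in sys.argv:  # read the real interface instead of the sample (needs root)
        text = subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True,
                              text=True, check=True).stdout
        now = int(time.time())
    else:
        text, now = SAMPLE_DUMP, NOW
    interface, peers = parse_dump(text)
    status = assess(peers, now)
    print(f"wg0 listening on udp/{interface['listen_port']}")
    for p in peers:
        print(f"{p['public_key'][:12]}... {status[p['public_key']]:17} "
              f"endpoint={p['endpoint']} allowed={','.join(p['allowed_ips'])} "
              f"rx={p['rx_bytes']} tx={p['tx_bytes']}")
```

Without arguments it prints the report for the constructed sample; `sudo python3 wgstatus.py --live` runs it against the server's real wg0. A peer that stays at never-handshaked after the client has run `wg-quick up` almost always means a public key was pasted into the wrong side, the UDP port is closed on the firewall, or the Endpoint in the client config is wrong.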

You have now completed the WireGuard installation and configuration on AlmaLinux 9.

Conclusion

WireGuard’s simplicity, speed, and strong encryption make it an excellent VPN choice. By following this guide, you can install and configure WireGuard on AlmaLinux 9 for secure internet access.

Alternative Solutions for Setting Up a VPN on AlmaLinux 9

While WireGuard offers a modern and efficient solution, other options exist for establishing a VPN on AlmaLinux 9. Here are two alternative approaches:

1. Using OpenVPN

OpenVPN is a well-established and widely supported VPN protocol. It’s known for its flexibility and strong security features. While potentially more complex to configure than WireGuard, it offers a robust alternative.

Explanation:

OpenVPN relies on SSL/TLS for key exchange and data encryption. This makes it highly secure and resistant to many attacks. OpenVPN can be configured in various ways, including routed VPN (where all traffic is routed through the VPN server) and bridged VPN (where clients appear on the same network as the server).

Steps to Install and Configure OpenVPN:

  1. Install OpenVPN and Easy-RSA:

    sudo dnf install openvpn easy-rsa
  2. Prepare Easy-RSA:

    mkdir /etc/openvpn/easy-rsa/
    cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
    cd /etc/openvpn/easy-rsa
    nano vars  # Edit the vars file with your organization's details
    ./easyrsa init-pki
    ./easyrsa build-ca nopass
  3. Generate Server Certificate and Key:

    ./easyrsa build-server-full server nopass
  4. Generate Client Certificates and Keys (for each client):

    ./easyrsa build-client-full client1 nopass
  5. Generate Diffie-Hellman Parameters:

    ./easyrsa gen-dh
  6. Copy Keys and Certificates to the OpenVPN Directory:

    cp pki/ca.crt /etc/openvpn/
    cp pki/dh.pem /etc/openvpn/
    cp pki/issued/server.crt /etc/openvpn/
    cp pki/private/server.key /etc/openvpn/
    cp pki/issued/client1.crt /etc/openvpn/
    cp pki/private/client1.key /etc/openvpn/
  7. Create the OpenVPN Server Configuration File (/etc/openvpn/server.conf):

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key  # This file should be kept secret
    dh dh.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 1.1.1.1"
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120
    tls-version-min 1.2
    cipher AES-256-CBC
    auth SHA256
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
  8. Enable IP Forwarding (as shown in the WireGuard guide):

    sudo vi /etc/sysctl.conf  # Add the ip forwarding lines
    sudo sysctl -p
  9. Configure Firewall:

    sudo firewall-cmd --permanent --add-port=1194/udp
    sudo firewall-cmd --permanent --add-masquerade
    sudo firewall-cmd --reload
  10. Start and Enable the OpenVPN Service:

    sudo systemctl start openvpn@server.service
    sudo systemctl enable openvpn@server.service
  11. Configure the Client: Create a client configuration file (client1.ovpn) with the following content:

    client
    dev tun
    proto udp
    remote your_server_ip 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    remote-cert-tls server
    tls-version-min 1.2
    cipher AES-256-CBC
    auth SHA256
    verb 3

    Replace your_server_ip with the public IP address of your AlmaLinux 9 server. Transfer the client1.ovpn, ca.crt, client1.crt, and client1.key files to the client device.

  12. Connect the Client: Use the OpenVPN client software on the client device to connect to the VPN server using the client1.ovpn configuration file.

2. Using IPsec/L2TP

IPsec/L2TP is another VPN protocol that provides a secure tunnel for data transmission. It is often used when compatibility with older devices is required.

Explanation:

L2TP (Layer Two Tunneling Protocol) establishes a tunnel, and IPsec (Internet Protocol Security) provides the encryption. This combination offers a reasonable level of security and is supported by many operating systems.

Steps to Install and Configure IPsec/L2TP:

  1. Install the Necessary Packages:

    sudo dnf install xl2tpd strongswan
  2. Configure IPsec (/etc/ipsec.conf):

    config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
    
    conn L2TP-PSK
        auto=add
        keyexchange=ikev1
        authby=secret
        left=your_server_ip
        leftsubnet=0.0.0.0/0
        right=%any
        rightsubnet=0.0.0.0/0
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear

    Replace your_server_ip with the public IP address of your server.

  3. Set the IPsec Pre-Shared Key (/etc/ipsec.secrets):

    your_server_ip %any: PSK "your_secret_psk"

    Replace your_server_ip with the public IP address of your server and your_secret_psk with a strong pre-shared key.

  4. Configure L2TP (/etc/xl2tpd/xl2tpd.conf):

    [global]
    listen-addr = your_server_ip
    port = 1701
    
    [lns default]
    ip range = 10.8.0.10-10.8.0.20
    local ip = 10.8.0.1
    require chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = no
    pppoptfile = /etc/ppp/options.l2tpd.client
    length bit = yes

    Replace your_server_ip with the public IP address of your server.

  5. Configure PPP Options (/etc/ppp/options.l2tpd.client):

    # must match the "server" column in /etc/ppp/chap-secrets
    name l2tpd
    ipcp-accept-local
    ipcp-accept-remote
    refuse-eap
    require-mschap-v2
    noccp
    noauth
    mtu 1410
    mru 1410
    nodefaultroute
  6. Set User Authentication (/etc/ppp/chap-secrets):

    # Secrets for authentication using CHAP
    # client  server  secret        IP addresses
    username  l2tpd  password  *

    Replace username and password with the desired username and password for the VPN client.

  7. Enable IP Forwarding (as shown in the WireGuard guide):

    sudo vi /etc/sysctl.conf  # Add the ip forwarding lines
    sudo sysctl -p
  8. Configure Firewall:

    sudo firewall-cmd --permanent --add-port=1701/udp
    sudo firewall-cmd --permanent --add-port=500/udp
    sudo firewall-cmd --permanent --add-port=4500/udp
    sudo firewall-cmd --permanent --add-masquerade
    sudo firewall-cmd --reload
  9. Start and Enable Services:

    sudo systemctl start strongswan
    sudo systemctl enable strongswan
    sudo systemctl start xl2tpd
    sudo systemctl enable xl2tpd
  10. Configure the Client: Configure your client device (Windows, macOS, Android, iOS) to connect to an L2TP/IPsec VPN. Use the server’s IP address, the pre-shared key, the username, and the password you configured earlier.

These alternative solutions provide flexibility in choosing the VPN protocol that best suits your needs and environment on AlmaLinux 9. Each protocol has its strengths and weaknesses, and careful consideration should be given to security, performance, and compatibility when making a selection. The most important element in any of these options is a strong and secure key and password creation and management policy.
