WireGuard is a free, open-source VPN protocol and implementation built on modern cryptography. Every WireGuard endpoint is a peer that talks directly to other peers; the "server" and "client" roles used in this guide are a configuration convention, not a protocol feature: the server is the peer with a fixed, reachable endpoint that routes the other peers' traffic to the networks they are allowed to reach. WireGuard is cross-platform and runs on Linux, Windows, Android, macOS and iOS. Compared with IPsec and OpenVPN it has a much smaller code base and a fixed cipher suite with nothing to negotiate, which makes it easier to deploy and audit and, in practice, faster.
In this guide, we demonstrate how to set up WireGuard VPN on Rocky Linux 9 | AlmaLinux 9.
Advantages of Using WireGuard VPN
Here are the advantages of using WireGuard VPN:
- Security. WireGuard uses a fixed set of modern primitives (Curve25519 for key exchange, ChaCha20-Poly1305 for transport encryption, BLAKE2s for hashing, assembled with the Noise protocol framework). There are no cipher or mode options, so there is no weak configuration to fall into; if a primitive is ever broken, the protocol version changes rather than a setting.
- Deployment simplicity. A peer is a key pair, a tunnel address and a list of peers, and the same wg-quick tooling configures both ends. Ready-made client apps exist for desktops and mobile devices.
- Agility. Peers are identified by public key rather than by source address, so a client that moves between networks (Wi-Fi to mobile data, for example) keeps its session and the server simply updates the endpoint from the latest authenticated packet. Conventional VPNs often drop the connection in the same situation.
- Speed. The data path lives in the Linux kernel (mainline since 5.6 and part of the EL9 kernel), so packets never cross into userspace the way they do with OpenVPN, and the cryptography is implemented with fast, well-reviewed code.
Install WireGuard VPN on Rocky Linux 9 | AlmaLinux 9
Installing WireGuard VPN server on Rocky Linux 9 | AlmaLinux 9 is outlined in the steps below.
Step 1: Setup Requirements
Make sure you have the following before setting up WireGuard VPN:
- Rocky Linux 9 | AlmaLinux 9 installed.
- A user with sudo privileges.
- A way for clients to reach the server on UDP port 51820: a public IP address on the server, or a port forward from the router's public address if the server sits behind NAT.
Step 2: System Update
Run the following command to ensure that your system packages are updated to the most recent stable versions.
sudo dnf update -y
Reboot afterwards if the update installed a new kernel, so the running kernel matches the installed one (the WireGuard module is part of the kernel package):
sudo reboot
Step 3: Install EPEL Repository
The WireGuard kernel module is already part of the EL9 kernel, so no third-party kernel module is required; only the userspace tools (wg and wg-quick) are needed, and the EPEL repository is the usual source for them on Enterprise Linux. ELRepo is not needed on EL9 (its kmod-wireguard package targets older kernels) and can be omitted from the command below.
sudo dnf install -y epel-release elrepo-release
Step 4: Install WireGuard VPN server
Execute the following command to install WireGuard VPN and its dependencies:
$ sudo dnf install -y wireguard-tools
Last metadata expiration check: 0:05:01 ago on Thu 06 Feb 2025 09:18:07 PM EAT.
Dependencies resolved.
=====================================================================================================================================================
Package Architecture Version Repository Size
=====================================================================================================================================================
Installing:
wireguard-tools x86_64 1.0.20210914-3.el9 appstream 114 k
Installing dependencies:
systemd-resolved x86_64 252-46.el9_5.2.0.1 baseos 385 k
Transaction Summary
=====================================================================================================================================================
Install 2 Packages
Total download size: 499 k
Installed size: 1.0 M
Downloading Packages:
(1/2): systemd-resolved-252-46.el9_5.2.0.1.x86_64.rpm 1.6 MB/s | 385 kB 00:00
(2/2): wireguard-tools-1.0.20210914-3.el9.x86_64.rpm 430 kB/s | 114 kB 00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------
Total 265 kB/s | 499 kB 00:01
View the installed WireGuard version on your server.
$ sudo wg --version
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/
Step 5: Configure WireGuard VPN
WireGuard uses cryptokey routing: each peer's public key is bound to a list of IP addresses (AllowedIPs) that the peer is permitted to use inside the tunnel. An outbound packet is encrypted to the peer whose AllowedIPs contain its destination, and a decrypted inbound packet is dropped unless its source address belongs to the AllowedIPs of the peer it came from. Each endpoint therefore needs its own private key, and its peers need the matching public key. Follow these steps to create the server key pair and the new WireGuard interface.
Generate WireGuard Keys
Generate the server's private key and derive its public key in the /etc/wireguard directory. Setting a restrictive umask first means the private key file is created readable by root only, instead of being world-readable until the permissions are fixed afterwards:
(umask 077; wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key)
Confirm that both keys were generated. The private key must never leave the server; the public key is what you hand to clients:
$ sudo cat /etc/wireguard/server_private.key
oH+Xnl4FbTh7aq8H+fBJPMTMMswth36FSxyr+Ukk52U=
$ sudo cat /etc/wireguard/server_public.key
FdaVrQzQmscvsgXUIdJfrlFmpVj2Lr5KJWZqogR8jHI=
Make sure the key files are readable by root only. The public key is not secret, but a uniform permission is simpler to audit, and /etc/wireguard itself is created with mode 0700 by the package, which is a second line of defence for the private key.
sudo chmod 600 /etc/wireguard/server_private.key /etc/wireguard/server_public.key
View your available server network interfaces and verify your main interface details:
$ ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:28:0f:a1 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.183/24 brd 192.168.1.255 scope global dynamic noprefixroute enp1s0
valid_lft 6385sec preferred_lft 6385sec
inet6 fe80::5054:ff:fe28:fa1/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Based on the above output, enp1s0 is the interface that carries the server's default route, with the address 192.168.1.183. This is a private (RFC 1918) address, so the server is behind NAT: clients on the Internet must use the router's public address as their Endpoint, and the router must forward UDP 51820 to 192.168.1.183. enp1s0 is also the interface through which client traffic leaves for the Internet, so it is where the masquerade rule in the firewall step takes effect.
Create Network Configuration for WireGuard
Create the WireGuard interface configuration. Paste the contents of /etc/wireguard/server_private.key as PrivateKey, and restrict the file to root with chmod 600 as done for the key files above, because it contains that key.
$ sudo vim /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <SERVER-PRIVATE-KEY>
Address is the server's tunnel address and the subnet from which clients get their tunnel addresses. ListenPort is the UDP port peers connect to (the firewall rule for it follows below). SaveConfig = true tells wg-quick to write the live configuration, including peers added with wg set, back into this file when the interface is brought down; be aware that any edits made to the file while the interface is up are overwritten at that point.
Enable IP Forwarding
Allow packet routing between VPN clients and their destinations by enabling IP forwarding. Add the line net.ipv4.ip_forward = 1 to /etc/sysctl.conf as shown below (sysctl -p reads only that file; a drop-in under /etc/sysctl.d/ would need sysctl --system instead):
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
Reload the sysctl configuration:
sudo sysctl -p
Start WireGuard VPN Server
Using the wg-quick command, start the WireGuard VPN server:
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.16.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
Check that the WireGuard interface is up:
$ ip addr show wg0
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 172.16.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
Manage WireGuard VPN Processes
The wg-quick utility starts and manages the VPN interface on your server, and the wg-quick@.service systemd unit template wraps it so an interface can be started at boot. The instance name after the @ is the configuration file name without .conf, so wg-quick@wg0.service uses /etc/wireguard/wg0.conf.
The interface was already created by wg-quick up above; bring it down first with sudo wg-quick down wg0, otherwise the unit fails with "wg0 already exists". Then start the service:
sudo systemctl start wg-quick@wg0.service
Enable it to start automatically at boot:
sudo systemctl enable wg-quick@wg0.service
View the WireGuard interface status and verify that it’s active on your server.
$ systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; preset: disabled)
Active: active (exited) since Thu 2025-02-06 22:05:49 EAT; 19s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Main PID: 22414 (code=exited, status=0/SUCCESS)
CPU: 35ms
Feb 06 22:05:49 rocky9.cloudspinx.com systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Feb 06 22:05:49 rocky9.cloudspinx.com wg-quick[22414]: [#] ip link add wg0 type wireguard
Feb 06 22:05:49 rocky9.cloudspinx.com wg-quick[22414]: [#] wg setconf wg0 /dev/fd/63
Feb 06 22:05:49 rocky9.cloudspinx.com wg-quick[22414]: [#] ip -4 address add 172.16.0.1/24 dev wg0
Feb 06 22:05:49 rocky9.cloudspinx.com wg-quick[22414]: [#] ip link set mtu 1420 up dev wg0
Feb 06 22:05:49 rocky9.cloudspinx.com systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
Set Up Firewall Rules
FirewallD is installed and active on Rocky Linux 9 servers by default. In the following steps, open the WireGuard server port UDP 51820 and enable masquerading, so that client traffic forwarded out of enp1s0 is source-translated to the server's address; without masquerading, replies to the VPN clients' Internet traffic have no route back to them.
View the firewalld status and verify that it's active:
$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
Active: active (running) since Thu 2025-02-06 21:15:15 EAT; 59min ago
Docs: man:firewalld(1)
Main PID: 16154 (firewalld)
Tasks: 2 (limit: 36018)
Memory: 26.4M
CPU: 959ms
CGroup: /system.slice/firewalld.service
└─16154 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
Feb 06 21:15:15 rocky9.cloudspinx.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 06 21:15:15 rocky9.cloudspinx.com systemd[1]: Started firewalld - dynamic firewall daemon.
If firewalld is inactive, enable and start it, then make sure the SSH port 22 stays open before anything else:
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-port=22/tcp && sudo firewall-cmd --reload
Allow the WireGuard UDP port 51820 through the firewall, and enable masquerading in the default zone (public, unless you changed it; wg0 is not assigned to any zone, so it falls into the default zone together with enp1s0):
sudo firewall-cmd --permanent --add-port=51820/udp
sudo firewall-cmd --permanent --add-masquerade
Reload firewalld to apply your configuration changes:
sudo firewall-cmd --reload
List the open ports and verify that the WireGuard port is present (sudo firewall-cmd --query-masquerade should answer yes):
$ sudo firewall-cmd --list-ports
22/tcp 51820/udp
Setup WireGuard Client on Rocky Linux 9
With the server configured, set up the WireGuard client on another Rocky Linux 9 machine.
Install Wireguard package on Rocky Linux 9 client:
sudo dnf install epel-release -y && sudo dnf install wireguard-tools -y
Set up the Rocky Linux 9 client machine’s private and public keys as follows:
wg genkey | sudo tee /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
Configure the Rocky Linux 9 client's WireGuard interface:
$ sudo vi /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <Client-private-key>
Address = 172.16.0.2/24
[Peer]
PublicKey = <server-public-key>
Endpoint = <server-ip-address>:51820
AllowedIPs = 0.0.0.0/0
Address must lie in the server's tunnel subnet (172.16.0.0/24 here), and PublicKey is the contents of the server's server_public.key. Endpoint is the server's public address, or the router's public address when the server is behind NAT. AllowedIPs = 0.0.0.0/0 makes this a full tunnel: wg-quick routes all of the client's IPv4 traffic through wg0, which is why the server needs IP forwarding and masquerading. For a split tunnel that only reaches the VPN subnet, use AllowedIPs = 172.16.0.0/24 instead. If the client sits behind NAT and must remain reachable from the server while idle, add PersistentKeepalive = 25 to the [Peer] section.
Run the command below on the VPN server to authorize the client. Its public key (client_public.key) is bound to its tunnel address, which is the only source address the server will accept from it:
sudo wg set wg0 peer <client-public-key> allowed-ips 172.16.0.2/32
Because the server config has SaveConfig = true, this peer is written to /etc/wireguard/wg0.conf the next time the interface is brought down. Without SaveConfig you would instead add an equivalent [Peer] section with PublicKey and AllowedIPs to wg0.conf by hand.
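Before bringing the client up, it is worth checking that the two configuration files actually agree: the symptom of almost every mistake above (a client address outside the tunnel subnet, a public key pasted from the wrong file, a peer added on the server with a different allowed-ips than the client uses) is simply "no handshake" with nothing in the logs. The following is an added example, not part of the original guide or of the WireGuard project: a Python 3 script (standard library only) that parses both configs, derives the public keys from the private keys with a pure-Python X25519 so the pairing can be checked offline, and reports every inconsistency it finds, including a prefix that two server peers claim. The configs and keys embedded in it are constructed for illustration; the keys are the published RFC 7748 test vectors, not keys anyone should deploy, and the second client config deliberately carries a 176.16.0.2 slip to show what a finding looks like.

```python
import base64
import ipaddress

P = 2**255 - 19  # field prime for X25519 (RFC 7748)

def parse_wg_conf(text):
    """wg-quick INI text -> {"Interface": {...}, "Peer": [{...}, ...]} (many [Peer] allowed)."""
    conf, section = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "Peer":
                conf["Peer"].append({})
        elif line:
            key, _, value = line.partition("=")
            target = conf["Interface"] if section == "Interface" else conf["Peer"][-1]
            target[key.strip()] = value.strip()
    return conf

def x25519(k, u):
    """RFC 7748 Montgomery ladder: scalar k times u-coordinate u (32 little-endian bytes each)."""
    k = bytearray(k)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64  # clamp the scalar, as wg genkey does
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, da, cb = (aa - bb) % P, (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pubkey_from_private(private_b64):
    """What `wg pubkey` prints for this private key: X25519 with the base point u = 9."""
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv, bytes([9]) + bytes(31))).decode()

def check_pair(server_text, client_text):
    """Findings (empty list = consistent) for one server config and one client config."""
    srv, cli = parse_wg_conf(server_text), parse_wg_conf(client_text)
    srv_pub = pubkey_from_private(srv["Interface"]["PrivateKey"])
    cli_pub = pubkey_from_private(cli["Interface"]["PrivateKey"])
    srv_net = ipaddress.ip_interface(srv["Interface"]["Address"]).network
    cli_ip = ipaddress.ip_interface(cli["Interface"]["Address"]).ip
    findings = []
    if cli_ip not in srv_net:
        findings.append(f"client Address {cli_ip} is outside the server tunnel subnet {srv_net}")
    peer = cli["Peer"][0] if cli["Peer"] else {}
    if peer.get("PublicKey") != srv_pub:
        findings.append("client [Peer] PublicKey is not the public key of the server PrivateKey")
    # Cryptokey routing: the client's tunnel IP must be an AllowedIP of the server peer holding
    # the client's key, and a prefix may belong to one peer only (wg moves a duplicate silently).
    owner, routed = {}, False
    for p in srv["Peer"]:
        for cidr in filter(None, p.get("AllowedIPs", "").replace(" ", "").split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            if owner.get(net, p["PublicKey"]) != p["PublicKey"]:
                findings.append(f"server AllowedIPs {net} is claimed by two peers")
            owner[net] = p["PublicKey"]
            routed |= cli_ip in net and p["PublicKey"] == cli_pub
    if not routed:
        findings.append(f"server has no [Peer] with the client's key whose AllowedIPs cover {cli_ip}")
    return findings

b64_from_hex = lambda hex_key: base64.b64encode(bytes.fromhex(hex_key)).decode()

# Constructed sample keys: the X25519 private keys of RFC 7748 section 6.1, whose public
# keys are published, so the derivation itself can be checked. Never deploy them.
SERVER_PRIV = b64_from_hex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
CLIENT_PRIV = b64_from_hex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
SERVER_CONF = f"""[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = {SERVER_PRIV}
[Peer]
PublicKey = {pubkey_from_private(CLIENT_PRIV)}
AllowedIPs = 172.16.0.2/32
"""
CLIENT_CONF_TYPO = f"""[Interface]
PrivateKey = {CLIENT_PRIV}
Address = 176.16.0.2/24
[Peer]
PublicKey = {pubkey_from_private(SERVER_PRIV)}
Endpoint = 192.168.1.183:51820
AllowedIPs = 0.0.0.0/0
"""
CLIENT_CONF_OK = CLIENT_CONF_TYPO.replace("176.16.0.2", "172.16.0.2")
```

To use it on real files, read /etc/wireguard/wg0.conf from both machines (as root, since they contain private keys) and pass the two strings to check_pair; with the sample configs, check_pair(SERVER_CONF, CLIENT_CONF_TYPO) reports the out-of-subnet address and the missing server peer, while check_pair(SERVER_CONF, CLIENT_CONF_OK) returns an empty list. The X25519 implementation is written for clarity, not speed or constant-time behaviour, which is fine for a check that runs on a config file you already hold; it is not a substitute for wg pubkey in anything that handles keys at scale.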
Start the WireGuard interface on the client system with the following command (the final resolvconf line in the output appears only when the client config also sets DNS =):
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.16.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
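The quickest check on either side is sudo wg show wg0: it lists each peer with its endpoint, allowed ips, latest handshake and transfer counters. A peer with no latest handshake line has never completed a handshake, which points at a key, endpoint or firewall mistake; with a full-tunnel client a single ping to 172.16.0.1 is enough to trigger one. For several peers the machine-readable form sudo wg show wg0 dump is more convenient, and the script below, added here as an example that is not part of the original guide or of the WireGuard project, parses it, classifies each peer, and answers which peer cryptokey routing will send a given tunnel address to. The dump embedded in it is constructed sample data with placeholder keys; on a real server, pipe the command output into the script instead. Note that the first line of dump output contains the interface's private key, so the raw output is itself sensitive and should not be pasted into tickets or chat.

```python
import ipaddress
import sys
import time

STALE_AFTER = 180  # seconds; a peer that is passing traffic re-handshakes at least every ~2 min

def parse_wg_dump(text):
    """Parse the tab-separated `wg show <iface> dump` output.
    Line 1: private_key public_key listen_port fwmark
    Rest:   public_key preshared_key endpoint allowed_ips latest_handshake rx_bytes tx_bytes keepalive
    The interface private key is reported only as present/absent, never as a value."""
    rows = [line.split("\t") for line in text.strip().splitlines()]
    priv, pub, port, _fwmark = rows[0]
    iface = {"public_key": pub, "listen_port": int(port), "has_private_key": priv != "(none)"}
    peers = []
    for pub, psk, endpoint, allowed, handshake, rx, tx, keepalive in rows[1:]:
        peers.append({
            "public_key": pub,
            "preshared_key": psk != "(none)",
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": [] if allowed == "(none)" else
                           [ipaddress.ip_network(c, strict=False) for c in allowed.split(",")],
            "latest_handshake": int(handshake),  # unix seconds, 0 = never
            "rx_bytes": int(rx), "tx_bytes": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return iface, peers

def assess_peers(peers, now=None, stale_after=STALE_AFTER):
    """Map public key -> state: 'unroutable' (no AllowedIPs, so even a handshaked peer
    cannot exchange a packet), 'never' (no handshake yet: wrong key, endpoint or firewall),
    'stale' (last handshake older than stale_after: idle or unreachable), or 'ok'."""
    now = int(time.time()) if now is None else now
    states = {}
    for p in peers:
        if not p["allowed_ips"]:
            states[p["public_key"]] = "unroutable"
        elif p["latest_handshake"] == 0:
            states[p["public_key"]] = "never"
        elif now - p["latest_handshake"] > stale_after:
            states[p["public_key"]] = "stale"
        else:
            states[p["public_key"]] = "ok"
    return states

def find_peer(peers, tunnel_ip):
    """Which peer does cryptokey routing send tunnel_ip to? Longest matching AllowedIPs wins."""
    ip, best = ipaddress.ip_address(tunnel_ip), None
    for p in peers:
        for net in p["allowed_ips"]:
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (p["public_key"], net)
    return best[0] if best else None

# Constructed sample: a server like the one in this guide with four peers, captured at NOW.
# The key fields are placeholders, not real base64 keys.
NOW = 1738875000
SAMPLE_DUMP = "\n".join("\t".join(fields) for fields in [
    ["<server-private-key>", "<server-public-key>", "51820", "off"],
    ["<laptop-key>", "(none)", "203.0.113.10:41820", "172.16.0.2/32", str(NOW - 37), "184320", "92160", "off"],
    ["<phone-key>", "(none)", "(none)", "172.16.0.3/32", "0", "0", "0", "25"],
    ["<office-key>", "(none)", "198.51.100.7:51820", "172.16.0.4/32,10.10.0.0/24", str(NOW - 900), "4096", "4096", "off"],
    ["<orphan-key>", "(none)", "(none)", "(none)", "0", "0", "0", "off"],
])

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    iface, peers = parse_wg_dump(text)
    print(f"interface public key {iface['public_key']}, listening on UDP {iface['listen_port']}")
    for key, state in assess_peers(peers, now=NOW if text is SAMPLE_DUMP else None).items():
        print(f"{state:10} {key}")
```

Run as sudo wg show wg0 dump | python3 wg_peers.py on the server (the file name is arbitrary); without input on stdin it evaluates the embedded sample. 'stale' is not by itself an alarm, since WireGuard only handshakes when there is traffic to send, but a peer that should be continuously active (an office gateway, a client with PersistentKeepalive) going stale is worth investigating, and 'never' right after provisioning is the signal to recheck keys and endpoints with the config check above.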
Conclusion
WireGuard has been installed and configured as a VPN server on Rocky Linux 9 | AlmaLinux 9. With the full-tunnel client configuration shown, all of the client's traffic is encrypted between the client and the server before the server forwards it to the Internet. We hope you found this article useful. Cheers!