# Enable the EPEL and ELRepo repositories (their release RPMs are pulled
# straight from the project sites), then install the WireGuard kernel
# module and the userspace tools from them.
# NOTE(review): yum/dnf installs an RPM given by URL or path without a GPG
# signature check by default (localpkg_gpgcheck is off); verify the two
# release RPMs (rpm --checksig) or import the repositories' signing keys
# before trusting what they add to the package sources.
repo_release_rpms=(
  https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
)
sudo yum install "${repo_release_rpms[@]}"
sudo yum install kmod-wireguard wireguard-tools
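# Lock down the WireGuard config directory and pre-create the key and config
# files with restrictive modes BEFORE any secret is written into them.
# mkdir -p is a no-op when the package already created the directory and
# keeps the chmod/touch below from failing when it did not.
sudo mkdir -p /etc/wireguard
sudo chmod 0700 /etc/wireguard
sudo touch /etc/wireguard/privatekey /etc/wireguard/publickey /etc/wireguard/wg0.conf
sudo chmod 0600 /etc/wireguard/privatekey /etc/wireguard/publickey /etc/wireguard/wg0.conf
# Generate the server key pair. The private key travels only through the
# pipe into the 0600 file; the derived public key is what ends up on the
# terminal (it is needed later in the peer's [Peer] section).
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey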
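# One pre-shared key per peer, each created with mode 0600 before the key
# material is written. tee's stdout is discarded so the PSK is never echoed
# to the terminal (scrollback, session logs); the file is the only copy.
for peer in 1 2 3; do
  psk_file=/etc/wireguard/psk.${peer}
  sudo touch "$psk_file"
  sudo chmod 0600 "$psk_file"
  wg genpsk | sudo tee "$psk_file" >/dev/null
done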
# Write the server's [Interface] section: tunnel address, UDP listen port,
# the server's private key, and the iptables rules wg-quick runs when the
# interface comes up/down (%i is expanded by wg-quick to the interface name).
# The delimiter is quoted so nothing inside the template is expanded by the
# shell. Forwarding additionally needs IPv4 forwarding enabled in the kernel
# (sysctl net.ipv4.ip_forward=1), which this snippet does not set; adjust
# eth0 to the server's upstream interface.
sudo tee /etc/wireguard/wg0.conf <<'EOF'
[Interface]
Address = <IP to be set on wg0 interface>
ListenPort = <A port to listen on>
PrivateKey = <The content of server:/etc/wireguard/privatekey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
# Append one [Peer] section to the server config (repeat per peer).
# AllowedIPs is WireGuard's cryptokey routing table, not just a filter:
# on the server it both restricts the source addresses accepted from this
# peer and decides which destinations are routed to it, so 0.0.0.0/0 here
# means "accept anything from this peer and send everything to it".
# Quoted delimiter: the template is written literally, no shell expansion.
sudo tee -a /etc/wireguard/wg0.conf <<'EOF'
[Peer]
PublicKey = <The content of peer:/etc/wireguard/publickey>
AllowedIPs = <IP of peer's wg0 interface or even '0.0.0.0/0' if security does not matter>
PresharedKey = <The content of server:/etc/wireguard/psk.<peer>>
EOF
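# The peer's own wg0.conf (the placeholders are marked peer:/server:, so this
# presumably runs on the peer host; appending it to the server's file would
# leave that file with two [Interface] sections). The PSK must be the same
# value that the server holds in its psk.<peer> file for this peer.
# AllowedIPs on the client is the set of destinations routed into the tunnel;
# a catch-all must be written as 0.0.0.0/0 -- a bare 0.0.0.0 is a single
# /32 host and routes nothing. PersistentKeepalive keeps the NAT mapping
# open for a client sitting behind a firewall/NAT.
# Quoted delimiter: the template is written literally, no shell expansion.
sudo tee -a /etc/wireguard/wg0.conf <<'EOF'
[Interface]
PrivateKey = <The content of peer:/etc/wireguard/privatekey>
Address = <IP of peer's wg0 interface>
[Peer]
PublicKey = <The content of server:/etc/wireguard/publickey>
PresharedKey = <The content of server:/etc/wireguard/psk.<peer>>
Endpoint = <The external IP of server>:<The port defined in server:/etc/wireguard/wg0.conf>
AllowedIPs = <Comma separated list of IPs and networks to be reached through this tunnel, e.g. the server's internal IP, the DMZ internal network or even 0.0.0.0/0>
PersistentKeepalive = 20
EOF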
|              | DMZ            | Server         | Internet | Firewall/NAT | Peer/Client |
|--------------|----------------|----------------|----------|--------------|-------------|
| external IP  |                | 1.2.3.4/32     |          |              | x.y.z.a     |
| internal IP  | 192.126.1.0/24 | 192.168.1.2/24 |          |              | 10.1.2.3/24 |
| wireguard IP |                | 172.16.0.1     |          |              | 172.16.0.2  |
# Server side: /etc/wireguard/wg0.conf on the listening host
# (wireguard IP 172.16.0.1 in the topology table above).
[Interface]
Address = 172.16.0.1
# UDP port the server accepts handshakes on.
# NOTE(review): the firewalld service example further down opens
# port 55555, not 51820 -- the two must agree for peers to connect.
ListenPort = 51820
# Published example value only: generate a fresh key with `wg genkey`
# and never reuse a key that has appeared in documentation.
PrivateKey = gMotnK1iONbBSWwi6/padwDPnd1MlHuUS/I7tj+x+3g=
# Forwarding between the tunnel and eth0 plus NAT for tunnel traffic
# leaving via eth0; %i is replaced by the interface name by wg-quick.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = 7FuoQ9rXq4bK3EsJo9tTATNpEu301j+tlhXSqB2sPkE=
# Identical to the PresharedKey in the client config below; both ends
# must hold the same value.
PresharedKey = JC1hducZ9ovx0Ucie18QvpofTLWcm9I4rdULPqFB9y5=
# Only the client's single tunnel address is accepted from / routed to it.
AllowedIPs = 172.16.0.2/32
# Client side: /etc/wireguard/wg0.conf on the peer behind the firewall/NAT
# (wireguard IP 172.16.0.2 in the topology table above).
[Interface]
# Published example value only: generate a fresh key with `wg genkey`.
PrivateKey = GOwsCfX5pQ/okfKdDtZAbo0QpXga6xbGzfXshFFVBnk=
Address = 172.16.0.2
[Peer]
PublicKey = B2K22l+ncwRumirn9iFd5LJfhxUj/uIc6neikhUOXzo=
# Same value as the server's PresharedKey above.
PresharedKey = JC1hducZ9ovx0Ucie18QvpofTLWcm9I4rdULPqFB9y5=
# Server's external IP and its ListenPort.
Endpoint = 1.2.3.4:51820
# Destinations routed into the tunnel from this client: the server's
# internal network.
AllowedIPs = 192.168.1.0/24
# Periodic keepalive so the NAT in front of the client keeps the
# UDP mapping open.
PersistentKeepalive = 20
After restarting WireGuard, e.g. with `sudo systemctl restart wg-quick@wg0.service`,
all traffic from the peer to 192.168.1.0/24
will go through the WireGuard VPN tunnel.
Don’t forget to open the firewall on the server side for incoming WireGuard traffic on the chosen UDP port, for example by creating a firewalld service like this:
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/services/wireguard.xml -->
<!-- firewalld service definition that opens the WireGuard UDP port.
     The port must equal ListenPort in the server's wg0.conf; the example
     config above listens on 51820, so 55555 below must be adjusted (or the
     config changed) before this file is of use. Activate it with
     firewall-cmd --permanent --add-service=wireguard && firewall-cmd --reload -->
<service>
<short>WireGuard</short>
<description>Wireguard is a simple, fast and modern VPN</description>
<port protocol="udp" port="55555"/>
</service>
On setups without masquerading, don’t forget to add the WireGuard network interface on the server side to a firewalld zone; otherwise IP forwarding won’t work.