WireGuard – A Fast, Modern and Secure VPN Tunnel for Linux

WireGuard is a modern, secure, cross-platform and general-purpose VPN implementation that uses state-of-the-art cryptography. It aims to be speedy, simpler, leaner and more functional than IPsec and it intends to be more performant than OpenVPN.

It is designed for use in various circumstances and can be deployed on embedded interfaces, fully loaded backbone routers, and supercomputers alike; and runs on Linux, Windows, macOS, BSD, iOS, and Android operating systems.

Recommended Read: 13 Best VPN Services with Lifetime Subscription

It presents an extremely basic yet powerful interface that aims to be simple, as easy to configure and deploy as SSH. Its key features include a simple network interface, crypto key routing, built-in roaming and container support.

Note that at the time of writing, it is under heavy development: some of its parts are working toward a stable 1.0 release, while others are already there (working fine).

In this article, you will learn how to install and configure WireGuard in Linux to create a VPN tunnel between two Linux hosts.

Testing Environment

For this guide, our setup (hostname and public IP) is as follows:

Node 1 : tecmint-appserver1: 		10.20.20.4
Node 2 : tecmint-dbserver1: 		10.20.20.3

How to Install WireGuard in Linux Distributions

Log into your both nodes and install WireGuard using the following appropriate command for your Linux distributions as follows.

Install WireGuard in RHEL 8

$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
$ sudo yum copr enable jdoss/wireguard
$ sudo yum install wireguard-dkms wireguard-tools

Install WireGuard in CentOS 8

$ sudo yum install epel-release
$ sudo yum config-manager --set-enabled PowerTools
$ sudo yum copr enable jdoss/wireguard
$ sudo yum install wireguard-dkms wireguard-tools

Install WireGuard in RHEL/CentOS 7

$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ sudo yum install wireguard-dkms wireguard-tools

Install WireGuard in Fedora

$ sudo dnf install wireguard-tools

Install WireGuard in Debian

# echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
# printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
# apt update
# apt install wireguard

Install WireGuard in Ubuntu

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard

Install WireGuard in OpenSUSE

$ sudo zypper addrepo -f obs://network:vpn:wireguard wireguard
$ sudo zypper install wireguard-kmp-default wireguard-tools

Configuring a WireGuard VPN Tunnel Between Two Linux Hosts

When the installation of wireguard is complete on both nodes, you can reboot your nodes or add the wireguard module from the Linux kernel using the following command on both nodes.

$ sudo modprobe wireguard
OR
# modprobe wireguard

Next, generate base64-encoded public and private keys using the wg utility on both nodes as shown.

---------- On Node 1 ---------- 
$ umask 077
$ wg genkey >private_appserver1

---------- On Node 2 ----------
$ umask 077
$ wg genkey >private_dbserver1
$ wg pubkey < private_dbserver1
Generate Keys on Both Nodes
Generate Keys on Both Nodes

Next, you need to create a network interface (e.g wg0) for wiregaurd on the peers as shown below. Then assign IP addresses to the new network interface created (for this guide, we will use the network 192.168.10.0/24).

---------- On Node 1 ---------- 
$ sudo ip link add dev wg0 type wireguard
$ sudo ip addr add 192.168.10.1/24 dev wg0

---------- On Node 2 ----------
$ sudo ip link add dev wg0 type wireguard
$ sudo ip addr add 192.168.10.2/24 dev wg0

To view the attached network interfaces on the peers and their IP addresses, use the following IP command.

$ ip ad
View Network Interfaces with IP Addresses
View Network Interfaces with IP Addresses

Next, assign the private key for each peer to the wg0 network interface and bring up the interface as shown.

---------- On Node 1 ---------- 
$ sudo wg set wg0 private-key ./private_appserver1
$ sudo ip link set wg0 up

---------- On Node 2 ----------
$ sudo wg set wg0 private-key ./private_dbserver1
$ sudo ip link set wg0 up

Now that both links are up each with private keys associated with them, run the wg utility without any arguments to retrieve the configuration of WireGuard interfaces on the peers. Then create your wireguard VPN tunnel as follows.

The peer (public key), allowed-ips (network/subnet mask) and endpoint (public ip:port) are of the opposite peer.

----------  On Node1 (Use the IPs and Public Key of Node 2) ---------- 
$ sudo wg
$ sudo wg set wg0 peer MDaeWgZVULXP4gvOj4UmN7bW/uniQeBionqJyzEzSC0= allowed-ips 192.168.10.0/24  endpoint  10.20.20.3:54371

----------  On Node2 (Use the IPs and Public Key of Node 1) ----------
$ sudo wg
$ sudo wg set wg0 peer 6yNLmpkbfsL2ijx7z996ZHl2bNFz9Psp9V6BhoHjvmk= allowed-ips 192.168.10.0/24 endpoint  10.20.20.4:42930
Create Wireguard VPN Tunnel Between Linux Machines
Create Wireguard VPN Tunnel Between Linux Machines

Testing WireGuard VPN Tunnel Between Linux Systems

Once the wireguard VPN tunnel has been created, ping the opposite peer using the address of the wireguard network interface. Then run the wg utility once again to confirm a handshake between the peers as shown.

---------- On Node 1 ----------
$ ping 192.168.10.2
$ sudo wg

---------- On Node 2 ----------
$ ping 192.168.10.1
$ sudo wg
Test Wireguard VPN Tunnel Between Linux Machines
Test Wireguard VPN Tunnel Between Linux Machines

That’s it for now! WireGuard is a modern, secure, simple yet powerful and easy-to-configure VPN solution for the future. It is undergoing heavy development thus work in progress. You can get more information especially about its internal inner workings and other configuration options from the WireGuard homepage.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Got something to say? Join the discussion.

This site uses Akismet to reduce spam. Learn how your comment data is processed.