
Installing WireGuard VPN on Rocky Linux 8

WireGuard is a lightweight and fast VPN solution built on modern cryptography, and Rocky Linux 8 is a well-suited base for running a secure, high-performance tunnel. In this guide you will learn the complete installation of WireGuard, key pair creation, the private IPv4/IPv6 address layout, firewalld NAT rules and the client connection, from start to finish.

📝 What Will You Learn in This Guide?

  • How to install WireGuard
  • Generate private/public key for server and client
  • Determine private IP address ranges
  • How to configure wg0.conf
  • IP forwarding, NAT and firewalld rules
  • Adding a peer (client) and running the VPN tunnel

WireGuard is faster than traditional VPNs and, thanks to its simple design, easy to manage. This guide is aimed especially at system administrators who want secure internet access from untrusted networks (hotel or cafe WiFi, hotspots, etc.).

WireGuard authenticates peers with public/private key pairs, a completely different approach from the more complex TLS/certificate setup of other VPN solutions such as OpenVPN and IPsec. This makes installation both faster and much simpler.


🔑 WireGuard VPN Installation Steps

Follow the steps below on your Rocky Linux 8 server, one by one.


1. Add Repositories and Install WireGuard

On Rocky Linux 8, the WireGuard packages are not in the default repositories; EPEL and ELRepo are required.

sudo dnf install elrepo-release epel-release -y
sudo dnf install kmod-wireguard wireguard-tools -y

2. Creating a Server Key Pair

Private key (kept secret):

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

Public key:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

This key pair is the server's identity in the VPN tunnel.


3. Determining Private IPv4/IPv6 Ranges

In this example:

IPv4: 10.10.0.0/24

IPv6: fd0a:b6c4:d8e2::/64

Server IPs:

10.10.0.1/24

fd0a:b6c4:d8e2::1/64


4. Server Configuration (wg0.conf)


# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = SUNUCU_PRIVATE_KEY
Address = 10.10.0.1/24, fd0a:b6c4:d8e2::1/64
ListenPort = 51820
SaveConfig = true

5. Turning on IP Forwarding


sudo vi /etc/sysctl.conf

Add:


net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Activate:


sudo sysctl -p

6. Firewalld NAT Rules

Open the WireGuard port:

sudo firewall-cmd --zone=public --add-port=51820/udp --permanent

Add the wg0 interface to the internal zone:

sudo firewall-cmd --zone=internal --add-interface=wg0 --permanent

Enable NAT (masquerade) for the tunnel ranges:

sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=10.10.0.0/24 masquerade' --permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv6 source address=fd0a:b6c4:d8e2::/64 masquerade' --permanent

Load the rules:

sudo firewall-cmd --reload

7. Starting the WireGuard Service


sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service

👥 Client (Peer) Configuration

1. Client Keys (run on the client machine)


wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

2. Client Configuration (wg0.conf)


# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = PEER_PRIVATE_KEY
Address = 10.10.0.2/24
Address = fd0a:b6c4:d8e2::2/64
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

3. Add Peer to Server


sudo wg set wg0 peer PEER_PUBLIC_KEY allowed-ips 10.10.0.2/32,fd0a:b6c4:d8e2::2/128
sudo systemctl restart wg-quick@wg0.service

Start the client:


sudo wg-quick up wg0
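As an added example that is not part of the original guide, the following POSIX shell script automates the three client steps above for each new peer, run on the server: it allocates the next free host number in 10.10.0.0/24 and fd0a:b6c4:d8e2::/64 from the allowed-ips already on wg0, generates the peer's key pair, registers the peer with `wg set`, and prints the client's wg0.conf. It assumes wg0 is up as configured above; the server public key and endpoint are passed in as arguments, and, because wg0.conf has SaveConfig = true, the new peer is written back to the file when the service is restarted as in step 3.

```shell
# Added example, not from the original guide: allocate the next free peer
# address, generate its keys, register it on the server, print its wg0.conf.
set -eu

V4_PREFIX="10.10.0"              # server is .1
V6_PREFIX="fd0a:b6c4:d8e2::"     # server is ::1

# v6_of N: IPv6 host suffix for host number N (hex, so host 10 -> ::a)
v6_of() { printf '%s%x' "$V6_PREFIX" "$1"; }

# next_host USED: USED is a newline-separated list of the IPv4 allowed-ips
# already on wg0 (e.g. "10.10.0.2/32"); prints the lowest free host >= 2.
next_host() {
  used="$1"
  n=2
  while printf '%s\n' "$used" | grep -qxF "${V4_PREFIX}.${n}/32"; do
    n=$((n + 1))
  done
  [ "$n" -le 254 ] || { echo "no free host in ${V4_PREFIX}.0/24" >&2; return 1; }
  echo "$n"
}

# render_client_conf PRIVKEY HOST SERVER_PUBKEY ENDPOINT: the client-side
# wg0.conf (same content as the guide's, both addresses on one line).
render_client_conf() {
  cat <<EOF
[Interface]
PrivateKey = $1
Address = ${V4_PREFIX}.$2/24, $(v6_of "$2")/64
DNS = 1.1.1.1

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# add_peer SERVER_PUBKEY ENDPOINT: run on the server. The peer's private key
# is only printed into the client config, never written to the server's disk.
add_peer() {
  used=$(sudo wg show wg0 allowed-ips | awk '{print $2}')
  host=$(next_host "$used")
  priv=$(wg genkey)
  pub=$(printf '%s\n' "$priv" | wg pubkey)
  sudo wg set wg0 peer "$pub" allowed-ips "${V4_PREFIX}.${host}/32,$(v6_of "$host")/128"
  render_client_conf "$priv" "$host" "$1" "$2"
}
```

Usage on the server: `add_peer SERVER_PUBLIC_KEY 203.0.113.10:51820 > peer.conf`, then move peer.conf to the client over a secure channel and follow it with the restart from step 3.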

📂 Important Files (Table)

File                          Description
/etc/wireguard/private.key    Private key — NEVER shared
/etc/wireguard/public.key     Public key — shared with the peer
/etc/wireguard/wg0.conf       WireGuard configuration
/etc/sysctl.conf              IP forwarding settings

❓ Frequently Asked Questions (FAQ)

1. Why is WireGuard fast?

The code base is small and it uses modern cryptography, so it has low latency and low overhead.

2. Can I use iptables instead of firewalld?

Yes, but Rocky Linux uses firewalld by default, and it is easier to manage.

3. What does AllowedIPs = 0.0.0.0/0 mean?

It routes all traffic through the VPN, so the server acts as your gateway.

4. Can I add more than one peer?

Yes, an unlimited number of peers can be added as long as each one is assigned a unique IP.


🏁 Result

By following this guide, you have successfully completed the WireGuard VPN installation, NAT configuration, IPv4/IPv6 tunneling and client connection steps on Rocky Linux 8. You can now route all your traffic encrypted, even on unsecured networks.

If you are looking for high-performance cloud infrastructure, you can try this setup on GenixNode. 🚀