WireGuard is a modern, secure, and efficient VPN solution. This guide provides a comprehensive walkthrough of setting up a WireGuard server on CentOS 9 and configuring an Android client to connect. We'll cover the entire process, from server installation to client configuration, ensuring a secure and reliable VPN connection.
Installing WireGuard on CentOS 9
Before beginning, ensure your CentOS 9 system is updated:
sudo dnf update -y
Next, install the necessary packages (on CentOS Stream 9 the wireguard-tools package is provided by the EPEL repository, so enable EPEL first if dnf reports no match):
sudo dnf install wireguard-tools -y
This installs the wg command-line tool, essential for managing WireGuard interfaces, together with the wg-quick helper used later in this guide.
Generating Server Keys and Configuration
We'll now generate the server's private and public keys. Keep the private key secure; it should never be shared.
sudo wg genkey | tee privatekey | wg pubkey > publickey
This command generates a private key (privatekey) and its corresponding public key (publickey). The tee command duplicates the output to both the file and the terminal. Because tee creates privatekey with your shell's default umask, run umask 077 first (or chmod 600 privatekey afterwards) so the private key is not readable by other users on the server.
Now, let's create the server configuration file (/etc/wireguard/wg0.conf):
sudo nano /etc/wireguard/wg0.conf
Paste the following configuration, replacing placeholders with your actual values:
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <paste your privatekey here>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <your_public_interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <your_public_interface> -j MASQUERADE
[Peer]
# The client's public key is generated in the Android section below
PublicKey = <paste your client's publickey here>
AllowedIPs = 10.8.0.2/32
Remember to replace <paste your privatekey here> with the contents of your privatekey file and <your_public_interface> with the name of the server's internet-facing network interface (for example eth0, as listed by ip addr); the -o option of the MASQUERADE rule takes an interface name, not an IP address. The PostUp and PostDown commands add and remove the iptables rules that forward and NAT the client's traffic so it can reach the internet. Forwarding must also be enabled in the kernel (net.ipv4.ip_forward = 1 via sysctl), or the client's packets are dropped before they ever reach the NAT rule.
Enabling and Starting WireGuard
Bring the WireGuard interface up:
sudo wg-quick up wg0
Verify the interface is up and running:
sudo wg show
You should see the WireGuard interface wg0 with its IP address and peer information.
Android Client Configuration
Now, let's configure the Android client. You'll need a WireGuard client app (many are available on the Google Play Store). We'll use the configuration generated in the previous steps.
- Generate Client Keys: On your server, generate the client's keys (with the same umask 077 precaution as for the server keys):
sudo wg genkey | tee client_privatekey | wg pubkey > client_publickey
- Add Client to Server Configuration: Add the client's public key to your server's /etc/wireguard/wg0.conf file under the [Peer] section:
[Peer]
PublicKey = <paste your client_publickey here>
AllowedIPs = 10.8.0.2/32
- Create Client Configuration: Create a configuration file for your Android client (e.g., client.conf):
[Interface]
PrivateKey = <paste your client_privatekey here>
Address = 10.8.0.2/32
# Optional: Google DNS
DNS = 8.8.8.8
[Peer]
PublicKey = <paste your server's publickey here>
AllowedIPs = 0.0.0.0/0
Endpoint = <your_server_public_ip>:51820
Replace the placeholders with your client's private key, your server's public key, and your server's public IP address and port. AllowedIPs = 0.0.0.0/0 routes all of the client's IPv4 traffic through the VPN (IPv6 is only covered if ::/0 is added as well). You can customize this for more granular control.
- Import Configuration into Android Client: Import the client.conf file into your chosen Android WireGuard app. Because client.conf contains the client's private key, transfer it over a trusted channel and delete the server-side copy once it is imported; the Android app can also generate its own key pair, in which case only the public key needs to reach the server.
Troubleshooting
- Connectivity Issues: Check your firewall settings on both the server and any routers involved. Ensure UDP port 51820 is open (WireGuard uses UDP only).
- Key Errors: Double-check that you have copied the correct keys and that the keys are correctly formatted.
- IP Address Conflicts: Verify that the IP addresses in the server and client configurations are unique within their respective subnets, and that each client's Address matches the AllowedIPs of its [Peer] entry on the server.
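The key and address checks above can be automated. The following Python script is an added example (not part of the original guide) that parses a WireGuard configuration the way wg-quick reads it and reports the mistakes this section describes: leftover <placeholder> values, keys that are not 32-byte base64 strings, and AllowedIPs that overlap between peers. The wg0.conf text and both keys inside it are constructed for the demonstration and are not real keys.

```python
import base64
import ipaddress
# Constructed sample (not a real server's file): the guide's wg0.conf with the
# client placeholder still unfilled and a second peer reusing 10.8.0.2/32.
SAMPLE_CONF = """\
[Interface]
PrivateKey = YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU=
[Peer]
PublicKey = <paste your client's publickey here>
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU=
AllowedIPs = 10.8.0.2/32
"""

def parse_wg_conf(text):
    # Keeps repeated [Peer] blocks and strips '#' comments, as wg-quick does.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def key_is_valid(value):
    # A WireGuard key is 32 bytes, i.e. exactly 44 chars of standard base64.
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint_wg_conf(text):
    # Returns a list of problems; an empty list means every check passed.
    problems, seen = [], []
    for name, opts in parse_wg_conf(text):
        for key, value in opts.items():
            if value.startswith("<") and value.endswith(">"):
                problems.append(f"{name}.{key} still holds the placeholder {value}")
            elif key.endswith("Key") and not key_is_valid(value):
                problems.append(f"{name}.{key} is not a valid 32-byte base64 key")
        if name == "Peer" and "AllowedIPs" in opts:
            for cidr in opts["AllowedIPs"].split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                if any(net.version == o.version and net.overlaps(o) for o in seen):
                    problems.append(f"AllowedIPs {net} is already routed to an earlier peer")
                seen.append(net)
    return problems
```

Run lint_wg_conf on the contents of /etc/wireguard/wg0.conf or client.conf before bringing the interface up; on the sample it reports the unfilled placeholder and the duplicated 10.8.0.2/32.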
This detailed guide enables a secure VPN connection between your CentOS 9 server and your Android device. Remember to keep your private keys secure and update your configurations as needed. Always prioritize security best practices when setting up and managing VPN connections.