How-To WireGuard Server Setup on Fedora 40 (Lab Environment)

1. System Preparation

Disable SELinux

To disable SELinux for greater flexibility in a lab environment (the setting in /etc/selinux/config takes effect at the next boot), change only the SELINUX= line rather than every occurrence of the word, which would also rewrite the file's comments:

sudo sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

Remove firewalld and Install iptables

For a more traditional firewall setup:

sudo dnf -y remove firewalld
sudo dnf install -y iptables iptables-services

Install Additional Tools

To ensure the server has necessary monitoring, network, and development tools:

sudo dnf install -y rsyslog htop make gcc libtool libyaml-devel openssl-devel wget mlocate tcpdump ethtool psmisc vim net-tools iptables iptables-services bind-utils nmap tar telnet

2. WireGuard Installation

Install WireGuard from the Fedora repositories:

sudo dnf install -y wireguard-tools

3. Generate Keys for WireGuard

As root (for example after sudo -i, since /etc/wireguard is owner-only), generate the server and client key pairs on the server. Generating the client's key pair on the server is a lab convenience: the client private key must later be copied to the client over a trusted channel and should then be removed from the server.

cd /etc/wireguard
umask 077
wg genkey | tee server_privatekey | wg pubkey > server_publickey
wg genkey | tee client_privatekey | wg pubkey > client_publickey

4. Configure the WireGuard Server

Create the server configuration file at /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24                     # VPN subnet for the server
ListenPort = 51820                        # Port WireGuard listens on
PrivateKey = <contents of server_privatekey>  # Server's private key

# Client configuration on the server side
[Peer]
PublicKey = <contents of client_publickey>    # Client's public key
AllowedIPs = 10.0.0.2/32                      # IP assigned to the client

Ensure this configuration file has restricted permissions:

sudo chmod 600 /etc/wireguard/wg0.conf

5. Configure the WireGuard Client

On the client side, create a configuration file (example: wg0-client.conf):

[Interface]
PrivateKey = <contents of client_privatekey>  # Client's private key
Address = 10.0.0.2/24                         # IP assigned to this client in the VPN subnet
DNS = 10.24.32.1                              # Internal DNS server

[Peer]
PublicKey = <contents of server_publickey>    # Server's public key
Endpoint = yourdomain.com:51820               # Server's domain or IP and port
AllowedIPs = 0.0.0.0/0, ::/0                  # Routes all traffic through VPN
PersistentKeepalive = 25                      # Keeps the connection alive (useful for mobile)

6. Enable IP Forwarding

Enable IP forwarding by modifying /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Add or confirm the following line is present:

net.ipv4.ip_forward = 1

Apply the change:

sudo sysctl -p

7. Set Up iptables Rules

Flush Existing Rules

To clear any existing rules (this removes the rules but leaves each chain's policy, which is ACCEPT by default, so the host accepts all traffic until further rules are added; acceptable in a lab, not on an internet-facing host):

sudo iptables -F

Set Up NAT Masquerading

Assuming the public-facing network interface is enp1s0, use:

sudo iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE

Save the iptables rules to make them persistent (they are written to /etc/sysconfig/iptables and are restored at boot only if the iptables service is enabled):

sudo service iptables save

8. Enable and Start WireGuard

To start WireGuard and ensure it runs at boot:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

9. Check WireGuard Status

To verify WireGuard is running correctly:

sudo systemctl status wg-quick@wg0