WireGuard is a modern, high-performance VPN protocol built into the Linux kernel since version 5.6, offering significantly simpler configuration and better performance than older alternatives like OpenVPN or IPsec. On RHEL 8, the WireGuard kernel module is installed from the ELRepo repository and the wireguard-tools userspace package from EPEL. This tutorial covers server-side installation, key generation, interface configuration, IP forwarding, firewall masquerading, and enabling the service on boot. By the end you will have a fully functional WireGuard VPN server on RHEL 8 ready to accept peer connections.

Prerequisites

  • RHEL 8 server with a public IP address and a non-root sudo user
  • EPEL 8 and ELRepo repositories enabled
  • firewalld active (systemctl status firewalld)
  • A WireGuard client installed on your local machine (e.g. the official WireGuard app or wireguard-tools)
  • SELinux in enforcing mode (the default; no changes required for WireGuard)

Step 1 — Enable ELRepo and Install WireGuard

The ELRepo repository provides the kernel module for RHEL 8. Install the repository, the kernel extras module, and the userspace tools in one pass.

# Enable ELRepo
sudo dnf install -y https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm

# Enable EPEL
sudo dnf install -y epel-release

# Install the kernel module and userspace tools
sudo dnf install -y kmod-wireguard wireguard-tools

# Verify the module loads
sudo modprobe wireguard
lsmod | grep wireguard

Step 2 — Generate Server and Client Key Pairs

WireGuard uses Curve25519 asymmetric key pairs. Generate a separate pair for the server and for each client. Keep private keys secret at all times.

# Create new files without group/other access so private keys are never world-readable
umask 077
mkdir -p ~/wg-keys && cd ~/wg-keys

# Server keys
wg genkey | tee server_private.key | wg pubkey > server_public.key

# Client keys (repeat for each peer)
wg genkey | tee client1_private.key | wg pubkey > client1_public.key

# Protect private keys
chmod 600 server_private.key client1_private.key

cat server_private.key   # copy this value for server config
cat client1_public.key   # copy this value for server [Peer] block

Step 3 — Create the Server Configuration

Create /etc/wireguard/wg0.conf with the server interface settings and a peer block for each client. Replace key placeholders with the values generated in the previous step.

sudo bash -c 'cat > /etc/wireguard/wg0.conf << "EOF"
[Interface]
Address     = 10.0.0.1/24
PrivateKey  = <contents of server_private.key>
ListenPort  = 51820

# Enable masquerading when the interface comes up and remove it when it goes down
PostUp   = firewall-cmd --zone=public --add-masquerade
PreDown  = firewall-cmd --zone=public --remove-masquerade

[Peer]
# client1
PublicKey  = <contents of client1_public.key>
AllowedIPs = 10.0.0.2/32
EOF'

sudo chmod 600 /etc/wireguard/wg0.conf
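
The following check is an added example, not part of the original tutorial. It lints the Step 3 file before the interface is brought up: file permissions, unfilled or malformed keys, and an address listed under AllowedIPs for more than one peer. The function name wg_conf_lint is hypothetical.

```sh
#!/bin/sh
# Added example: lint a wg-quick server config before `wg-quick up`.
# Prints one finding per line; returns 0 only when there are none.
wg_conf_lint() {
    conf=$1
    findings=$(
        # The file holds the private key: no access for group or other.
        case $(ls -ld "$conf" | cut -c1-10) in
            (-???------) ;;
            (*) echo "permissions: group/other can access $conf" ;;
        esac
        awk '
            # A WireGuard key is 32 bytes: 43 base64 characters plus "=".
            function iskey(v) { return length(v) == 44 && v ~ "^[A-Za-z0-9+/]+=$" }
            function endpeer() {
                if (sect != "peer") return
                if (!pub) print "peer " n ": missing or malformed PublicKey"
                if (!ips) print "peer " n ": no AllowedIPs"
            }
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            /^\[/ {
                endpeer(); pub = ips = 0
                sect = ($0 ~ /^\[Peer\]/) ? "peer" : "if"
                if (sect == "peer") n++
                next
            }
            {   # Split "Key = value"; the value may itself end in "=".
                key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            }
            sect == "if" && key == "PrivateKey" { priv = iskey(val) }
            sect == "peer" && key == "PublicKey" { pub = iskey(val) }
            sect == "peer" && key == "AllowedIPs" && val != "" {
                m = split(val, a, /[ \t]*,[ \t]*/)
                for (i = 1; i <= m; i++) {
                    # An allowed IP maps to one peer only; a repeat moves it.
                    if (a[i] in owner)
                        print "peer " n ": " a[i] " already assigned to peer " owner[a[i]]
                    owner[a[i]] = n; ips = 1
                }
            }
            END { endpeer(); if (!priv) print "interface: missing or malformed PrivateKey" }
        ' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root, for example `wg_conf_lint /etc/wireguard/wg0.conf`, and bring the interface up only when it prints nothing.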

Step 4 — Enable IP Forwarding

The server must forward packets between the WireGuard interface and the internet-facing NIC. Enable this persistently via sysctl.

# Enable immediately
sudo sysctl -w net.ipv4.ip_forward=1

# Persist across reboots
echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf

Step 5 — Configure firewalld and Open the WireGuard Port

WireGuard uses UDP. Open port 51820 and reload firewalld. The masquerade rule in the PostUp hook handles NAT for VPN clients automatically.

sudo firewall-cmd --permanent --add-port=51820/udp
sudo firewall-cmd --reload

# Verify
sudo firewall-cmd --list-all

Step 6 — Start WireGuard and Enable on Boot

Use wg-quick to bring up the interface and systemd to persist it across reboots. Verify the tunnel is active with wg show.

# Bring up the interface
sudo wg-quick up wg0

# Check tunnel status
sudo wg show

# Enable the service to start on boot
sudo systemctl enable wg-quick@wg0

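# Generate a sample client config (fill in the client private key, server public key and server IP)
cat > ~/client1.conf << "EOF"
[Interface]
Address    = 10.0.0.2/24
PrivateKey = <contents of client1_private.key>
DNS        = 1.1.1.1

[Peer]
PublicKey  = <contents of server_public.key>
Endpoint   = <server public IP>:51820
AllowedIPs = 0.0.0.0/0
EOF

# The client config contains a private key; restrict access to it
chmod 600 ~/client1.conf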

Conclusion

You now have a fully operational WireGuard VPN server on RHEL 8 with IP forwarding, firewall masquerading, and automatic startup on boot. WireGuard’s minimal codebase, modern cryptography (ChaCha20, Poly1305, Curve25519), and kernel-native implementation make it the recommended VPN solution for new deployments. Distribute the generated client config files to each peer and import them into the WireGuard client application of their choice.
