Photo excerpted from [Thin Ethernet Ramble (TS 10:38)][2] by [High Treason][3]
Virtual Private Networks (VPNs) are used extensively. Nowadays there are different solutions available which allow users access to any kind of resource while maintaining their confidentiality and privacy.
Lately, one of the most commonly used VPN protocols is WireGuard because of its simplicity, speed and the security it offers. WireGuard’s implementation started in the Linux kernel, but it is now available on other platforms such as iOS and Android, among others.
WireGuard uses UDP as its transport protocol and bases communication between peers on Cryptokey Routing (CKR). Each peer, either server or client, has a pair of keys (public and private), and each peer's public key is linked to the list of allowed IPs it may communicate with. For further information about WireGuard please visit its [page][4].
This article describes how to set up WireGuard between two peers: PeerA and PeerB. Both nodes are running Fedora Linux and both are using NetworkManager for a persistent configuration.
## **WireGuard set up and networking configuration**
You are only three steps away from having a persistent VPN connection between PeerA and PeerB:
1. Install the required packages.
2. Generate key pairs.
3. Configure the WireGuard interfaces.
### **Installation**
Install the _wireguard-tools_ package on both peers (PeerA and PeerB):
```
$ sudo -i
# dnf -y install wireguard-tools
```
This package is available in the Fedora Linux updates repository. It creates a configuration directory at _/etc/wireguard/_. This is where you will create the keys and the interface configuration file.
### **Generate the key pairs**
Next, use the _wg_ utility to generate both public and private keys on each node. Setting a restrictive umask first keeps the private key file readable only by root:
```
# cd /etc/wireguard
# umask 077
# wg genkey | tee privatekey | wg pubkey > publickey
```
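A permission check for the files this procedure leaves in _/etc/wireguard/_, as an added example that is not part of the original article: `tee` creates _privatekey_ with whatever mode the current umask allows, and the interface configuration file also carries the private key. The function name `wg_audit_secrets` and all key strings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag WireGuard secret files that group or other can access.

# Prints "EXPOSED <path>" for every regular file directly under DIR that
# holds secret key material and has any group/other permission bit set.
# Exit status is 0 when nothing is exposed, 1 otherwise.
wg_audit_secrets() (
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            privatekey) ;;   # written by: wg genkey | tee privatekey
            *)  # any config carrying a key, e.g. wg0.conf
                grep -Eiq '^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=' "$f" \
                    || continue ;;
        esac
        # POSIX find: "-perm -NNN" is true when every bit in NNN is set.
        if [ -n "$(find "$f" \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
            printf 'EXPOSED %s\n' "$f"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
)

# Demo on a constructed directory standing in for /etc/wireguard.
# All key strings below are constructed placeholders, not real keys.
demo=$(mktemp -d)
printf 'CONSTRUCTED-PRIVATE\n' > "$demo/privatekey"
chmod 644 "$demo/privatekey"      # what tee produces under umask 022
printf 'CONSTRUCTED-PUBLIC\n' > "$demo/publickey"
chmod 644 "$demo/publickey"       # public key: readable is fine
printf '[Interface]\nPrivateKey = CONSTRUCTED-PRIVATE\n' > "$demo/wg0.conf"
chmod 600 "$demo/wg0.conf"
wg_audit_secrets "$demo" || echo "tighten with: chmod 600 <file>"
rm -rf "$demo"
```

On a real peer, run `wg_audit_secrets /etc/wireguard` as root once the keys and the interface configuration file exist.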
### **Configure the WireGuard interface on PeerA**
WireGuard interfaces are named _wg0_, _wg1_ and so on. Create the configuration for the WireGuard interface. For this, you need the following items:
* The IP address and netmask you want to configure on the PeerA node.
The last step is to import the interface profile into NetworkManager. As I mentioned before, this allows the WireGuard interface to have a persistent configuration after reboots.
```
# nmcli con import type wireguard file /etc/wireguard/wg0.conf
```
The above output shows that interface _wg0_ is connected. It is now able to communicate with one peer whose VPN IP address is 172.16.1.254.
### **Verify connectivity between peers**
After executing the procedure described earlier, both peers can communicate with each other through the VPN connection, as demonstrated in the following ICMP test:
```
[root@peerb ~]# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.566 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=1.33 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=1.67 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=1.47 ms
```
In this scenario, if you capture UDP traffic on port 60001 on PeerA, you will see the communication relying on the WireGuard protocol and the encrypted data:
![Capture of UDP traffic between peers relying on WireGuard protocol][5]
## Conclusion
Virtual Private Networks (VPNs) are very common. Among a wide variety of protocols and tools for deploying a VPN, WireGuard is a simple, lightweight and secure choice. It allows secure point-to-point connections between peers based on Cryptokey Routing, and the procedure is very straightforward. In addition, NetworkManager supports WireGuard interfaces, allowing persistent configurations after reboots.