{"id":167804,"date":"2026-05-20T23:07:17","date_gmt":"2026-05-20T20:07:17","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=167804"},"modified":"2026-05-21T01:40:05","modified_gmt":"2026-05-20T22:40:05","slug":"wireguard-vpn-fedora","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/wireguard-vpn-fedora\/","title":{"rendered":"Setup WireGuard VPN on Fedora 44 \/ 43 \/ 42"},"content":{"rendered":"\n
WireGuard ships in the upstream Linux kernel and has been the default modern VPN choice on Fedora for years. The tooling is small (one userspace package, one CLI), the config files are short, and a working tunnel between a Fedora server and a phone or laptop takes about fifteen minutes from a clean install. There is no daemon to keep running, no certificate chain to renew, and the protocol’s resistance to traffic analysis makes it the right pick for both remote-worker access and personal “always-on” mobile VPNs.<\/p>\n\n\n\n
This guide installs WireGuard tooling on Fedora, generates server and client keypairs, writes the two configuration files, opens the right firewalld port, brings the wg0 interface up, and shows how to render the client config as a QR code that a phone WireGuard app can import in a single scan. Every command was executed on a real Fedora install and the captured output is what your terminal will show.<\/p>\n\n\n\n<\/figure>\n\n\n\n
What you will have at the end<\/h2>\n\n\n\n
\n
A Fedora server running WireGuard on UDP\/51820 as the VPN endpoint.<\/li>\n\n\n\n
A 10.99.99.0\/24 private network with the server at 10.99.99.1 and one phone client at 10.99.99.2.<\/li>\n\n\n\n
firewalld zone configured to accept WireGuard traffic and masquerade outbound from the VPN subnet.<\/li>\n\n\n\n
A client config you can render as a QR code, then scan from the WireGuard mobile app to import in one tap.<\/li>\n\n\n\n
A systemd unit so the tunnel comes back automatically after reboot.<\/li>\n<\/ul>\n\n\n\n
The same shape works for laptop clients; only the import step differs (paste the config file into \/etc\/wireguard\/wg0.conf<\/code> on the laptop and run wg-quick up wg0<\/code> there).<\/p>\n\n\n\n
Install WireGuard tooling and supporting packages<\/h2>\n\n\n\n
WireGuard itself is built into the Linux kernel that ships with Fedora, so there is no kernel module to install. Only the userspace tools (wg<\/code> and wg-quick<\/code>), the QR code renderer, and firewalld are needed:<\/p>\n\n\n\n
Verify the userspace tooling and the in-kernel module:<\/p>\n\n\n\n
wg --version\nrpm -q wireguard-tools qrencode firewalld\nmodinfo wireguard | head -2<\/code><\/pre>\n\n\n\n
The modinfo<\/code> line confirms the kernel module is present even before you bring an interface up. WireGuard has been in-tree since Linux 5.6, so every supported Fedora release has it.<\/p>\n\n\n\n
Generate keypairs for the server and the phone client<\/h2>\n\n\n\n
WireGuard uses Curve25519 keypairs for both authentication and encryption. Generate one pair per peer:<\/p>\n\n\n\n
cd \/etc\/wireguard\numask 077\nsudo bash -c 'wg genkey | tee server.key | wg pubkey > server.pub'\nsudo bash -c 'wg genkey | tee phone.key | wg pubkey > phone.pub'\nsudo ls -l<\/code><\/pre>\n\n\n\n
The command output is shown above.<\/p>\n\n\n\n<\/figure>\n\n\n\n
Private keys live in the .key<\/code> files (mode 600) and public keys in the .pub<\/code> files. Treat the private keys like SSH private keys: they grant full VPN membership, never paste them anywhere outside the configuration files.<\/p>\n\n\n\n
Write the server configuration<\/h2>\n\n\n\n
Open \/etc\/wireguard\/wg0.conf<\/code> in your editor and write the server-side config. Substitute the real key values from the files you just generated:<\/p>\n\n\n\n
[Interface]\nAddress = 10.99.99.1\/24\nListenPort = 51820\nPrivateKey = <contents of \/etc\/wireguard\/server.key>\n\n# Forward and masquerade outbound traffic from VPN clients\nPostUp = firewall-cmd --zone=public --add-masquerade\nPostUp = sysctl -w net.ipv4.ip_forward=1\nPostDown = firewall-cmd --zone=public --remove-masquerade\n\n[Peer]\n# Phone client\nPublicKey = <contents of \/etc\/wireguard\/phone.pub>\nAllowedIPs = 10.99.99.2\/32<\/code><\/pre>\n\n\n\n
The AllowedIPs<\/code> in the server’s [Peer]<\/code> stanza is the source filter, not a route: it tells the server which inbound IPs from this peer are legitimate. One address per phone.<\/p>\n\n\n\n
Open the firewall and bring the interface up<\/h2>\n\n\n\n
Open UDP\/51820 in firewalld and turn on masquerading for the outbound interface. The PostUp lines in the config will reapply masquerade on every interface bring-up, but you need the permanent firewalld rules so the port survives a reboot:<\/p>\n\n\n\n
Now bring the tunnel up. wg-quick<\/code> reads the configuration file, sets the interface address, applies the peer list, and runs the PostUp hooks:<\/p>\n\n\n\n
sudo wg-quick up wg0\nsudo wg show wg0\nip -4 addr show wg0<\/code><\/pre>\n\n\n\n
The command output is shown above.<\/p>\n\n\n\n<\/figure>\n\n\n\n
The interface is now listening for inbound peer handshakes. To make it come back automatically after a reboot, enable the unit:<\/p>\n\n\n\n
Write the phone client configuration<\/h2>\n\n\n\n
The phone config is the mirror of the server config. Save it as \/tmp\/wg-phone.conf<\/code> on the server (you will not keep it there long, just long enough to QR-encode it):<\/p>\n\n\n\n
AllowedIPs = 0.0.0.0\/0, ::\/0<\/strong>: route ALL phone traffic through the tunnel. Drop to 10.99.99.0\/24<\/code> for split tunneling (only LAN reachable through VPN, regular internet stays direct).<\/li>\n\n\n\n
Endpoint<\/strong>: the public address the phone connects to. Use a hostname behind dynamic DNS if your server’s IP changes.<\/li>\n\n\n\n
PersistentKeepalive = 25<\/strong>: sends a keepalive packet every 25 seconds. Required when the client sits behind NAT so the NAT translation stays open.<\/li>\n<\/ul>\n\n\n\n
Render the phone config as a QR code<\/h2>\n\n\n\n
The WireGuard mobile app imports configurations from QR codes. qrencode<\/code> can render straight to the terminal in ANSI block characters; the phone scans the screen and the entire config flows across in one go:<\/p>\n\n\n\n
The command output is shown above.<\/p>\n\n\n\n<\/figure>\n\n\n\n
Open the WireGuard app on the phone, tap Add Tunnel<\/strong>, choose Create from QR code<\/strong>, scan the terminal. The tunnel imports with the right name, keys, and routes. Toggle it on and you are routing through the Fedora server. Toggle off when not needed.<\/p>\n\n\n\n
If terminal QR is awkward (font scaling, SSH session colour issues), write to a PNG instead and scan that:<\/p>\n\n\n\n
sudo qrencode -o \/tmp\/wg-phone-qr.png < \/tmp\/wg-phone.conf\n# Then copy the PNG off the server (sftp, paste in chat, etc.) and scan<\/code><\/pre>\n\n\n\n
Once the phone has the config, delete the working copy and the QR PNG from the server. The private key has already moved to the phone; leaving copies on the server adds risk without benefit:<\/p>\n\n\n\n
Keep \/etc\/wireguard\/phone.pub<\/code>; the server still references it via the [Peer]<\/code> stanza.<\/p>\n\n\n\n
Verify end-to-end connectivity<\/h2>\n\n\n\n
From the phone, after the toggle is on, check that traffic exits via the server’s public IP:<\/p>\n\n\n\n
\n
Open a browser to https:\/\/api.ipify.org<\/code>. The reported IP should match your Fedora server’s WAN IP, not the phone’s mobile-carrier IP.<\/li>\n\n\n\n
From the server, sudo wg show wg0<\/code> should now show a non-zero latest handshake<\/code> timestamp and traffic counters that go up when you browse on the phone.<\/li>\n\n\n\n
From the phone, ping 10.99.99.1<\/code>. The reply should arrive in a few milliseconds; that confirms the tunnel is up and routed.<\/li>\n<\/ul>\n\n\n\n
Add a laptop client<\/h2>\n\n\n\n
Repeat the keypair + config pattern on a laptop, with the laptop generating its own keypair locally so the private key never leaves that device:<\/p>\n\n\n\n
# On the laptop\nsudo dnf install -y wireguard-tools # Fedora laptop\n# or: sudo apt install wireguard # Ubuntu\/Debian\n# or: brew install wireguard-tools # macOS\ncd \/etc\/wireguard\numask 077\nsudo bash -c 'wg genkey | tee laptop.key | wg pubkey'<\/code><\/pre>\n\n\n\n
Send only<\/em> the laptop’s public key back to the Fedora server, then on the server append a new [Peer]<\/code> stanza pointing at 10.99.99.3\/32<\/code>, reload the config, and the laptop joins:<\/p>\n\n\n\n
# On the server\nsudo wg set wg0 peer <LAPTOP-PUBLIC-KEY> allowed-ips 10.99.99.3\/32\nsudo wg-quick save wg0 # persists the runtime change to \/etc\/wireguard\/wg0.conf<\/code><\/pre>\n\n\n\n
The laptop config mirrors the phone config except Address = 10.99.99.3\/32<\/code> and a different private key.<\/p>\n\n\n\n
Troubleshooting<\/h2>\n\n\n\n
Handshake never completes<\/h3>\n\n\n\n
If wg show<\/code> reports a peer with latest handshake: (none)<\/code> after a minute of trying:<\/p>\n\n\n\n
\n
From the phone, try a different network. Many corporate Wi-Fi networks block UDP\/51820.<\/li>\n\n\n\n
Confirm the Endpoint<\/code> in the phone config is reachable: nc -uvz vpn.example.com 51820<\/code> from another machine.<\/li>\n\n\n\n
Check the server’s firewall: sudo firewall-cmd --list-all<\/code> must show 51820\/udp<\/code> in the ports list.<\/li>\n\n\n\n
Verify the PublicKey in the server’s [Peer]<\/code> stanza matches the phone’s actual public key. A copy-paste typo here is the most common cause.<\/li>\n<\/ul>\n\n\n\n
Tunnel comes up but the phone has no internet<\/h3>\n\n\n\n
Ping 10.99.99.1<\/code> from the phone: if that works but external IPs do not, the server is not forwarding or masquerading. Verify:<\/p>\n\n\n\n
sudo sysctl net.ipv4.ip_forward # must be 1\nsudo firewall-cmd --query-masquerade # must be yes<\/code><\/pre>\n\n\n\n
Persist ip_forward<\/code> across reboots:<\/p>\n\n\n\n
![\"dnf](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/05\/wm-wg-install-fedora.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"wg](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/05\/wm-wg-keygen-fedora.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"wg-quick](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/05\/wm-wg-up-fedora.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"qrencode](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/05\/wm-wg-qrencode-fedora.png\" "\\"\\"")
<\/figure>\n\n\n\n