WireGuard

WireGuard is not designed for censorship circumvention. Nevertheless, because it is new, it may not yet be blocked by censorship firewalls.

Server

SSH, PuTTY, or Xshell into your server. Get the server up to date. On CentOS:

yum update -y

On Debian or Ubuntu:

apt update
apt upgrade -y

Download the Angristan WireGuard install script from GitHub. On CentOS, you may need to do yum install wget before this will work.

wget https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh

Set the execution bit.

chmod +x wireguard-install.sh

Run the script.

./wireguard-install.sh

Accept the defaults unless you have some reason to change them. For example, on a NAT IPv4 server, you’ll need to use one of your 20 allocated ports as the server’s WireGuard port. Or you may have pre-opened a certain port for WireGuard in your firewall.

I need to ask you a few questions before starting the setup. You can leave the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: YY.YY.YY.YY
Public interface: eth0
WireGuard interface name: wg0
Server's WireGuard IPv4: 10.66.66.1
Server's WireGuard IPv6: fd42:42:42::1
Server's WireGuard port [1-65535]: 63978
First DNS resolver to use for the clients: 176.103.130.130
Second DNS resolver to use for the clients (optional): 176.103.130.131

Okay, that was all I needed. We are ready to setup your WireGuard server now. You will be able to generate a client at the end of the installation. Press any key to continue...

The script installs software for a couple of minutes. Then it asks you to name the first client. You can call the client something like windows. The actual name is up to you.

Tell me a name for the client. The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: windows
Client's WireGuard IPv4: 10.66.66.2
Client's WireGuard IPv6: fd42:42:42::2

The file wg0-client-windows.conf will be created, containing the configuration for your client. Copy the contents of that file to your Windows clipboard.

cat wg0-client-windows.conf

The script has stored the server’s WireGuard configuration in /etc/wireguard/wg0.conf. This file includes the IP masquerading rules for iptables or firewalld. The script has also created a systemd service file named /lib/systemd/system/wg-quick@.service. You can check the status of the service with the command:

systemctl status wg-quick@wg0

Client

Download the WireGuard for Windows client installer from the WireGuard site. Run the installer.

After the install is done, launch WireGuard.

  1. Click Add Tunnel >Add empty tunnel.
  2. Give the tunnel a name.
  3. Replace the contents of the tunnel definition with the contents of your wg0-client-windows.conf file from the server.
  4. Click Save.
  5. Click Activate.

Now open a browser and surf the web over your VPN.

Error: Unknown device type

Sometimes systemctl status wg-quick@wg0 shows Error: Unknown device type. There are various solutions. The solution that worked for me came from Meer-Web. Start with the command:

modprobe wireguard

If it returns a result like this:

modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.18.0-193.14.2.el8_2.x86_64

Then proceed with this solution. Get the version number:

dkms status

We will use as an example 1.0.20200729. Substitute your version number into the commands that follow:

dkms build wireguard/1.0.20200729
dkms install wireguard/1.0.20200729
modprobe wireguard

The last command no longer returns an error. So continue:

systemctl restart wg-quick@wg0
systemctl status wg-quick@wg0