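# dnf install -y wireguard-tools
# cd /etc/wireguard
# wg genkey | tee privatekey | wg pubkey > publickey
Note: tee creates privatekey with the shell's current umask, so with a 022 umask the file mode is 0644. Running umask 077 in this shell beforehand makes privatekey and the wg0.conf written next readable by root only.
# cat << EOF > /etc/wireguard/wg0.conf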
# Server side of the tunnel (this text is written to /etc/wireguard/wg0.conf).
[Interface]
# Tunnel address of the server inside the VPN.
Address = 172.16.1.254/32
# wg-quick option that writes the running interface state back to this file on shutdown.
# NOTE(review): this page imports the file with nmcli rather than wg-quick; confirm the option has any effect there.
SaveConfig = true
# UDP port the server listens on; the same port is opened in the firewall.
ListenPort = 60001
# Placeholder: paste the contents of the generated privatekey file. This value is a secret and must never be shared.
PrivateKey = ---- your generated privatekey
# Client
[Peer]
# Placeholder: the client's public key (contents of the client's publickey file).
PublicKey = ---- CLIENT PUBLIC KEY
# Only this tunnel address is accepted from, and routed to, this peer.
AllowedIPs = 172.16.1.2/32
EOF
# firewall-cmd --add-port=60001/udp --permanent --zone=public --permanent
# firewall-cmd --reload
# nmcli con import type wireguard file /etc/wireguard/wg0.conf

# cd /etc/wireguard
# wg genkey | tee privatekey | wg pubkey > publickey
Configurations look almost the same, with the difference that there's no ListenPort directive on the client and the addition of the endpoint directive, which is the public ip:port of the wireguard server. The client's privatekey and wg0.conf hold its private key, so keep them readable by root only (umask 077 before generating them, or chmod 600 afterwards).
# cat << EOF > /etc/wireguard/wg0.conf
# Client side of the tunnel.
[Interface]
# Tunnel address of the client inside the VPN.
Address = 172.16.1.2/24
# Placeholder: paste the contents of the client's generated privatekey file. This value is a secret and must never be shared.
PrivateKey = ---- your generated privatekey
[Peer]
# Placeholder: the server's public key (contents of the server's publickey file).
PublicKey = ------ SERVER PUBLIC KEY
# Placeholder: public IP of the server and the UDP port it listens on (its ListenPort).
endpoint = SERVER_PUBLIC_IP:PORT
# Destinations in this range are sent through the tunnel to the server; only sources in this range are accepted from it.
AllowedIPs = 172.16.1.0/24
EOF
# nmcli con import type wireguard file /etc/wireguard/wg0.conf

In order to keep things clean we'll create a new zone for our Wireguard VPN.
Create the zone
# firewall-cmd --new-zone=wireguard --permanent
Remove the wireguard interface from the public zone (`sotolito` looks like the author's own interface name; substitute the interface that is actually assigned to your public zone)
# firewall-cmd --zone=public --remove-interface=sotolito --permanent
Add the wireguard interface to the zone
# firewall-cmd --zone=wireguard --add-interface=wg0 --permanent
Allow forwarding to the zone
# firewall-cmd --zone=wireguard --add-forward --permanent
Don't forget to reload baby!!
# firewall-cmd --reload