GIMP (short for GNU Image Manipulation Program) is free and open-source image manipulation software. With many capabilities ranging from simple image editing to complex filters, scripting and even animation, it is a good alternative to popular commercial options.
Read on to learn how to install and use GIMP on Fedora. This article covers basic daily image editing.
Installing GIMP
GIMP is available in the official Fedora repository. To install it run:
sudo dnf install gimp
Single window mode
Once you open the application, it shows you the dark theme window with toolbox and the main editing area. Note that it has two window modes that you can switch between by selecting Windows -> Single Window Mode. By checking this option all components of the UI are displayed in a single window. Otherwise, they will be separate.
Loading an image
To load an image, go to File -> Open and choose your image file.
Resizing an image
To resize the image, you have the option to resize based on a couple of parameters, including pixel and percentage — the two parameters which are often handy in editing images.
Let’s say we need to scale down the Fedora 30 background image to 75% of its current size. To do that, select Image -> Scale and then on the scale dialog, select percentage in the unit drop down. Next, enter 75 as width or height and press the Tab key. By default, the other dimension will automatically resize in correspondence with the changed dimension to preserve aspect ratio. For now, leave other options unchanged and press Scale.
The image scales to 75 percent of its original size.
Rotating images
Rotating is a transform operation, so you find it under Image -> Transform from the main menu, where there are options to rotate the image by 90 or 180 degrees. There are also options for flipping the image vertically or horizontally under the mentioned option.
Let’s say we need to rotate the image 90 degrees. After applying a 90-degree clockwise rotation and horizontal flip, our image will look like this:
Transforming an image with GIMP
Adding text
Adding text is very easy. Just select the A icon from the toolbox, and click on a point on your image where you want to add the text. If the toolbox is not visible, open it from Windows->New Toolbox.
As you edit the text, you might notice that the text dialog has font customization options including font family, font size, etc.
Adding text to image in GIMP
Saving and exporting
You can save your edit as a GIMP project with the xcf extension from File -> Save or by pressing Ctrl+S. Or you can export your image in formats such as PNG or JPEG. To export, go to File -> Export As or hit Ctrl+Shift+E and you will be presented with a dialog where you can select the output image and name.
Everything in a PC, laptop, or server is represented as binary digits (a.k.a. bits, where each bit can only be 1 or 0). There are no characters like we use for writing or numbers as we write them anywhere in a computer’s memory or secondary storage such as disk drives. For general purposes, the unit of measure for groups of binary bits is the byte — eight bits. Bytes are an agreed-upon measure that helped standardize computer memory, storage, and how computers handled data.
There are various terms in use to specify the capacity of a disk drive (either magnetic or electronic). The same measures are applied to a computer’s random access memory (RAM) and other memory devices that inhabit your computer. So now let’s see how the numbers are made up.
Suffixes are used with the number that specifies the capacity of the device. The suffixes designate a multiplier that is to be applied to the number that preceded the suffix. Commonly used suffixes are:
Kilo = 10^3 = 1,000 (one thousand)
Mega = 10^6 = 1,000,000 (one million)
Giga = 10^9 = 1,000,000,000 (one billion)
Tera = 10^12 = 1,000,000,000,000 (one trillion)
As an example 500 GB (gigabytes) is 500,000,000,000 bytes.
The units in which memory and storage are specified in advertisements, on boxes in the store, and so on are in the decimal system as shown above. However, since computers only use binary bits, the actual capacity of these devices is different than the advertised capacity.
You saw that the decimal numbers above were shown with their equivalent powers of ten. In the binary system numbers can be represented as powers of two. The table below shows how bits are used to represent powers of two in an 8 bit Byte. At the bottom of the table there is an example of how the decimal number 109 can be represented as a binary number that can be held in a single byte of 8 bits (01101101).
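Eight bit binary number

| | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bit 3 | Bit 2 | Bit 1 | Bit 0 |
|---|---|---|---|---|---|---|---|---|
| Power of 2 | 2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0 |
| Decimal Value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| Example Number | 0 | 1 | 1 | 0 | 1 | 1 | 0 | 1 |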
The example bit values comprise the binary number 01101101. To get the equivalent decimal value just add the decimal values from the table where the bit is set to 1. That is 64 + 32 + 8 + 4 + 1 = 109.
By the time you get out to 2^30 you have decimal 1,073,741,824 with just 31 bits (don’t forget the 2^0). You’ve got a large enough number to start specifying memory and storage sizes.
Now comes what you have been waiting for. The table below lists common designations as they are used for labeling decimal and binary values.
| Decimal unit | Decimal value | Binary unit | Binary value |
|---|---|---|---|
| KB (Kilobyte) | 1KB = 1,000 bytes | KiB (Kibibyte) | 1KiB = 1,024 bytes |
| MB (Megabyte) | 1MB = 1,000,000 bytes | MiB (Mebibyte) | 1MiB = 1,048,576 bytes |
| GB (Gigabyte) | 1GB = 1,000,000,000 bytes | GiB (Gibibyte) | 1GiB = 1,073,741,824 bytes |
| TB (Terabyte) | 1TB = 1,000,000,000,000 bytes | TiB (Tebibyte) | 1TiB = 1,099,511,627,776 bytes |
Note that all of the quantities of bytes in the table above are expressed as decimal numbers. They are not shown as binary numbers because those numbers would be more than 30 characters long.
Most users and programmers need not be concerned with the small differences between the binary and decimal storage size numbers. If you’re developing software or hardware that deals with data at the binary level you may need the binary numbers.
As for what this means to your PC: Your PC will make use of the full capacity of your storage and memory devices. If you want to see the capacity of your disk drives, thumb drives, etc, the Disks utility in Fedora will show you the actual capacity of the storage device in number of bytes as a decimal number.
There are also command line tools that can provide you with more flexibility in seeing how your storage bytes are being used. Two such command line tools are du (for files and directories) and df (for file systems). You can read about these by typing man du or man df at the command line in a terminal window.
The Cockpit series continues to focus on some of the tools users and administrators can use to perform everyday tasks within the web user-interface. So far we’ve covered introducing the user-interface, storage and network management, and user accounts. Hence, this article will highlight how Cockpit handles software and services.
The menu options for Applications and Software Updates are available through Cockpit’s PackageKit feature. To install it from the command-line, run:
sudo dnf install cockpit-packagekit
For Fedora Silverblue, Fedora CoreOS, and other ostree-based operating systems, install the cockpit-ostree package and reboot the system:
On the main screen, Cockpit notifies the user whether the system is updated, or if any updates are available. Click the Updates Available link on the main screen, or Software Updates in the menu options, to open the updates page.
RPM-based updates
The top of the screen displays general information such as the number of updates and the number of security-only updates. It also shows when the system was last checked for updates, and a button to perform the check. Likewise, this button is equivalent to the command sudo dnf check-update.
Below is the Available Updates section, which lists the packages requiring updates. Furthermore, each package displays the name, version, and best of all, the severity of the update. Clicking a package in the list provides additional information such as the CVE, the Bugzilla ID, and a brief description of the update. For details about the CVE and related bugs, click their respective links.
Also, one of the best features about Software Updates is the option to only install security updates. Distinguishing which updates to perform makes it simple for those who may not need, or want, the latest and greatest software installed. Of course, one can always use Red Hat Enterprise Linux or CentOS for machines requiring long-term support.
The example below demonstrates how Cockpit applies RPM-based updates.
OSTree is used by rpm-ostree, a hybrid package/image based system… It atomically replicates a base OS and allows the user to “layer” the traditional RPM on top of the base OS if needed.
Because of this setup, Cockpit uses a snapshot-like layout for these operating systems. As seen in the demo below, the top of the screen displays the repository (fedora), the base OS image, and a button to Check for Updates.
Clicking the repository name (fedora in the demo below) opens the Change Repository screen. From here one can Add New Repository, or click the pencil icon to edit an existing repository. Editing provides the option to delete the repository, or Add Another Key. To add a new repository, enter the name and URL. Also, select whether or not to Use trusted GPG key.
There are three categories that provide details of its respective image: Tree, Packages, and Signature. Tree displays basic information such as the operating system, version of the image, how long ago it was released, and the origin of the image. Packages displays a list of installed packages within that image. Signature verifies the integrity of the image such as the author, date, RSA key ID, and status.
The current, or running, image displays a green check-mark beside it. If something happens, or an update causes an issue, click the Roll Back and Reboot button. This restores the system to a previous image.
Applications
The Applications screen displays a list of add-ons available for Cockpit. This makes it easy to find and install the plugins required by the user. At the time of this article, some of the options include the 389 Directory Service, Fleet Commander, and Subscription Manager. The demo below shows a complete list of available Cockpit add-ons.
Also, each item displays the name, a brief description, and a button to install, or remove, the add-on. Furthermore, clicking the item displays more information (if available). To refresh the list, click the icon at the top-right corner.
Subscription Management
Subscription managers allow admins to attach subscriptions to the machine. Even more, subscriptions give admins control over user access to content and packages. One example of this is the famous Red Hat subscription model. This feature works in relation to the subscription-manager command.
The Subscriptions add-on can be installed via Cockpit’s Applications menu option. It can also be installed from the command-line with:
sudo dnf install cockpit-subscriptions
To begin, click Subscriptions in the main menu. If the machine is currently unregistered, it opens the Register System screen. Next, select the URL. You can choose Default, which uses Red Hat’s subscription server, or enter a Custom URL. Enter the Login, Password, Activation Key, and Organization ID. Finally, to complete the process, click the Register button.
The main page for Subscriptions shows if the machine is registered, the System Purpose, and a list of installed products.
Services
To start, click the Services menu option. Because Cockpit uses systemd, we get the options to view System Services, Targets, Sockets, Timers, and Paths. Cockpit also provides an intuitive interface to help users search and find the service they want to configure. Services can also be filtered by their state: All, Enabled, Disabled, or Static. Below this is the list of services. Each row displays the service name, description, state, and automatic startup behavior.
For example, let’s take bluetooth.service. Typing bluetooth in the search bar automatically displays the service. Now, select the service to view the details of that service. The page displays the status and path of the service file. It also displays information in the service file such as the requirements and conflicts. Finally, at the bottom of the page, are the logs pertaining to that service.
Also, users can quickly start and stop the service by toggling the switch beside the service name. The three-dots menu to the right of that switch expands those options to Enable, Disable, and Mask/Unmask the service.
To learn more about systemd, check out the series in the Fedora Magazine starting with What is an init system?
In the next article we’ll explore the security features available in Cockpit.
This article shows you how to set up some powerful tools in your command line interpreter (CLI) shell on Fedora. If you use bash (the default) or zsh, Fedora lets you easily setup these tools.
Requirements
Some installed packages are required. On Workstation, run the following command:
Note: On Silverblue you need to restart before proceeding.
Fonts
You can give your terminal a new look by installing new fonts. Why not fonts that display characters and icons together?
Nerd-Fonts
Open a new terminal and type the following commands:
git clone https://github.com/ryanoasis/nerd-fonts ~/.nerd-fonts
cd .nerd-fonts
sudo ./install.sh
Awesome-Fonts
On Workstation, install using the following command:
sudo dnf install fontawesome-fonts
On Silverblue, type:
sudo rpm-ostree install fontawesome-fonts
Powerline
Powerline is a statusline plugin for vim, and provides statuslines and prompts for several other applications, including bash, zsh, tmux, i3, Awesome, IPython and Qtile. You can find more information about powerline on the official documentation site.
Installation
To install powerline utility on Fedora Workstation, open a new terminal and run:
Note: On Silverblue, you need to restart before proceeding.
Activating powerline
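To make powerline active by default, place the code below at the end of your ~/.bashrc file:
# Start powerline only when the daemon is installed. command -v is used
# because [ -f `which powerline-daemon` ] is also true when which prints nothing.
if command -v powerline-daemon >/dev/null 2>&1; then
    powerline-daemon -q
    POWERLINE_BASH_CONTINUATION=1
    POWERLINE_BASH_SELECT=1
    . /usr/share/powerline/bash/powerline.sh
fi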
Finally, close the terminal and open a new one. It will look like this:
Oh-My-Zsh
Oh-My-Zsh is a framework for managing your Zsh configuration. It comes bundled with helpful functions, plugins, and themes. To learn how to set Zsh as your default shell, see this article.
Installation
Type this in the terminal:
sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
Alternatively, you can type this:
sh -c "$(wget https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh -O -)"
At the end, you see the terminal like this:
Congratulations, Oh-my-zsh is installed.
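Both install commands above pipe a script from the network straight into sh, so whatever the server returns at that moment is what runs. The following is an added example, not part of the original article or of the Oh-My-Zsh project: it saves the installer to a file, lets you read it, and runs it only if it is still byte-identical to the copy you reviewed. The function name run_reviewed and the file name install.sh are hypothetical, and the demo uses a constructed stand-in script so it runs offline.

```shell
#!/bin/sh
# Workflow for the real installer (URL taken from the article):
#   curl -fsSL -o install.sh https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh
#   less install.sh            # read what it will do
#   sha256sum install.sh       # record the hash of the copy you read
#   run_reviewed install.sh <hash you recorded>

# run_reviewed FILE SHA256
# Runs FILE with sh only when its SHA-256 equals the recorded value, so a file
# that was replaced or re-downloaded after the review is never executed.
run_reviewed() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 2
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: sha256 $actual differs from the reviewed copy" >&2
        return 1
    fi
    sh "$1"
}

# Offline demo with a constructed stand-in for the downloaded installer.
demo_reviewed() {
    tmp=$(mktemp -d) || return 1
    echo 'echo "installer body runs here"' > "$tmp/install.sh"
    reviewed=$(sha256sum "$tmp/install.sh" | cut -d' ' -f1)
    run_reviewed "$tmp/install.sh" "$reviewed"
    # Simulate the file changing between review and execution.
    echo 'echo "unexpected extra command"' >> "$tmp/install.sh"
    run_reviewed "$tmp/install.sh" "$reviewed" || echo "changed file was blocked"
    rm -rf "$tmp"
}
demo_reviewed
```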
Themes
Once installed, you can select your theme. I prefer to use Powerlevel10k. One advantage is that it is 100 times faster than the powerlevel9k theme. To install it, run this line:
Close the terminal. When you open the terminal again, the Powerlevel10k configuration wizard will ask you a few questions to configure your prompt properly.
After finishing the Powerlevel10k configuration wizard, your prompt will look like this:
If you don’t like it, you can run the Powerlevel10k wizard any time with the command p10k configure.
Enable plug-ins
Plug-ins are stored in the .oh-my-zsh/plugins folder. You can visit this site for more information. To activate a plug-in, you need to edit your ~/.zshrc file. Installing plug-ins means that you are going to create a series of aliases or shortcuts that execute a specific function.
For example, to enable the firewalld and git plugins, first edit ~/.zshrc:
plugins=(firewalld git)
Note: use a blank space to separate the plug-in names in the list.
Then reload the configuration:
source ~/.zshrc
To see the created aliases, use the command:
alias | grep firewall
Additional configuration
I suggest installing the syntax-highlighting and syntax-autosuggestions plug-ins.
Colorls is a Ruby gem that beautifies the terminal’s ls command, with colors and font-awesome icons. You can visit the official site for more information.
Because it’s a ruby gem, just follow this simple step:
sudo gem install colorls
To keep up to date, just do:
sudo gem update colorls
To avoid typing colorls every time, you can create aliases in your ~/.bashrc or ~/.zshrc:
alias ll='colorls -lA --sd --gs --group-directories-first'
alias ls='colorls --group-directories-first'
Also, you can enable tab completion for colorls flags by adding the following line at the end of your shell configuration:
source $(dirname $(gem which colorls))/tab_complete.sh
If you ever attach to a WiFi system outside your home or office, you often see a portal page. This page may ask you to accept terms of service or some other agreement to get access. But what happens when you can’t connect through this kind of portal? This article shows you how to use NetworkManager on Fedora to deal with some failure cases so you can still access the internet.
How captive portals work
Captive portals are web pages offered when a new device is connected to a network. When the user first accesses the Internet, the portal captures all web page requests and redirects them to a single portal page.
The page then asks the user to take some action, typically agreeing to a usage policy. Once the user agrees, they may authenticate to a RADIUS or other type of authentication system. In simple terms, the captive portal registers and authorizes a device based on the device’s MAC address and end user acceptance of terms. (The MAC address is a hardware-based value attached to any network interface, like a WiFi chip or card.)
Sometimes a device doesn’t load the captive portal to authenticate and authorize the device to use the location’s WiFi access. Examples of this situation include mobile devices and gaming consoles (Switch, Playstation, etc.). They usually won’t launch a captive portal page when connecting to the Internet. You may see this situation when connecting to hotel or public WiFi access points.
You can use NetworkManager on Fedora to resolve these issues, though. Fedora will let you temporarily clone the connecting device’s MAC address and authenticate to the captive portal on the device’s behalf. You’ll need the MAC address of the device you want to connect. Typically this is printed somewhere on the device and labeled. It’s a six-byte hexadecimal value, so it might look like 4A:1A:4C:B0:38:1F. You can also usually find it through the device’s built-in menus.
Cloning with NetworkManager
First, open nm-connection-editor, or open the WiFi settings via the Settings applet. You can then use NetworkManager to clone as follows:
For Ethernet – Select the connected Ethernet connection. Then select the Ethernet tab. Note or copy the current MAC address. Enter the MAC address of the console or other device in the Cloned MAC address field.
For WiFi – Select the WiFi profile name. Then select the WiFi tab. Note or copy the current MAC address. Enter the MAC address of the console or other device in the Cloned MAC address field.
Bringing up the desired device
Once the Fedora system connects with the Ethernet or WiFi profile, the cloned MAC address is used to request an IP address, and the captive portal loads. Enter the credentials needed and/or select the user agreement. The MAC address will then get authorized.
Now, disconnect the WiFi or Ethernet profile, and change the Fedora system’s MAC address back to its original value. Then boot up the console or other device. The device should now be able to access the Internet, because its network interface has been authorized via your Fedora system.
Fedora 31 Workstation comes with a Firefox backend moved from X11 to Wayland by default. That’s just another step in the ongoing effort of moving to Wayland. This affects GNOME on Wayland only. This article helps you understand some changes and extra steps you may wish to take depending on your preferences.
There is a firefox-wayland package available to activate the Wayland backend on KDE and Sway desktop environments.
The Wayland architecture is completely different than X11. The team merged various aspects of Firefox internals to the new protocol where possible. However, some X11 features are missing completely. For such cases you can install and run firefox-x11 package as a fallback.
If you want to run the Flash plugin, you must install the firefox-x11 package, since Flash requires X11 and GTK 2. Wayland also has a slightly different drag and drop behavior and strict popup window hierarchy.
Generally, if you think Firefox is not behaving like you want, try the firefox-x11 package. In this case, ideally you should report the misbehavior in Bugzilla.
The Wayland architecture comes with many benefits, and overcomes many limitations of X11. For instance, it can deliver smoother rendering and better HiDPI and screen scale support. You can also enable EGL hardware acceleration on Intel and AMD graphics cards. This decreases your power consumption and also gives you partially accelerated video playback. To enable it, navigate to about:config, and search for layers.acceleration.force-enabled. Set this option to true and restart Firefox.
Brave users may wish to try the Firefox next-generation renderer, called WebRender, written in Rust. To do that, search for gfx.webrender.enabled and gfx.webrender.all in about:config. Set them to true, then cross your fingers and restart Firefox.
But don’t worry — even if Firefox crashes at start after these experiments, you can launch it in safe mode to reset these options. Start Firefox from a terminal using the following command:
Fedora 31 Workstation is the latest release of our free, leading-edge operating system. You can download it from the official website here right now. There are several new and noteworthy changes in Fedora 31 Workstation. Read more details below.
Fedora 31 Workstation includes the latest release of GNOME Desktop Environment for users of all types. GNOME 3.34 in Fedora 31 Workstation includes many updates and improvements, including:
Refreshed Background Chooser
Choosing your desktop background in Fedora Workstation is now easier. The newly redesigned background chooser allows you to quickly and easily see and change both your desktop and lock screen backgrounds.
Custom Application Folders
Fedora 31 Workstation now allows you to easily create application folders in the Overview. Keep your application listing clutter free and well organized with this new feature:
Do you want the full details of everything in GNOME 3.34? Visit the release notes for even more details.
Fedora 31 is available now. You’ll likely want to upgrade your system to get the latest features available in Fedora. Fedora Workstation has a graphical upgrade method. Alternatively, Fedora offers a command-line method for upgrading Fedora 30 to Fedora 31.
Upgrading Fedora 30 Workstation to Fedora 31
Soon after release time, a notification appears to tell you an upgrade is available. You can click the notification to launch the GNOME Software app. Or you can choose Software from GNOME Shell.
Choose the Updates tab in GNOME Software and you should see a screen informing you that Fedora 31 is Now Available.
If you don’t see anything on this screen, try using the reload button at the top left. It may take some time after release for all systems to be able to see an upgrade available.
Choose Download to fetch the upgrade packages. You can continue working until you reach a stopping point, and the download is complete. Then use GNOME Software to restart your system and apply the upgrade. Upgrading takes time, so you may want to grab a coffee and come back to the system later.
Using the command line
If you’ve upgraded from past Fedora releases, you are likely familiar with the dnf upgrade plugin. This method is the recommended and supported way to upgrade from Fedora 30 to Fedora 31. Using this plugin will make your upgrade to Fedora 31 simple and easy.
1. Update software and back up your system
Before you start the upgrade process, make sure you have the latest software for Fedora 30. This is particularly important if you have modular software installed; the latest versions of dnf and GNOME Software include improvements to the upgrade process for some modular streams. To update your software, use GNOME Software or enter the following command in a terminal.
sudo dnf upgrade --refresh
Additionally, make sure you back up your system before proceeding. For help with taking a backup, see the backup series on the Fedora Magazine.
2. Install the DNF plugin
Next, open a terminal and type the following command to install the plugin:
sudo dnf install dnf-plugin-system-upgrade
3. Start the update with DNF
Now that your system is up-to-date, backed up, and you have the DNF plugin installed, you can begin the upgrade by using the following command in a terminal:
sudo dnf system-upgrade download --releasever=31
This command will begin downloading all of the upgrades for your machine locally to prepare for the upgrade. If you have issues when upgrading because of packages without updates, broken dependencies, or retired packages, add the --allowerasing flag when typing the above command. This will allow DNF to remove packages that may be blocking your system upgrade.
4. Reboot and upgrade
Once the previous command finishes downloading all of the upgrades, your system will be ready for rebooting. To boot your system into the upgrade process, type the following command in a terminal:
sudo dnf system-upgrade reboot
Your system will restart after this. Many releases ago, the fedup tool would create a new option on the kernel selection / boot screen. With the dnf-plugin-system-upgrade package, your system reboots into the current kernel installed for Fedora 30; this is normal. Shortly after the kernel selection screen, your system begins the upgrade process.
Now might be a good time for a coffee break! Once it finishes, your system will restart and you’ll be able to log in to your newly upgraded Fedora 31 system.
Resolving upgrade problems
On occasion, there may be unexpected issues when you upgrade your system. If you experience any issues, please visit the DNF system upgrade quick docs for more information on troubleshooting.
If you are having issues upgrading and have third-party repositories installed on your system, you may need to disable these repositories while you are upgrading. For support with repositories not provided by Fedora, please contact the providers of the repositories.
It’s here! We’re proud to announce the release of Fedora 31. Thanks to the hard work of thousands of Fedora community members and contributors, we’re celebrating yet another on-time release. This is getting to be a habit!
If you just want to get to the bits without delay, go to https://getfedora.org/ right now. For details, read on!
Toolbox
If you haven’t used the Fedora Toolbox, this is a great time to try it out. This is a simple tool for launching and managing personal workspace containers, so you can do development or experiment in an isolated experience. It’s as simple as running “toolbox enter” from the command line.
This containerized workflow is vital for users of the ostree-based Fedora variants like CoreOS, IoT, and Silverblue, but is also extremely useful on any workstation or even server system. Look for many more enhancements to this tool and the user experience around it in the next few months — your feedback is very welcome.
All of Fedora’s Flavors
Fedora Editions are targeted outputs geared toward specific “showcase” uses.
Fedora Workstation focuses on the desktop, and in particular software developers who want a “just works” Linux operating system experience. This release features GNOME 3.34, which brings significant performance enhancements which will be especially noticeable on lower-powered hardware.
Fedora Server brings the latest in cutting-edge open source server software to systems administrators in an easy-to-deploy fashion.
And, in preview state, we have Fedora CoreOS, a category-defining operating system made for the modern container world, and Fedora IoT for “edge computing” use cases. (Stay tuned for a planned contest to find a shiny name for the IoT edition!)
Of course, we produce more than just the editions. Fedora Spins and Labs target a variety of audiences and use cases, including the Fedora Astronomy, which brings a complete open source toolchain to both amateur and professional astronomers, and desktop environments like KDE Plasma and Xfce.
And, don’t forget our alternate architectures, ARM AArch64, Power, and S390x. Of particular note, we have improved support for the Rockchip system-on-a-chip devices including the Rock960, RockPro64, and Rock64, plus initial support for “panfrost”, an open source 3D accelerated graphics driver for newer Arm Mali “midgard” GPUs.
No matter what variant of Fedora you use, you’re getting the latest the open source world has to offer. Following our “First” foundation, we’re enabling CgroupsV2 (if you’re using Docker, make sure to check this out). Glibc 2.30 and NodeJS 12 are among the many updated packages in Fedora 31. And, we’ve switched the “python” command to be Python 3 — remember, Python 2 is end-of-life at the end of this year.
We’re excited for you to try out the new release! Go to https://getfedora.org/ and download it now. Or if you’re already running a Fedora operating system, follow the easy upgrade instructions.
In the unlikely event of a problem….
If you run into a problem, check out the Fedora 31 Common Bugs page, and if you have questions, visit our Ask Fedora user-support platform.
Thank you everyone
Thanks to the thousands of people who contributed to the Fedora Project in this release cycle, and especially to those of you who worked extra hard to make this another on-time release. And if you’re in Portland for USENIX LISA this week, stop by the expo floor and visit me at the Red Hat, Fedora, and CentOS booth.
Wireguard is a new VPN designed as a replacement for IPSec and OpenVPN. Its design goal is to be simple and secure, and it takes advantage of recent technologies such as the Noise Protocol Framework. Some consider Wireguard’s ease of configuration akin to OpenSSH. This article shows you how to deploy and use it.
It is currently in active development, so it might not be the best for production machines. However, Wireguard is under consideration to be included into the Linux kernel. The design has been formally verified,* and proven to be secure against a number of threats.
When deploying Wireguard, keep your Fedora Linux system updated to the most recent version, since Wireguard does not have a stable release cadence.
Set the timezone
To check and set your timezone, first display current time information:
timedatectl
Then if needed, set the correct timezone, for example to Europe/London.
timedatectl set-timezone Europe/London
Note that your system’s real time clock (RTC) may continue to be set to UTC or another timezone.
Install Wireguard
To install, enable the COPR repository for the project and then install with dnf, using sudo:
Once installed, two new commands become available, along with support for systemd:
wg: Configuration of wireguard interfaces
wg-quick: Bringing up the VPN tunnels
Create the configuration directory for Wireguard, and apply a umask of 077. A umask of 077 allows read, write, and execute permission for the file’s owner (root), but prohibits read, write, and execute permission for everyone else.
mkdir /etc/wireguard
cd /etc/wireguard
umask 077
Generate Key Pairs
Generate the private key, then derive the public key from it.
$ wg genkey > /etc/wireguard/privkey
$ wg pubkey < /etc/wireguard/privkey > /etc/wireguard/publickey
Alternatively, this can be done in one go:
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
There is a vanity address generator, which might be of interest to some. You can also generate a pre-shared key to provide a level of quantum protection:
wg genpsk > psk
This will be the same value for both the server and client, so you only need to run the command once.
Configure Wireguard server and client
Both the client and server have an [Interface] option to specify the IP address assigned to the interface, along with the private keys.
Each peer (server and client) has a [Peer] section containing its respective PublicKey, along with the PresharedKey. Additionally, this block can list allowed IP addresses which can use the tunnel.
Server
A firewall rule is added when the interface is brought up, along with enabling masquerading. Make sure to note the /24 IPv4 address range within Interface, which differs from the client. Edit the /etc/wireguard/wg0.conf file as follows, using the IP address for your server for Address, and the client IP address in AllowedIPs.
The client is very similar to the server config, but has an optional additional entry of PersistentKeepalive set to 30 seconds. This is to prevent NAT from causing issues, and depending on your setup might not be needed. Setting AllowedIPs to 0.0.0.0/0 will forward all traffic over the tunnel. Edit the client’s /etc/wireguard/wg0.conf file as follows, using your client’s IP address for Address and the server IP address at the Endpoint.
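The server and client files described in the two paragraphs above, as an added example that is not from the original article: shell functions that render both wg0.conf files, write them with owner-only permissions, and audit the result. Assumed values are the 10.0.0.0/24 tunnel subnet, UDP port 51820, the firewalld public zone and the vpn.example.com endpoint; the function names are hypothetical, the keys in the demo are constructed placeholders, and stat -c assumes GNU coreutils as shipped on Fedora.

```shell
#!/bin/sh
# write_private FILE: copy stdin to FILE so it is never group/world readable.
write_private() {
    ( umask 077; cat > "$1" )
    chmod 600 "$1"   # also tightens a file that already existed
}

# server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY PRESHARED_KEY
server_conf() {
    cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $1
# Open the port and enable masquerading only while the interface is up
PostUp = firewall-cmd --zone=public --add-port=51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port=51820/udp && firewall-cmd --zone=public --remove-masquerade

[Peer]
PublicKey = $2
PresharedKey = $3
# Only this tunnel address is accepted from the client
AllowedIPs = 10.0.0.2/32
EOF
}

# client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY PRESHARED_KEY
client_conf() {
    cat <<EOF
[Interface]
Address = 10.0.0.2/32
PrivateKey = $1

[Peer]
PublicKey = $2
PresharedKey = $3
Endpoint = vpn.example.com:51820
# 0.0.0.0/0 forwards all IPv4 traffic over the tunnel
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 30
EOF
}

# valid_key STRING: WireGuard keys are 32 bytes, i.e. 44 base64 characters.
valid_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# audit_conf FILE: fail if FILE is readable by others or a key is malformed.
audit_conf() {
    mode=$(stat -c %a "$1") || return 2
    [ "$mode" = 600 ] || { echo "$1: mode $mode, expected 600" >&2; return 1; }
    for field in PrivateKey PublicKey PresharedKey; do
        value=$(sed -n "s/^$field = //p" "$1")
        valid_key "$value" || { echo "$1: missing or malformed $field" >&2; return 1; }
    done
}

# Offline demo in a temporary directory; real files belong in /etc/wireguard.
demo() {
    dir=$(mktemp -d) || return 1
    key="$(printf '%043d' 0 | tr 0 A)="   # constructed placeholder, not a real key
    server_conf "$key" "$key" "$key" | write_private "$dir/wg0.conf"
    audit_conf "$dir/wg0.conf" && echo "wg0.conf: owner-only and well-formed"
    rm -rf "$dir"
}
demo
```

With real keys, pass the contents of the privatekey, publickey and psk files generated earlier, then bring the tunnel up with wg-quick up wg0.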
* “Formally verified,” in this sense, means that the design has been proved to have mathematically correct messages and key secrecy, forward secrecy, mutual authentication, session uniqueness, channel binding, and resistance against replay, key compromise impersonation, and denial of service attacks.