OpenWRT WireGuard VPN Server Tutorial
Adapted from this guide.
Introduction
I recently figured out how to set up a WireGuard VPN on my Raspberry Pi 3 running OpenWRT and I decided to write an up-to-date guide on how to do it. It should work on any device running a recent-ish build of OpenWRT/LEDE, provided you have enough storage space for it.
This lets you reach your home network from anywhere and route all of your traffic through your home connection, so it stays encrypted on untrusted Wi-Fi and is not subject to content filters at school or work.
I don't use IPv6 on my network so you'll have to figure that stuff out for yourself.
Before you begin, I'll warn you that the process of setting up WireGuard may disconnect you from the internet a few times so make sure nobody else is using the internet before you start.
Step 1: Installing the packages
SSH into your OpenWRT device and run the following:
opkg update
opkg install luci-proto-wireguard luci-app-wireguard wireguard kmod-wireguard wireguard-tools
reboot
(On current OpenWrt releases the wireguard meta-package no longer exists; if opkg reports it as not found, just drop it from the list. kmod-wireguard and wireguard-tools are what you actually need.)
(protip: Windows 10 has built-in SSH support if you don't have PuTTY installed. You can also use LuCI to install these packages by going to System>Software)
Step 2: Creating a firewall rule
Go into LuCI and head to Network>Firewall>Traffic Rules (not Port Forwards: WireGuard runs on the router itself, so the router has to accept the packets rather than forward them to a LAN host).
Create a new rule using the following input:
Name: WireGuard
Protocol: UDP
Source zone: WAN
Destination zone: Device (input)
Destination port: 1234
Action: Accept
Click Add, then Save & Apply. This allows your VPN clients (phone, laptop etc.) to reach the WireGuard listener on your OpenWRT device from the internet. Any unused UDP port will do; 1234 is simply the number used throughout this guide, so keep it consistent in the later steps.
Step 3: Generating the keys
SSH into your OpenWRT device and run the following:
umask 077 && wg genkey > privkey
cat privkey | wg pubkey > pubkey
cat /root/pubkey
cat /root/privkey
This creates two files in the /root/ directory of your device, pubkey and privkey (the umask makes sure privkey is readable by root only).
You can email yourself the pubkey or transfer it to your phone however you like, since it is public; you'll need it when setting up the VPN connection.
Copy the private key to your clipboard because you'll need it for Step 4. It never needs to leave the router: once it is in the interface config you can delete /root/privkey.
Step 4: Setting up the WireGuard interface
- Go into LuCI and head to Network>Interfaces>Add New Interface
- Set the name of the new interface as wg0
- Set the protocol to WireGuard VPN
- Click Submit
- Paste the private key you got from Step 3 into the Private Key field
- Set the listen port to 1234 (the same port you opened in Step 2)
- In the IP Addresses field, type 10.14.0.1/24
- Go to the Firewall Settings tab and assign the interface to your LAN zone if it hasn't been assigned automatically. This lets you reach your LAN devices when you're connected to your VPN, and because the LAN zone already forwards to WAN, your clients' internet traffic gets out too. If you want to keep VPN clients separate from your LAN, create another firewall zone specifically for the WireGuard interface and only allow forwarding from it to WAN.
- Click Save & Apply
Step 5: Setting up the VPN connection on an Android device
- Download the WireGuard app from the Play Store or F-Droid or whatever is your preferred source of apps
- Open the WireGuard app
- Tap the plus icon and go to "Create from scratch"
- Make up a name for your VPN connection
- Tap "Generate" to generate yourself a public and private key
- In the Addresses field, type 10.14.0.3/32
- Leave the Listen Port and MTU fields empty unless you need to change them for whatever reason
- In the DNS servers field, either type the address of your home DNS server (the router's own tunnel address, 10.14.0.1, is a good choice because it lets you resolve the names of your home LAN hosts) or use a DNS server of your choice (e.g. 1.1.1.1)
- Tap Add Peer
- Paste the Public Key from the /root/ directory of your OpenWRT device
- Leave the Pre-shared key field blank
- In the Allowed IPs field, type 0.0.0.0/0, ::/0 (You should add ::/0 even if you aren't using IPv6, as it stops your device from sending IPv6 traffic outside the tunnel when it is on an IPv6-enabled network. It has to be ::/0, i.e. a zero-length prefix; ::0 on its own is the single address :: and would not catch anything.)
- In the Endpoint field, type the public (WAN) IP address or domain name of your OpenWRT device, followed by a colon and the port number. For example: 69.65.164.12:1234 (if your ISP gives you a dynamic address, use a DDNS hostname here instead, for example one kept up to date by the ddns-scripts package)
- In the Persistent Keepalive field, type 25
- Save the connection
Step 6: Adding your phone to the list of allowed peers
Now you have to register your phone as a peer on your OpenWRT device. To do this:
- In the WireGuard app, copy your Public Key (the one you generated earlier) to the clipboard
- Go into LuCI and head to Network>Interfaces
- Click Edit on the WireGuard interface
- Go to the Peers section and click Add
- Paste the Public Key from your phone into the Public Key field
- In the Allowed IPs field, type 10.14.0.3/32 (on the server side this is the phone's tunnel address only, not 0.0.0.0/0: WireGuard uses this list both to decide which packets are sent to that peer and to drop any packet arriving from that peer with a different source address)
- Check the Route Allowed IPs checkbox
- Leave the Endpoint Host and Endpoint Port fields blank
- In the Persistent Keepalive field, type 25
- Click Save & Apply
- Reboot the OpenWRT device, either through LuCI>System>Reboot or by typing reboot in SSH (restarting just the interface with ifup wg0 is usually enough, but a reboot is the foolproof option)
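For anyone who would rather do the router side from the shell, here is the same procedure (Steps 2, 3, 4 and 6, plus the client config from Step 5 and the check from Step 7) as a script using OpenWrt's uci tool. This is an added example and not part of the original guide. It assumes the stock wan/lan zone names, the addresses and port used above, that dnsmasq on the router answers over the tunnel, and that you replace the placeholder ENDPOINT_HOST with your public IP or DDNS hostname. Run it on the router as "sh wg-setup.sh apply", import /root/phone.conf into the app, then run "sh wg-setup.sh verify" after connecting the phone.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 2, 3, 4 and 6 of this guide
# done with OpenWrt's uci CLI instead of LuCI, plus the client config for Step 5
# written to a file the WireGuard app can import.
# Assumptions: packages from Step 1 installed, stock "wan"/"lan" zones, the
# addresses/port used in the guide, ENDPOINT_HOST = your public IP or DDNS name.
set -eu

WG_IF=wg0
WG_PORT=1234
SERVER_ADDR=10.14.0.1/24
CLIENT_ADDR=10.14.0.3/32
CLIENT_DNS=10.14.0.1                                   # router's dnsmasq, via the tunnel
ENDPOINT_HOST="${ENDPOINT_HOST:-vpn.example.invalid}"  # placeholder, replace it

# Pure text function: a wg-quick style client config. No uci/wg calls here so
# it can be checked on any machine. Note AllowedIPs uses ::/0, never ::0.
render_client_conf() {
    # $1 client private key  $2 client address  $3 server public key
    # $4 endpoint host       $5 endpoint port   $6 DNS server
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n' "$1" "$2" "$6"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0, ::/0\n' "$3"
    printf 'Endpoint = %s:%s\nPersistentKeepalive = 25\n' "$4" "$5"
}

# Step 2: an INPUT rule (no dest zone) so the router itself accepts UDP 1234
# from wan. A port forward to the router's own LAN address is the wrong tool.
add_firewall_rule() {
    uci -q delete firewall.wg_in || true
    uci set firewall.wg_in=rule
    uci set firewall.wg_in.name='Allow-WireGuard'
    uci set firewall.wg_in.src='wan'
    uci set firewall.wg_in.proto='udp'
    uci set firewall.wg_in.dest_port="$WG_PORT"
    uci set firewall.wg_in.target='ACCEPT'
}

# Step 4, firewall tab: attach wg0 to whichever zone is named "lan".
add_to_lan_zone() {
    i=0
    while uci -q get "firewall.@zone[$i].name" >/dev/null; do
        if [ "$(uci get "firewall.@zone[$i].name")" = lan ]; then
            uci add_list "firewall.@zone[$i].network=$WG_IF"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no firewall zone named lan" >&2
    return 1
}

# Steps 3, 4 and 6: keys, interface, and the phone as a peer. The client key
# pair is generated here instead of in the app so the config can be exported.
configure_server() {
    umask 077
    server_priv=$(wg genkey)
    server_pub=$(printf '%s\n' "$server_priv" | wg pubkey)
    client_priv=$(wg genkey)
    client_pub=$(printf '%s\n' "$client_priv" | wg pubkey)

    uci -q delete "network.$WG_IF" || true
    uci set "network.$WG_IF=interface"
    uci set "network.$WG_IF.proto=wireguard"
    uci set "network.$WG_IF.private_key=$server_priv"
    uci set "network.$WG_IF.listen_port=$WG_PORT"
    uci add_list "network.$WG_IF.addresses=$SERVER_ADDR"

    # Server-side AllowedIPs is the phone's /32 only (cryptokey routing):
    # 0.0.0.0/0 here would accept any source address from the phone and, with
    # Route Allowed IPs, send the router's own traffic down the tunnel.
    uci -q delete network.phone || true
    uci set "network.phone=wireguard_$WG_IF"
    uci set network.phone.description='phone'
    uci set "network.phone.public_key=$client_pub"
    uci add_list "network.phone.allowed_ips=$CLIENT_ADDR"
    uci set network.phone.route_allowed_ips='1'
    uci set network.phone.persistent_keepalive='25'

    add_firewall_rule
    add_to_lan_zone
    uci commit network
    uci commit firewall
    /etc/init.d/firewall reload
    ifup "$WG_IF"

    # Step 5 client side as a file (root-only thanks to the umask). Import it
    # in the app, or show a QR code with: qrencode -t ansiutf8 < /root/phone.conf
    render_client_conf "$client_priv" "$CLIENT_ADDR" "$server_pub" \
        "$ENDPOINT_HOST" "$WG_PORT" "$CLIENT_DNS" > /root/phone.conf
    echo "client config written to /root/phone.conf (it holds the phone's private key)"
}

# Step 7 check: a non-zero latest-handshake timestamp means the phone got in.
verify() {
    wg show "$WG_IF" latest-handshakes
    wg show "$WG_IF" transfer
}

case "${1:-}" in
    apply)  configure_server ;;
    verify) verify ;;
    *)      echo "usage: $0 apply|verify" >&2 ;;
esac
```

The firewall rule deliberately has no destination zone: in OpenWrt's firewall config a rule without dest is an input rule for the router itself, which is what a service listening on the router needs. The /32 in the peer's allowed_ips is the server-side half of what the guide describes in Step 6; the 0.0.0.0/0, ::/0 lives only in the client config.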
Step 7: Testing the VPN Connection
Theoretically, everything should be finished now. To test this, go into the WireGuard app and enable the VPN connection from a network other than your home Wi-Fi (mobile data is easiest), then open a browser: if pages load, the tunnel is up. To confirm your traffic is really going through it, check that a "what is my IP" site shows your home IP, and on the router look at Status>WireGuard Status (or run wg show over SSH) for a recent latest handshake and non-zero transfer counters on the phone's peer. If no handshake ever appears, recheck the firewall rule from Step 2 and the endpoint and port in the phone's config first. :)
(protip: The WireGuard app has its own quick settings tile, so you can add it to your quick settings panel for ease of access)
If you have any questions or if it straight up didn't work, leave a comment and I'll try to help as best I can.
Edit: I'm thrilled to see that this post is still helping people six years later! If this post helped you and would like to show your appreciation, a small Bitcoin tip would be greatly appreciated! :-)
BTC: bc1qzjku02tp9ms8jer9y9286uaugpng898cu2q5lc
Nice guide! I just went through this and definitely hit a few snags making it work. The way you've laid it out would have made it easier.
edit: The question below was before a correction in the guide.
One question - should Step 6.6 not have the tunnel IP for the client as the AllowedIPs entry (10.14.0.3/32 rather than 0.0.0.0/0)? I was under the impression that the zero IP was used on the client side to force all local traffic through the tunnel, while the client static IP was used on the server side to permit only connections from that endpoint.
Or is what you're doing more of a point-to-point configuration rather than point-to-lan/wan?
My config uses two OpenWRT routers to create a lan-to-lan tunnel. The goal is to enable tunneling to my home network while away from home in a client-transparent way to reduce exposure to untrusted wifi connections, and also stream US media sources while traveling abroad. So the SSID on the travel router is the same as I use at home, meaning that devices don't know they're off-lan. The first goal is good, but I have a DNS leak I'm troubleshooting which would break the second. The client isn't using the DNS assigned in the WG config, rather it's using the server assigned in the hotspot/wifi DHCP config. Still trying to figure that out.
I don't understand the port forward. Are you forwarding a port on your Raspberry Pi 3 to itself?
If you want to allow incoming traffic you would normally add a rule on the page Firewall > Traffic Rules, see section "Open ports on router".
Thank you for the tutorial! In step 2 I created a firewall rule in LuCI>Network>Firewall>Traffic Rules tab instead.
Is it possible to create a separate wireless interface just for VPN traffic? Hence, if you connect to the ssid "vpn" all traffic will be routed through the vpn. However, you still have guest, iot, and main networks that are separate and not routed through the vpn.
This is fantastic! Wireguard is somewhat lacking in good examples/tutorials, especially ones for OpenWRT. Thanks for writing this up.
No problem!
I wrote this up after trying casept's guide and running into a whole bunch of snags.
I intended to write it as a guide for myself in case I needed to do it again in the future but I decided to chuck it on reddit for you guys :)
How much data can you push thru the VPN interface before you become CPU constrained?
Confirmed working, thanks!!
PS: I spent all day yesterday trying to make this work on my own, today I found your post and "bam!" I can ping.
Thanks for the write up! I’m trying to follow the steps, but was unsuccessful. I currently have an OpenWRT router added to my existing network, 192.168.1.1. The original modem/router is combined and sitting on 192.168.0.1. Not sure if I should move the OpenWRT to the other network first or am good to leave as is. Secondly, I have followed the steps outlined here, and now any device, when connected to one of the networks on the network is using a VPN connection to a Mullvad public server using Wireguard. I think my questions are:
- Can I add your steps alongside the firewall and interface settings I currently have? My goal is to connect from my phone into my network when not home, but also (if possible) use the VPN connection for all traffic on this network
- Am I wrong to have Mullvad in the mix and should ditch connecting in that manner?