DevOps · 9 min read

WireGuard VPN Setup Guide for OpenWrt Router

This guide walks through setting up a WireGuard VPN server on an OpenWrt router so that a device at another location can reach the router's network, and route its internet traffic through it, over an encrypted tunnel. Compared with OpenVPN, WireGuard is a much smaller code base that runs in the kernel, uses one fixed set of modern primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s) instead of a negotiable cipher suite, and is correspondingly faster and simpler to configure and audit.

What You'll Need

  • OpenWrt router at Location A (server) with a public IP address reachable from the internet (a dynamic-DNS name pointing at it also works)
  • Client device at Location B (your remote location)
  • SSH access to your OpenWrt router
  • Basic command line knowledge

Network Architecture

Client Device (10.0.0.2)
         ↓
    WireGuard VPN Tunnel
         ↓
OpenWrt Router (10.0.0.1)
         ↓
    Network A Internet

Part 1: Server Setup (OpenWrt Router)

Step 1: Install WireGuard Packages

Connect to your router via SSH:

ssh root@YOUR_ROUTER_IP

Update package list and install WireGuard:

opkg update
opkg install wireguard-tools luci-proto-wireguard kmod-wireguard

Step 2: Generate Encryption Keys

Create the WireGuard directory and make sure every file created from here on is readable by root only (the chmod at the end is then just a safety net, not the only thing standing between the keys and other users of the box):

umask 077
mkdir -p /etc/wireguard

Generate server keys:

wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key

Generate client keys. Doing this on the router is convenient for a first setup, but it means the client's private key exists on a machine other than the client. For anything beyond a home lab, run wg genkey on the client device instead and copy only the resulting public key to the router:

wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key

Set appropriate permissions:

chmod 600 /etc/wireguard/*.key

Display the keys (you'll need the public keys in the next steps and the client private key in Part 2):

echo "=== Server Private Key ==="
cat /etc/wireguard/server_private.key
echo ""
echo "=== Server Public Key ==="
cat /etc/wireguard/server_public.key
echo ""
echo "=== Client Private Key ==="
cat /etc/wireguard/client_private.key
echo ""
echo "=== Client Public Key ==="
cat /etc/wireguard/client_public.key

Important: the two public keys can be copied anywhere. The two private keys are the credentials: the server private key should never leave the router, and the client private key should exist only in the client's config file. Don't paste them into chat, tickets or shared notes.

Step 3: Configure WireGuard Interface

Store keys in variables for easy configuration:

SERVER_PRIVATE_KEY=$(cat /etc/wireguard/server_private.key)
CLIENT_PUBLIC_KEY=$(cat /etc/wireguard/client_public.key)

Create WireGuard network interface:

uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key="$SERVER_PRIVATE_KEY"
uci set network.wg0.listen_port='51820'
uci add_list network.wg0.addresses='10.0.0.1/24'

Add client peer configuration. allowed_ips is both the route to this peer and its source-address filter: packets arriving from this client with any source other than 10.0.0.2 are dropped, so keep it a /32 per client. persistent_keepalive only matters on the side that sits behind NAT (the client); setting it here is harmless, but the client config is where it counts.

uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].public_key="$CLIENT_PUBLIC_KEY"
uci set network.@wireguard_wg0[-1].description='Remote_Client'
uci add_list network.@wireguard_wg0[-1].allowed_ips='10.0.0.2/32'
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'

Commit network configuration:

uci commit network

Step 4: Configure Firewall Rules

Create a dedicated WireGuard firewall zone. input='ACCEPT' lets VPN clients reach services on the router itself (SSH, LuCI, DNS); forward='REJECT' stops clients from talking to each other unless you explicitly allow it. Masquerading is not needed on this zone: internet-bound traffic is NATed by the wan zone, which OpenWrt masquerades by default, and masq on the wg zone would only make every VPN client appear to LAN hosts as 10.0.0.1.

uci set firewall.wg=zone
uci set firewall.wg.name='wg'
uci set firewall.wg.input='ACCEPT'
uci set firewall.wg.output='ACCEPT'
uci set firewall.wg.forward='REJECT'
uci set firewall.wg.network='wg0'

Allow traffic forwarding from WireGuard to WAN (internet through the router) and to LAN (the remote network this guide is about; without this forwarding clients get internet but cannot reach anything on Network A):

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='wg'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='wg'
uci set firewall.@forwarding[-1].dest='lan'

Allow incoming WireGuard connections:

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-WireGuard'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='51820'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].target='ACCEPT'

Commit firewall changes:

uci commit firewall

Step 5: Enable IP Forwarding

OpenWrt is a router, so net.ipv4.ip_forward is already 1 on a stock install. Check it rather than blindly appending (each run of the echo below adds another duplicate line to /etc/sysctl.conf):

sysctl net.ipv4.ip_forward

If it prints 0, enable it now and persist it:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1

Step 6: Apply Configuration

Restart network and firewall services:

/etc/init.d/network restart
/etc/init.d/firewall restart

Wait about 10 seconds for services to fully restart.
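The steps above as one re-runnable script. This is an added example, not part of the original guide: it assumes the interface is wg0, the subnet 10.0.0.0/24, UDP port 51820, and that the router's existing LAN zone is named lan. It generates the server key only if none exists, uses named uci sections so a second run updates rather than duplicates, adds the wg-to-lan forwarding, leaves masquerading to the wan zone, and rejects client-to-client forwarding. The uci/wg commands run only on the router; the helper functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent WireGuard server
# provisioning for OpenWrt, covering Part 1 Steps 2-6.
# Assumptions: interface wg0, subnet 10.0.0.0/24, UDP 51820, LAN zone "lan".
set -eu

WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
WG_ADDR="${WG_ADDR:-10.0.0.1/24}"
WG_DIR="${WG_DIR:-/etc/wireguard}"

# A WireGuard key is 32 random bytes, so its base64 form is exactly
# 43 characters plus one '=' of padding.  Returns 0 if well-formed.
wg_key_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Emit `uci batch` commands for the interface, zone, forwardings and the
# inbound port rule.  Named sections (firewall.wg_to_lan, ...) make re-runs
# and later removal unambiguous.  $1 = server private key.
server_uci_batch() {
    priv="$1"
    cat <<EOF
set network.${WG_IF}=interface
set network.${WG_IF}.proto='wireguard'
set network.${WG_IF}.private_key='${priv}'
set network.${WG_IF}.listen_port='${WG_PORT}'
add_list network.${WG_IF}.addresses='${WG_ADDR}'
set firewall.wg=zone
set firewall.wg.name='wg'
set firewall.wg.input='ACCEPT'
set firewall.wg.output='ACCEPT'
set firewall.wg.forward='REJECT'
add_list firewall.wg.network='${WG_IF}'
set firewall.wg_to_wan=forwarding
set firewall.wg_to_wan.src='wg'
set firewall.wg_to_wan.dest='wan'
set firewall.wg_to_lan=forwarding
set firewall.wg_to_lan.src='wg'
set firewall.wg_to_lan.dest='lan'
set firewall.allow_wg=rule
set firewall.allow_wg.name='Allow-WireGuard'
set firewall.allow_wg.src='wan'
set firewall.allow_wg.proto='udp'
set firewall.allow_wg.dest_port='${WG_PORT}'
set firewall.allow_wg.target='ACCEPT'
commit network
commit firewall
EOF
}

# Router-side part: keys, config, reload.  Only runs where uci and wg exist.
apply_server_config() {
    umask 077                      # key files are created root-only from the start
    mkdir -p "$WG_DIR"
    [ -s "$WG_DIR/server_private.key" ] || \
        wg genkey | tee "$WG_DIR/server_private.key" | wg pubkey > "$WG_DIR/server_public.key"
    priv=$(cat "$WG_DIR/server_private.key")
    wg_key_ok "$priv" || { echo "server_private.key is not a WireGuard key" >&2; return 1; }
    # clear list options first so a re-run replaces instead of appending
    uci -q delete "network.${WG_IF}.addresses" || true
    uci -q delete firewall.wg.network || true
    server_uci_batch "$priv" | uci batch
    /etc/init.d/network reload
    /etc/init.d/firewall reload
    echo "server public key: $(cat "$WG_DIR/server_public.key")"
}

if command -v uci >/dev/null 2>&1 && command -v wg >/dev/null 2>&1; then
    apply_server_config
fi
```

Run it as root on the router; on any other machine it only defines the functions, which is useful for reviewing the generated uci commands with server_uci_batch before applying them.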

Step 7: Verify Server Configuration

Check if WireGuard interface is running:

ip addr show wg0

You should see an interface with IP 10.0.0.1/24.

Check WireGuard status:

wg show

Verify the listening port. The UDP socket is owned by the kernel, so the program column will be empty; what matters is a 0.0.0.0:51820 line (wg show also prints the listening port):

netstat -ulnp | grep 51820

Part 2: Client Setup (Remote Device)

Step 1: Create Client Configuration File

Create a file named wg-remote.conf with the following content. AllowedIPs lists both 0.0.0.0/0 and ::/0: with only 0.0.0.0/0, a client that has native IPv6 keeps sending IPv6 traffic outside the tunnel, bypassing the VPN entirely. The tunnel carries no IPv6 in this setup, so ::/0 simply blackholes it, which is the safe default for a full-tunnel client.

[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = YOUR_ROUTER_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Replace the following:

  • YOUR_CLIENT_PRIVATE_KEY - Client private key from Step 2
  • YOUR_SERVER_PUBLIC_KEY - Server public key from Step 2
  • YOUR_ROUTER_PUBLIC_IP - Your router's public IP address

Step 2: Install WireGuard Client

Windows

  1. Download WireGuard from: https://www.wireguard.com/install/
  2. Install the application
  3. Click "Add Tunnel" → "Add empty tunnel" or import wg-remote.conf
  4. Click "Activate" to connect

macOS

  1. Install WireGuard from the App Store
  2. Open the app and click "Import tunnel(s) from file"
  3. Select your wg-remote.conf file
  4. Toggle the connection switch to ON

Linux

Install WireGuard:

# Ubuntu/Debian
sudo apt install wireguard

# Fedora
sudo dnf install wireguard-tools

# Arch Linux
sudo pacman -S wireguard-tools

Copy the configuration, make it root-only (it contains the private key), and connect:

sudo cp wg-remote.conf /etc/wireguard/
sudo chmod 600 /etc/wireguard/wg-remote.conf
sudo wg-quick up wg-remote

To disconnect:

sudo wg-quick down wg-remote

Android

  1. Install "WireGuard" from Google Play Store
  2. Tap the "+" button
  3. Select "Create from file or archive"
  4. Choose your wg-remote.conf file
  5. Toggle the connection switch to ON

iOS

  1. Install "WireGuard" from the App Store
  2. Tap "Add a tunnel"
  3. Select "Create from file or archive"
  4. Choose your wg-remote.conf file
  5. Toggle the connection switch to ON

Part 3: Testing and Verification

Test Connection

After connecting to the VPN, verify your setup:

Check your public IP address:

curl ifconfig.me

You should see your router's public IP address.

Test basic connectivity:

ping 8.8.8.8
ping 10.0.0.1

Visit an IP checker website:

Open your browser and visit https://whatismyip.com - it should show your router's IP address.

Monitor Connection on Server

On the OpenWrt router, check connected clients:

wg show

You should see:

  • Client's endpoint (remote IP)
  • Latest handshake timestamp
  • Data transfer statistics
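Reading wg show by eye does not scale past a handful of peers, and it does not tell you which peers have gone quiet. The script below is an added example, not part of the original guide: it parses the machine-readable form of the same data, wg show wg0 dump, and classifies each peer as OK, STALE (last handshake older than MAX_AGE seconds) or NEVER (no handshake at all, which for a configured peer usually means a wrong key, wrong endpoint or a blocked port). It assumes the interface is wg0 and a default MAX_AGE of 180 seconds (WireGuard re-handshakes roughly every two minutes while traffic flows). The sample dump is constructed for the example; on a router with wg0 up the live dump is used instead.

```shell
#!/bin/sh
# Added example (not from the original guide): audit WireGuard peers from
# `wg show wg0 dump`.  Assumptions: interface wg0, MAX_AGE 180 seconds.
set -eu

WG_IF="${WG_IF:-wg0}"
MAX_AGE="${MAX_AGE:-180}"

# Constructed sample of `wg show wg0 dump` output (real output is
# tab-separated; awk's default field splitting accepts both tabs and spaces).
# Line 1 is the interface: private key, public key, listen port, fwmark.
# Each further line is a peer: public key, preshared key, endpoint,
# allowed IPs, last handshake (epoch seconds, 0 = never), rx bytes,
# tx bytes, persistent keepalive.
sample_dump() {
    cat <<'EOF'
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKK= aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkk= 51820 off
P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P= (none) 203.0.113.7:41000 10.0.0.2/32 1699999950 1234567 7654321 off
P2P2P2P2P2P2P2P2P2P2P2P2P2P2P2P2P2P2P2P2P2P= (none) (none) 10.0.0.3/32 0 0 0 off
P3P3P3P3P3P3P3P3P3P3P3P3P3P3P3P3P3P3P3P3P3P= (none) 198.51.100.9:5555 10.0.0.4/32 1699990000 100 200 off
EOF
}

# One line per peer: STATUS pubkey allowed-ips endpoint handshake-age
# $1 = dump text, $2 = current time as epoch seconds
peer_report() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$MAX_AGE" '
        NR == 1 { next }                         # skip the interface line
        {
            hs = $5 + 0
            if (hs == 0)             { st = "NEVER"; age = "-" }
            else if (now - hs > max) { st = "STALE"; age = now - hs }
            else                     { st = "OK";    age = now - hs }
            printf "%s %s %s %s %s\n", st, $1, $4, $3, age
        }'
}

# Number of peers with a given status (OK, STALE or NEVER).
count_status() {
    peer_report "$1" "$2" | awk -v s="$3" '$1 == s { n++ } END { print n + 0 }'
}

# Returns 0 when every peer is OK, 1 otherwise (and prints the offenders),
# so it can be run from cron and alert on a non-zero exit.
check_peers() {
    peer_report "$1" "$2" | grep -v '^OK ' || return 0
    return 1
}

if dump=$(wg show "$WG_IF" dump 2>/dev/null); then
    now=$(date +%s)
else
    dump=$(sample_dump)       # no wg0 here: demonstrate on the constructed sample
    now=1700000000
fi
peer_report "$dump" "$now"
```

On the sample data this reports the first peer OK (handshake 50 s ago), the second NEVER and the third STALE (handshake 10000 s ago). A peer that shows an endpoint you do not recognise deserves the same attention as a stale one: it means that peer's private key is being used from somewhere new.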

Troubleshooting

Client Can't Connect

Check server status:

# Verify WireGuard is running
wg show

# Check if interface exists
ip addr show wg0

# Verify port is listening
netstat -ulnp | grep 51820

Check firewall. OpenWrt 22.03 and later use fw4, which is nftables-based, and iptables is not installed by default, so inspect the generated ruleset instead:

# Rules fw4 generates for the wg zone and the 51820 port rule
fw4 print | grep -E 'wg|51820'

# Or the ruleset that is actually loaded
nft list ruleset | grep -E 'wg|51820'

On OpenWrt 21.02 and earlier (fw3, iptables) the classic commands apply:

iptables -L -n -v | grep 10.0.0
iptables -t nat -L -n -v

No Internet After Connecting

Verify IP forwarding:

cat /proc/sys/net/ipv4/ip_forward

Should return 1. If not:

echo 1 > /proc/sys/net/ipv4/ip_forward

Check NAT rules. The masquerade that gives VPN clients internet access is the wan zone's, which applies to everything leaving wan, the VPN subnet included:

# fw4 (OpenWrt 22.03+)
nft list chain inet fw4 srcnat_wan

# fw3 (OpenWrt 21.02 and earlier)
iptables -t nat -L POSTROUTING -n -v

You should see a masquerade rule in the wan zone's chain. If it is missing, the wan zone has masq disabled, which breaks internet access for the LAN as well as the VPN.

Check routing:

ip route

Slow Connection

Reduce MTU in the client config. WireGuard's default is already 1420 (1500 minus its own overhead), so 1420 changes nothing; if the router's WAN is PPPoE or behind another tunnel, try 1380, and 1280 if that still stalls on large transfers:

[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 8.8.8.8
MTU = 1380

Check server logs. The WireGuard kernel module is deliberately quiet, so most of what you will find is netifd bringing wg0 up or down; the handshake timestamp in wg show is the better health signal:

logread | grep -iE 'wireguard|wg0'

Advanced Configuration

Using Custom DNS Servers

Replace the DNS line in your client configuration. Pointing clients at the router keeps DNS inside the tunnel and lets them resolve names of LAN devices; it requires dnsmasq on the router to answer on wg0, which the wg zone's input='ACCEPT' allows.

# Use router as DNS
DNS = 10.0.0.1

# Use Cloudflare
DNS = 1.1.1.1, 1.0.0.1

# Use Google DNS
DNS = 8.8.8.8, 8.8.4.4

# Use Quad9
DNS = 9.9.9.9, 149.112.112.112

Split Tunneling (Route Only Specific Traffic)

To route only certain networks through the VPN, replace 0.0.0.0/0 in AllowedIPs with the ranges that should go through the tunnel. They must be networks the router can actually reach, and for the router's LAN the wg-to-lan forwarding must exist. Note that with a split tunnel the DNS line is no longer protected unless it points at something inside the listed ranges (for example the router at 10.0.0.1), and IPv6 is not blocked.

# Route only the VPN subnet and the remote LAN
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24

Adding Multiple Clients

For each additional client, generate a new key pair (ideally on the client itself, copying only the public key to the router) and add a peer with its own unused tunnel address:

# Generate new client keys
wg genkey | tee /etc/wireguard/client2_private.key | wg pubkey > /etc/wireguard/client2_public.key

# Add peer
CLIENT2_PUBLIC_KEY=$(cat /etc/wireguard/client2_public.key)
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].public_key="$CLIENT2_PUBLIC_KEY"
uci set network.@wireguard_wg0[-1].description='Client_2'
uci add_list network.@wireguard_wg0[-1].allowed_ips='10.0.0.3/32'
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
uci commit network
ifup wg0

ifup wg0 re-reads the configuration for that one interface, so you do not need a full network restart (which briefly drops every interface, including the one your SSH session came in on).

Create a new client config with Address = 10.0.0.3/24.
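The client-side config from Part 2 Step 1 and the per-peer server commands above are the two halves of one operation, so here they are as a single onboarding script. This is an added example, not part of the original guide. It assumes interface wg0, subnet 10.0.0.0/24, the server public key in /etc/wireguard/server_public.key, and ENDPOINT set to the router's public address and port; the client name and tunnel IP are passed as arguments. Beyond the manual steps it adds a preshared key per peer (a symmetric second layer over the Curve25519 handshake, generated with wg genpsk), routes ::/0 as well as 0.0.0.0/0 so a dual-stack client cannot leak IPv6 around the tunnel, and writes the client config readable by root only. The router-side part runs only where uci and wg exist; the two render functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the original guide): onboard one WireGuard client.
# Assumptions: interface wg0, subnet 10.0.0.0/24, server public key in
# $WG_DIR/server_public.key, ENDPOINT = router's public host:port.
set -eu

WG_IF="${WG_IF:-wg0}"
WG_DIR="${WG_DIR:-/etc/wireguard}"
ENDPOINT="${ENDPOINT:-YOUR_ROUTER_PUBLIC_IP:51820}"
DNS="${DNS:-10.0.0.1}"

# uci section names may only contain [A-Za-z0-9_]; derive one from the
# human-readable client name so a re-run for the same client is idempotent.
section_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_'
}

# Emit `uci batch` commands for one peer.
# $1 client name, $2 client public key, $3 tunnel IP (no prefix), $4 preshared key
peer_uci_batch() {
    sec=$(section_name "$1")
    cat <<EOF
set network.${sec}=wireguard_${WG_IF}
set network.${sec}.description='$1'
set network.${sec}.public_key='$2'
set network.${sec}.preshared_key='$4'
add_list network.${sec}.allowed_ips='$3/32'
commit network
EOF
}

# Render the client-side config (the wg-remote.conf of Part 2).
# $1 client private key, $2 server public key, $3 preshared key,
# $4 tunnel IP (no prefix), $5 endpoint host:port, $6 DNS server(s)
# AllowedIPs includes ::/0: without it IPv6 bypasses the tunnel on dual-stack clients.
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $4/24
DNS = $6

[Peer]
PublicKey = $2
PresharedKey = $3
Endpoint = $5
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Router-side: generate keys (see the Step 2 caveat: ideally the client makes
# its own private key and only the public key comes here), register the peer,
# write the client config.  $1 client name, $2 tunnel IP.
onboard_client() {
    name="$1"; ip="$2"
    umask 077
    mkdir -p "$WG_DIR/clients"
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    psk=$(wg genpsk)
    server_pub=$(cat "$WG_DIR/server_public.key")
    # clear any previous allowed_ips so a re-run replaces instead of appending
    uci -q delete "network.$(section_name "$name").allowed_ips" || true
    peer_uci_batch "$name" "$pub" "$ip" "$psk" | uci batch
    render_client_conf "$priv" "$server_pub" "$psk" "$ip" "$ENDPOINT" "$DNS" \
        > "$WG_DIR/clients/$name.conf"
    ifup "$WG_IF"          # re-reads /etc/config/network for wg0 only
    echo "wrote $WG_DIR/clients/$name.conf: copy it to the client, then delete it here"
}

if command -v uci >/dev/null 2>&1 && command -v wg >/dev/null 2>&1; then
    onboard_client "${1:-laptop}" "${2:-10.0.0.3}"
fi
```

Usage on the router: ENDPOINT=vpn.example.net:51820 sh onboard.sh "alice phone" 10.0.0.3 (the hostname is a placeholder). Move the resulting .conf to the device over a channel you trust and remove it from the router afterwards; the router only needs the public key and preshared key it has already stored in /etc/config/network.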

Monitoring Data Usage

Real-time monitoring:

watch -n 2 wg show

Check interface statistics:

ip -s link show wg0

Install bandwidth monitor:

opkg install iftop
iftop -i wg0

Security Best Practices

  1. Keep private keys on the device that uses them - The server key stays on the router; client keys are ideally generated on the client and never copied elsewhere
  2. Use strong firewall rules - Only UDP 51820 from WAN; if you don't need router administration from the VPN, set the wg zone's input to REJECT and allow just DNS
  3. Add a preshared key per peer - wg genpsk on the router, preshared_key in the peer section, PresharedKey in the client config; a symmetric second layer on top of the Curve25519 handshake
  4. Regular updates - Keep OpenWrt and WireGuard updated
  5. Unique keys per client - One key pair per device, so a lost phone is revoked by deleting one peer instead of re-keying everyone
  6. Monitor connections - wg show only lists peers you configured, so what to look for is handshakes from endpoints you don't recognise and peers for devices you have retired; delete those
  7. Disable when not needed - Turn off VPN when not in use

Maintenance

Update WireGuard

wireguard-tools can be updated with opkg, but kmod-wireguard is built against the exact kernel of your OpenWrt release and opkg upgrade of kernel modules is not supported across releases. The supported path is to flash the next OpenWrt release with sysupgrade (which brings the new kernel module) and reinstall the user-space packages:

opkg update
opkg upgrade wireguard-tools

Backup Configuration

# Backup keys (this archive contains the private keys: store it encrypted or offline)
tar -czf wireguard-backup.tar.gz /etc/wireguard/

# Backup OpenWrt config (note that /etc/config/network, and therefore the
# server private key, is inside this archive too)
sysupgrade -b backup.tar.gz

Remove WireGuard

If you need to uninstall:

# Bring the interface down the netifd way (ifconfig bypasses netifd)
ifdown wg0

# Remove configuration.  '[-1]' means "the last section of that type",
# which is only the WireGuard one if nothing else was added afterwards;
# check with `uci show firewall` and `uci show network | grep wireguard_wg0`
# and delete by index if in doubt.  Repeat the wireguard_wg0 delete once
# per peer and the forwarding delete once per forwarding you added.
uci delete network.wg0
uci delete network.@wireguard_wg0[-1]
uci delete firewall.wg
uci delete firewall.@forwarding[-1]
uci delete firewall.@rule[-1]
uci commit

# Remove packages
opkg remove wireguard-tools luci-proto-wireguard kmod-wireguard

# Remove key files (they are also still in any backup you made)
rm -rf /etc/wireguard

# Restart services
/etc/init.d/network restart
/etc/init.d/firewall restart

Conclusion

You now have a fully functional WireGuard VPN connecting your remote device to your home network. This setup provides:

  • Fast, modern encryption
  • Low latency connection
  • Secure remote access
  • Simple configuration and maintenance

Enjoy your secure connection!


Quick Reference

Common Commands

# Server (OpenWrt)
wg show                    # Show status
ip addr show wg0          # Check interface
/etc/init.d/network restart   # Restart network

# Client (Linux)
sudo wg-quick up wg-remote    # Connect
sudo wg-quick down wg-remote  # Disconnect
sudo wg show                   # Show status

Default Values

  • Server IP: 10.0.0.1/24
  • Client IP: 10.0.0.2/24
  • VPN Port: 51820/UDP
  • Keepalive: 25 seconds

Important Files

  • Keys: /etc/wireguard/*.key
  • Network Config: /etc/config/network
  • Firewall Config: /etc/config/firewall
  • Client Config: wg-remote.conf