WireGuard VPN Setup Guide for OpenWrt Router

Overview

This guide will help you set up a WireGuard VPN server on an OpenWrt router to securely access your remote network from another location. WireGuard is faster, simpler, and more secure than traditional VPN solutions like OpenVPN.

What You'll Need

  • OpenWrt router at Location A (server) with public IP
  • Client device at Location B (your remote location)
  • SSH access to your OpenWrt router
  • Basic command line knowledge

Network Architecture


Part 1: Server Setup (OpenWrt Router)

Step 1: Install WireGuard Packages

Connect to your router via SSH:

Update package list and install WireGuard:

Step 2: Generate Encryption Keys

Create the WireGuard directory:

Generate server keys:

Generate client keys:

Set appropriate permissions:

Display and save your keys (you'll need these later):

Important: Copy all four keys to a safe location!
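One way to carry out the key generation and permission steps above, as an added example that is not the original guide's code. The function names and the `<name>_private.key` / `<name>_public.key` file naming are assumptions; only the `/etc/wireguard/*.key` location comes from this guide.

```shell
#!/bin/sh
# Added example: create a WireGuard key pair with owner-only permissions and
# audit a key directory for files that group or others can read.
# Uses `stat -c`, as provided by BusyBox and GNU coreutils.

# gen_keypair DIR NAME
# Writes DIR/NAME_private.key and DIR/NAME_public.key (names are an assumption).
gen_keypair() {
    dir=$1 name=$2
    (
        # Set umask before any file exists so the private key is never
        # world-readable, not even briefly before a later chmod.
        umask 077
        mkdir -p "$dir" || exit 1
        wg genkey | tee "$dir/${name}_private.key" | wg pubkey > "$dir/${name}_public.key"
    )
}

# audit_key_perms DIR
# Prints every *.key file whose mode grants any group/other access.
# Returns 0 when all key files are owner-only, 1 otherwise.
audit_key_perms() {
    dir=$1 bad=0
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            0|*00) ;;                          # 600, 400, 700: owner only
            *) echo "$f has mode $mode"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Typical use on the router:
#   gen_keypair /etc/wireguard server
#   gen_keypair /etc/wireguard client
#   audit_key_perms /etc/wireguard
```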

Step 3: Configure WireGuard Interface

Store keys in variables for easy configuration:

Create WireGuard network interface:

Add client peer configuration:

Commit network configuration:

Step 4: Configure Firewall Rules

Create a dedicated WireGuard firewall zone:

Allow traffic forwarding from WireGuard to WAN:

Allow incoming WireGuard connections:

Commit firewall changes:

Step 5: Enable IP Forwarding

Enable packet forwarding to route traffic through the VPN:

Step 6: Apply Configuration

Restart network and firewall services:

Wait about 10 seconds for services to fully restart.

Step 7: Verify Server Configuration

Check if WireGuard interface is running:

You should see an interface with IP 10.0.0.1/24.

Check WireGuard status:

Verify the listening port:


Part 2: Client Setup (Remote Device)

Step 1: Create Client Configuration File

Create a file named wg-remote.conf with the following content:

Replace the following:

  • YOUR_CLIENT_PRIVATE_KEY - Client private key from Step 2
  • YOUR_SERVER_PUBLIC_KEY - Server public key from Step 2
  • YOUR_ROUTER_PUBLIC_IP - Your router's public IP address
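The substitution described above, as an added example that is not the original guide's configuration: it writes `wg-remote.conf` from this guide's default values and refuses to write a file that still contains a placeholder or a malformed key. The function names are assumptions, `AllowedIPs = 0.0.0.0/0` is assumed from the full-tunnel behaviour tested in Part 3, and the DNS line is left out because its value is not given here.

```shell
#!/bin/sh
# Added example: render wg-remote.conf with owner-only permissions.

# A WireGuard key is 32 bytes, i.e. 43 base64 characters followed by "=".
is_wg_key() { printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# render_client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY ROUTER_PUBLIC_IP OUTFILE
render_client_conf() {
    priv=$1 server_pub=$2 endpoint_ip=$3 out=$4
    # An unreplaced YOUR_..._KEY placeholder fails this format check too.
    is_wg_key "$priv" || { echo "client private key is not a valid key" >&2; return 1; }
    is_wg_key "$server_pub" || { echo "server public key is not a valid key" >&2; return 1; }
    case "$endpoint_ip" in
        ''|*YOUR_*) echo "router public IP is missing" >&2; return 1 ;;
    esac
    (
        umask 077
        cat > "$out" <<EOF
[Interface]
PrivateKey = $priv
Address = 10.0.0.2/24

[Peer]
PublicKey = $server_pub
Endpoint = $endpoint_ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
        # umask does not tighten a file that already existed with a looser mode.
        chmod 600 "$out"
    )
}
```

The file holds the client private key, so it should be transferred to the client over an encrypted channel and deleted from any intermediate location.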

Step 2: Install WireGuard Client

Windows

  1. Download WireGuard from: https://www.wireguard.com/install/
  2. Install the application
  3. Click "Add Tunnel" → "Add empty tunnel" or import wg-remote.conf
  4. Click "Activate" to connect

macOS

  1. Install WireGuard from the App Store
  2. Open the app and click "Import tunnel(s) from file"
  3. Select your wg-remote.conf file
  4. Toggle the connection switch to ON

Linux

Install WireGuard:

Copy configuration and connect:

To disconnect:

Android

  1. Install "WireGuard" from Google Play Store
  2. Tap the "+" button
  3. Select "Create from file or archive"
  4. Choose your wg-remote.conf file
  5. Toggle the connection switch to ON

iOS

  1. Install "WireGuard" from the App Store
  2. Tap "Add a tunnel"
  3. Select "Create from file or archive"
  4. Choose your wg-remote.conf file
  5. Toggle the connection switch to ON

Part 3: Testing and Verification

Test Connection

After connecting to the VPN, verify your setup:

Check your public IP address:

You should see your router's public IP address.

Test basic connectivity:

Visit an IP checker website:

Open your browser and visit https://whatismyip.com - it should show your router's IP address.

Monitor Connection on Server

On the OpenWrt router, check connected clients:

You should see:

  • Client's endpoint (remote IP)
  • Latest handshake timestamp
  • Data transfer statistics

Troubleshooting

Client Can't Connect

Check server status:

Check firewall:

No Internet After Connecting

Verify IP forwarding:

Should return 1. If not:

Check NAT rules:

You should see a MASQUERADE rule for the WireGuard subnet.

Check routing:

Slow Connection

Reduce MTU in client config:

Check server logs:


Advanced Configuration

Using Custom DNS Servers

Replace the DNS line in your client configuration:

Split Tunneling (Route Only Specific Traffic)

To route only certain networks through the VPN, modify AllowedIPs:

Adding Multiple Clients

For each additional client, generate new keys and add a peer:

Create a new client config with Address = 10.0.0.3/24.

Monitoring Data Usage

Real-time monitoring:

Check interface statistics:

Install bandwidth monitor:


Security Best Practices

  1. Keep private keys secure - Never share your private keys
  2. Use strong firewall rules - Only allow necessary ports
  3. Regular updates - Keep OpenWrt and WireGuard updated
  4. Unique keys per client - Generate separate keys for each device
  5. Monitor connections - Regularly check wg show for unauthorized peers
  6. Disable when not needed - Turn off VPN when not in use
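A way to automate item 5, as an added example that is not part of the original guide: it compares the peers reported by `wg show <interface> dump` against a file of expected public keys. The function name, the allowlist path and the interface name `wg0` in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: flag peers on the WireGuard interface that are not on an
# allowlist of expected client public keys (one key per line, "#" comments ok).

# audit_peers ALLOWLIST   (expects `wg show <interface> dump` output on stdin)
# Prints one line per unknown peer and returns 1 if any were found.
audit_peers() {
    awk -F '\t' -v allow="$1" '
        BEGIN {
            # Load the allowlist up front. If the file is missing or empty the
            # set stays empty and every peer is reported (fails closed).
            while ((getline line < allow) > 0)
                if (line != "" && line !~ /^#/) ok[line] = 1
        }
        # Line 1 describes the interface and contains its PRIVATE key:
        # skip it and never echo it into logs.
        NR == 1 { next }
        # Peer fields: public-key, preshared-key, endpoint, allowed-ips,
        # latest-handshake (epoch seconds, 0 = never), rx, tx, keepalive.
        !($1 in ok) {
            printf "UNAUTHORIZED peer=%s endpoint=%s allowed_ips=%s last_handshake=%s rx=%s tx=%s\n",
                   $1, $3, $4, $5, $6, $7
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Typical use on the router (wg0 and the allowlist path are assumptions):
#   wg show wg0 dump | audit_peers /etc/wireguard/allowed_peers.txt \
#       || logger -t wg-audit "unexpected WireGuard peer configured"
```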

Maintenance

Update WireGuard

Backup Configuration

Remove WireGuard

If you need to uninstall:


Conclusion

You now have a fully functional WireGuard VPN connecting your remote device to your home network. This setup provides:

  • Fast, modern encryption
  • Low latency connection
  • Secure remote access
  • Simple configuration and maintenance

Enjoy your secure connection!


Quick Reference

Common Commands

Default Values

  • Server IP: 10.0.0.1/24
  • Client IP: 10.0.0.2/24
  • VPN Port: 51820/UDP
  • Keepalive: 25 seconds

Important Files

  • Keys: /etc/wireguard/*.key
  • Network Config: /etc/config/network
  • Firewall Config: /etc/config/firewall
  • Client Config: wg-remote.conf