A VPN (Virtual Private Network) server lets you reach your home network and its resources from anywhere in the world. It also lets you use the internet securely and privately by routing your traffic through the VPN server, which is useful when you are on a public WiFi network at a coffee shop or airport.
WireGuard is a modern VPN protocol that is fast, secure and easy to set up. It is supported by most operating systems and devices, including Linux, Windows, macOS, Android and iOS.
In this guide, I will show you how to set up a WireGuard VPN server on your OpenWrt router.
- An OpenWrt router
- A publicly accessible IPv4 address (required)
- A domain name (optional)
First we need to install the WireGuard packages on OpenWrt. SSH into your router and run the following commands:

```sh
opkg update
opkg install luci-proto-wireguard qrencode
```
Now, log in to the LuCI web interface and go to Network > Interfaces. Click on Add new interface..., type `wg0` (or whatever you prefer) in the name field and choose WireGuard VPN as the protocol. Click on Create interface.
- Edit the newly created interface and click on Generate new keypair. This will generate a private and public key for the VPN server.
- Also set the Listen port to `51820` (or whatever you prefer).
- For the IP Addresses field, enter the subnet you want to use for the VPN clients. For example,
- We also need to create a new firewall zone for the VPN interface. Go to Network > Firewall and click on Add. Enter `vpn` (or whatever you prefer) in the Name field. Allow input and output. Choose `wg0` as the Covered networks, and allow forward to destination zones `lan` and `wan` (our LAN and internet connection respectively), as well as forward from source zone `lan`. This way the VPN clients can reach the internet and the LAN, while the LAN is still not accessible directly from the internet.
- Now we also need to set up the peers, which are the clients that will connect to the VPN server. Go to the `wg0` interface settings and add a new peer, generating a new keypair for the peer as well. Set the Allowed IPs to the client's IP inside the VPN (e.g. `10.1.99.20/32`) and set the Persistent keepalive to `25`. This helps keep the connection alive behind NATs.
- As we installed the `qrencode` package, we can generate a QR code for the client configuration. Click on Show QR code and scan it with the WireGuard app on your device. Here you can also set the connection endpoint to a domain name that points to your router's public IP address (for example via Cloudflare or another DDNS service).
Each time we create a new peer we also need to restart the WireGuard
Finally, we need to create a firewall port forward rule to allow incoming connections to the WireGuard server. Go to Network > Firewall and click on Add. Enter `vpn` (or whatever you prefer) in the Name field. Choose `wan` as the source zone, external port `51820` and forward it to destination zone `lan`, internal IP address of your router and port
- Now you should be able to connect to your WireGuard VPN server from another device (such as a phone).
Tip: forward another port to your WireGuard server
This is useful if you're behind a firewall that blocks port `51820` or if you want to use a different port for your WireGuard server. In this example, we will forward port `53` (DNS) to our WireGuard server.
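As an added example (not code from the original post), the following Python script assembles the peer section OpenWrt stores in /etc/config/network for one client and the matching client .conf that the QR code carries, checking that the peer address is a single /32 host inside the tunnel subnet. The key strings are constructed placeholders, the client-side AllowedIPs of 0.0.0.0/0 (full tunnel) is an assumption, and the endpoint port is kept separate from the listen port so the port 53 tip above only changes what the client dials.

```python
import ipaddress

# Constructed placeholder keys for the demo: not real WireGuard keys.
SERVER_PUB = "SERVER_PUBLIC_KEY_PLACEHOLDER="
CLIENT_PRIV = "CLIENT_PRIVATE_KEY_PLACEHOLDER="
CLIENT_PUB = "CLIENT_PUBLIC_KEY_PLACEHOLDER="


def build_peer(name, vpn_subnet, client_ip, server_pub, client_priv, client_pub,
               endpoint_host, listen_port=51820, endpoint_port=None,
               client_allowed_ips="0.0.0.0/0", keepalive=25):
    """Return (uci_peer_section, client_conf) for one WireGuard client.

    vpn_subnet is the wg0 address with prefix (e.g. 10.1.99.1/24) and client_ip
    the /32 entered as the peer's Allowed IPs. endpoint_port is what the client
    dials; it differs from listen_port only when another external port (e.g. 53)
    is forwarded to the server. AllowedIPs 0.0.0.0/0 on the client routes all of
    its traffic through the tunnel (an assumption, not stated by the guide).
    """
    server = ipaddress.ip_interface(vpn_subnet)
    client = ipaddress.ip_interface(client_ip)
    # The server-side Allowed IPs must be exactly one host address ...
    if client.network.prefixlen != 32:
        raise ValueError(f"client address must be a /32, got {client}")
    # ... that lies inside the tunnel subnet and is not the server's own address.
    if client.ip not in server.network or client.ip == server.ip:
        raise ValueError(f"{client.ip} is not a free address in {server.network}")
    endpoint_port = endpoint_port or listen_port
    # Peer section as stored in /etc/config/network (wireguard_<ifname>).
    uci = "\n".join([
        "config wireguard_wg0",
        f"\toption description '{name}'",
        f"\toption public_key '{client_pub}'",
        f"\tlist allowed_ips '{client}'",
        f"\toption persistent_keepalive '{keepalive}'",
        "\toption route_allowed_ips '1'",
    ])
    # Client-side .conf, i.e. what the WireGuard app imports from the QR code.
    conf = "\n".join([
        "[Interface]",
        f"PrivateKey = {client_priv}",
        f"Address = {client}",
        "",
        "[Peer]",
        f"PublicKey = {server_pub}",
        f"AllowedIPs = {client_allowed_ips}",
        f"Endpoint = {endpoint_host}:{endpoint_port}",
        f"PersistentKeepalive = {keepalive}",
    ])
    return uci, conf
```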
In this guide, we learned how to set up our own VPN server using open source technologies such as WireGuard and OpenWrt, allowing us to securely access our home network from the internet. Thanks for reading, and feel free to experiment with different setups, like a site-to-site VPN or a VPN client on your router!