Introduction
A VPN (Virtual Private Network) server allows you to easily access your home network and its resources from anywhere in the world. It also allows you to access the internet securely and privately by routing your traffic through the VPN server, which can be useful when you are using a public WiFi network at a coffee shop or airport.
WireGuard is a modern VPN protocol that is fast, secure and easy to set up. It is supported by most operating systems and devices including Linux, Windows, macOS, Android and iOS.
In this guide, I will show you how to set up a WireGuard VPN server on your OpenWrt router.
Prerequisites
- An OpenWrt router
- A publicly accessible IPv4 address (required)
- A domain name (optional)
Setup
- First we need to install the WireGuard packages on OpenWrt. SSH into your router and run the following commands:
- Now, log in to the LuCI web interface and go to Network > Interfaces. Click on Add new interface..., type wg0 (or whatever you prefer) in the name field and choose WireGuard VPN as the protocol. Click on Create interface.
- Edit the newly created interface and click on Generate new keypair. This will generate a private and public key for the VPN server.
- Also set the Listen port to 51820 (or whatever you prefer).
- For the IP Addresses field, enter the subnet you want to use for the VPN clients. For example, 10.1.99.1/24.
- We also need to create a new firewall zone for the VPN interface. Go to Network > Firewall and click on Add. Enter vpn (or whatever you prefer) in the Name field. Allow input and output. Choose wg0 as the Covered networks, allow forward to destination zones lan and wan (our LAN and internet connection respectively), and allow forward from source zone lan. This way the VPN clients can access the internet and the LAN network, but the VPN zone is not accessible directly from the internet.
- Now, we also need to set up the peers, which are the clients that will connect to the VPN server. Go to the wg0 interface settings and add a new peer, also generating a new keypair for the peer. Set the Allowed IPs to the IP of the client inside the VPN (e.g. 10.1.99.20/32) and set the Persistent keepalive to 25. This will help keep the connection alive behind NATs.
- As we installed the qrencode package, we can generate the QR code for the client configuration. Click on Show QR code and scan it with the WireGuard app on your device. Here you can also set the connection endpoint to a domain name that points to your router's public IP address (via Cloudflare or another DDNS service).
- Each time we create a new peer we also need to restart the WireGuard wg0 interface.
- Finally, we need to create a firewall port forward rule to allow incoming connections to the WireGuard server. Go to Network > Firewall and click on Add. Enter vpn (or whatever you prefer) in the Name field. Choose wan as the source zone, external port 51820, and forward it to destination zone lan, the internal IP address of your router and port 51820.
- Now, you should be able to connect to your WireGuard VPN server from another device (such as a phone).
Tip: forward another port to your WireGuard server
This is useful if you're behind a firewall that blocks port 51820 or if you want to use a different port for your WireGuard server. In this example, we will forward port 53 (DNS) to our WireGuard server.
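As an added example that is not part of the original guide, the following script expresses the LuCI steps above, and the tip about forwarding a different external port, as the equivalent uci commands typed into the SSH session. It prints the commands instead of running them so they can be reviewed offline first, and it refuses a peer address that is not a single /32 inside the VPN subnet, since a wider Allowed IPs entry would route traffic for other addresses to that peer. The interface name, ports, addresses and key strings are placeholders I chose, as are the section name wg0_peer1, the peer description "phone" and the redirect name "wireguard".

```shell
#!/bin/sh
# Added example, not the guide's own code: emit the uci commands that mirror
# the LuCI steps, plus a sanity check on the peer address. Keys are
# placeholders; generate real ones on the router with
#   wg genkey | tee server.key | wg pubkey > server.pub

# Dotted IPv4 -> integer, using only POSIX sh arithmetic.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds only if $1 (host/prefix, e.g. 10.1.99.20/32) is a single /32 that
# lies inside the VPN subnet $2 (e.g. 10.1.99.1/24). A peer whose Allowed IPs
# is wider than /32 would be handed traffic for addresses it does not own.
peer_in_subnet() {
    peer=${1%/*}; plen=${1#*/}
    net=${2%/*};  nlen=${2#*/}
    [ "$plen" = "32" ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - nlen)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$peer") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the uci equivalent of the guide's steps.
#   $1 interface name   $2 listen port   $3 server address/prefix
#   $4 server private key   $5 peer public key   $6 peer address/32
#   $7 router LAN IP   $8 external port to forward (defaults to $2; 53 for the tip)
wg_uci_commands() {
    ifname=$1 port=$2 subnet=$3 privkey=$4 peer_pub=$5 peer_ip=$6 lan_ip=$7
    ext_port=${8:-$2}
    peer_in_subnet "$peer_ip" "$subnet" || {
        echo "peer $peer_ip must be a /32 inside $subnet" >&2; return 1; }
    cat <<EOF
# Interface (Network > Interfaces): protocol, keypair, listen port, subnet
uci set network.${ifname}=interface
uci set network.${ifname}.proto='wireguard'
uci set network.${ifname}.private_key='${privkey}'
uci set network.${ifname}.listen_port='${port}'
uci add_list network.${ifname}.addresses='${subnet}'
# Peer: section type is wireguard_<ifname>; name and description are placeholders
uci set network.${ifname}_peer1=wireguard_${ifname}
uci set network.${ifname}_peer1.description='phone'
uci set network.${ifname}_peer1.public_key='${peer_pub}'
uci add_list network.${ifname}_peer1.allowed_ips='${peer_ip}'
uci set network.${ifname}_peer1.persistent_keepalive='25'
# Firewall zone vpn covering the interface: input/output accepted,
# forwarding only through the explicit zone forwardings below
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='${ifname}'
# Zone forwardings: vpn -> lan, vpn -> wan, lan -> vpn (nothing from wan)
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'
# Port forward: wan:${ext_port}/udp -> router ${lan_ip}:${port}
uci add firewall redirect
uci set firewall.@redirect[-1].name='wireguard'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].proto='udp'
uci set firewall.@redirect[-1].src_dport='${ext_port}'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='${lan_ip}'
uci set firewall.@redirect[-1].dest_port='${port}'
uci commit network
uci commit firewall
# Restart, as the guide says to do after adding a peer
/etc/init.d/network restart
/etc/init.d/firewall restart
EOF
}

# Dry run with placeholder values (constructed, not real keys):
wg_uci_commands wg0 51820 10.1.99.1/24 SERVER_PRIVATE_KEY_HERE \
    PEER_PUBLIC_KEY_HERE 10.1.99.20/32 192.168.1.1 53
```

Read the printed commands before piping them into sh on the router. The redirect follows the guide's port-forward approach: the router keeps listening on the configured listen port and the forward only rewrites the external port, which is exactly how the port 53 tip works. When the external and internal ports are the same, an ACCEPT traffic rule on the wan zone for udp/51820 is the usual alternative for a service that runs on the router itself.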
Conclusion
In this guide, we learned to set up our own VPN server using open source technologies such as WireGuard and OpenWrt, allowing us to securely access our home network from the internet. Thanks for reading, and feel free to experiment with different setups like a site-to-site VPN or a VPN client on your router!