How to setup a WireGuard VPN server on OpenWrt

A guide on how to setup a WireGuard VPN server on your OpenWrt router and easily access your home network from anywhere.

Victor Bayas
January 27, 2024
4 min read

Introduction

A VPN (Virtual Private Network) server allows you to easily access your home network and its resources from anywhere in the world. It also allows you to access the internet securely and privately by routing your traffic through the VPN server, which is useful when you are on a public WiFi network at a coffee shop or airport.

WireGuard is a modern VPN protocol that is fast, secure and easy to set up. It is supported by most operating systems and devices, including Linux, Windows, macOS, Android and iOS.

In this guide, I will show you how to set up a WireGuard VPN server on your OpenWrt router.

Prerequisites

  • An OpenWrt router
  • A publicly accessible IPv4 address (required)
  • A domain name (optional)

Setup

  1. First we need to install the WireGuard packages on OpenWrt. SSH into your router and run the following commands:


    opkg update
    opkg install luci-proto-wireguard qrencode

  2. Now, log in to the LuCI web interface and go to Network > Interfaces. Click on Add new interface..., type wg0 (or whatever you prefer) in the Name field and choose WireGuard VPN as the protocol. Click on Create interface.

WireGuard VPN interface

  3. Edit the newly created interface and click on Generate new keypair. This generates a private and public key for the VPN server.
  4. Also set the Listen port to 51820 (or whatever you prefer).
  5. In the IP Addresses field, enter the subnet you want to use for the VPN clients, for example 10.1.99.1/24.

WireGuard VPN interface settings

  6. We also need to create a new firewall zone for the VPN interface. Go to Network > Firewall and click on Add. Enter vpn (or whatever you prefer) in the Name field. Allow input and output. Choose wg0 as the Covered networks. Allow forward to destination zones lan and wan (our LAN and internet connection respectively), as well as forward from source zone lan, so the VPN clients can access the internet and the LAN network while the zone itself is not accessible directly from the internet.

WireGuard VPN firewall zone

  7. Now we also need to set up the peers, which are the clients that will connect to the VPN server. Go to the wg0 interface settings and add a new peer; generate a new keypair for the peer as well. Set the Allowed IPs to the IP of the client inside the VPN (e.g. 10.1.99.20/32) and set the Persistent keepalive to 25. This helps keep the connection alive behind NATs.

WireGuard VPN peer settings

  8. As we installed the qrencode package, we can generate the QR code for the client configuration. Click on Show QR code and scan it with the WireGuard app on your device. Here you can also set the connection endpoint to a domain name that points to your router's public IP address (for example via Cloudflare or another DDNS service).

WireGuard VPN QR code
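The QR code in the previous step is nothing more than a WireGuard client configuration file rendered as an image, and it is worth seeing that text in the clear before it goes onto a phone. The script below is an added example, not code from this post, its author or the OpenWrt project: it renders the client configuration from the values used in this guide and checks that both keys have the shape of a WireGuard key before printing anything. The keys (32 zero or 0x01 bytes, base64 encoded), the endpoint vpn.example.com and the LAN subnet 192.168.1.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the original post): render the WireGuard
# client configuration that LuCI's "Show QR code" encodes, from the values
# used in the guide. Keys, endpoint and LAN subnet below are constructed.

# check_wg_key KEY: a WireGuard key is 32 bytes, base64 encoded, which is
# exactly 43 base64 characters followed by one '=' pad. Non-zero otherwise.
check_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# render_client_conf PRIVKEY ADDRESS DNS SERVER_PUBKEY ENDPOINT ALLOWED_IPS
#   ADDRESS      the client's VPN address; it must match the Allowed IPs
#                entered for this peer on the router (10.1.99.20/32 here)
#   DNS          resolver used while connected; the router's VPN address
#                keeps name lookups inside the tunnel instead of leaking
#                them to the hotspot's resolver
#   ALLOWED_IPS  what the client sends into the tunnel:
#                0.0.0.0/0                     full tunnel (all traffic)
#                10.1.99.0/24,192.168.1.0/24   split tunnel (home network only)
render_client_conf() {
    check_wg_key "$1" || { echo "client private key has the wrong shape" >&2; return 1; }
    check_wg_key "$4" || { echo "server public key has the wrong shape" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n' "$1" "$2" "$3"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n' "$4" "$5" "$6"
    # same keepalive as set on the router-side peer in the guide
    printf 'PersistentKeepalive = 25\n'
}

# Constructed placeholders with the right shape; never use them as real keys.
CLIENT_PRIVKEY=$(head -c 32 /dev/zero | base64)                  # 32 zero bytes
SERVER_PUBKEY=$(head -c 32 /dev/zero | tr '\0' '\1' | base64)    # 32 bytes of 0x01
ENDPOINT='vpn.example.com:51820'   # constructed: your DDNS name and listen port

# Full-tunnel client, as a phone on public WiFi would use it. On the router,
# the same output piped through qrencode gives the QR code LuCI shows:
#   render_client_conf ... | qrencode -t ansiutf8
render_client_conf "$CLIENT_PRIVKEY" 10.1.99.20/32 10.1.99.1 \
    "$SERVER_PUBKEY" "$ENDPOINT" 0.0.0.0/0
```

Choosing 0.0.0.0/0 for AllowedIPs gives the behaviour described in the introduction, where all of the device's traffic leaves through your home connection; listing only the VPN and LAN subnets gives a split tunnel that carries home-network traffic and nothing else. In both cases the DNS line is what decides whether name lookups travel through the tunnel or go to whatever resolver the public network hands out.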

  9. Each time we create a new peer we also need to restart the WireGuard wg0 interface.

  10. Next, we need to create a firewall port forward rule to allow incoming connections to the WireGuard server. Go to Network > Firewall and click on Add. Enter vpn (or whatever you prefer) in the Name field. Choose wan as the source zone and 51820 as the external port, and forward it to destination zone lan, the internal IP address of your router and port 51820.

WireGuard VPN firewall port forward

  11. Now you should be able to connect to your WireGuard VPN server from another device (such as a phone).

WireGuard VPN client

Tip: forward another port to your WireGuard server

This is useful if you're behind a firewall that blocks port 51820 or if you want to use a different port for your WireGuard server. In this example, we will forward port 53 (DNS) to our WireGuard server.

WireGuard VPN firewall port forward
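For readers who prefer the command line, or who want the whole setup reproducible after a reset, the following script is an added example, not code from this post, its author or the OpenWrt project. It expresses the LuCI steps above as uci commands: the wg0 interface, one peer, the vpn zone with its forwardings, the port forward from step 10 and the second external port from this Tip. By default it is a dry run that only prints the commands; setting APPLY=1 executes them on the router. The router LAN address 192.168.1.1 and both key values are constructed placeholders; the interface name wg0, the zone name vpn, the subnet 10.1.99.0/24, the peer address 10.1.99.20/32 and port 51820 are the guide's own values. One detail worth carrying over to the LuCI form as well: WireGuard only speaks UDP, so the forward is restricted to UDP rather than TCP+UDP.

```shell
#!/bin/sh
# Added example (not code from the original post): the server setup the guide
# clicks through in LuCI, expressed as OpenWrt uci commands.
# Default is a dry run that only prints the commands. On the router, run
#   APPLY=1 sh wg-server.sh
# to execute them. Values marked "constructed" are placeholders to replace.
APPLY="${APPLY:-0}"

WG_IF="${WG_IF:-wg0}"                          # interface name from the guide
WG_PORT="${WG_PORT:-51820}"                    # listen port from the guide
WG_ADDR="${WG_ADDR:-10.1.99.1/24}"             # server address / VPN subnet from the guide
ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.1.1}"  # constructed: your router's LAN address
# Generate real keys on the router with:  wg genkey | tee server.key | wg pubkey
# The two values below are constructed placeholders, not keys.
WG_PRIVKEY="${WG_PRIVKEY:-REPLACE_WITH_SERVER_PRIVATE_KEY}"
PEER_PUBKEY="${PEER_PUBKEY:-REPLACE_WITH_CLIENT_PUBLIC_KEY}"

# run: print the command in dry-run mode, execute it when APPLY=1
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Interface (guide steps 2-5): private key, listen port, address
configure_interface() {
    run uci set "network.$WG_IF=interface"
    run uci set "network.$WG_IF.proto=wireguard"
    run uci set "network.$WG_IF.private_key=$WG_PRIVKEY"
    run uci set "network.$WG_IF.listen_port=$WG_PORT"
    run uci add_list "network.$WG_IF.addresses=$WG_ADDR"
}

# Peer (guide step 7): add_peer NAME CLIENT_PUBKEY ALLOWED_IPS
# On the server side, Allowed IPs is the single /32 this client may use.
add_peer() {
    run uci add network "wireguard_$WG_IF"
    run uci set "network.@wireguard_$WG_IF[-1].description=$1"
    run uci set "network.@wireguard_$WG_IF[-1].public_key=$2"
    run uci add_list "network.@wireguard_$WG_IF[-1].allowed_ips=$3"
    run uci set "network.@wireguard_$WG_IF[-1].persistent_keepalive=25"
}

# add_forwarding SRC_ZONE DEST_ZONE
add_forwarding() {
    run uci add firewall forwarding
    run uci set "firewall.@forwarding[-1].src=$1"
    run uci set "firewall.@forwarding[-1].dest=$2"
}

# Zone (guide step 6): VPN clients may talk to the router, the LAN and the
# internet, and the LAN may reach VPN clients; nothing is forwarded in from wan.
configure_zone() {
    run uci add firewall zone
    run uci set 'firewall.@zone[-1].name=vpn'
    run uci set 'firewall.@zone[-1].input=ACCEPT'
    run uci set 'firewall.@zone[-1].output=ACCEPT'
    run uci set 'firewall.@zone[-1].forward=REJECT'
    run uci add_list "firewall.@zone[-1].network=$WG_IF"
    add_forwarding vpn lan
    add_forwarding vpn wan
    add_forwarding lan vpn
}

# Port forward (guide step 10 and the Tip): add_redirect NAME EXTERNAL_PORT
# WireGuard speaks UDP only, so the rule is limited to udp.
add_redirect() {
    run uci add firewall redirect
    run uci set "firewall.@redirect[-1].name=$1"
    run uci set 'firewall.@redirect[-1].src=wan'
    run uci set "firewall.@redirect[-1].src_dport=$2"
    run uci set 'firewall.@redirect[-1].dest=lan'
    run uci set "firewall.@redirect[-1].dest_ip=$ROUTER_LAN_IP"
    run uci set "firewall.@redirect[-1].dest_port=$WG_PORT"
    run uci set 'firewall.@redirect[-1].proto=udp'
    run uci set 'firewall.@redirect[-1].target=DNAT'
}

# Peers are only read when the interface starts, so re-run this after
# adding one (guide step 9).
restart_wg() {
    run ifdown "$WG_IF"
    run ifup "$WG_IF"
}

apply_all() {
    run uci commit network
    run uci commit firewall
    run /etc/init.d/firewall reload
    restart_wg
}

configure_interface
add_peer phone "$PEER_PUBKEY" 10.1.99.20/32
configure_zone
add_redirect vpn 51820
add_redirect vpn-alt 53   # the Tip: a second external port (53) to the same server
apply_all
```

Running the script without APPLY=1 is a cheap way to review what will change before touching the router, and the printed commands are the same ones you would type by hand over SSH. The second add_redirect call is the whole of the Tip: only the external port differs, the destination stays the router's own WireGuard port.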

Conclusion

In this guide, we learned to set up our own VPN server using open source technologies such as WireGuard and OpenWrt, allowing us to securely access our home network from the internet. Thanks for reading, and feel free to experiment with different setups like a site-to-site VPN or a VPN client on your router!


© 2024 Victor Bayas.