Configuring and Running WireGuard on OpenWrt

Install WireGuard:

$ opkg install wireguard luci-app-wireguard

But in my case, I custom build OpenWrt from gl-inet sources. The build contains only the essentials for my smoothly-running GL-AR750S-Ext: routing, firewalling, VPN, and a single remotely accessible (via LAN only) service, Dropbear.

Look here for configuring WireGuard on OpenWrt using LuCI.

Configuring WireGuard on OpenWrt “The Hard Way” is quite easy. We will configure OpenWrt as a WireGuard client and have it masquerade all traffic to our VPS. Other configurations such as redirecting all traffic through the remote WireGuard server, or configuring OpenWrt as the WireGuard server are not covered here, but should be easy enough to implement using the following configurations as a starting point.

Adjust addresses, allowed_ips, and persistent_keepalive as needed.

/etc/config/network:

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'WIREGUARD_PRIVATE_KEY'
	list addresses '192.168.128.10/24'

config wireguard_vpn
	option endpoint_host 'WIREGUARD_SERVER_IP_OR_HOSTNAME'
	option endpoint_port 'WIREGUARD_SERVER_PORT'
	option persistent_keepalive '30'
	option public_key 'WIREGUARD_SERVER_PUBLIC_KEY'
	list allowed_ips '192.168.128.0/24'

Add the following if you would like devices on your local network to access hosts through the WireGuard tunnel.

/etc/config/firewall:

config zone
	option name 'vpn'
	list network 'vpn'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

Ignore DHCP on the vpn interface.

/etc/config/dhcp:

config dhcp 'vpn'
	option interface 'vpn'
	option ignore '1'
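
To confirm that the vpn zone in /etc/config/firewall keeps tunnel peers away from the router and the LAN, this added example (not part of the original post) parses the file and flags a permissive input or forward policy, or a forwarding rule whose source is the vpn zone. The function name audit_vpn_zone and the embedded sample config are constructed for illustration; the script assumes a POSIX awk such as the BusyBox one.

```shell
# Added example: audit the firewall zone that holds the WireGuard interface.
# Usage: audit_vpn_zone FILE|- [ZONE]; prints findings, returns 1 if any.
audit_vpn_zone() {
    awk -v zone="${2:-vpn}" -v q="'" '
    function bad(msg) { print "FINDING: " msg; rc = 1 }
    function policy(k) { return s[k] == "" ? "unset" : toupper(s[k]) }
    function check(   p) {                # evaluate the section just read
        if (sect == "zone" && s["name"] == zone) {
            seen = 1
            p = policy("input")
            if (p != "DROP" && p != "REJECT")
                bad("zone " zone " input is " p ": tunnel peers can reach the router itself")
            p = policy("forward")
            if (p != "DROP" && p != "REJECT")
                bad("zone " zone " forward is " p)
        }
        if (sect == "forwarding" && s["src"] == zone)
            bad("forwarding " zone " -> " s["dest"] ": tunnel peers can open connections inward")
        split("", s)                      # portable way to clear the array
    }
    { gsub("[" q "\"]", "") }             # strip UCI quoting from the whole line
    $1 == "config" { check(); sect = $2; next }
    $1 == "option" || $1 == "list" { s[$2] = $3 }
    END {
        check()
        if (!seen) bad("no zone named " zone ": global defaults apply to the tunnel")
        exit rc + 0
    }' "$1"
}

# Constructed sample: the firewall stanzas from this page.
sample_firewall() {
    cat <<'EOF'
config zone
    option name 'vpn'
    list network 'vpn'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'vpn'
EOF
}

sample_firewall | audit_vpn_zone - vpn && echo "vpn zone: no findings"
```

On the router, call it as audit_vpn_zone /etc/config/firewall vpn after each firewall change.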