Hopp-rsk-owr01: Difference between revisions

(16 intermediate revisions by the same user not shown)

Line 1:

Linksys WRT3200ACM running OpenWRT, each partition ~~will run~~ a different VPN server for now. ~~KISS~~!

Linksys WRT3200ACM running OpenWRT, each partition is running a different VPN server for now. KISS!

[https://firmware-selector.openwrt.org/?version=24.10.4 Custom install]

Custom script to run on first boot (uci-defaults)

# Beware! This script will be in /rom/etc/uci-defaults/ as part of the image.

# Uncomment lines to apply:

#

# wlan_name="OpenWrt"

# wlan_password="12345678"

#

root_password="changeme"

lan_ip_address="10.65.30.1"

#

# pppoe_username=""

# pppoe_password=""

# log potential errors

exec >/tmp/setup.log 2>&1

if [ -n "$root_password" ]; then

(echo "$root_password"; sleep 1; echo "$root_password") | passwd > /dev/null

fi

# Configure LAN

# More options: https://openwrt.org/docs/guide-user/base-system/basic-networking

if [ -n "$lan_ip_address" ]; then

uci set network.lan.ipaddr="$lan_ip_address"

uci commit network

fi

# Configure WLAN

# More options: https://openwrt.org/docs/guide-user/network/wifi/basic#wi-fi_interfaces

if [ -n "$wlan_name" -a -n "$wlan_password" -a ${#wlan_password} -ge 8 ]; then

uci set wireless.@wifi-device[0].disabled='0'

uci set wireless.@wifi-iface[0].disabled='0'

uci set wireless.@wifi-iface[0].encryption='psk2'

uci set wireless.@wifi-iface[0].ssid="$wlan_name"

uci set wireless.@wifi-iface[0].key="$wlan_password"

uci commit wireless

fi

# Configure PPPoE

# More options: https://openwrt.org/docs/guide- user/network/wan/wan_interface_protocols#protocol_pppoe_ppp_over_ethernet

if [ -n "$pppoe_username" -a "$pppoe_password" ]; then

uci set network.wan.proto=pppoe

uci set network.wan.username="$pppoe_username"

uci set network.wan.password="$pppoe_password"

uci commit network

fi

echo "So long, and thanks for all the fish!"

Custom OpenVPN Packages

base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-app-openvpn openssh-sftp-server openvpn-easy-rsa openvpn-openssl

Custom Wireguard Packages

base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-proto-wireguard openssh-sftp-server qrencode wireguard-tools

==OpenVPN==

[https://forum.openwrt.org/search?context=topic&context_id=51852&q=openvpn%20server&skip_context=true Forum topics]

[https://support.linksys.com/kb/article/6710-en/ Linksys help]

[https://www.reddit.com/r/LinksysOfficial/comments/165zrj9/insecure_openvpn_implementation_in_wrt3200acm/?rdt=40669 Reddit info]

[https://forum.openwrt.org/t/solved-configuring-linksys-wrt3200acm-with-openvpn-client/27528 OpenWRT link]

[https://forums.openvpn.net/viewtopic.php?t=33309 OpenVPN link]

====beadon====

well holy moly, someone released a what looks to be working allinone script that i could never hope to write in a sane timeframe

https://github.com/beadon/OpenWRTOpenVPNMgmt

https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

==WireGuard==

[https://openwrt.org/docs/guide-user/services/vpn/wireguard/server OpenWRT Wiki]

~~OpenWrt Wiki~~

===Command-line instructions===

~~You are hereHomeDocumentationUser guideAdditional servicesVPN (Virtual Private Network)WireGuardWireGuard server~~

~~Learn about OpenWrt~~

1. Preparation

~~WireGuard server~~

~~This article relies on the following:~~

~~Accessing web interface / command-line interface~~

~~Managing configs / packages / services / logs~~

~~Introduction~~

~~This how-to describes the method for setting up WireGuard server on OpenWrt.~~

~~Follow WireGuard client for client setup and WireGuard extras for additional tuning.~~

~~Goals~~

~~Encrypt your internet connection to enforce security and privacy.~~

~~Prevent traffic leaks and spoofing on the client side.~~

~~Bypass regional restrictions using commercial providers.~~

~~Escape client side content filters and internet censorship.~~

~~Access your LAN services remotely without port forwarding.~~

~~Command-line instructions~~

~~1. Preparation~~

Install the required packages. Specify configuration parameters for VPN server.

# Install packages

opkg update

opkg install wireguard-tools

# Configuration parameters

VPN_IF="vpn"

VPN_PORT="51820"

VPN_ADDR="192.168.9.1/24"

VPN_ADDR6="fd00:9::1/64"

2. Key management

Generate and exchange keys between server and client.

# Generate keys

umask go=

wg genkey | tee wgserver.key | wg pubkey > wgserver.pub

wg genkey | tee wgclient.key | wg pubkey > wgclient.pub

wg genpsk > wgclient.psk

# Server private key

VPN_KEY="$(cat wgserver.key)"

# Pre-shared key

VPN_PSK="$(cat wgclient.psk)"

# Client public key

VPN_PUB="$(cat wgclient.pub)"

3. Firewall

Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.

# Configure firewall

uci rename firewall.@zone[0]="lan"

uci rename firewall.@zone[1]="wan"

uci del_list firewall.lan.network="${VPN_IF}"

uci add_list firewall.lan.network="${VPN_IF}"

uci -q delete firewall.wg

uci set firewall.wg="rule"

uci set firewall.wg.name="Allow-WireGuard"

uci set firewall.wg.src="wan"

uci set firewall.wg.dest_port="${VPN_PORT}"

uci set firewall.wg.proto="udp"

uci set firewall.wg.target="ACCEPT"

uci commit firewall

service firewall restart

4. Network

Configure VPN interface and peers.

# Configure network

uci -q delete network.${VPN_IF}

uci set network.${VPN_IF}="interface"

uci set network.${VPN_IF}.proto="wireguard"

uci set network.${VPN_IF}.private_key="${VPN_KEY}"

uci set network.${VPN_IF}.listen_port="${VPN_PORT}"

uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"

uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"

# Add VPN peers

uci -q delete network.wgclient

uci set network.wgclient="wireguard_${VPN_IF}"

uci set network.wgclient.public_key="${VPN_PUB}"

uci set network.wgclient.preshared_key="${VPN_PSK}"

uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"

uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"

uci commit network

service network restart

LuCI Web Interface instructions

===LuCI Web Interface instructions===

1. Installing packages

Navigate to LuCI → System → Software and install the package luci-proto-wireguard.

Line 100:

Line 165:

2. Restarting services

Navigate to LuCI → System → Startup → Initscripts and click on network → Restart.

3. Add WireGuard Network Interface

To create a new WireGuard interface go to LuCI → Network → Interfaces → Add new interface...

Line 108:

Line 175:

Name the interface wg0 (or whatever is preferred)

Click on Create Interface to create it and open it for editing

4. Configure the WireGuard Network Interface

In the open edit window of the interface configure the following:

Line 115:

Line 184:

IP addresses: 10.0.0.1/24 or preferred internal VPN IPv4 address for the WireGuard server interface end of the VPN

Save this configuration

5. Configure WireGuard Peers

To create a new WireGuard peer configuration go to LuCI → Network → Interfaces → wg0 → Edit → Peers

*Click on Add peer

Click on Add peer

*Click on Generate new key pair to populate the public and private key fields

Click on Generate new key pair to populate the public and private key fields

*Allowed IPs: 10.0.0.10 or whatever other address you will assign to the client

Allowed IPs: 10.0.0.10 or whatever other address you will assign to the client

*Endpoint port: 51820

Endpoint port: 51820

*Persistent Keep Alive: 25

Persistent Keep Alive: 25

*Save

Save

Click on Edit for the peer just created

Line 132:

Line 202:

To transfer the peer configuration to the client device either:

Use a Wireguard client on a phone / tablet that can scan the generated QR code or

*Use a Wireguard client on a phone / tablet that can scan the generated QR code or

Copy and paste the generated configuration data into a device.conf file for import into a WireGuard client

*Copy and paste the generated configuration data into a device.conf file for import into a WireGuard client

Once you have saved the changes to the wg0 interface, click Save & Apply on the Interfaces page, then Restart wg0. This is necessary for the new peer list to take effect. “Save & Apply” alone is not enough!

6. Configure Firewall for WireGuard traffic

Go to LuCI → Network → Firewall → General Settings and under Zones add a new zone:

Name: WireguardVPN (or preferred name)

*Name: WireguardVPN (or preferred name)

Input: accept

*Input: accept

Output: accept

*Output: accept

Intra zone forward: accept

*Intra zone forward: accept

Masquerading: checked

*Masquerading: checked

MSS Clamping: checked

*MSS Clamping: checked

Covered networks: wg0

*Covered networks: wg0

Allow forward to destination zones: lan and wan

*Allow forward to destination zones: lan and wan

Allow forward from source zones: lan

*Allow forward from source zones: lan

Save

*Save

Create rule to allow IPv4 & IPv6 traffic through from internet for connecting from client device using IPv4 (if router has public IPv4 address) or from client device using IPv6 (if router has public IPv6 address available).

Go to LuCI → Network → Firewall → Traffic Rules

*Name: WireGuard-incoming (or preferred name)

Name: WireGuard-incoming (or preferred name)

*Protocol: UDP

Protocol: UDP

*Source zone: wan

Source zone: wan

*Source address: -- add IP --

Source address: -- add IP --

*Source port: any

Source port: any

*Destination zone: Device

Destination zone: Device

*Destination address: -- add IP--

Destination address: -- add IP--

*Destination port: 51820

Destination port: 51820

*Action: accept

Action: accept

*Save, Save & apply

Save, Save & apply

Note: If only IPv4 is being used to connect to the WireGuard server the above firewall traffic rule could be replaced with a Port Forward rule instead.

Line 169:

Line 239:

Testing

Establish the VPN connection. Verify your routing with traceroute and traceroute6.

traceroute openwrt.org

traceroute6 openwrt.org

Check your IP and DNS provider.

*ipleak.net

ipleak.net

*dnsleaktest.com

dnsleaktest.com

On router:

*Go to LuCI > Status > Wireguard and look for peer device connected with an IPv4 or IPv6 address and with a recent handshake time

Go to LuCI > Status > Wireguard and look for peer device connected with an IPv4 or IPv6 address and with a recent handshake time

*Go to LuCI > Network > Diagnostics and ipv4 ping client device IP eg. 10.0.0.10

Go to LuCI > Network > Diagnostics and ipv4 ping client device IP eg. 10.0.0.10

On client device depending on wireguard software:

*Check transfer traffic for tx & rx

Check transfer traffic for tx & rx

*Ping router internal lan IP

Ping router internal lan IP

*Check public IP address in a browser – https://whatsmyip.com – should see public IP address of ISP for the router

Check public IP address in a browser – https://whatsmyip.com – should see public IP address of ISP for the router

Troubleshooting

Collect and analyze the following information.

# Restart services

service log restart; service network restart; sleep 10

# Log and status

logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"

# Runtime configuration

pgrep -f -a wg; wg show; wg showconf wg0

ip address show; ip route show table all

ip rule show; ip -6 rule show; nft list ruleset

# Persistent configuration

uci show network; uci show firewall; crontab -l

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies

~~Last modified: 2025/10/05 00:14by alex_henrie~~

~~Self-registration in the wiki has been disabled.~~

~~If you want to contribute to the OpenWrt wiki, please post HERE in the forum or ask on IRC for access.~~

@@ Line 1: / Line 1: @@
-Linksys WRT3200ACM running OpenWRT, each partition will run a different VPN server for now.  KISS!
+Linksys WRT3200ACM running OpenWRT, each partition is running a different VPN server for now. KISS!
+[https://firmware-selector.openwrt.org/?version=24.10.4 Custom install]
+Custom script to run on first boot (uci-defaults)
+ # Beware! This script will be in /rom/etc/uci-defaults/ as part of the image.
+ # Uncomment lines to apply:
+ #
+ # wlan_name="OpenWrt"
+ # wlan_password="12345678"
+ #
+ root_password="changeme"
+ lan_ip_address="10.65.30.1"
+ #
+ # pppoe_username=""
+ # pppoe_password=""
+ # log potential errors
+ exec >/tmp/setup.log 2>&1
+ if [ -n "$root_password" ]; then
+   (echo "$root_password"; sleep 1; echo "$root_password") | passwd > /dev/null
+ fi
+ # Configure LAN
+ # More options: https://openwrt.org/docs/guide-user/base-system/basic-networking
+  if [ -n "$lan_ip_address" ]; then
+   uci set network.lan.ipaddr="$lan_ip_address"
+   uci commit network
+ fi
+ # Configure WLAN
+ # More options: https://openwrt.org/docs/guide-user/network/wifi/basic#wi-fi_interfaces
+ if [ -n "$wlan_name" -a -n "$wlan_password" -a ${#wlan_password} -ge 8 ]; then
+   uci set wireless.@wifi-device[0].disabled='0'
+   uci set wireless.@wifi-iface[0].disabled='0'
+   uci set wireless.@wifi-iface[0].encryption='psk2'
+   uci set wireless.@wifi-iface[0].ssid="$wlan_name"
+   uci set wireless.@wifi-iface[0].key="$wlan_password"
+   uci commit wireless
+ fi
+ # Configure PPPoE
+ # More options: https://openwrt.org/docs/guide- user/network/wan/wan_interface_protocols#protocol_pppoe_ppp_over_ethernet
+ if [ -n "$pppoe_username" -a "$pppoe_password" ]; then
+   uci set network.wan.proto=pppoe
+   uci set network.wan.username="$pppoe_username"
+   uci set network.wan.password="$pppoe_password"
+   uci commit network
+ fi
+ echo "So long, and thanks for all the fish!"
+Custom OpenVPN Packages
+ base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-app-openvpn openssh-sftp-server openvpn-easy-rsa openvpn-openssl
+Custom Wireguard Packages
+ base-files ca-bundle dnsmasq dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi wpad-basic-mbedtls kmod-btmrvl kmod-mwifiex-sdio mwlwifi-firmware-88w8964 iwinfo luci luci-app-advanced-reboot luci-proto-wireguard openssh-sftp-server qrencode wireguard-tools
 ==OpenVPN==
+[https://forum.openwrt.org/search?context=topic&context_id=51852&q=openvpn%20server&skip_context=true Forum topics]
+[https://support.linksys.com/kb/article/6710-en/ Linksys help]
+[https://www.reddit.com/r/LinksysOfficial/comments/165zrj9/insecure_openvpn_implementation_in_wrt3200acm/?rdt=40669 Reddit info]
+[https://forum.openwrt.org/t/solved-configuring-linksys-wrt3200acm-with-openvpn-client/27528 OpenWRT link]
+[https://forums.openvpn.net/viewtopic.php?t=33309 OpenVPN link]
+====beadon====
+well holy moly, someone released a what looks to be working allinone script that i could never hope to write in a sane timeframe
+https://github.com/beadon/OpenWRTOpenVPNMgmt
+https://openwrt.org/docs/guide-user/services/vpn/openvpn/server
 ==WireGuard==
 [https://openwrt.org/docs/guide-user/services/vpn/wireguard/server OpenWRT Wiki]
-OpenWrt Wiki
+===Command-line instructions===
-You are hereHomeDocumentationUser guideAdditional servicesVPN (Virtual Private Network)WireGuardWireGuard server
- Learn about OpenWrt
+. Preparation
-WireGuard server
-This article relies on the following:
-Accessing web interface / command-line interface
-Managing configs / packages / services / logs
-Introduction
-This how-to describes the method for setting up WireGuard server on OpenWrt.
-Follow WireGuard client for client setup and WireGuard extras for additional tuning.
-Goals
-Encrypt your internet connection to enforce security and privacy.
-Prevent traffic leaks and spoofing on the client side.
-Bypass regional restrictions using commercial providers.
-Escape client side content filters and internet censorship.
-Access your LAN services remotely without port forwarding.
-Command-line instructions
-. Preparation
 Install the required packages. Specify configuration parameters for VPN server.
-# Install packages
+ # Install packages
-opkg update
+ opkg update
-opkg install wireguard-tools
+ opkg install wireguard-tools
-# Configuration parameters
+ # Configuration parameters
-VPN_IF="vpn"
+ VPN_IF="vpn"
-VPN_PORT="51820"
+ VPN_PORT="51820"
-VPN_ADDR="192.168.9.1/24"
+ VPN_ADDR="192.168.9.1/24"
-VPN_ADDR6="fd00:9::1/64"
+ VPN_ADDR6="fd00:9::1/64"
 . Key management
 Generate and exchange keys between server and client.
-# Generate keys
+ # Generate keys
-umask go=
+ umask go=
-wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
+ wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
-wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
+ wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
-wg genpsk > wgclient.psk
+ wg genpsk > wgclient.psk
-# Server private key
+ # Server private key
-VPN_KEY="$(cat wgserver.key)"
+ VPN_KEY="$(cat wgserver.key)"
-# Pre-shared key
+ # Pre-shared key
-VPN_PSK="$(cat wgclient.psk)"
+ VPN_PSK="$(cat wgclient.psk)"
-# Client public key
+ # Client public key
-VPN_PUB="$(cat wgclient.pub)"
+ VPN_PUB="$(cat wgclient.pub)"
 . Firewall
 Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.
-# Configure firewall
+ # Configure firewall
-uci rename firewall.@zone[0]="lan"
+ uci rename firewall.@zone[0]="lan"
-uci rename firewall.@zone[1]="wan"
+ uci rename firewall.@zone[1]="wan"
-uci del_list firewall.lan.network="${VPN_IF}"
+ uci del_list firewall.lan.network="${VPN_IF}"
-uci add_list firewall.lan.network="${VPN_IF}"
+ uci add_list firewall.lan.network="${VPN_IF}"
-uci -q delete firewall.wg
+ uci -q delete firewall.wg
-uci set firewall.wg="rule"
+ uci set firewall.wg="rule"
-uci set firewall.wg.name="Allow-WireGuard"
+ uci set firewall.wg.name="Allow-WireGuard"
-uci set firewall.wg.src="wan"
+ uci set firewall.wg.src="wan"
-uci set firewall.wg.dest_port="${VPN_PORT}"
+ uci set firewall.wg.dest_port="${VPN_PORT}"
-uci set firewall.wg.proto="udp"
+ uci set firewall.wg.proto="udp"
-uci set firewall.wg.target="ACCEPT"
+ uci set firewall.wg.target="ACCEPT"
-uci commit firewall
+ uci commit firewall
-service firewall restart
+ service firewall restart
 . Network
 Configure VPN interface and peers.
-# Configure network
+ # Configure network
-uci -q delete network.${VPN_IF}
+ uci -q delete network.${VPN_IF}
-uci set network.${VPN_IF}="interface"
+ uci set network.${VPN_IF}="interface"
-uci set network.${VPN_IF}.proto="wireguard"
+ uci set network.${VPN_IF}.proto="wireguard"
-uci set network.${VPN_IF}.private_key="${VPN_KEY}"
+ uci set network.${VPN_IF}.private_key="${VPN_KEY}"
-uci set network.${VPN_IF}.listen_port="${VPN_PORT}"
+ uci set network.${VPN_IF}.listen_port="${VPN_PORT}"
-uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
+ uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
-uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
+ uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
-# Add VPN peers
+  # Add VPN peers
-uci -q delete network.wgclient
+ uci -q delete network.wgclient
-uci set network.wgclient="wireguard_${VPN_IF}"
+ uci set network.wgclient="wireguard_${VPN_IF}"
-uci set network.wgclient.public_key="${VPN_PUB}"
+ uci set network.wgclient.public_key="${VPN_PUB}"
-uci set network.wgclient.preshared_key="${VPN_PSK}"
+ uci set network.wgclient.preshared_key="${VPN_PSK}"
-uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"
+ uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"
-uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
+ uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
-uci commit network
+ uci commit network
-service network restart
+ service network restart
-LuCI Web Interface instructions
+===LuCI Web Interface instructions===
 . Installing packages
 Navigate to LuCI → System → Software and install the package luci-proto-wireguard.
@@ Line 100: / Line 165: @@
 . Restarting services
 Navigate to LuCI → System → Startup → Initscripts and click on network → Restart.
 . Add WireGuard Network Interface
 To create a new WireGuard interface go to LuCI → Network → Interfaces → Add new interface...
@@ Line 108: / Line 175: @@
 Name the interface wg0 (or whatever is preferred)
 Click on Create Interface to create it and open it for editing
 . Configure the WireGuard Network Interface
 In the open edit window of the interface configure the following:
@@ Line 115: / Line 184: @@
 IP addresses: 10.0.0.1/24 or preferred internal VPN IPv4 address for the WireGuard server interface end of the VPN
 Save this configuration
-. Configure WireGuard Peers
+. Configure WireGuard Peers
 To create a new WireGuard peer configuration go to LuCI → Network → Interfaces → wg0 → Edit → Peers
+*Click on Add peer
-Click on Add peer
+*Click on Generate new key pair to populate the public and private key fields
-Click on Generate new key pair to populate the public and private key fields
+*Allowed IPs: 10.0.0.10 or whatever other address you will assign to the client
-Allowed IPs: 10.0.0.10 or whatever other address you will assign to the client
+*Endpoint port: 51820
-Endpoint port: 51820
+*Persistent Keep Alive: 25
-Persistent Keep Alive: 25
+*Save
-Save
 Click on Edit for the peer just created
@@ Line 132: / Line 202: @@
 To transfer the peer configuration to the client device either:
-Use a Wireguard client on a phone / tablet that can scan the generated QR code or
+*Use a Wireguard client on a phone / tablet that can scan the generated QR code or
-Copy and paste the generated configuration data into a device.conf file for import into a WireGuard client
+*Copy and paste the generated configuration data into a device.conf file for import into a WireGuard client
 Once you have saved the changes to the wg0 interface, click Save & Apply on the Interfaces page, then Restart wg0. This is necessary for the new peer list to take effect. “Save & Apply” alone is not enough!
 . Configure Firewall for WireGuard traffic
 Go to LuCI → Network → Firewall → General Settings and under Zones add a new zone:
-Name: WireguardVPN (or preferred name)
+*Name: WireguardVPN (or preferred name)
-Input: accept
+*Input: accept
-Output: accept
+*Output: accept
-Intra zone forward: accept
+*Intra zone forward: accept
-Masquerading: checked
+*Masquerading: checked
-MSS Clamping: checked
+*MSS Clamping: checked
-Covered networks: wg0
+*Covered networks: wg0
-Allow forward to destination zones: lan and wan
+*Allow forward to destination zones: lan and wan
-Allow forward from source zones: lan
+*Allow forward from source zones: lan
-Save
+*Save
 Create rule to allow IPv4 & IPv6 traffic through from internet for connecting from client device using IPv4 (if router has public IPv4 address) or from client device using IPv6 (if router has public IPv6 address available).
 Go to LuCI → Network → Firewall → Traffic Rules
+*Name: WireGuard-incoming (or preferred name)
-Name: WireGuard-incoming (or preferred name)
+*Protocol: UDP
-Protocol: UDP
+*Source zone: wan
-Source zone: wan
+*Source address: -- add IP --
-Source address: -- add IP --
+*Source port: any
-Source port: any
+*Destination zone: Device
-Destination zone: Device
+*Destination address: -- add IP--
-Destination address: -- add IP--
+*Destination port: 51820
-Destination port: 51820
+*Action: accept
-Action: accept
+*Save, Save & apply
-Save, Save & apply
 Note: If only IPv4 is being used to connect to the WireGuard server the above firewall traffic rule could be replaced with a Port Forward rule instead.
@@ Line 169: / Line 239: @@
 Testing
 Establish the VPN connection. Verify your routing with traceroute and traceroute6.
+ traceroute openwrt.org
-traceroute openwrt.org
+ traceroute6 openwrt.org
-traceroute6 openwrt.org
 Check your IP and DNS provider.
+*ipleak.net
-ipleak.net
+*dnsleaktest.com
-dnsleaktest.com
 On router:
+*Go to LuCI > Status > Wireguard and look for peer device connected with an IPv4 or IPv6 address and with a recent handshake time
-Go to LuCI > Status > Wireguard and look for peer device connected with an IPv4 or IPv6 address and with a recent handshake time
+*Go to LuCI > Network > Diagnostics and ipv4 ping client device IP eg. 10.0.0.10
-Go to LuCI > Network > Diagnostics and ipv4 ping client device IP eg. 10.0.0.10
 On client device depending on wireguard software:
+*Check transfer traffic for tx & rx
-Check transfer traffic for tx & rx
+*Ping router internal lan IP
-Ping router internal lan IP
+*Check public IP address in a browser – https://whatsmyip.com – should see public IP address of ISP for the router
-Check public IP address in a browser – https://whatsmyip.com – should see public IP address of ISP for the router
 Troubleshooting
 Collect and analyze the following information.
+ # Restart services
-# Restart services
+ service log restart; service network restart; sleep 10
-service log restart; service network restart; sleep 10
-# Log and status
+ # Log and status
-logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
+ logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
-# Runtime configuration
+ # Runtime configuration
-pgrep -f -a wg; wg show; wg showconf wg0
+ pgrep -f -a wg; wg show; wg showconf wg0
-ip address show; ip route show table all
+ ip address show; ip route show table all
-ip rule show; ip -6 rule show; nft list ruleset
+ ip rule show; ip -6 rule show; nft list ruleset
-# Persistent configuration
+ # Persistent configuration
-uci show network; uci show firewall; crontab -l
+ uci show network; uci show firewall; crontab -l
-This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
- Last modified: 2025/10/05 00:14by alex_henrie
-Self-registration in the wiki has been disabled.
-If you want to contribute to the OpenWrt wiki, please post HERE in the forum or ask on IRC for access.