Wireguard setup Openwrt

The tutorials out there for setting up Wireguard on your Openwrt router are either incorrect or overcomplicated.

I’ve decided to collate these and create an easy to understand walkthrough to get a simple Wireguard VPN set up on your router. I will be using the wireguard app on Android as an example in this tutorial but others should be similar.

With advice from some of the members of the openwrt forums (thanks to cpunk) the below details have been updated to be more accurate.

Install packages

SSH into your router and run the below:
opkg update
opkg install kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools

Add the interface

Log in to your router, select Network > Interfaces and then select Add new interface.

Name the newly created interface wg0, select Wireguard VPN as the protocol and press Submit.

Generate key pairs

From SSH run the following:
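umask 077  # create the key files readable by root only
mkdir -p /etc/wireguard
# Server key pair
wg genkey | tee /etc/wireguard/server-privatekey | wg pubkey > /etc/wireguard/server-publickey
# Client key pair, written to the current directory (not needed if the app generates its own keys)
wg genkey | tee client-privatekey | wg pubkey > client-publickey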

Grab the keys

There should now be two files in /etc/wireguard, called server-privatekey and server-publickey. Open these files to view the keys and make a note of them.

Wireguard app

Download and open the Wireguard app on your device, select the + icon, then select Create from scratch. Name the interface and click GENERATE. Copy the Public key somewhere, as you will need to enter it into the Wireguard interface on your Openwrt router.

Configure the Openwrt Wireguard Interface

In your router, head over to the configuration page of the wg0 interface. In the general settings section, paste the server-privatekey you obtained from /etc/wireguard earlier into the Private Key field and set Listening port to 51820 or any unused port you like.
In IP Addresses, choose a subnet in CIDR notation, for example 10.200.200.1/24. This will be the subnet of your VPN.

In the PEERS section click Add and paste in the Public key you obtained from the Wireguard app. In the Allowed IPs section you're indicating which addresses are reached through the tunnel to this peer. In our example we only want to send traffic to the one client's address. To do this, pick an IP address for the client in the subnet you previously chose, and use /32 at the end. For example 10.200.200.2/32. Next, make sure Route Allowed IPs is checked and set Persistent Keep Alive to the recommended value of 25.

Select Firewall Settings from the top of the page, assign the lan zone to the interface, then click Save & Apply.

Create firewall rule

Next, run the following in SSH to create a new firewall rule in OpenWRT.
Make sure you change port 51820 to match what you selected earlier if you changed it:

uci add firewall rule
uci set firewall.@rule[-1].src="*"
uci set firewall.@rule[-1].target="ACCEPT"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].dest_port="51820"
uci set firewall.@rule[-1].name="Allow-Wireguard-Inbound"
uci commit firewall
/etc/init.d/firewall restart

Wireguard app

Go back to the app and in Addresses, put the address you chose for the client and entered on the server in the peer Allowed IPs section, but use the real subnet mask (/24 in CIDR notation) like you did for the server Address, e.g. 10.200.200.2/24. In DNS servers, put the router’s LAN IP address in and select ADD PEER. Don’t touch Listen port and MTU unless you know what you’re doing.

In the Public key section paste in the public key you obtained from /etc/wireguard on the openwrt router earlier and enter 0.0.0.0/0 into Allowed IPs. In Endpoint, specify the router’s WAN IP address or a domain name, ending with :port. For example vpn.foobar.dev:51820. Leave the rest default and hit the save icon.

You should now be up and running. If you have trouble connecting, restart your router, and check your settings if it is still not working.
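
As an added example (not part of the original post), this POSIX shell script goes one step beyond the walkthrough: it checks the addressing rules described above (a /32 in the router's peer Allowed IPs, and a matching client address inside the VPN subnet), then prints the client settings in wg-quick file form. The function names, the key placeholders and the 192.168.1.1 router LAN address are assumptions for illustration.

```shell
#!/bin/sh
# Added example: validate the walkthrough's addressing, print client settings.

ip2int() {  # dotted-quad IPv4 -> integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {  # in_subnet IP NET/PREFIX: succeeds if IP lies inside the network
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "${2%/*}") & $mask )) ]
}

# check_plan ROUTER_ADDR/PREFIX  ROUTER_PEER_ALLOWED_IPS  CLIENT_ADDR/PREFIX
check_plan() {
    srv=$1; allowed=$2; client=$3
    case $allowed in
        */32) ;;
        *) echo "router peer Allowed IPs must be a single /32"; return 1 ;;
    esac
    in_subnet "${allowed%/*}" "$srv" ||
        { echo "peer address is outside the VPN subnet"; return 1; }
    [ "${allowed%/*}" != "${srv%/*}" ] ||
        { echo "peer address collides with the router's own address"; return 1; }
    [ "${client%/*}" = "${allowed%/*}" ] ||
        { echo "client Address does not match the router's peer entry"; return 1; }
    echo ok
}

client_conf() {  # args: client Address, DNS (router LAN IP), Endpoint host:port
    cat <<EOF
[Interface]
PrivateKey = <client-private-key>
Address = $1
DNS = $2

[Peer]
PublicKey = <contents of server-publickey>
AllowedIPs = 0.0.0.0/0
Endpoint = $3
EOF
}

# Values from the walkthrough; 192.168.1.1 is an assumed router LAN address.
check_plan 10.200.200.1/24 10.200.200.2/32 10.200.200.2/24 &&
    client_conf 10.200.200.2/24 192.168.1.1 vpn.foobar.dev:51820
```
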


Setup NordVPN on Openwrt/LEDE router

Watching the 3pm kick offs is becoming extremely difficult with ISPs blocking traffic when trying to watch a stream or IPTV service.

By using a VPN, you can get around this annoyance and freely watch without the fear of the dreaded no picture.

Along with this added bonus, the main purpose of using a VPN is to keep your internet activity private and away from your ISP.

Below is an excellent guide showing how you can set up NordVPN on your Openwrt/LEDE router to protect all devices automatically when connected to your home internet connection.

Guide to setup Nordvpn

There is also sometimes a need to direct some devices such as a Smart TV you watch Netflix on away from the VPN as the service will be blocked. To do this you will need to create a Static IP address on the device and also add a rule in /etc/config/network to take care of this and route the device outside of the VPN and use your ISP Gateway. The below link is a good read on what’s needed.

https://forum.openwrt.org/t/route-single-ip-outside-openvpn/37373?u=toonage


Who will be crowned with the premiership title?

The 18/19 Premiership title race has gone to the last day with Man City and Liverpool fighting for the title.

Manchester City are on 95 points and in pole position while Liverpool are on 94 in second, breathing down their necks.

Liverpool face Wolves away and Man City take on Brighton. With Liverpool securing their place in the Champions League final earlier in the week, they're sure to be in high spirits and all guns blazing going into the last game.

All games kick off at 3pm today so it’s going to be a really interesting day with these being the games to watch.

At the other end of the table, Cardiff have been declared the final team to be relegated out of the bottom three, the only focus now being who picks up the title.

My guess is that Man City will pick up the title and be crowned champions but there is a little doubt in my mind that Liverpool can come up with the goods after the performance they put out against Barcelona going on to win 4-3 from both legs after being behind 3-0 from first leg.

All will be revealed around 5pm this evening with a replica trophy being at one of the grounds should it go either way.
