The amount of tutorials out for setting up Wireguard on your Openwrt router are either incorrect or over complicated.

I’ve decided to collate these and create an easy to understand walkthrough to get a simple Wireguard VPN set up on your router. I will be using the wireguard app on Android as an example in this tutorial but others should be similar.

With advice from some of the members of the openwrt forums (thanks to cpunk) the below details have been updated to be more accurate.

Install packages

SSH into your router and run the below:
opkg update
opkg install kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools

Add the interface

Login to your router and select Network > Interfaces and then select Add new interface.

Name the newly created interface wgo, select Wireguard VPN as the protocol and press Submit.

Generate key pairs

From SSH run the following:
mkdir -p /etc/wireguard
wg genkey | tee /etc/wireguard/server-privatekey | wg pubkey > /etc/wireguard/server-publickey
wg genkey | tee client-privatekey | wg pubkey > client-publickey

Grab the keys

There should now be two files in /etc/wireguard, one called server-privatekey & server-publickey. Open these files to view the keys and make a note of them.

Wireguard app

Download and open up the wireguard app on your device and select the + icon and select Create from scratch. Name the Interface, click GENERATE. Copy the Public key somewhere as you will need this to enter into the Wireguard interface on your Openwrt router .

Configure the Openwrt Wireguard Interface

In your router, head over to the configuration page of wg0 interface. From the general settings section, paste the server-privatekey you obtained from /etc/wireguard earlier into Private Key section, set Listening port to 51820 or any unused port you like.
In IP Addresses, choose a subnet IP CIDR, for example 10.200.200.1/24 . This will be the subnet of your VPN

In the PEERS section click Add and paste in the Public key you obtained from the wireguard app. In the Allowed IP’s section you’re indicating what addresses are reached through the tunnel to this peer. In our example we only want to send traffic to the one client’s address. To do this, pick an IP address for the client in the subnet you previously chose, and use /32 at the end. For example 10.200.200.2/32. Next, make sure Route Allowed IPs is checked and set Persistent Keep Alive to the recommended value of 25.

Select Firewall Settings from the top of the page and assign lan zone for the interface then click Save & Apply.

Create firewall rule

Next run the following in SSH to make a new firewall rule in OpenWRT.
Making sure your change port 51820 to match what you selected earlier if you changed this:

uci add firewall rule
uci set firewall.@rule[-1].src="*"
uci set firewall.@rule[-1].target="ACCEPT"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].dest_port="51820"
uci set firewall.@rule[-1].name="Allow-Wireguard-Inbound"
uci commit firewall
/etc/init.d/firewall restart

Wireguard app

Go back to the app and in Addresses, put the address you chose for the client and entered on the server in the peer Allowed IPs section, but use the real subnet mask (/24 in CIDR notation) like you did for the server Address, e.g. 10.200.200.2/24. In DNS servers, put the router’s LAN IP address in and select ADD PEER. Don’t touch Listen port and MTU unless you know what you’re doing.

In the Public key section paste in the public key you obtained from /etc/wireguard on the openwrt router earlier and enter 0.0.0.0/0 into Allowed IPs. In Endpoint, specify the router’s WAN IP address or a domain name, ending with :port. For example vpn.foobar.dev:51820. Leave the rest default and hit the save icon.

You should now be up and running. If you have trouble connecting, restart your router and check settings if still not working.