Step 1: Install Required Packages
opkg update
opkg install wireguard luci-proto-wireguard luci-app-wireguard
Step 2: Generate Keys for the Server
umask 077 # Files created from now on are readable only by root (mode 600), which is what private keys need
# (Optional) Create WireGuard directory
mkdir -p /etc/wireguard
cd /etc/wireguard
# Generate server private key
wg genkey > server_private.key
# Generate server public key
wg pubkey < server_private.key > server_public.key
Step 3: Generate Keys for the Client
The client keypair is generated on the router here for convenience. Ideally generate it on the Windows PC instead (the WireGuard app creates a keypair when you add an empty tunnel) so the client's private key never has to be copied off the device; if you do generate it here, delete client_private.key once it is in the client config.
# Generate client private key
wg genkey > client_private.key
# Generate client public key
wg pubkey < client_private.key > client_public.key
Step 4: Configure the Network – /etc/config/network
config interface 'wg0'
option proto 'wireguard'
option private_key 'SERVER_PRIVATE_KEY' # Replace with your server’s private key
option listen_port '51820'
list addresses '10.8.0.1/24' # Server IP in the VPN tunnel
config wireguard_wg0
option public_key 'CLIENT_PUBLIC_KEY' # Replace with client's public key (e.g., from Windows)
option description 'Windows PC'
list allowed_ips '10.8.0.2/32' # Client's IP in the tunnel
Step 5: Configure the Windows Client (WireGuard App)
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.8.0.2/32
DNS = 1.1.1.1 # With the split tunnel below this resolver is reached outside the tunnel; use the router's LAN address (e.g. 192.168.0.1) if LAN names should resolve over the VPN
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_PUBLIC_IP:51820
AllowedIPs = 192.168.0.0/24 # Your home LAN: only traffic for these addresses enters the tunnel (split tunnel); add 10.8.0.0/24 too if you want to reach the router's tunnel address 10.8.0.1
PersistentKeepalive = 25
Step 6: Configure Firewall – /etc/config/firewall
config zone
option name 'vpn'
option input 'ACCEPT' # VPN clients may also reach the router itself (SSH, LuCI); use 'REJECT' if they only need the LAN
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg0'
config forwarding
option src 'vpn'
option dest 'lan'
config rule
option name 'Allow-WireGuard-Inbound'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
Step 7: Restart Network and Firewall
/etc/init.d/network restart
/etc/init.d/firewall restart
📌 NOTE:
Why can you access local devices but not browse the internet through the VPN?
Because:
- The client's AllowedIPs only lists the home LAN (192.168.0.0/24), so only traffic for those addresses enters the tunnel; everything else still leaves the Windows PC over its normal connection.
- On the router, the firewall only forwards from the vpn zone to lan. There is no vpn-to-wan forwarding, so tunnel traffic addressed to the internet would be dropped before it reaches the wan zone's masquerading (which a default OpenWrt install enables on the wan zone, but which only applies to traffic that is actually forwarded into wan).
🌍 Want to appear on the internet as if you're behind the OpenWRT router?
1. Modify the WireGuard Client Config:
Change AllowedIPs to:
AllowedIPs = 0.0.0.0/0
This means: "Route all internet traffic through the VPN." It already covers the home LAN, so 192.168.0.0/24 no longer needs to be listed separately, and DNS = 1.1.1.1 is now reached through the tunnel as well.
2. Enable Forwarding from VPN to WAN
Add to /etc/config/firewall, next to the vpn zone and the vpn-to-lan forwarding from Step 6:
config forwarding
option src 'vpn'
option dest 'wan'
On a default OpenWrt install the wan zone already has option masq '1', so forwarded tunnel traffic is translated to your public IP without any extra rule. Check with:
uci show firewall | grep masq
3. (Only on older releases) Manual NAT rule
On OpenWrt 21.02 and earlier, where the firewall is fw3 on iptables, you can instead masquerade by hand via SSH:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
⚠️ Replace eth0 with your actual WAN interface (commonly wan or eth1). You can find it with:
ip route | grep default
To make the rule persistent, add it to /etc/firewall.user:
# Allow NAT for WireGuard
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
On OpenWrt 22.03 and later the firewall is fw4 on nftables: iptables is not installed by default and /etc/firewall.user is no longer executed, so rely on the zone's masq option from step 2 instead.
4. Restart the firewall
/etc/init.d/firewall restart
✅ Result:
All your traffic will be routed through the VPN tunnel.
You'll appear on the internet under your OpenWRT router's IP address.
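Steps 1 to 7 and the full-tunnel variant from the note, collected into one script. This is an added example, not code from the tutorial: it applies the same settings with `uci` instead of hand-editing /etc/config/network and /etc/config/firewall, creates the key files under umask 077, writes the Windows client .conf with the tunnel subnet included so `ping 10.8.0.1` works as a first check, and ends with `wg show`. The section names (win_pc, vpn_lan, vpn_wan, wg_in), the addresses and the YOUR_PUBLIC_IP placeholder are assumptions; DRY_RUN=1 prints the commands instead of running them, which is also how the functions can be exercised off the router.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): Steps 1-7 plus the full-tunnel
# variant, applied with `uci` instead of hand-editing /etc/config/*.
#   sh wg-setup.sh apply                  DRY_RUN=1 ... only prints the commands
#   FULL_TUNNEL=1 sh wg-setup.sh apply    internet via the router as well
set -eu
# Assumed values; adjust to your network.
WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
WG_NET="${WG_NET:-10.8.0.0/24}"            # tunnel subnet
SERVER_ADDR="${SERVER_ADDR:-10.8.0.1/24}"  # router's address in the tunnel
CLIENT_ADDR="${CLIENT_ADDR:-10.8.0.2/32}"  # Windows PC's address in the tunnel
LAN_NET="${LAN_NET:-192.168.0.0/24}"       # home LAN
ENDPOINT="${ENDPOINT:-YOUR_PUBLIC_IP}"     # placeholder: public IP or DDNS name
FULL_TUNNEL="${FULL_TUNNEL:-0}"            # 1 = client sends 0.0.0.0/0 through the VPN

# Execute a command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# A WireGuard key is 32 random bytes in base64: exactly 44 chars ending in '='.
valid_key() {
    [ ${#1} -eq 44 ] && [ "${1%=}" != "$1" ] || return 1
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}
# Steps 2 and 3: <name>.key / <name>.pub, created with umask 077.
gen_keypair() { ( umask 077; wg genkey | tee "$1.key" | wg pubkey > "$1.pub" ); }

# Step 4: wg0 interface plus one named peer.  $1 = server private key, $2 = client public key
configure_server() {
    run uci set "network.$WG_IF=interface"
    run uci set "network.$WG_IF.proto=wireguard"
    run uci set "network.$WG_IF.private_key=$1"
    run uci set "network.$WG_IF.listen_port=$WG_PORT"
    run uci -q delete "network.$WG_IF.addresses" || true   # keep lists idempotent on re-runs
    run uci add_list "network.$WG_IF.addresses=$SERVER_ADDR"
    run uci set "network.win_pc=wireguard_$WG_IF"
    run uci set "network.win_pc.public_key=$2"
    run uci set "network.win_pc.description=Windows PC"
    run uci -q delete network.win_pc.allowed_ips || true
    run uci add_list "network.win_pc.allowed_ips=$CLIENT_ADDR"
    run uci commit network
}

# Step 6: vpn zone, vpn->lan forwarding, inbound UDP rule.  FULL_TUNNEL=1 adds vpn->wan;
# the default wan zone already has masq=1, so no manual MASQUERADE rule is needed.
configure_firewall() {
    run uci set firewall.vpn=zone
    run uci set firewall.vpn.name=vpn
    run uci set firewall.vpn.input=ACCEPT   # VPN clients can reach SSH/LuCI; use REJECT if unwanted
    run uci set firewall.vpn.output=ACCEPT
    run uci set firewall.vpn.forward=ACCEPT
    run uci -q delete firewall.vpn.network || true
    run uci add_list "firewall.vpn.network=$WG_IF"
    run uci set firewall.vpn_lan=forwarding
    run uci set firewall.vpn_lan.src=vpn
    run uci set firewall.vpn_lan.dest=lan
    run uci set firewall.wg_in=rule
    run uci set firewall.wg_in.name=Allow-WireGuard-Inbound
    run uci set firewall.wg_in.src=wan
    run uci set firewall.wg_in.proto=udp
    run uci set "firewall.wg_in.dest_port=$WG_PORT"
    run uci set firewall.wg_in.target=ACCEPT
    if [ "$FULL_TUNNEL" = 1 ]; then
        run uci set firewall.vpn_wan=forwarding
        run uci set firewall.vpn_wan.src=vpn
        run uci set firewall.vpn_wan.dest=wan
    fi
    run uci commit firewall
}

# Step 5: Windows client .conf on stdout.  The split tunnel also lists the tunnel
# subnet so `ping 10.8.0.1` works as a first check.  $1 = client key, $2 = server pub
client_conf() {
    if [ "$FULL_TUNNEL" = 1 ]; then allowed="0.0.0.0/0"; else allowed="$WG_NET, $LAN_NET"; fi
cat <<EOF
[Interface]
PrivateKey = $1
Address = $CLIENT_ADDR
DNS = 1.1.1.1

[Peer]
PublicKey = $2
Endpoint = $ENDPOINT:$WG_PORT
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# Step 7, then the check that matters: the peer and its handshake in `wg show`.
main() {
    mkdir -p /etc/wireguard && cd /etc/wireguard
    [ -f server.key ] || gen_keypair server
    [ -f client.key ] || gen_keypair client
    valid_key "$(cat server.key)" || { echo "server.key is not a WireGuard key" >&2; exit 1; }
    configure_server "$(cat server.key)" "$(cat client.pub)"
    configure_firewall
    run /etc/init.d/network reload
    run /etc/init.d/firewall reload
    ( umask 077; client_conf "$(cat client.key)" "$(cat server.pub)" > client.conf )
    run wg show "$WG_IF"   # import /etc/wireguard/client.conf on the PC, then re-run this
}
if [ "${1:-}" = apply ]; then main; fi
```

Run it once with DRY_RUN=1 and read the printed uci commands before applying; after the client connects, `wg show wg0` should list the peer with a "latest handshake" a few seconds old, which is the one line that proves the keys, port rule and endpoint are all right.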