WireGuard basics

WireGuard is an OSS and protocol that implements VPN by creating secure point-to-point connections over UDP in routed configurations. It runs as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols. The protocol is designed to provide a general purpose VPN solution and can support different configuration types including point-to-point, client-server, and site-to-site connections.

WireGuard generally relies on public-key cryptography. It requires to generate a private and public key for each peer and exchange only the public keys. While the private key is best never disclosed outside the peer where it was generated. For better security, you can also generate and exchange a pre-shared key. Each pair of peers should use one pre-shared key.

WireGuard is time sensitive and can refuse to pass traffic if the peer's clock is out of sync. It's recommended to rely on NTP for all peers. The issue could be caused by incorrect NTP configuration, or race conditions between netifd and sysntpd services, specifically when RTC is missing. Setting time forward on the client side can work around the problem.

Navigate to LuCI → System → Software and install the packages luci-proto-wireguard and luci-app-wireguard to manage WireGuard using LuCI.

Generate a key pair of private and public keys.

wg genkey | tee wg.key | wg pubkey > wg.pub

• Use the wg.key file to configure the WireGuard interface on this router.
• Use the wg.pub file to configure peers that will connect to this router through the WireGuard VPN.

Navigate to LuCI → System → Startup → Initscripts and click to network → Restart.

To create a new WireGuard interface go to LuCI → Network → Interfaces → Add new interface... and select WireGuard VPN from the Protocol dropdown menu.

The menu LuCI → Status → WireGuard shows information about the WireGuard VPN.