WireGuard extras
Introduction
- This how-to describes the most common WireGuard tuning scenarios adapted for OpenWrt.
- Follow WireGuard server for server setup and WireGuard client for client setup.
- Follow WireGuard protocol for server and client configuration.
- Follow DDNS client to use own server with dynamic IP address.
- Follow Random generator to overcome low entropy issues.
Extras
Web interface
To manage VPN settings and view VPN status from the web interface, install the necessary packages and restart rpcd so LuCI picks up the new protocol handler.
# Install packages
opkg update
opkg install luci-proto-wireguard qrencode
service rpcd restart
- Navigate to LuCI → Network → Interfaces to configure WireGuard.
- Navigate to LuCI → Status → WireGuard to view WireGuard status.
Dynamic connection
Preserve the WAN default route so that WAN connectivity is restored when the VPN disconnects. Giving the WAN interface a higher metric keeps its default route in the routing table while the VPN default route (metric 0) takes precedence as long as the tunnel is up.
# Preserve default route
uci set network.wan.metric="1024"
uci commit network
service network restart
Dynamic address
Periodically re-resolve the hostnames of inactive peers when VPN peers have dynamic IP addresses. WireGuard resolves an endpoint hostname only when the peer is configured, so once the address behind the name changes the tunnel stays down until the endpoint is set again.
# Periodically re-resolve inactive peers
cat << "EOF" >> /etc/crontabs/root
* * * * * /usr/bin/wireguard_watchdog
EOF
uci set system.@system[0].cronloglevel="9"
uci commit system
service cron restart
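The logic behind such a watchdog, as an added example that is not the OpenWrt wireguard_watchdog script itself: parse the output of `wg show <iface> latest-handshakes`, treat peers that never handshaked or whose last handshake is older than an assumed 150 s threshold as stale, and emit the `wg set ... endpoint host:port` commands that would make WireGuard resolve their hostnames again. The peer keys, hostnames and timestamps below are constructed, and the commands are only printed (dry run), not executed.

```shell
#!/bin/sh
# Added example, not the wireguard_watchdog shipped by OpenWrt.

# Constructed sample of `wg show vpn latest-handshakes`: one line per peer,
# "<public key> <unix time of last handshake>" (tab-separated in real output;
# 0 means the peer never completed a handshake).
SAMPLE_HANDSHAKES='keyA= 1700000000
keyB= 1699999000
keyC= 0'

# Constructed map of peer public key to its configured endpoint hostname.
SAMPLE_ENDPOINTS='keyA= alpha.example.org:51820
keyB= bravo.example.org:51820
keyC= charlie.example.org:51820'

# is_stale LAST_HANDSHAKE NOW MAX_AGE
# Exit 0 when the peer never handshaked or its last handshake is older than
# MAX_AGE seconds. An active tunnel rekeys about every two minutes, so an
# assumed 150 s threshold separates "idle or broken" from "working".
is_stale() {
  last="$1"; now="$2"; max_age="$3"
  [ "$last" -eq 0 ] || [ $((now - last)) -gt "$max_age" ]
}

# stale_peers NOW MAX_AGE   (latest-handshakes lines on stdin)
# Prints the public key of every stale peer, one per line.
stale_peers() {
  now="$1"; max_age="$2"
  while read -r pub last; do
    [ -n "$pub" ] || continue
    if is_stale "$last" "$now" "$max_age"; then
      printf '%s\n' "$pub"
    fi
  done
}

# stale_count NOW MAX_AGE   (latest-handshakes lines on stdin) -> number
stale_count() {
  n=0
  for pub in $(stale_peers "$1" "$2"); do n=$((n + 1)); done
  echo "$n"
}

# watchdog_plan IFACE NOW MAX_AGE HANDSHAKES ENDPOINTS
# Dry run: prints one `wg set IFACE peer <key> endpoint <host:port>` line per
# stale peer that has a hostname configured. Re-setting the endpoint is what
# forces wg to resolve the name again; peers without a hostname are skipped
# because there is nothing to re-resolve.
watchdog_plan() {
  iface="$1"; now="$2"; max_age="$3"; handshakes="$4"; endpoints="$5"
  printf '%s\n' "$handshakes" | stale_peers "$now" "$max_age" |
  while read -r pub; do
    host="$(printf '%s\n' "$endpoints" | awk -v k="$pub" '$1 == k { print $2 }')"
    [ -n "$host" ] || continue
    printf 'wg set %s peer %s endpoint %s\n' "$iface" "$pub" "$host"
  done
}

# Usage: show what would be done for the constructed sample at NOW=1700000100.
watchdog_plan vpn 1700000100 150 "$SAMPLE_HANDSHAKES" "$SAMPLE_ENDPOINTS"
```

On a router the handshake table would come from `wg show vpn latest-handshakes` and the endpoint map from the peer sections in /etc/config/network; only keyB (handshake 1100 s old) and keyC (never) are re-resolved, keyA is left alone.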
Race conditions
Resolve the race condition between WireGuard and the sysntpd service on devices without an RTC. WireGuard includes a timestamp in each handshake initiation to reject replays, so a peer whose clock has gone backwards after a reboot may be unable to re-establish the tunnel until the clock moves forward again.
# Resolve race conditions
cat << "EOF" >> /etc/crontabs/root
* * * * * date -s 2030-01-01; service sysntpd restart
EOF
uci set system.@system[0].cronloglevel="9"
uci commit system
service cron restart
Site-to-site
Implement plain routing between the server side LAN and the client side LAN, assuming that:
- 192.168.1.0/24 - server side LAN
- 192.168.2.0/24 - client side LAN
Add a route to the client side LAN on the VPN server.
uci set network.wgclient.route_allowed_ips="1"
uci add_list network.wgclient.allowed_ips="192.168.2.0/24"
uci commit network
service network restart
Add a route to the server side LAN on the VPN client.
uci set network.wgserver.route_allowed_ips="1"
uci add_list network.wgserver.allowed_ips="192.168.1.0/24"
uci commit network
service network restart
Consider the VPN network as private and assign the VPN interface to the LAN zone on the VPN client. This gives the remote site the same access to the client router and its LAN as local hosts have, including the router's own services, so only do this when the peer site is trusted.
uci del_list firewall.wan.network="vpn"
uci add_list firewall.lan.network="vpn"
uci commit firewall
service firewall restart
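A check worth running before a site-to-site setup, as an added example that is not part of the wiki: confirm that the server LAN, client LAN and VPN network do not overlap. The how-to assumes 192.168.1.0/24 and 192.168.2.0/24, but OpenWrt's factory default LAN is 192.168.1.0/24 on both routers, and with identical prefixes the allowed_ips route added above would compete with the local LAN route and the tunnel would carry nothing useful. The functions below work on IPv4 prefixes in POSIX sh; all prefixes in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki.

# ip4_to_int A.B.C.D -> the address as a 32-bit integer (subshell body so the
# temporary IFS and positional parameters do not leak into the caller).
ip4_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# prefix_mask N -> netmask of a /N prefix as an integer; /0 handled explicitly
# because shifting by 32 is not portable.
prefix_mask() {
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  fi
}

# cidr_overlap A.B.C.D/N W.X.Y.Z/M -> exit 0 if the prefixes share any address.
# Two prefixes overlap exactly when one contains the other, i.e. when they
# agree on all bits of the shorter prefix.
cidr_overlap() {
  n1="${1%/*}"; p1="${1#*/}"
  n2="${2%/*}"; p2="${2#*/}"
  p="$p1"
  if [ "$p2" -lt "$p" ]; then p="$p2"; fi
  mask="$(prefix_mask "$p")"
  a="$(ip4_to_int "$n1")"
  b="$(ip4_to_int "$n2")"
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# site_prefixes_ok SERVER_LAN CLIENT_LAN VPN_NET
# Exit 0 when all three prefixes are pairwise disjoint, 1 otherwise, naming
# each clashing pair on stderr.
site_prefixes_ok() {
  s="$1"; c="$2"; v="$3"
  ok=0
  for pair in "$s $c" "$s $v" "$c $v"; do
    set -- $pair
    if cidr_overlap "$1" "$2"; then
      echo "overlap: $1 and $2" >&2
      ok=1
    fi
  done
  return "$ok"
}

# Usage with the how-to's assumed prefixes (passes) and with two routers left
# on the OpenWrt default LAN (fails and reports the clash).
site_prefixes_ok 192.168.1.0/24 192.168.2.0/24 192.168.9.0/24 && echo "prefixes ok"
site_prefixes_ok 192.168.1.0/24 192.168.1.0/24 192.168.9.0/24 || echo "fix the LAN prefixes first"
```

The same check applies to the IPv6 site-to-site section: the two sites must end up with different /64s, which is what the distinct ip6hint values there guarantee.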
IPv6 site-to-site
Provide IPv6 site-to-site connectivity, assuming that:
- fd00:0:0:1::/64 - server side LAN
- fd00:0:0:2::/64 - client side LAN
Add a route to the client side LAN on the VPN server. The ip6prefix on the VPN interface supplies the fd00::/48 ULA block, and ip6assign with ip6hint carves out the site's /64 from it (hint 1 on the server, hint 2 on the client, so the two LANs never collide).
uci set network.lan.ip6assign="64"
uci set network.lan.ip6hint="1"
uci set network.vpn.ip6prefix="fd00::/48"
uci add_list network.wgclient.allowed_ips="fd00:0:0:2::/64"
uci commit network
service network restart
Add a route to the server side LAN on the VPN client.
uci set network.lan.ip6assign="64"
uci set network.lan.ip6hint="2"
uci set network.vpn.ip6prefix="fd00::/48"
uci add_list network.wgserver.allowed_ips="fd00:0:0:1::/64"
uci commit network
service network restart
Default gateway
If you do not need to route all traffic through the VPN, disable gateway redirection on the VPN client by removing the catch-all allowed IPs.
uci del_list network.wgserver.allowed_ips="0.0.0.0/0"
uci del_list network.wgserver.allowed_ips="::/0"
uci commit network
service network restart
If you want to disable automatic routes for allowed IPs altogether, so that routes to the VPN are managed manually:
uci -q delete network.wgserver.route_allowed_ips
uci commit network
service network restart
Split gateway
If the VPN gateway is a separate host from your LAN gateway, implement plain routing between the LAN and VPN networks, assuming that:
- 192.168.1.0/24 - LAN network
- 192.168.1.2/24 - VPN gateway
- 192.168.9.0/24 - VPN network
Add port forwarding for the VPN server on the LAN gateway.
uci -q delete firewall.wg
uci set firewall.wg="redirect"
uci set firewall.wg.name="Redirect-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.src_dport="51820"
uci set firewall.wg.dest="lan"
uci set firewall.wg.dest_ip="192.168.1.2"
uci set firewall.wg.family="ipv4"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="DNAT"
uci commit firewall
service firewall restart
Add a route to the VPN network via the VPN gateway on the LAN gateway.
uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.9.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
service network restart
IPv6 gateway
Set up IPv6 tunnel broker or use IPv6 NAT or NPT if necessary.
Disable ISP prefix delegation to prevent IPv6 leaks on the VPN client; otherwise LAN hosts keep a globally routable ISP address and may reach the Internet past the tunnel.
DNS over VPN
Serve DNS for VPN clients on OpenWrt server when using point-to-point topology.
Route DNS over VPN to prevent DNS leaks on VPN client.
Replace peer DNS with public or VPN-specific DNS provider on OpenWrt client.
Modify the VPN connection using NetworkManager on a Linux desktop client. The `~.` search domain makes the VPN's DNS servers handle all domains and the negative dns-priority makes them exclusive, so other connections' resolvers are not consulted while the VPN is up.
nmcli connection modify id VPN_CON \
ipv4.dns-search ~. ipv4.dns-priority -50 \
ipv6.dns-search ~. ipv6.dns-priority -50
Kill switch
Prevent traffic leaks on the OpenWrt client by isolating the VPN interface in a separate firewall zone. Deleting the first forwarding section removes the default LAN to WAN forwarding, so LAN traffic can only leave through the VPN zone and is dropped, rather than falling back to WAN, while the tunnel is down.
uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.@forwarding[0]
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
service firewall restart
Multi-client
Set up a multi-client VPN server: generate client keys and profiles, then configure the VPN peers. The first entry of VPN_IDS is the server itself; every following entry becomes a client with the next host suffix.
# Configuration parameters
VPN_IDS="wgserver wgclient wglaptop wgmobile"
VPN_PKI="."
VPN_IF="vpn"
VPN_PORT="$(uci -q get network.${VPN_IF}.listen_port)"
read -r VPN_ADDR VPN_ADDR6 \
< <(uci -q get network.${VPN_IF}.addresses)

# Fetch server address (DDNS hostname if configured, else the WAN address)
NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
if [ -n "${NET_FQDN}" ]
then VPN_SERV="${NET_FQDN}"
else VPN_SERV="${NET_ADDR}"
fi

# Generate client keys (umask keeps key files readable by root only)
umask go=
mkdir -p ${VPN_PKI}
for VPN_ID in ${VPN_IDS#* }
do
wg genkey \
| tee ${VPN_PKI}/${VPN_ID}.key \
| wg pubkey > ${VPN_PKI}/${VPN_ID}.pub
wg genpsk > ${VPN_PKI}/${VPN_ID}.psk
done

# Generate client profiles (client N gets host suffix N+1 in the /24 and /64)
VPN_SFX="1"
for VPN_ID in ${VPN_IDS#* }
do
let VPN_SFX++
cat << EOF > ${VPN_PKI}/${VPN_ID}.conf
[Interface]
PrivateKey = $(cat ${VPN_PKI}/${VPN_ID}.key)
Address = ${VPN_ADDR%.*}.${VPN_SFX}/24
Address = ${VPN_ADDR6%:*}:${VPN_SFX}/64
DNS = ${VPN_ADDR%/*}
DNS = ${VPN_ADDR6%/*}
[Peer]
PublicKey = $(cat ${VPN_PKI}/${VPN_IDS%% *}.pub)
PresharedKey = $(cat ${VPN_PKI}/${VPN_ID}.psk)
PersistentKeepalive = 25
Endpoint = ${VPN_SERV}:${VPN_PORT}
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
EOF
done
ls ${VPN_PKI}/*.conf

# Back up client profiles (pwd ignores arguments, so resolve the PKI directory first)
cat << EOF >> /etc/sysupgrade.conf
$(cd ${VPN_PKI} && pwd)
EOF

# Add VPN peers
VPN_SFX="1"
for VPN_ID in ${VPN_IDS#* }
do
let VPN_SFX++
uci -q delete network.${VPN_ID}
uci set network.${VPN_ID}="wireguard_${VPN_IF}"
uci set network.${VPN_ID}.description="${VPN_ID}"
uci set network.${VPN_ID}.private_key="$(cat ${VPN_PKI}/${VPN_ID}.key)"
uci set network.${VPN_ID}.public_key="$(cat ${VPN_PKI}/${VPN_ID}.pub)"
uci set network.${VPN_ID}.preshared_key="$(cat ${VPN_PKI}/${VPN_ID}.psk)"
uci add_list network.${VPN_ID}.allowed_ips="${VPN_ADDR%.*}.${VPN_SFX}/32"
uci add_list network.${VPN_ID}.allowed_ips="${VPN_ADDR6%:*}:${VPN_SFX}/128"
done
uci commit network
service network restart
Perform an OpenWrt backup. Extract the client profiles from the archive and import them to your clients. The profiles contain the clients' private keys, so move them over a secure channel, and keep in mind that copies also remain in the PKI directory and in /etc/config/network on the server.
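The address arithmetic in the script above relies on parameter expansion (${VPN_ADDR%.*}.${VPN_SFX}) and silently produces nonsense when its assumptions do not hold. As an added example that is not part of the wiki script, the functions below derive the same client addresses and server-side allowed_ips but refuse the cases where the trick breaks: a server address that is not a /24 (IPv4) or a <prefix>::<n>/64 (IPv6), a suffix outside 2..254, or a suffix equal to the server's own host part. next_index picks the first unused suffix when a client is added later. The addresses in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki.

# client_addr4 SERVER_ADDR INDEX -> "<net>.INDEX/24", or exit 1 with a message
client_addr4() {
  addr="$1"; idx="$2"
  if [ "${addr#*/}" != "24" ]; then
    echo "client_addr4: expected a /24 server address, got $addr" >&2
    return 1
  fi
  if [ "$idx" -lt 2 ] || [ "$idx" -gt 254 ]; then
    echo "client_addr4: suffix $idx outside 2..254" >&2
    return 1
  fi
  host="${addr%/*}"                    # e.g. 192.168.9.1
  if [ "${host##*.}" -eq "$idx" ]; then
    echo "client_addr4: suffix $idx collides with the server address" >&2
    return 1
  fi
  echo "${host%.*}.${idx}/24"
}

# client_addr6 SERVER_ADDR6 INDEX -> "<prefix>::INDEX/64", or exit 1.
# The script's ${VPN_ADDR6%:*} cut only works when the server address ends in
# "::<single group>", so anything else is rejected instead of mangled.
client_addr6() {
  addr="$1"; idx="$2"
  if [ "${addr#*/}" != "64" ]; then
    echo "client_addr6: expected a /64 server address, got $addr" >&2
    return 1
  fi
  host="${addr%/*}"                    # e.g. fd00:0:0:9::1
  case "$host" in
    *::*) ;;
    *) echo "client_addr6: expected <prefix>::<n> form, got $addr" >&2; return 1 ;;
  esac
  case "${host##*::}" in
    *:*) echo "client_addr6: expected a single group after ::, got $addr" >&2; return 1 ;;
  esac
  if [ "$idx" -lt 2 ] || [ "$idx" -gt 254 ]; then
    echo "client_addr6: suffix $idx outside 2..254" >&2
    return 1
  fi
  echo "${host%:*}:${idx}/64"
}

# peer_allowed_ips SERVER_ADDR SERVER_ADDR6 INDEX
# Prints the two allowed_ips entries the server needs for that client
# (host routes, /32 and /128), or exit 1 if either address is unusable.
peer_allowed_ips() {
  a4="$(client_addr4 "$1" "$3")" || return 1
  a6="$(client_addr6 "$2" "$3")" || return 1
  echo "${a4%/*}/32"
  echo "${a6%/*}/128"
}

# next_index USED_SUFFIX... -> smallest suffix in 2..254 not already in use,
# exit 1 when the /24 is full.
next_index() {
  i=2
  while [ "$i" -le 254 ]; do
    used=0
    for u in "$@"; do
      if [ "$u" -eq "$i" ]; then used=1; fi
    done
    if [ "$used" -eq 0 ]; then echo "$i"; return 0; fi
    i=$((i + 1))
  done
  return 1
}

# Usage: third client (suffix 4) for a server at 192.168.9.1/24 and
# fd00:0:0:9::1/64, then the suffix a fifth client would get.
peer_allowed_ips 192.168.9.1/24 fd00:0:0:9::1/64 4
next_index 2 3 4
```

Running the same derivation against a server configured with, say, 10.8.0.1/16 fails loudly instead of handing out 10.8.0.N/24 addresses that are not on the VPN's own prefix.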
Automated
Automated VPN server installation and client profile generation. The script is assembled from code blocks exported by the wiki and then executed, so review wireguard-server.sh before running it.
URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard/server"
cat << EOF > wireguard-server.sh
$(wget -U "" -O - "${URL}?codeblock=0")
$(wget -U "" -O - "${URL}?codeblock=1")
$(wget -U "" -O - "${URL}?codeblock=2")
$(wget -U "" -O - "${URL}?codeblock=3")
$(wget -U "" -O - "${URL}/../extras?codeblock=15")
EOF
sh wireguard-server.sh