WireGuard extras

If you want to manage VPN settings and view VPN status using web interface. Install the necessary packages.

# Install packages
opkg update
opkg install luci-proto-wireguard luci-app-wireguard qrencode
/etc/init.d/rpcd restart
  • Navigate to LuCI → Network → Interfaces to configure WireGuard.
  • Navigate to LuCI → Status → WireGuard to view WireGuard status.

Preserve default route to restore WAN connectivity when VPN is disconnected.

# Preserve default route
uci set network.wan.metric="1024"
uci commit network
/etc/init.d/network restart

Periodically re-resolve inactive peer hostnames for VPN peers with dynamic IP addresses.

# Periodically re-resolve inactive peers
cat << "EOF" >> /etc/crontabs/root
* * * * * /usr/bin/wireguard_watchdog
uci set system.@system[0].cronloglevel="9"
uci commit system
/etc/init.d/cron restart

Resolve the race condition with sysntpd service when RTC is missing.

# Resolve race conditions
cat << "EOF" >> /etc/crontabs/root
* * * * * date -s 2030-01-01; /etc/init.d/sysntpd restart
uci set system.@system[0].cronloglevel="9"
uci commit system
/etc/init.d/cron restart

Implement plain routing between server side LAN and client side LAN assuming that:

  • - server side LAN
  • - client side LAN

Add route to client side LAN on VPN server.

uci set network.wgclient.route_allowed_ips="1"
uci add_list network.wgclient.allowed_ips=""
uci commit network
/etc/init.d/network restart

Add route to server side LAN on VPN client.

uci set network.wgserver.route_allowed_ips="1"
uci add_list network.wgserver.allowed_ips=""
uci commit network
/etc/init.d/network restart

Consider VPN network as private and assign VPN interface to LAN zone on VPN client.

uci del_list firewall.wan.network="vpn"
uci add_list firewall.lan.network="vpn"
uci commit firewall
/etc/init.d/firewall restart

Provide IPv6 site-to-site connectivity assuming that:

  • fd00:0:0:1::/64 - server side LAN
  • fd00:0:0:2::/64 - client side LAN

Add route to client side LAN on VPN server.

uci set network.lan.ip6assign="64"
uci set network.lan.ip6hint="1"
uci set network.vpn.ip6prefix="fd00::/48"
uci add_list network.wgclient.allowed_ips="fd00:0:0:2::/64"
uci commit network
/etc/init.d/network restart

Add route to server side LAN on VPN client.

uci set network.lan.ip6assign="64"
uci set network.lan.ip6hint="2"
uci set network.vpn.ip6prefix="fd00::/48"
uci add_list network.wgserver.allowed_ips="fd00:0:0:1::/64"
uci commit network
/etc/init.d/network restart

If you do not need to redirect all traffic to VPN. Disable gateway redirection on VPN client when using site-to-site connection.

uci del_list network.wgserver.allowed_ips=""
uci del_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

Disable gateway redirection on VPN client when using PBR app.

uci -q delete network.wgserver.route_allowed_ips
uci commit network
/etc/init.d/network restart

If VPN gateway is separate from your LAN gateway. Implement plain routing between LAN network and VPN network assuming that:

  • - LAN network
  • - VPN gateway
  • - VPN network

Add port forwarding for VPN server on LAN gateway.

uci -q delete firewall.wg
uci set firewall.wg="redirect"
uci set firewall.wg.name="Redirect-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.src_dport="51820"
uci set firewall.wg.dest="lan"
uci set firewall.wg.dest_ip=""
uci set firewall.wg.family="ipv4"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Add route to VPN network via VPN gateway on LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target=""
uci set network.vpn.gateway=""
uci commit network
/etc/init.d/network restart

Set up an IPv6 tunnel broker or IPv6 masquerading if necessary.

Disable ISP prefix delegation to prevent IPv6 leaks on VPN client.

Provide DNS for VPN clients in the point-to-point topology on OpenWrt server.

Utilize DNS over VPN to prevent DNS leaks on VPN client.

Disable peer DNS and configure a VPN-routed DNS provider on OpenWrt client.

Modify the VPN connection using NetworkManager on Linux desktop client.

nmcli connection modify id VPN_CON \
ipv4.dns-search ~. ipv4.dns-priority -50 \
ipv6.dns-search ~. ipv6.dns-priority -50

Prevent traffic leaks on OpenWrt client isolating VPN interface in a separate firewall zone.

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.@forwarding[0]
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart

Set up multi-client VPN server. Generate client keys and profiles. Configure VPN peers.

# Configuration parameters
VPN_IDS="wgserver wgclient wglaptop wgmobile"
VPN_PORT="$(uci -q get network.${VPN_IF}.listen_port)"
$(uci -q get network.${VPN_IF}.addresses)
# Fetch server address
NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
. /lib/functions/network.sh
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
if [ -n "${NET_FQDN}" ]
# Generate client keys
umask go=
mkdir -p ${VPN_PKI}
for VPN_ID in ${VPN_IDS#* }
if [ ! -e "${VPN_PKI}/${VPN_ID}.pub" ]
then wg genkey \
| tee ${VPN_PKI}/${VPN_ID}.key \
| wg pubkey > ${VPN_PKI}/${VPN_ID}.pub
if [ ! -e "${VPN_PKI}/${VPN_ID}.psk" ]
then wg genpsk > ${VPN_PKI}/${VPN_ID}.psk
# Generate client profiles
for VPN_ID in ${VPN_IDS#* }
let VPN_SFX++
cat << EOF > ${VPN_PKI}/${VPN_ID}.conf
Address = ${VPN_ADDR%.*}.${VPN_SFX}/24, ${VPN_ADDR6%:*}:${VPN_SFX}/64
PrivateKey = $(cat ${VPN_PKI}/${VPN_ID}.key)
DNS = ${VPN_ADDR%/*}, ${VPN_ADDR6%/*}
PublicKey = $(cat ${VPN_PKI}/${VPN_IDS%% *}.pub)
PresharedKey = $(cat ${VPN_PKI}/${VPN_ID}.psk)
PersistentKeepalive = 25
AllowedIPs =, ::/0
Endpoint = ${VPN_SERV}:${VPN_PORT}
ls ${VPN_PKI}/*.conf
# Back up client profiles
cat << EOF >> /etc/sysupgrade.conf
$(pwd ${VPN_PKI})
# Add VPN peers
for VPN_ID in ${VPN_IDS#* }
let VPN_SFX++
uci -q delete network.${VPN_ID}
uci set network.${VPN_ID}="wireguard_${VPN_IF}"
uci set network.${VPN_ID}.description="${VPN_ID}"
uci set network.${VPN_ID}.private_key="$(cat ${VPN_PKI}/${VPN_ID}.key)"
uci set network.${VPN_ID}.public_key="$(cat ${VPN_PKI}/${VPN_ID}.pub)"
uci set network.${VPN_ID}.preshared_key="$(cat ${VPN_PKI}/${VPN_ID}.psk)"
uci add_list network.${VPN_ID}.allowed_ips="${VPN_ADDR%.*}.${VPN_SFX}/32"
uci add_list network.${VPN_ID}.allowed_ips="${VPN_ADDR6%:*}:${VPN_SFX}/128"
uci commit network
/etc/init.d/network restart

Perform OpenWrt backup. Extract client profiles from the archive and import them to your clients.

Automated VPN server installation and client profiles generation.

cat << EOF > wireguard-server.sh
$(uclient-fetch -O - "${URL}/server?codeblock=0")
$(uclient-fetch -O - "${URL}/server?codeblock=1")
$(uclient-fetch -O - "${URL}/server?codeblock=2")
$(uclient-fetch -O - "${URL}/server?codeblock=3")
sleep 10
$(uclient-fetch -O - "${URL}/extras?codeblock=15")
sh wireguard-server.sh
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/03/15 09:03
  • by vgaetera