This translation is older than the original page and might be outdated. See what has changed.

FIXME This page is not fully translated, yet. Please help completing the translation.
(remove this paragraph once the translation is finished)

WireGuard server

  • 加密您的互联网连接以加强安全和隐私。
    • 防止客户端的数据泄露和流量欺骗。
  • 使用商业vpn服务绕过区域限制。
    • 规避客户端内容过滤和互联网审查。
  • 更方便地远程访问您的局域网服务(无需端口转发)。

Install the required packages. Specify the VPN server configuration parameters.

# Install packages
opkg update
opkg install wireguard-tools
# Configuration parameters

Generate and exchange keys between server and client.

# Generate keys
umask go=
wg genkey | tee wgserver.key | wg pubkey >
wg genkey | tee wgclient.key | wg pubkey >
wg genpsk > wgclient.psk
# Server private key
WG_KEY="$(cat wgserver.key)"
# Pre-shared key
WG_PSK="$(cat wgclient.psk)"
# Client public key

Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list"${WG_IF}"
uci add_list"${WG_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set"Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set"ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Configure VPN interface and peers.

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
# Add VPN peers
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"
uci commit network
/etc/init.d/network restart

建立 VPN 连接。 使用 traceroutetraceroute6 命令确认流量是否通过VPN网关.



请确保客户端没有DNS泄露(DNS leak)发生。


Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/network restart; sleep 10
# Log and status
logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
# Runtime configuration
pgrep -f -a wg; wg show; wg showconf vpn
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
# Persistent configuration
uci show network; uci show firewall; crontab -l
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/09/09 10:58
  • by vgaetera