Note: The following guide has been deprecated in our configuration as we have switched to using OpenVPN. OpenVPN is supported natively by our ATAs, so in some installations, we may not even need a router installed
ssh into your router at
Note: Make sure you set a password for root before doing this step, you will not be able to perform an update until you do.
$ ssh email@example.com
Next, perform an update and install WireGuard packages:
# opkg update # opkg install wireguard-tools luci-proto-wireguard
Next generate the public/private keys and save the output for later, we will need the private key for our client set up and the public key for our server setup.
# wg genkey | tee privatekey | wg pubkey > publickey # cat privatekey && cat publickey
Finally, reboot. You must perform this step before adding an interface.
Configuring an Interface
After a few minutes the router should be rebooted. Navigate to the web interface at http://192.168.1.1 and go to Network –> Interfaces. Near the bottom of the screen press the button for Add New Interface… In the dialog, name the interface
philtel and set the protocol to
WireGuard VPN before pressing the Create Interface button.
On the Interfaces dialog, check the box for Bring up on boot and enter the private key we saved earlier into the corresponding field. In the box next to IP Addresses, we will put in an address in our server’s advertised range such as
On the Advanced Settings tab, make sure the box for Use default gateway is checked.
On the Peers tab, enter
philtel-server in the Description field and enter the server’s public key in the Public Key field. For Allowed IPs, enter
0.0.0.0/0 and make sure the box is checked for Route Allowed IPs. For the Endpoint Host, enter the public IP address of the server and for Endpoint Port use the port the server is running WireGuard on (likely
52934). Finally, enter
25 into the field for Persistent Keep Alive to have our client constantly keep the connection active since the server will not know of the client’s IP/Port to start a connection.
Finally, press the Save button and when the dialog disappears, press the Save & Apply button on the Interfaces page.
Configuring the Firewall
We want to pass all traffic through WireGuard and also allow connections direct to the WireGuard server so we must make changes in the firewall.
Navigate to Network –> Firewall and press the Add button in the Zones section of the page.
In the Name field enter
philtel_fw. From the Input dropdown choose
Reject, from the Output dropdown choose
Accept, and from the Forward dropdown choose
Check the boxes for Masquerading and MSS clamping. In Covered Networks select
philtel. For Allow Forward to destination zones leave this as
unspecified but for Allow forward from source zones select
Press the button for Save and then on the Firewall page press the button for Save & Apply.
Afterwards from any LAN client connected to the router should be able to ping a public IP and the internal IP of our WireGuard server:
> ping 22.214.171.124 > ping 10.11.12.1
Adding the Peer to the Server
On our server, we just need to edit the config for the new peer.
$ sudo nano /etc/wireguard/wg0.conf
Paste the following into the bottom of the file, substituting the client’s
AllowedIPs with what we set previously at the client:
[Peer] PublicKey = xxxxxxxxxx AllowedIPs = 10.11.12.13/32 PersistentKeepalive = 25
Now, we simply restart WireGuard on the server to load the new config:
$ sudo systemctl reload firstname.lastname@example.org
Workarounds for Wireguard not getting RX
We noticed after downtime/reboots that the WireGuard interface on the router will appear to connect and send TX, but it will not get any RX back. The temporarily solution for this was to up/down the interface on the server side, but this is a bad fix as it has to be done manually and power outages can never be predicted. There should not need to be human intervention for reconnection.
A similar issue was reported in this thread and workarounds were provided, https://forum.openwrt.org/t/wireguard-not-re-establishing-connection/90556/3.
NOTE: After applying the below workarounds, complete reconnection after a power cycle may take up to 3 minutes (could be more).
To apply these workarounds, SSH into the router (
ssh 192.168.1.1) and login with
root. Now, execute these three sets of commands:
Preserve default route to restore WAN connectivity when VPN is disconnected.
# Preserve default route uci set network.wan.metric="1024" uci commit network /etc/init.d/network restart
Periodically re-resolve inactive peer hostnames for VPN peers with dynamic IP addresses.
# Periodically re-resolve inactive peers cat << "EOF" >> /etc/crontabs/root * * * * * /usr/bin/wireguard_watchdog EOF uci set system.@system.cronloglevel="9" uci commit system /etc/init.d/cron restart
Resolve the race condition with
sysntpd service when RTC is missing.
# Resolve race conditions cat << "EOF" >> /etc/crontabs/root * * * * * date -s 2030-01-01; /etc/init.d/sysntpd restart EOF uci set system.@system.cronloglevel="9" uci commit system /etc/init.d/cron restart
At any point, check the status of the WireGuard link with
Now, the client and server should handhshake but it may be necessary to restart the interface via OpenWRT the first time. In the OpenWRT GUI, go to Network –> Interfaces and press the Restart button next to the
philtel interface. Within a few seconds the interface should come back up.
To test connectivity feel free to ping the server from the client or the client from the server using the