OpenWrt WireGuard Setup

Follow this guide to set up WireGuard on your OpenWrt router

⚠️ Advanced Setup: This guide assumes familiarity with OpenWrt administration. Setting up WireGuard on a router will route IPv6 traffic from all devices on your network through the tunnel.

1. Install WireGuard Packages

Connect to your OpenWrt router via SSH and install the required packages:

# Update package lists
opkg update

# Install WireGuard packages
opkg install wireguard-tools luci-app-wireguard

# For kernel module (if not included)
opkg install kmod-wireguard
💡 Tip: The luci-app-wireguard package provides a web interface for WireGuard configuration.

Verify Installation

# Check if WireGuard module is loaded
lsmod | grep wireguard

# Check WireGuard version
wg --version

2. Get Your Configuration

Download your WireGuard configuration from the GetIP.online dashboard.

⚠️ Account Required: You need to create an account and generate a tunnel first.


3. Configure WireGuard (CLI Method)

Create the WireGuard interface configuration:

Create Network Interface

# Add WireGuard interface to network config
# (the private key is stored in plain text in /etc/config/network,
# so treat that file and any configuration backup as secret)
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key='YOUR_PRIVATE_KEY_HERE'
uci add_list network.wg0.addresses='YOUR_IPV6_ADDRESS_HERE/128'

# Add peer configuration
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1]=wireguard_wg0
uci set network.@wireguard_wg0[-1].public_key='SERVER_PUBLIC_KEY_HERE'
uci set network.@wireguard_wg0[-1].endpoint_host='SERVER_ENDPOINT_HERE'
uci set network.@wireguard_wg0[-1].endpoint_port='51820'
# allowed_ips is a list option, so use add_list
uci add_list network.@wireguard_wg0[-1].allowed_ips='::/0'
# Create routes for the allowed IPs; without this no traffic is sent via wg0
uci set network.@wireguard_wg0[-1].route_allowed_ips='1'
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'

# Commit changes
uci commit network
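
The script below is an added example, not part of the original guide or of GetIP.online's tooling: it maps a downloaded configuration file onto the uci commands above so key material is not retyped by hand. It assumes the file uses the standard wg-quick layout ([Interface] and [Peer] sections); the function names and the sample values are constructed for illustration, and it also covers cases the commands above do not show (bracketed IPv6 endpoints, comma-separated lists).

```shell
# Added example, not from the original guide. Assumes the downloaded file
# uses the standard wg-quick layout; all names and values are constructed.

trim() { t=${1#"${1%%[![:space:]]*}"}; printf '%s' "${t%"${t##*[![:space:]]}"}"; }

emit_list() {  # one "uci add_list" per comma-separated item
    printf '%s\n' "$2" | tr ',' '\n' | while read -r item; do
        if [ -n "$item" ]; then echo "uci add_list $1='$item'"; fi
    done
}

conf_to_uci() {  # usage: conf_to_uci [IFACE] < file; prints commands only
    ifc=${1:-wg0}; peer="network.@wireguard_${ifc}[-1]"
    echo "uci set network.$ifc=interface"
    echo "uci set network.$ifc.proto='wireguard'"
    tr -d '\r' | while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "${line%%#*}")          # drop comments and padding
        case $line in
            "[Peer]") echo "uci add network wireguard_$ifc"
                      echo "uci set $peer.route_allowed_ips='1'"; continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key=$(trim "${line%%=*}")           # split on the FIRST '=' only,
        val=$(trim "${line#*=}")            # because base64 keys end in '='
        # values are printed inside single quotes; a quote would break out
        case $val in *\'*) echo "unsafe value for $key" >&2; exit 1 ;; esac
        case $key in
            PrivateKey)   echo "uci set network.$ifc.private_key='$val'" ;;
            Address)      emit_list "network.$ifc.addresses" "$val" ;;
            DNS)          emit_list "network.$ifc.dns" "$val" ;;
            MTU)          echo "uci set network.$ifc.mtu='$val'" ;;
            PublicKey)    echo "uci set $peer.public_key='$val'" ;;
            PresharedKey) echo "uci set $peer.preshared_key='$val'" ;;
            AllowedIPs)   emit_list "$peer.allowed_ips" "$val" ;;
            PersistentKeepalive) echo "uci set $peer.persistent_keepalive='$val'" ;;
            Endpoint)     host=${val%:*}; host=${host#\[}; host=${host%\]}
                          echo "uci set $peer.endpoint_host='$host'"
                          echo "uci set $peer.endpoint_port='${val##*:}'" ;;
        esac
    done
}

sample_conf() {  # constructed input; keys are placeholders, not real keys
    printf '%s\n' '[Interface]' 'PrivateKey = PLACEHOLDERPRIVATEKEY=' \
        'Address = 2001:db8:1::2/128' '[Peer]' 'PublicKey = PLACEHOLDERPUBLICKEY=' \
        'Endpoint = [2001:db8::1]:51820' 'AllowedIPs = ::/0' 'PersistentKeepalive = 25'
}
sample_conf | conf_to_uci wg0
```

Review the printed commands before running them on the router, then finish with `uci commit network` as above.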

Configure Firewall

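# Create a dedicated firewall zone for the WireGuard interface
uci add firewall zone
uci set firewall.@zone[-1].name='wg'
uci set firewall.@zone[-1].network='wg0'
# Set the input policy explicitly so connections arriving over the tunnel
# cannot reach the router itself, whatever the global default is
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'

# Allow forwarding from LAN to WireGuard
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='wg'

# Commit firewall changes
uci commit firewall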

4. Configure WireGuard (Web UI Method)

Alternatively, configure through the LuCI web interface:

  1. Access your OpenWrt web interface (usually http://192.168.1.1)
  2. Navigate to Network → Interfaces
  3. Click Add new interface
  4. Name it wg0 and select WireGuard VPN as protocol
  5. Configure with your tunnel details:
    • Private Key: From your configuration file
    • IPv6 Address: Your assigned IPv6 address with /128
  6. Under Peers, add the server details
  7. Save and apply changes
💡 LuCI Access: If you can't access LuCI, ensure the luci package is installed and the web server is running.

5. Start WireGuard and Test

Activate the WireGuard interface and verify connectivity:

Start the Interface

# Restart network service
/etc/init.d/network restart

# Reload the firewall so the new zone and forwarding take effect
/etc/init.d/firewall restart

# Check interface status
ifstatus wg0

# Check WireGuard status
wg show

Test IPv6 Connectivity

# Test from router
ping6 google.com

# Check IPv6 routing
ip -6 route show

# Monitor WireGuard traffic
wg show wg0 transfer
⚠️ Important: After configuring WireGuard on your router, all devices on your network will use the IPv6 tunnel.

6. Advanced Configuration

IPv6 Forwarding

Enable IPv6 forwarding for your LAN devices:

# Assign a /60 from the available IPv6 prefix to the LAN
uci set network.lan.ip6assign='60'
uci commit network

# In /etc/sysctl.conf, ensure:
net.ipv6.conf.all.forwarding=1

DNS Configuration

Configure IPv6 DNS servers:

# Add IPv6 DNS servers
uci add_list network.wg0.dns='2001:4860:4860::8888'
uci add_list network.wg0.dns='2001:4860:4860::8844'
uci commit network

MTU Optimization

Adjust MTU for optimal performance:

# Set MTU (usually 1420 for WireGuard)
uci set network.wg0.mtu='1420'
uci commit network

Troubleshooting

Connection not establishing

  • Check system logs: logread | grep wireguard
  • Verify firewall rules: ip6tables -L -n -v (on OpenWrt 22.03 and later, which use nftables: nft list ruleset)
  • Ensure correct endpoint and port
  • Check if your ISP blocks UDP port 51820

LAN devices can't access IPv6

  • Verify IPv6 forwarding is enabled
  • Check firewall forwarding rules
  • Ensure Router Advertisement daemon is running
  • Check: /etc/init.d/odhcpd status

Performance issues

  • Check CPU usage during transfers: top
  • Consider hardware acceleration if available
  • Adjust MTU size if needed
  • Disable unnecessary logging

Useful Commands

# Show WireGuard configuration
# (the output includes the private key; redact it before sharing)
wg showconf wg0

# Monitor real-time stats
watch -n 1 'wg show wg0 transfer'

# Restart WireGuard interface
ifdown wg0 && ifup wg0

# Check routing table
ip -6 route show table all

All Set!

Your OpenWrt router is now routing IPv6 traffic through GetIP.online. All devices on your network can now access IPv6 resources.
