OpenWrt

This section of the documentation provides an overview of how to install AzireVPN on a router flashed with OpenWrt.

Getting started

The installation process involves numerous manual steps that need to be done carefully. It is suggested to go through the whole guide before starting the installation, as this will help you have a clear understanding of the overall procedure.

The router needs to be flashed with a factory OpenWrt firmware image to follow this guide. This is a risky operation that could damage the router. Caution is advised.

Generating WireGuard data

This section explains how to generate the data that are required for configuring the WireGuard interface on the router. These data will be used in various sections of the guide later on.

Generating these data requires authentication with an AzireVPN account. If you don’t have an account yet, you will need to register one.

To start, please fill out the form below with your AzireVPN username and password, and select the location you would like to connect to.

Installation

Installing the LuCI WireGuard package

The LuCI WireGuard package enables easy configuration of WireGuard interfaces from the web administration interface. To install the LuCI WireGuard package and all its dependencies, follow these steps:

  1. Open the LuCI administration interface in your preferred browser. The default address is 192.168.1.1.
  2. Enter your username and password to log in, if you have not done so already.
  3. In the menu bar, hover over System and click on Software.
  4. Click on the Update lists… button under the Actions label to refresh the list of available packages.
  5. A pop-up window will appear with some logs from the commands used to update the list of available packages.
  6. When the refresh is done, click on the Dismiss button.
  7. In the Download and install package field, enter luci-proto-wireguard, then click on OK to install WireGuard and all necessary dependencies.
  8. A pop-up window will ask you to confirm that you really want to install the package.
  9. Click on the Install button.
  10. When the install is done, click on the Dismiss button.
  11. Reboot the router for the changes to take effect.

Creating the WireGuard interface

A WireGuard interface is a virtual network device that can be used to securely tunnel your network traffic over the Internet. By creating a WireGuard interface, you can connect to one of our WireGuard servers. To create a WireGuard interface, follow these steps:

  1. In the menu bar, hover over Network and click on Interfaces.
  2. Under the Interfaces tab, in the Interfaces section, click on the Add new interface… button.
  3. A pop-up window will prompt you to enter the details of the new network interface.
  4. In the Name field, enter wg.
  5. In the Protocol drop down-list, select WireGuard VPN.
  6. Click on the Create interface button.

Configuring the local settings of the WireGuard interface

The local settings of the WireGuard interface determine how your router communicates with the WireGuard server. To configure the local settings of the WireGuard interface, follow these steps:

Here are the data you are going to need to configure the WireGuard interface:

Use the form at the top of the guide to generate data.

General settings

  1. The pop-up window will prompt you to enter the details of the new WireGuard network interface.
  2. Under the General Settings tab, enter the values from the table for the following fields:
  • Private Key
  • Public Key
  • IP Addresses
  1. To add more IP addresses in the IP Addresses fields, click on the + button.

Advanced settings

  1. Under the Advanced Settings tab, enter the values from the table for the Use custom DNS servers fields.
  2. To add more DNS servers in the Use custom DNS servers fields, click on the + button.

Configuring the peer settings of the WireGuard interface

The peer settings of the WireGuard interface specify the WireGuard server that your router will connect to. To configure the peer settings of the WireGuard interface, follow these steps:

Here are the data you are going to need to configure the WireGuard peer:

Use the form at the top of the guide to generate data.
  1. Under the Peers tab, click on the Add peer button.
  2. The pop-up window will prompt you to enter the details of the peer.
  3. Enter the values from the table for the following fields:
  • Public Key
  • Allowed IPs
  • Endpoint Host
  • Endpoint Port
  1. To add more IP addresses in the Allowed IPs fields, click on the + button.
  2. Check the Route Allowed IPs box.
  3. Click on the Save button twice.
  4. Click on the Save & Apply button to apply the changes. This will disconnect you from the Internet.

Configuring the firewall

The firewall settings of the WireGuard interface control how your router allows or blocks network traffic from and to the WireGuard server. To configure the firewall settings of the WireGuard interface, follow these steps:

  1. In the menu bar, hover over Network and click on Firewall.
  2. Under the General Settings tab, in the Zones section, click on the Add button.
  3. A pop-up window will prompt you to enter the details of the new firewall zone.
  4. Under the General Settings tab, in the Name field, enter wgzone.
  5. Check the Masquerading box, to enable network address translation (NAT) for the WireGuard interface.
  6. Check the MSS clamping box, to prevent packet fragmentation for the WireGuard interface.
  7. In the Covered Networks drop down-list, check the wg WireGuard interface name.
  8. Click on the Save button.
  9. In the Zones section, on the lan ⇒ wan zone line, click on the Edit button.
  10. A pop-up window will open where you can change the details of the lan firewall zone.
  11. In the Allow forward to destination zones drop down-list, uncheck wan, then check wgzone.
  12. Click on the Save button.
  13. Click on the Save & Apply button to apply the changes.

Configuring the router recursive DNS servers

This section is optional and is only needed if you want to use different recursive DNS servers than the ones assigned by your Internet Service Provider.

The DNS servers of the router decide how your router resolves domain names for your network traffic. You can use our recursive DNS servers to avoid ISP censorship and resolve our VPN servers' hostnames more reliably. To use our DNS servers on your router, follow these steps:

Here are the data you are going to need to configure the recursive DNS servers:

Use the form at the top of the guide to generate data.
  1. In the menu bar, hover over Network and click on Interfaces.
  2. Under the Interfaces tab, in the Interfaces section, on the wan interface line, click on the Edit button.
  3. A pop-up window will open where you can enter the DNS servers for the wan zone.
  4. Under the Advanced Settings tab, uncheck the Use DNS servers advertised by peer box.
  5. Enter the values from the table for the Use custom DNS servers IPv4 fields.
  6. To add more DNS servers in the Use custom DNS servers fields, click on the + button.
  7. Click on the Save button.
  8. Repeat the same steps (2 to 7) for the wan6 interface, but use the IPv6 values from the table instead of the IPv4 ones.
  9. Click on the Save & Apply button to apply the changes.

Completing the installation

This is the final step of the WireGuard configuration on your router. After rebooting the router and syncing the clock, you can verify that the WireGuard interface is working properly. To complete the installation, follow these steps:

  1. In the menu bar, hover over System and click on Reboot.
  2. Click on the Perform reboot button to restart the router and apply the changes.
  3. Wait a few minutes for the reboot to finish and the WireGuard interface to start.
  4. Open the LuCI administration interface again and log in with your username and password.
  5. In the menu bar, hover over System and click on System.
  6. In the System Properties section, under the General Settings tab, click on the Sync with browser button to synchronize the router's clock with your browser's clock. The router's clock needs to be synced to successfully establish the connection, as WireGuard is time sensitive. You may need to repeat this step every time the router is rebooted.
  7. Check the connection status on the Check page. The VPN and DNS indicators should be green, meaning that the router is using the WireGuard server and the DNS requests are secure.