Installing WireGuard on routers running OpenWrt and LuCI
To follow this guide, you need a compatible router already flashed with OpenWrt. LuCI, the web administration interface for OpenWrt, is used to carry out the installation.
This guide was last reviewed using:
- OpenWrt version 18.06.2 r7676-cddd7b4c77
- LuCI version openwrt-18.06 branch (git-19.020.41695-6f6641d)
Some steps may differ slightly at the time of your reading.
Installing the LuCI WireGuard package
- Connect to the LuCI administration interface through the browser of your choice. Its address is usually 192.168.1.1.
- In the menu bar, hover on System > click on Software.
- In the Download and install package field, enter luci-proto-wireguard > click on OK to install WireGuard and all necessary dependencies.
Generating the key pair
- Connect to the router by typing in a console:
  ssh root@192.168.1.1
- (Optional) Create a directory to store the keys. You can replace wgkeys with the name of your choice:
  mkdir wgkeys && cd wgkeys
- Generate the keys with the following command:
  wg genkey | tee privatekey | wg pubkey > publickey
- Display the keys with the following commands; you will need them later:
  cat privatekey && cat publickey
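A WireGuard key is 32 bytes encoded as base64, so a correct key is always 44 characters ending in a single "=". A key that was truncated or picked up a stray newline when copied from the console will silently fail later in LuCI. The following helper, added here as an example and not part of the AzireVPN guide, validates a pasted key and also wraps the generation step with umask 077 so the private key file is not world-readable. It assumes a POSIX sh such as OpenWrt's ash; the wg tool is only needed by wg_gen_keys, and the sample keys are constructed values, not real credentials.

```shell
# Added example (not part of the AzireVPN guide): sanity-check a WireGuard key
# before pasting it into LuCI, and generate a key pair with safe permissions.
# Assumes a POSIX sh (OpenWrt's ash or a desktop shell); the wg tool is only
# needed for wg_gen_keys.

# Return 0 if $1 is a well-formed WireGuard key: exactly 44 base64 characters
# (32 bytes encoded) ending in a single '=' and containing no whitespace.
wg_key_valid() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # stray newline, space or other junk
    esac
    case "$key" in
        *=) ;;                           # 32 bytes always pad to one '='
        *) return 1 ;;
    esac
    case "${key%=}" in
        *=) return 1 ;;                  # '==' would mean only 31 bytes
    esac
    # Cross-check the decoded length where a base64 tool exists
    # (busybox and coreutils both accept -d).
    if command -v base64 >/dev/null 2>&1; then
        n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
        [ "$n" -eq 32 ] || return 1
    fi
    return 0
}

# Create the key pair under directory $1 (default wgkeys). umask 077 makes the
# files readable by root only, which the guide's plain mkdir does not do.
# Prints the public key on success.
wg_gen_keys() {
    dir=${1:-wgkeys}
    command -v wg >/dev/null 2>&1 || { echo "wg tool not found" >&2; return 1; }
    ( umask 077 && mkdir -p "$dir" && cd "$dir" \
        && wg genkey | tee privatekey | wg pubkey > publickey ) || return 1
    pub=$(cat "$dir/publickey")
    wg_key_valid "$pub" || { echo "generated key failed validation" >&2; return 1; }
    printf '%s\n' "$pub"
}

# Constructed sample keys for a quick self-check (not real credentials).
SAMPLE_OK_KEY='QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE='   # 32 x 'A', base64
SAMPLE_BAD_KEY='QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE= '  # trailing space
```

Run `wg_key_valid "$(cat publickey)" && echo ok` on the router after generating the keys; a non-zero exit means the file content is not something WireGuard will accept as a key.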
Contacting the AzireVPN API to get connection details
If you are using Linux or macOS, the following steps can be executed in your own console instead.
- It is necessary to install ca-bundle and curl in order to contact the AzireVPN API, using the following commands:
  opkg update
  opkg install ca-bundle curl
- Contact the API to get the connection details with the following command; you will need them later. Replace se1 in the API URL with the two-letter code of the location you want to connect to. You can find the codes in the hostnames of our WireGuard endpoints on the Status page. Note that the username, password and public key are passed on the command line, so they may remain in the console's command history:
  curl -d list=1 -d username=REPLACE --data-urlencode password=REPLACE --data-urlencode pubkey=REPLACE https://api.azirevpn.com/v1/wireguard/connect/se1
Creating the WireGuard interface
- In the menu bar, hover on Network > click on Interfaces.
- In the Global network options section, in the IPv6 ULA-Prefix field, enter the IPv6 prefix delegation subnet and netmask returned earlier by the API, available under the ipv6_pd_subnet and ipv6_pd_netmask fields. The resulting value should have the form 0:0:0:0::/0.
- Click on Save & Apply.
- Click on Add new interface…
- In the Name of the new interface field, enter wg.
- In the Protocol of the new interface list, select WireGuard VPN > click on Submit.
Configuring the WireGuard interface
- In the Common Configuration section, in the Private Key field, enter the private key you generated earlier.
- In the IP Addresses field, enter the IPv4 private address and netmask returned earlier by the API, available under the ipv4_addr and ipv4_addr_netmask fields. The IP address should be in the form 10.0.0.0/0.
- Next to the IP Addresses field, click on + to add a new field.
- In the newly created field, enter the IPv6 public address and netmask returned earlier by the API, available under the ipv6_addr and ipv6_addr_netmask fields. The IP address should be in the form 0:0:0:0::0/0.
- In the Peers section, click on Add.
- In the Public Key field, enter the public key of the WireGuard endpoint returned earlier by the API, available under the endpoint_pubkey field.
- In the Allowed IPs field, enter 0.0.0.0/0.
- Next to the Allowed IPs field, click on + to add a new field.
- In the newly created field, enter ::/0.
- Check the Route Allowed IPs box.
- In the Endpoint Host field, enter the IPv4 hostname of the WireGuard endpoint returned earlier by the API, available under the endpoint_ipv4_addr field. If your ISP supports IPv6 natively, you can choose to use the IPv6 hostname of the endpoint instead, available under the endpoint_ipv6_addr field.
- In the Endpoint Port field, enter the port number of the WireGuard endpoint returned earlier by the API, available under the endpoint_ipv4_port field. If your ISP supports IPv6 natively, you can choose to use the IPv6 port of the endpoint instead, available under the endpoint_ipv6_port field.
- Click on Save & Apply.
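Every field entered in LuCI above ends up as an option in /etc/config/network, so the same interface can be built from the API reply without any copy-and-paste. The script below is an added example and not part of the AzireVPN guide: it reads the API fields the guide names (ipv4_addr, ipv6_addr, ipv6_pd_subnet, endpoint_pubkey, endpoint_ipv4_addr and so on) and prints the equivalent uci commands for review rather than executing them. It assumes the reply is a flat JSON object and that the *_netmask values are prefix lengths; the sample reply and the hostnames in it are constructed placeholders, and wg_azire is an arbitrary name chosen for the peer section. On the router itself, jsonfilter is the usual tool for pulling fields out of JSON; the sed version here also runs on a desktop shell.

```shell
# Added example (not from the AzireVPN guide): turn the API reply into the
# equivalent UCI commands for the interface the guide builds by hand in LuCI.
# Assumptions: the reply is a flat JSON object with the field names the guide
# quotes, and the *_netmask values are prefix lengths. The commands are
# printed, not executed, so you can review them before running them on the router.

# Extract one string or number field from a flat JSON object. On the router
# itself, jsonfilter does this job; this sed version also runs on a desktop.
json_field() {
    printf '%s' "$2" \
        | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

# $1 = API reply, $2 = the router's own private key. Prints uci commands.
wg_uci_commands() {
    json=$1 privkey=$2
    v4=$(json_field ipv4_addr "$json");        v4m=$(json_field ipv4_addr_netmask "$json")
    v6=$(json_field ipv6_addr "$json");        v6m=$(json_field ipv6_addr_netmask "$json")
    pd=$(json_field ipv6_pd_subnet "$json");   pdm=$(json_field ipv6_pd_netmask "$json")
    pub=$(json_field endpoint_pubkey "$json")
    host=$(json_field endpoint_ipv4_addr "$json")
    port=$(json_field endpoint_ipv4_port "$json")
    # Refuse to emit a half-configured interface if a field is missing.
    for f in "$v4" "$v4m" "$v6" "$v6m" "$pub" "$host" "$port" "$privkey"; do
        [ -n "$f" ] || { echo "missing field in API reply" >&2; return 1; }
    done
    cat <<EOF
uci set network.globals.ula_prefix='${pd}/${pdm}'
uci set network.wg=interface
uci set network.wg.proto='wireguard'
uci set network.wg.private_key='${privkey}'
uci -q delete network.wg.addresses
uci add_list network.wg.addresses='${v4}/${v4m}'
uci add_list network.wg.addresses='${v6}/${v6m}'
uci set network.wg_azire=wireguard_wg
uci set network.wg_azire.public_key='${pub}'
uci -q delete network.wg_azire.allowed_ips
uci add_list network.wg_azire.allowed_ips='0.0.0.0/0'
uci add_list network.wg_azire.allowed_ips='::/0'
uci set network.wg_azire.route_allowed_ips='1'
uci set network.wg_azire.endpoint_host='${host}'
uci set network.wg_azire.endpoint_port='${port}'
uci commit network
EOF
}

# Constructed sample reply (placeholder values, not a real AzireVPN response).
SAMPLE_API_JSON='{"ipv4_addr":"10.0.0.2","ipv4_addr_netmask":"16",
 "ipv6_addr":"2001:db8::2","ipv6_addr_netmask":"64",
 "ipv6_pd_subnet":"2001:db8:1::","ipv6_pd_netmask":"48",
 "endpoint_pubkey":"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=",
 "endpoint_ipv4_addr":"se1-wg.example.test","endpoint_ipv4_port":"51820",
 "endpoint_ipv6_addr":"se1-wg6.example.test","endpoint_ipv6_port":"51820"}'
SAMPLE_PRIVKEY='QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE='
```

Typical use is `wg_uci_commands "$(cat reply.json)" "$(cat privatekey)" > wg.sh`, reading wg.sh, and then running it on the router followed by `/etc/init.d/network restart`. The `uci -q delete` lines keep the address and allowed_ips lists from growing if the script is run twice.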
Configuring the firewall
- In the menu bar, hover on Network > click on Firewall.
- In the Zones section, click on Add.
- In the Zone "newzone" section, in the Name field, enter wgzone.
- In the Input list, select Reject.
- Check the Masquerading box.
- Check the MSS clamping box.
- In the Covered Networks list, check wg.
- Click on Save & Apply.
- In the Zones section, in the lan ⇒ wan zone line, click on Edit.
- In the Inter-Zone Forwarding section, in the Allow forward to destination zones list, uncheck wan, then check wgzone.
- Click on Save & Apply.
Configuring the DNS servers
You will need to take note of AzireVPN's DNS servers, as their IP addresses will be needed later. AzireVPN's DNS servers are listed on the Locations and Servers page.
With the following DNS configuration, it is not necessary to set up the Azire DNS servers on every device, as the router will advertise them through DHCP, ignoring the ones coming from your ISP.
- In the menu bar, hover on Network > click on Interfaces.
- In the Interfaces section, in the WAN interface line, click on Edit.
- In the Common Configuration section, click on the Advanced Settings tab.
- Uncheck the Use DNS servers advertised by peer box.
- In the Use custom DNS servers field, enter the IPv4 address for the chosen location.
- Click on Save.
- In the tab bar below the menu bar, click on WAN6.
- In the Common Configuration section, click on the Advanced Settings tab.
- Uncheck the Use DNS servers advertised by peer box.
- In the Use custom DNS servers field, enter the IPv6 address for the chosen location.
- Click on Save & Apply.
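The firewall and DNS steps above are what keep LAN traffic and DNS lookups from leaving through the ISP link instead of the tunnel: removing the lan ⇒ wan forwarding means that if the WireGuard interface is down, LAN clients lose connectivity rather than silently falling back to the plain WAN, and disabling peer DNS on WAN and WAN6 stops ISP resolvers being advertised to clients. The following checker is an added example, not part of the AzireVPN guide; it reads the text printed by `uci show firewall` and `uci show network` and reports any setting that does not match what the guide configures. It assumes POSIX sh with awk (both present on OpenWrt), and the two uci excerpts are constructed samples.

```shell
# Added example (not from the AzireVPN guide): audit the firewall and DNS
# settings the guide sets by hand, using the output of `uci show firewall`
# and `uci show network`. The checks mirror the guide: lan must forward to
# wgzone and no longer to wan, wgzone must masquerade and clamp MSS, and the
# WAN interfaces must ignore ISP-advertised DNS. Assumes POSIX sh plus awk.

# Print one finding per line; prints nothing when everything matches the guide.
wg_config_findings() {
    printf '%s\n' "$1" | awk -v q="'" '
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1); gsub(q, "", val)    # uci show quotes values
        split(key, p, "[.]")                          # config, section, option
        seen[key] = 1
        if (p[1] == "firewall" && p[3] == "src")  src[p[2]] = val
        if (p[1] == "firewall" && p[3] == "dest") dst[p[2]] = val
        if (key == "firewall.wgzone.input" && val != "REJECT")
            print "wgzone input is " val ", guide expects REJECT"
        if (key == "firewall.wgzone.masq" && val != "1")
            print "wgzone masquerading is off"
        if (key == "firewall.wgzone.mtu_fix" && val != "1")
            print "wgzone MSS clamping is off"
        if ((key == "network.wan.peerdns" || key == "network.wan6.peerdns") && val != "0")
            print key " still accepts ISP DNS servers"
    }
    END {
        if (!("firewall.wgzone.masq" in seen))    print "wgzone has no masq option"
        if (!("firewall.wgzone.mtu_fix" in seen)) print "wgzone has no mtu_fix option"
        to_wg = 0
        for (s in src) {
            if (src[s] == "lan" && dst[s] == "wan")
                print s ": lan still forwards to wan, traffic can bypass the tunnel"
            if (src[s] == "lan" && dst[s] == "wgzone") to_wg = 1
        }
        if (!to_wg) print "no lan to wgzone forwarding rule"
    }'
}

# Return 0 when there are no findings, 1 otherwise.
wg_config_ok() {
    [ -z "$(wg_config_findings "$1")" ]
}

# Constructed uci show excerpts: one matching the guide, one with two leaks.
SAMPLE_GOOD=$(cat <<'EOF'
firewall.wgzone=zone
firewall.wgzone.name='wgzone'
firewall.wgzone.input='REJECT'
firewall.wgzone.output='ACCEPT'
firewall.wgzone.forward='REJECT'
firewall.wgzone.masq='1'
firewall.wgzone.mtu_fix='1'
firewall.wgzone.network='wg'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wgzone'
network.wan.peerdns='0'
network.wan.dns='192.0.2.53'
network.wan6.peerdns='0'
EOF
)
SAMPLE_LEAKY=$(cat <<'EOF'
firewall.wgzone=zone
firewall.wgzone.input='REJECT'
firewall.wgzone.masq='1'
firewall.wgzone.mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='wgzone'
network.wan.peerdns='1'
EOF
)
```

On the router, run `wg_config_findings "$(uci show firewall; uci show network)"` after Save & Apply; an empty result means the zone, forwarding and DNS settings match the guide, and each printed line names the setting to revisit in LuCI.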
Rebooting the router
- In the menu bar, hover on System > click on Reboot.
- Click on Perform reboot.
- Wait a few minutes for the reboot to complete and the WireGuard interface to be up and running.
- Connect to the LuCI administration interface.
- In the menu bar, hover on System > click on System.
- In the System Properties section, click on the Sync with browser button. The router's clock needs to be synced before the connection can be established, as WireGuard is time sensitive. This step must be repeated each time the router is rebooted.
- You can check the connection to our service on the Check page.