WIP

The guide is still a work in progress

Get a static IP address

If you don't have a static IP address at your disposal (many ISPs offer one as a paid service), a workaround is to configure a DDNS service such as noip on your router.

Personally, since I own a domain at Cloudflare, I opted for their API, which dynamically updates the DNS record associated with the (sub)domain you are using. Check out DDNS cloudflare to see how to sort that out.

Install necessary packages

The following assumes an SSH connection to your OpenWrt router has been established.

root@GL-MT6000:~# opkg update
root@GL-MT6000:~# opkg install wireguard-tools

Generate server key pair

cd /root
wg genkey | tee wg_server.key | wg pubkey > wg_server.pub
SERVER_PRIVATE_KEY=$(cat /root/wg_server.key)
SERVER_PUBLIC_KEY=$(cat /root/wg_server.pub)

WireGuard interface

uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key="$SERVER_PRIVATE_KEY"
uci set network.wg0.listen_port='51820'
uci add_list network.wg0.addresses='10.0.0.1/24'

Firewall configuration

# Create WireGuard zone
uci set firewall.wg=zone
uci set firewall.wg.name='wg'
uci set firewall.wg.input='ACCEPT'
uci set firewall.wg.output='ACCEPT'
uci set firewall.wg.forward='ACCEPT'
uci add_list firewall.wg.network='wg0'
uci set firewall.wg.masq='1'
 
# Allow WireGuard UDP traffic
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-WireGuard'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='51820'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].target='ACCEPT'
 
# Add forwarding rules
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='wg'
uci set firewall.@forwarding[-1].dest='wan'
 
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='wg'
uci set firewall.@forwarding[-1].dest='lan'
 
# Commit all changes
uci commit network
uci commit firewall
 
# Restart services
/etc/init.d/network restart
/etc/init.d/firewall restart

Adding a peer (VPN client)

cd /root
wg genkey | tee wg_client.key | wg pubkey > wg_client.pub
CLIENT_PRIVATE_KEY=$(cat /root/wg_client.key)
CLIENT_PUBLIC_KEY=$(cat /root/wg_client.pub)
# Add peer configuration for client
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].description='client'
uci set network.@wireguard_wg0[-1].public_key="$CLIENT_PUBLIC_KEY"
uci set network.@wireguard_wg0[-1].allowed_ips='10.0.0.2/32'
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
uci commit network

Generate the configuration file to import into WireGuard on the client's device

# The client's Address must be the same address given as allowed_ips for this peer above (10.0.0.2/32)
cat << EOF > client.conf
[Interface]
PrivateKey = $CLIENT_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 192.168.8.1
 
[Peer]
PublicKey = $SERVER_PUBLIC_KEY
Endpoint = YOUR_STATIC_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF

In my case Endpoint = home.mydomain.com since I set up the subdomain @home to point to my public IP address (see here).
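As an added example (not part of the original guide), the peer-adding steps above folded into a small script for the router's shell: it picks the next free address in the wg0 subnet from the peers already present in UCI and writes the client file with that same address, so the client's Address and the server-side allowed_ips cannot drift apart. WG_SERVER_HOST, next_free_ip, render_client_conf and add_peer are names assumed here, not from the guide; add_peer needs uci and wg and therefore only runs on the router.

```shell
#!/bin/sh
# Added example, not from the original guide: add a WireGuard peer on OpenWrt so that
# the client's Address and the server-side allowed_ips always match. Assumes the
# guide's wg0 (10.0.0.1/24, UDP 51820) and the GL.iNet LAN DNS 192.168.8.1.
WG_SUBNET_PREFIX="10.0.0"
WG_SERVER_HOST="${WG_SERVER_HOST:-YOUR_STATIC_IP_ADDRESS}"   # placeholder or DDNS name
WG_PORT=51820
# Lowest unused host address in the /24, given the addresses already handed out
# (one per line, with or without /32); .1 is the server itself.
next_free_ip() {
    used=$(printf '%s\n' "$1" | sed 's#/32$##')
    i=2
    while [ "$i" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qxF "$WG_SUBNET_PREFIX.$i"; then
            printf '%s.%s\n' "$WG_SUBNET_PREFIX" "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1   # subnet exhausted
}
# Client config from explicit values; addr is the address the server accepts for this peer.
render_client_conf() {
    priv="$1"; srv_pub="$2"; addr="$3"
    cat <<EOF
[Interface]
PrivateKey = $priv
Address = $addr/32
DNS = 192.168.8.1

[Peer]
PublicKey = $srv_pub
Endpoint = $WG_SERVER_HOST:$WG_PORT
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}
# On the router only (needs uci and wg): key pair, UCI peer section, client file.
add_peer() {
    name="$1"
    used=$(uci show network | sed -n "s/.*allowed_ips='\(.*\)'/\1/p")
    addr=$(next_free_ip "$used") || { echo "wg0 subnet exhausted" >&2; return 1; }
    priv=$(wg genkey); pub=$(printf '%s' "$priv" | wg pubkey)
    uci add network wireguard_wg0 >/dev/null
    uci set network.@wireguard_wg0[-1].description="$name"
    uci set network.@wireguard_wg0[-1].public_key="$pub"
    uci set network.@wireguard_wg0[-1].allowed_ips="$addr/32"
    uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
    uci commit network && ifup wg0
    render_client_conf "$priv" "$(cat /root/wg_server.pub)" "$addr" > "/root/$name.conf"
}
```

Run `add_peer laptop` on the router and hand out /root/laptop.conf; the address written into it is the one the server was just told to accept.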

(Optional) Generate a QR code for an easier setup:

opkg install qrencode
# Encode the client.conf generated above so it can be scanned from the WireGuard app
qrencode -t ansiutf8 < client.conf