Wireguard VPN client on OpenWRT

Goal: have a router running a trusted operating system (OpenWRT), and routing all the LAN trafic to a Wireguard VPN.

In this howto we’ll use a Mullvad endpoint, but same applies to any Wireguard VPN provider.

Note on IPv6: Mullvad doesn’t provide an IPv6 subnet, so proper IPv6 support is not possible. We could use NAT6 to have IPv6 connectivity, but it is not covered by this howto.

Sources:

• https://mullvad.net/en/help/running-wireguard-router/
• https://www.azirevpn.com/support/guides/router/openwrt/wireguard

Help:

• https://github.com/nitred/nr-wg-mtu-finder
• https://gist.github.com/nitred/f16850ca48c48c79bf422e90ee5b9d95

Prerequisites

• Up-to-date OpenWRT (Wireguard might not be available in old OpenWRT versions) with a working network setup. This was tested on OpenWRT 23.05
• A Wireguard peer config (ie. from Mullvad or any other provider)

Install Wireguard on OpenWRT

• Menu “System” → “Software”
  • “Update lists”
  • Search “wireguard”
  • Install “luci-proto-wireguard”
• Reboot OpenWRT

Configure OpenWRT

Configure Wireguard

• Menu “Network” → “Interfaces”
  • Click on Add new interface…
    • In the Name of the new interface field, enter wg.
    • In the Protocol of the new interface list, select WireGuard VPN
    • Generate a privkey and a pubkey: you may do it on Mullvad website, or on a trusted machine where wireguard is installed (ie. the router itself): wg genkey | tee /tmp/privkey | wg pubkey | tee /tmp/pubkey
    • Paste the private key in the “Private key” field
    • In “IP Addresses”, add the IPv4 the client is assigned (sent by the wireguard provider), and add the IPv6 too
    • In the “Peers” tab, click “Add Peer”
      • Paste the public key of the wireguard server
      • In “Allowed IPs”, add “0.0.0.0/0” and “::/0” (that means all traffic will be allowed through the wireguard tunnel
      • Check “Route allowed IPs”
      • “Endpoint Host”: wireguard server IP address. Can be either IPv4 or IPv6 (both should work for IPv4 and IPv4 whatsoever)
      • “Endpoint Port”: wireguard server listening port
      • “Persistent Keep Alive”: if the OpenWRT router is behind a NAT (ie any kind of “internet box” in .fr at least), enter “20”. This can be changed if the connection hangs too often for example.
      • Click “Save” to close the “Add Peer” window
    • Click “Save” to close the “Add interface” window

Configure the firewall

• Menu “Network” → “Firewall”
• In “Zones”, click “Add”
  • Name: wgzone
  • Input: reject
  • Output: accept
  • Forward: reject
  • Check the Masquerading box
  • Check the MSS clamping box
  • Covered Networks: check wg, uncheck everything else
  • Click “Save”
• In “Zones”, edit the “lan ⇒ wan” zone:
  • Check the MSS clamping box (sure about that?)
  • Allow forward to destination zones: check wgzone, uncheck everything else
  • Click “Save”

Configure DNS servers (to make sure the internet box doesn’t have the list of visited domains)

You may either use Mullvad DNS servers or anything else you like.

Use Mullvad DNS

• Menu “Network” → “DHCP and DNS”
  • Tab “Forwards”
    • In the “DNS Forwards” field, add 10.64.0.1
• Menu “Network” → “Interfaces” (this is optional but sometimes prevent leaks)
  • Edit the “WAN” interface:
    • In “Advanced settings” tab, uncheck “Use DNS servers advertised by peer”
  • Edit the “WAN6” interface:
    • In “Advanced settings” tab, uncheck “Use DNS servers advertised by peer”

Choose your DNS servers

• Menu “Network” → “Interfaces”
• Edit the “WAN” interface:
  • In “Advanced settings” tab:
    • Uncheck “Use DNS servers advertised by peer”
    • Add trusted DNS servers in “Use custom DNS servers”, such as FDN ones: 80.67.169.12 and 80.67.169.40
  • Click “Save”
• Edit the “WAN6” interface:
  • In “Advanced settings” tab:
    • Uncheck “Use DNS servers advertised by peer”
    • Add trusted DNS servers, such as FDN ones: 2001:910:800::12 and 2001:910:800::40
  • Click “Save”

Synchronize time

Wireguard needs a correctly set clock to function properly, so this step should be down after every single reboot. It can be automated (see next part).

• Menu “System” → “System”
• Sync time:
  • If the computer has correct time, click “Sync with browser”
  • If computer is not on time, or OpenWRT has NTP servers set (should be set by default), click “Sync with NTP server”

Automated time synchronisation, aka NTP

• Menu Network → Routing
• Static IPv4 Routes
  • Add
  • Interface: wan
  • Route type: unicast
  • Target: 194.177.34.116/32 (chosen NTP server)
  • Gateway: 192.168.1.1 (use your WAN gateway)
  • Save
• Network → Firewall
• Traffic Rules
  • Add
  • Name: NTP
  • Protocol: UDP
  • Source zone: Device (output)
  • Output zone: wan
  • Destination address: 194.177.34.116/32
  • Destination port: 123
  • Action: accept
  • Save
• System → System
  • Time Synchronisation
  • Uncheck “Use advertised NTP servers”
  • Remove all NTP server candidates
  • Add 194.177.34.116
• Save and apply

Save & reboot

• Click the blue “Save & apply”
• Menu “System” → “Reboot”
• Click “Perform reboot”
• Wait until you can reconnect to the Luci web interface, and connect
• Check your public IP address (ie on https://ip.me or https://mullvad.net)

Disable Wireguard

If for some reason you need to disable wireguard temporarily, do these steps. To re-enable it afterwards, just revert these.

• Edit lan→wgzone firewall zone, in Allow forward to destination zones: uncheck “wgzone” and check “wan”
• Edit wg interface, edit peer, uncheck “route allowed IPs”
• save & apply
• reboot