DropVPS Team

Writer: Cooper Reagan

How to set up WireGuard on a router? For OpenWRT

Publication Date

03/21/2025

Setting up WireGuard on a router can enhance your network security and provide seamless VPN access for all connected devices. This guide will walk you through the process step by step.

Prerequisites

Before starting, ensure you have:

  • A router running firmware that supports WireGuard (e.g., OpenWRT, pfSense, DD-WRT, or another custom firmware with WireGuard support)
  • SSH access to the router (if required)
  • An active WireGuard server or VPN provider offering WireGuard configuration
  • A basic understanding of networking concepts

Step 1: Install WireGuard on the Router

For OpenWRT, install WireGuard using:

opkg update
opkg install luci-app-wireguard wireguard-tools

For pfSense, go to System > Package Manager > Available Packages, search for WireGuard, and install it.

Step 2: Generate Key Pairs

If your router does not generate keys automatically, create them manually:

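umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Save the keys as they will be needed later. The umask 077 line makes the new key files readable only by their owner, which keeps the private key away from other local users.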

Step 3: Configure the WireGuard Interface

Edit the WireGuard configuration file (/etc/wireguard/wg0.conf) or use the router’s UI (if available):

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = YOUR_WG_SERVER_IP:51820
PersistentKeepalive = 25

Save the file and apply the configuration.

Step 4: Configure Firewall Rules

For OpenWRT:

iptables -A INPUT -p udp --dport 51820 -j ACCEPT
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For pfSense, go to Firewall > Rules, create a new rule to allow UDP traffic on port 51820, and apply changes.

Step 5: Start WireGuard

To activate the connection:

wg-quick up wg0

To enable WireGuard at boot on a systemd-based system:

systemctl enable wg-quick@wg0

Step 6: Verify the Connection

Check if the tunnel is active:

wg show

Test connectivity from a client device by attempting to reach an external website or checking your IP address.
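
An added example (not part of the original guide): wg show lists a configured peer even when no handshake has ever completed, so this script reads the output of wg show wg0 dump and flags peers whose latest handshake is missing or old. The 180-second threshold, the function names and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: classify peers from `wg show wg0 dump` by handshake age.
# Peer lines are tab-separated: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (epoch seconds, 0 = never), rx, tx, keepalive.
# The first line describes the interface itself and has only 4 fields.

MAX_AGE=180   # assumption: a handshake older than 180 s counts as stale

# check_peers NOW  (dump on stdin) -> one "<status> <public-key>" line per peer
check_peers() {
    awk -F '\t' -v now="$1" -v max="$MAX_AGE" '
        NF == 4 { next }                         # skip the interface line
        NF >= 8 {
            status = "ok"
            if ($5 == 0)             status = "never"   # no handshake yet
            else if (now - $5 > max) status = "stale"   # tunnel went quiet
            print status, $1
        }'
}

# count_bad NOW  (dump on stdin) -> number of peers that are not "ok"
count_bad() {
    check_peers "$1" | awk '$1 != "ok" { n++ } END { print n + 0 }'
}

# Constructed sample in dump format; keys are placeholders, not real keys.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' 'PRIVKEY_PLACEHOLDER' 'ROUTER_PUBKEY_PLACEHOLDER' 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_A_PLACEHOLDER' '(none)' '203.0.113.10:51820' '0.0.0.0/0,::/0' 1742549950 9120 4300 25 \
        'PEER_B_PLACEHOLDER' '(none)' '203.0.113.11:51820' '10.0.0.3/32' 0 0 592 25 \
        'PEER_C_PLACEHOLDER' '(none)' '203.0.113.12:51820' '10.0.0.4/32' 1742549000 1200 800 25
}

# Demo against the sample with a fixed "now"; on a router use instead:
#   wg show wg0 dump | check_peers "$(date +%s)"
sample_dump | check_peers 1742550000
```

A peer reported as never or stale while PersistentKeepalive is set usually points at a wrong key, a wrong endpoint, or a blocked UDP port rather than at a routing problem.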

Troubleshooting

  • No Internet? Ensure IP forwarding is enabled:
    echo 1 > /proc/sys/net/ipv4/ip_forward
  • Connection Drops? Adjust MTU settings in WireGuard:

    MTU = 1420

Once everything is configured properly, all devices connected to your router will automatically route their traffic through WireGuard, improving privacy and security.
