WireGuard runs natively on OpenWrt, which turns a single router into either a whole-network VPN gateway or a remote-access server for your home. This guide sets up WireGuard on an OpenWrt router end to end in 2026: installing the package, then two real configurations — OpenWrt as a client (route the entire LAN out through a remote peer) and OpenWrt as a server (reach your home network from anywhere).
Quick answer: OpenWrt can run WireGuard natively. Install the luci-proto-wireguard package, then create a WireGuard interface under Network > Interfaces in LuCI. Run OpenWrt as a client to send all LAN traffic through a remote VPN peer, or as a server to give remote devices access to your home network. The hard part is rarely the keys — it is the firewall zone and routing, so most "no handshake" or "no internet" problems are solved there.

What you need before you start
- A router running OpenWrt with enough free flash and RAM for the WireGuard packages. Very low-flash devices (4/32 MB) may not have room — check your device's free storage first.
- A WireGuard peer to connect to. For client mode this is the remote server you route through; for server mode it is the remote devices that will connect back. A self-hosted server on a Contabo VPS makes a reliable peer you fully control.
- The keys and endpoint for the other side: in client mode, the server's public key and its reachable host:port. Each peer gets its own key pair — reusing one key across devices breaks the handshake.
If the protocol itself is new to you, our what is WireGuard explainer covers the cryptography and why it is faster than OpenVPN.
Step 1 — Install WireGuard support
WireGuard is not always preinstalled, so add the packages. Over SSH:
opkg update
opkg install luci-proto-wireguard wireguard-tools
luci-proto-wireguard adds the WireGuard protocol to the LuCI web interface, and wireguard-tools gives you the wg command for generating keys and inspecting tunnels. You can also install these from System > Software in LuCI if you prefer the UI. After installing, refresh LuCI so the new protocol appears.
Step 2 — Generate keys
Each end of a WireGuard tunnel has a private/public key pair. On OpenWrt, generate one with wireguard-tools:
wg genkey | tee privatekey | wg pubkey > publickey
Keep the private key on this router and share only the public key with the other peer. If OpenWrt is the client, you will also need the server's public key; if OpenWrt is the server, you collect the public key of each client that will connect.
Case A — OpenWrt as a WireGuard client (route the whole LAN out)
In client mode, every device on your LAN leaves through the remote peer — a full-tunnel VPN for the entire home network.
- Create the interface. In LuCI go to Network > Interfaces > Add new interface, name it (e.g. wg0), and choose WireGuard VPN as the protocol.
- Fill the interface. Set the Private Key (this router's key) and the IP address this router takes inside the tunnel (the address your server assigned, e.g. 10.0.0.2/24).
- Add the peer. Under the Peers tab add the server: its Public Key, Endpoint host and Endpoint port, Allowed IPs = 0.0.0.0/0 (and ::/0 for IPv6) for a full tunnel, and Persistent Keepalive = 25 so the path survives NAT.
- Firewall zone. Assign the wg0 interface to a firewall zone. The simplest working setup is to put it in the wan zone (or a dedicated zone that is allowed to forward from lan and has masquerading enabled), so LAN traffic is NAT'd out through the tunnel.
- DNS. Set the tunnel's DNS to your server or a trusted resolver so lookups do not leak back to your ISP.
When it works, every LAN device's public IP becomes the server's IP.
Case B — OpenWrt as a WireGuard server (remote access to your home network)
In server mode, OpenWrt listens for incoming connections so your phone or laptop can reach the home LAN from anywhere.
- Create the interface the same way (Network > Interfaces, protocol WireGuard VPN), give the router its Private Key and a VPN-side IP address (e.g. 10.0.0.1/24), and set a Listen Port (commonly 51820).
- Open / forward the UDP port. Allow the chosen UDP port inbound in the firewall. If OpenWrt is behind another modem/router, forward that UDP port to the OpenWrt box; if your ISP uses CGNAT, inbound may not be reachable at all — see dynamic DNS for self-hosting.
- Add each client as a peer. For every remote device add a Peer with its Public Key and Allowed IPs set to that client's tunnel IP (e.g. 10.0.0.2/32). To let clients reach the whole home LAN, include your LAN subnet (e.g. 192.168.1.0/24) in the client's config and allow forwarding.
- Firewall forwarding. Put the WireGuard interface in a zone that may forward to lan, so connected clients can reach local devices.
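The same settings from Case A and Case B expressed as UCI commands, as an added example (not part of this guide or of OpenWrt's own tooling). It assumes a dedicated zone named wg and a peer section named wg0_peer; every key, host and address passed in is a placeholder you replace with your own:

```shell
#!/bin/sh
# Added example: emit a `uci batch` script for the client (Case A) or server (Case B) setup.
#   wg_uci_batch client <privkey> 10.0.0.2/24 <server-pubkey> vpn.example.com 51820 | uci batch && uci commit
#   wg_uci_batch server <privkey> 10.0.0.1/24 <client-pubkey> 10.0.0.2/32 | uci batch && uci commit
wg_uci_batch() {
  mode=$1 privkey=$2 addr=$3 peerkey=$4 arg5=$5 port=${6:-51820}
  cat <<EOF
set network.wg0=interface
set network.wg0.proto=wireguard
set network.wg0.private_key=$privkey
add_list network.wg0.addresses=$addr
set network.wg0_peer=wireguard_wg0
set network.wg0_peer.public_key=$peerkey
set network.wg0_peer.route_allowed_ips=1
set firewall.wg=zone
set firewall.wg.name=wg
set firewall.wg.input=REJECT
set firewall.wg.output=ACCEPT
set firewall.wg.forward=REJECT
add_list firewall.wg.network=wg0
EOF
  case $mode in
  client) cat <<EOF
set network.wg0_peer.endpoint_host=$arg5
set network.wg0_peer.endpoint_port=$port
set network.wg0_peer.persistent_keepalive=25
add_list network.wg0_peer.allowed_ips=0.0.0.0/0
add_list network.wg0_peer.allowed_ips=::/0
set firewall.wg.masq=1
set firewall.lan_wg=forwarding
set firewall.lan_wg.src=lan
set firewall.lan_wg.dest=wg
EOF
  ;;
  server) cat <<EOF
set network.wg0.listen_port=$port
add_list network.wg0_peer.allowed_ips=$arg5
set firewall.wg_in=rule
set firewall.wg_in.src=wan
set firewall.wg_in.proto=udp
set firewall.wg_in.dest_port=$port
set firewall.wg_in.target=ACCEPT
set firewall.wg_lan=forwarding
set firewall.wg_lan.src=wg
set firewall.wg_lan.dest=lan
EOF
  ;;
  esac
}
```

In client mode the masquerade flag and the lan → wg forwarding are the two firewall settings the troubleshooting section blames for "connected but no internet"; in server mode the inbound UDP rule and the wg → lan forwarding are the equivalents. Add one wireguard_wg0 section per client when running the server case for several devices.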
Anatomy of the config
OpenWrt stores this in /etc/config/network, but the shape mirrors a standard WireGuard config. Here it is with explicit placeholders — never paste real keys from a guide; each device generates its own:
[Interface]
PrivateKey = <this-router-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <other-peer-public-key>
Endpoint = <peer-host-or-ip>:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
- PrivateKey — this router's secret key, kept local.
- Address — the router's IP inside the tunnel.
- ListenPort — only needed when OpenWrt is the server.
- PublicKey — the other peer's public key (the server's, in client mode).
- Endpoint — the reachable host:port of the peer (only the client side needs this for an outbound tunnel).
- AllowedIPs — what routes through: 0.0.0.0/0 for a full tunnel (client), or a specific tunnel/LAN subnet (server).
- PersistentKeepalive = 25 — keeps the path alive behind NAT.
Troubleshooting on OpenWrt
- No handshake: most often a firewall issue — the WireGuard interface is not in a zone, or the zone cannot forward. Check the Endpoint host/port and that the server's UDP port is open; confirm the public keys match; remember a home server behind CGNAT may be unreachable inbound. More in our handshake troubleshooting guide.
- Connected but no internet (client mode): the WireGuard zone needs masquerading, and lan → wg forwarding must be allowed; otherwise NAT'd LAN traffic has no path out.
- MTU: WireGuard defaults to 1420; on a PPPoE WAN, 1412 is a common working value. If some sites stall, lower the interface MTU step by step — see our WireGuard MTU fix guide.
- DNS doesn't apply: set the DNS on the WireGuard interface (or push it via your firewall/DHCP) so LAN clients use the tunnel's resolver instead of the ISP's.
- Kill-switch: route the whole LAN only through the WireGuard zone and block lan → wan directly, so traffic stops if the tunnel drops instead of leaking out the normal WAN.
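A quick way to tell "no handshake" from a working tunnel on the router itself, as an added example (not from this guide): it parses the tab-separated `wg show <iface> dump` output and flags peers whose latest handshake is missing or older than a threshold. The sample dump, the 180-second threshold and the key names are constructed placeholders:

```shell
#!/bin/sh
# Added example: flag peers with a missing or stale handshake from `wg show <iface> dump`.
# Peer lines are: pubkey, psk, endpoint, allowed-ips, latest-handshake (unix time, 0 = never),
# rx bytes, tx bytes, keepalive. Line 1 describes the interface itself and is skipped.
check_dump() {
  dump=$1 now=$2 max=${3:-180}
  printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v max="$max" '
    NR == 1 { next }
    {
      hs = $5; short = substr($1, 1, 8) "..."
      if (hs == 0)             { st = "NEVER"; bad = 1 }
      else if (now - hs > max) { st = "STALE"; bad = 1 }
      else                     { st = "ok" }
      printf "%s %s age=%ss endpoint=%s\n", short, st, (hs ? now - hs : "n/a"), $3
    }
    END { exit bad ? 1 : 0 }'
}
# Live check on the router (not exercised offline): wg_stale_peers wg0 180
wg_stale_peers() { check_dump "$(wg show "$1" dump)" "$(date +%s)" "$2"; }

# Constructed sample: peer A shook hands 100 s before "now", peer B never did.
SAMPLE_DUMP=$(printf 'ROUTERPRIV=\tROUTERPUB=\t51820\toff\nPEERA_PUB=\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1700000000\t1024\t2048\t25\nPEERB_PUB=\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\t25\n')
check_dump "$SAMPLE_DUMP" 1700000100 180 \
  || echo "some peer has no recent handshake: check its firewall zone, endpoint host/port and public key"
```

A peer reported as NEVER with endpoint (none) has not even received a packet, which points at the zone, port forward or CGNAT issues above rather than at the keys.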
Client vs server at a glance
| | OpenWrt as client | OpenWrt as server |
|---|---|---|
| Goal | Route the whole LAN out through a remote peer | Let remote devices reach your home LAN |
| AllowedIPs | 0.0.0.0/0 (full tunnel) | client tunnel IP + LAN subnet |
| Listen port | Not required | Required (e.g. 51820, opened inbound) |
| Firewall | wg zone → wan, masquerade, lan→wg forward | wg zone may forward to lan |
| Endpoint | Points at the remote server | Clients point at the OpenWrt router |
The bottom line
OpenWrt makes WireGuard a router-level feature: install luci-proto-wireguard, create the interface in Network > Interfaces, and pick client (whole-LAN VPN) or server (remote access). Almost every failure is the firewall zone or routing, not the keys. For the peer at the other end, a Contabo VPS at €5.50/month runs a personal WireGuard server your OpenWrt router can dial out to, with no shared keys and full control.
Editorial guide based on the documented behaviour of OpenWrt's WireGuard support (luci-proto-wireguard / LuCI). Exact menus vary slightly by OpenWrt version. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.
