OpenWRT/Setting up Wire Guard
==Introduction==

I recently figured out how to set up a WireGuard VPN on my Raspberry Pi 3 running OpenWRT and I decided to write an up-to-date guide on how to do it. It should work on any device running a recent-ish build of OpenWRT/LEDE, provided you have enough storage space for it. This will let you connect to your home network from anywhere, as well as route all your traffic through your home internet so you can avoid content filters at school/work and keep your traffic encrypted. I don't use IPv6 on my network so you'll have to figure that stuff out for yourself.

Before you begin, I'll warn you that the process of setting up WireGuard may disconnect you from the internet a few times, so make sure nobody else is using the internet before you start.

===Step 1: Installing the packages===

SSH into your OpenWRT device and run the following:

<code>
opkg update<br>
opkg install luci-proto-wireguard luci-app-wireguard wireguard kmod-wireguard wireguard-tools<br>
reboot
</code>

(protip: Windows 10 has built-in SSH support if you don't have PuTTY installed. You can also use LuCI to install these packages by going to `System>Software`)

===Step 2: Creating a firewall rule===

Go into LuCI and head to `Network>Firewall>Port Forwards`. Create a new rule using the following input:

<code>
Name: WireGuard<br>
Protocol: UDP<br>
External Zone: WAN<br>
External Port: 1234<br>
Internal Zone: LAN<br>
Internal IP Address: <The IP address of your device, mine is 192.168.1.1><br>
Internal Port: 1234<br>
</code>

Click Add, then Save & Apply. This allows your VPN clients (phone, laptop etc.) to connect to your OpenWRT device from the internet.

===Step 3: Generating the keys===

SSH into your OpenWRT device and run the following:

<code>
umask 077 && wg genkey > privkey<br>
cat privkey | wg pubkey > pubkey<br>
cat /root/pubkey<br>
cat /root/privkey
</code>

This creates two files in the `/root/` directory of your device, `pubkey` and `privkey`. You should email yourself the pubkey or transfer it securely to your phone somehow because you'll need it when setting up the VPN connection. Copy the private key to your clipboard because you'll need it for Step 4.

===Step 4: Setting up the WireGuard interface===

1. Go into LuCI and head to `Network>Interfaces>Add New Interface`
2. Set the name of the new interface as `wg0`
3. Set the protocol to `WireGuard VPN`
4. Click Submit
5. Paste the private key you got from Step 3 into the `Private Key` field
6. Set the listen port to `1234`
7. In the `IP Addresses` field, type `10.14.0.1/24`
8. Go to the `Firewall Settings` tab and assign the interface to your LAN zone if it hasn't been assigned automatically. This will enable you to access your LAN devices when you're connected to your VPN. If you want to keep your devices separate, you can create another firewall zone specifically for the WireGuard interface.
9. Click Save & Apply

===Step 5: Setting up the VPN connection on an Android device===

1. Download the WireGuard app from the Play Store or F-Droid or whatever is your preferred source of apps
2. Open the WireGuard app
3. Tap the plus icon and go to "Create from scratch"
4. Make up a name for your VPN connection
5. Tap "Generate" to generate yourself a public and private key
6. In the `Addresses` field, type `10.14.0.3/32`
7. Leave the `Listen Port` and `MTU` fields empty unless you need to change them for whatever reason
8. In the DNS servers field, either type the address of your home DNS server or use a DNS server of your choice (e.g. `1.1.1.1`)
9. Tap `Add Peer`
10. Paste the Public Key from the `/root/` directory of your OpenWRT device
11. Leave the `Pre-shared key` field blank
12. In the `Allowed IPs` field, type `0.0.0.0/0,::0` (You should add ::0 even if you aren't using IPv6, as this stops your device from leaking data when connected to IPv6 enabled sites.)
13. In the `Endpoint` field, type the public (WAN) IP address or domain name of your OpenWRT device, followed by a colon and the port number. For example: `69.65.164.12:1234`
14. In the `Persistent Keepalive` field, type `25`
15. Save the connection

===Step 6: Adding your phone to the list of allowed peers===

Now you have to register your phone as a peer to your OpenWRT device. To do this:

1. In the WireGuard app, copy your Public Key (the one you generated earlier) to the clipboard
2. Go into LuCI and head to `Network>Interfaces`
3. Click `Edit` on the WireGuard interface
4. Go to the Peers section and click `Add`
5. Paste the Public Key from your phone into the `Public Key` field
6. In the Allowed IPs field, type `10.14.0.3/32`
7. Check the `Route Allowed IPs` checkbox
8. Leave the `Endpoint Host` and `Endpoint Port` fields blank
9. In the `Persistent Keepalive` field, type `25`
10. Click Save & Apply
11. Reboot the OpenWRT device, either through `LuCI>System>Reboot` or by typing `reboot` in SSH

===Step 7: Testing the VPN Connection===

Theoretically, everything should be finished now. To test this, go into the WireGuard app and enable the VPN connection. Then open a browser and if you have internet connectivity then it worked. :)

(protip: The WireGuard app has its own quick settings tile, so you can add it to your quick settings panel for ease of access)

If you have any questions or if it straight up didn't work, leave a comment and I'll try to help as best I can.
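
The same values recur across Steps 2, 4, 5 and 6 (port `1234`, the phone's `10.14.0.3/32`, the `10.14.0.1/24` interface address), and they have to agree on both ends for the tunnel to pass traffic. The shell check below is an added example, not part of the original guide; it assumes the phone tunnel has been written out as a wg-quick style `.conf` file, and the function names and placeholder keys are made up for illustration.

```shell
# Constructed sample: the Step 5 phone tunnel as a wg-quick style file.
# Keys are placeholders, not real key material.
sample_client() {
cat <<'EOF'
[Interface]
PrivateKey = <PHONE_PRIVATE_KEY>
Address = 10.14.0.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = <ROUTER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0,::0
Endpoint = 69.65.164.12:1234
PersistentKeepalive = 25
EOF
}

# conf_get KEY < conf: print the value of the first "KEY = value" line.
conf_get() {
    awk -v k="$1" 'index($0, k " = ") == 1 { print substr($0, length(k) + 4); exit }'
}

# in_subnet IP NET/LEN: succeed if IPv4 address IP lies inside NET/LEN.
in_subnet() {
    awk -v ip="$1" -v net="${2%/*}" -v len="${2#*/}" 'BEGIN {
        split(ip, a, "."); split(net, n, ".")
        i = ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        m = ((n[1] * 256 + n[2]) * 256 + n[3]) * 256 + n[4]
        size = 2 ^ (32 - len)   # number of addresses in the block
        exit !(int(i / size) == int(m / size))
    }'
}

# check_tunnel WG0_CIDR PORT PEER_ALLOWED_IPS < client.conf
# Prints one line per mismatch; exit status is the number of mismatches.
check_tunnel() {
    conf=$(cat); bad=0
    addr=$(printf '%s\n' "$conf" | conf_get Address)
    port=$(printf '%s\n' "$conf" | conf_get Endpoint); port=${port##*:}
    [ "$addr" = "$3" ] ||
        { echo "Address $addr != router peer Allowed IPs $3"; bad=$((bad + 1)); }
    in_subnet "${addr%/*}" "$1" ||
        { echo "Address $addr is outside wg0 subnet $1"; bad=$((bad + 1)); }
    [ "$port" = "$2" ] ||
        { echo "Endpoint port $port != listen/forwarded port $2"; bad=$((bad + 1)); }
    return "$bad"
}

# Router side from Steps 2, 4 and 6: wg0 address, port, peer Allowed IPs.
sample_client | check_tunnel 10.14.0.1/24 1234 10.14.0.3/32 && echo "consistent"
```

Pipe a real exported tunnel file into `check_tunnel` in place of `sample_client`; the three arguments are the router-side values entered in LuCI.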