Router Setup

OpenWrt WireGuard Setup Guide

This guide was produced using OpenWrt v.19.07.8 and v.21.02.0

Install required packages

  1. In your router’s webUI, navigate to System - Software, click Update lists

  2. In the Filter field, type WireGuard, locate and install the wireguard, wireguard-tools, kmod-wireguard, and luci-app-wireguard packages. Note: The wireguard package is included in version 21.02.

  3. Restart your router

Generate WireGuard keypair

  1. SSH into your router as ‘root’ (OpenWrt Wiki):

    ssh root@

  2. Generate WireGuard keys:

    wg genkey | tee privatekey | wg pubkey > publickey

    chmod 600 privatekey

  3. Note your Private & Public keys, you will need them later:

    cat privatekey

    cat publickey

Obtain WireGuard IP address

  1. Log into the Client Area
  2. Navigate to WireGuard tab and click the Add a new key button

  3. Copy and paste the Public key obtained previously, give it any name, then click the Add key button and note the assigned IP address

Create an Interface

  1. Navigate to Network - Interface,

  2. Click the Add new interface... button and enter the following configuration:

    • Name - give it any name, e.g. ivpnAustria
    • Protocol - WireGuard VPN
  3. Create interface

  4. In the General Settings tab:

    • Bring up on boot - Checked
    • Private Key - copy and paste the generated previously Private key
    • IP Address - enter the WireGuard IP Address obtained in the Client Area ending with /32, e.g.

  5. In the Advanced Settings tab, set MTU to 1412

  6. In the Peers tab:

    • Description - give it any name, e.g. Austria
    • Public Key - the IVPN WireGuard server public key, available on the IVPN server status page
    • Allowed IPs -
    • Route Allowed IPs - Checked
    • Endpoint Host - an IP address of IVPN WireGuard server

      Hostnames are available on the IVPN server status page. To turn the hostname of the server into an IP address use, e.g. the nslookup command in your computer’s terminal:

    $ nslookup


    • Endpoint Port - 53, 80, 443, 1194, 2049, 2050, 30587, 41893, 48574 or 58237. All ports are equally secure
    • Persistent Keep Alive - 25 seconds is reasonable

  7. Click Save & Save & Apply

Add a Firewall zone

  1. Navigate to Network - Firewall

  2. Click the Add button and enter the following configuration:

    • Name - Give it any name, e.g. ivpn_fw
    • Input - Reject
    • Output - Accept
    • Forward - Reject
    • Masquerading - Checked
    • MSS clamping - Checked
    • Covered networks - select the previously created VPN tunnel interface, e.g. ivpnAustria
    • Allow forward to destination zones - Unspecified
    • Allow forward from source zones - lan

  3. Click Save & Save & Apply

Configuring a Kill-switch (optional)

To ensure the traffic on your LAN devices travels strictly via the VPN tunnel and to prevent any possible leaks if the router disconnects from the VPN server for any reason, edit your lan firewall zone and remove WAN from the Allow forward to destination zones field, then click Save & Save & Apply buttons.


  1. Navigate to Network - Interfaces

  2. Click on the Edit button next to the WAN interface

  3. In the Advanced Settings tab, uncheck the Use DNS servers advertised by peer and specify one of the following DNS servers in the Use custom DNS servers field:

    • = regular DNS with no blocking
    • = standard AntiTracker to block advertising and malware domains
    • = Hardcore Mode AntiTracker to also block Google and Facebook domains

  4. Click the Save button.

  5. For firmware version 21.02, repeat steps 2 to 4 for the IVPN WireGuard and WAN6 interfaces. For firmware version 19.07, repeat steps 2 to 4 for the WAN6 interface.

  6. Click the Save & Apply button.

Final Steps

  1. A device reboot is not required, though it may be useful to confirm that everything behaves as expected.
  2. Run a leak test at via one of the internal network clients attached to your OpenWRT router.

Please note: If you plan to use a Multi-hop setup please see this guide and make the required changes to the Endpoint Address port and Peer Public Key.

Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.