Is there a simple way to preserve wireguard over upgrades?

I know that I can build an image with wireguard installed - I don't consider that simple, as I have to do it for a number of router types.
I noticed a tab under flash operations that allows preserving certain kinds of configurations, but I don't think that's what I want.
I want the latest version of luci-kmod-wireguard to be installed automatically, so is there a simple way to do that?
At some point, the popularity of wg should be enough that luci-kmod-wireguard should be included automatically - I believe that wireguard itself is included but not luci-kmod.

So there is nuance to the answer...

If you keep settings across an upgrade, your wireguard configuration will remain (although you will have to reinstall the wireguard packages). This is safe to do across service upgrades (i.e. 21.02.0 > 21.02.1). But it is not recommended to keep settings across major upgrades (such as 19.07 > 21.02), and sometimes it is required that you do not keep settings when there is a major architectural change (for example, upgrading 18.06 > 21.02 while attempting to keep settings is not supported and may fail; a target change such as ar71xx > ath79, or devices that went from swconfig > DSA cannot maintain settings across these upgrades).

For the times that you don't keep settings, you can copy/paste the wireguard config stanzas from the /etc/config/network file -- at least as of 21.02, those are compatible across versions. Alternatively, you can set up a script with the UCI commands to do the same thing.

Always take a backup before making any changes or running any updates.

EDIT:

I originally thought this, too, but it is not. You still need to install kmod-wireguard. I don't know why I had thought it was included in 21.02, but I would imagine that some future major release (22.x or later) will indeed include it built-in.

EDIT 2: I forgot to mention that attended sysupgrade is a good option for your situation. Check it out here.

2 Likes

As you said, you then need to build an image that includes that package. However, you don't need to go through a full build from source; the Image Builder working off pre-built OpenWrt and packages can do that too. You could even use the online image builder and add luci-kmod-wireguard to the packages list.

5 Likes

Sysupgrade looks great, and I will start using it in the future.
For my immediate problem, I have some remote OpenWrt devices which I manage remotely using wireguard. There is no one able to change things remotely, so if I lose connectivity I'm SOL.
I had a method that usually works well, but the upgrade from 19.07 to 21.02 broke config files due to DSA switch changes for my routers.
So I think I'm stuck visiting in person (I just fixed one by driving for 6 hours) or creating a custom image and custom config files.
Thanks for the help. I don't think this is a long-term problem and Sysupgrade looks like a great solution when the config files can be saved across the upgrade.

As a sidenote: With the Image Builder, you can also supply random files to be included (the FILES command line parameter takes a directory, from which it will take a directory/files structure as if they were on the router itself). It will take any sort of files really, but it is especially useful to supply an /etc/ folder containing (some) configuration files. As a bonus, this will then also be the default state after a reset.

This would allow you to prepare an identical device "at home", bake for example the network configuration files into the image, and sysupgrade the remote device using that image. It doesn't work all that well for configurations that include hardware UIDs (wireless config for example), but it works reasonably well for network configurations.

As for your particular problem: I have solved this in the past by including a firewall rule allowing SSH access from the outside (using a nonstandard port). Of course from a security standpoint this is not ideal at all, but the firewall rule is only activated until the VPN setup is complete and then deactivated once the VPN is established. But of course there's lots of ways to skin a cat.
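
One way to automate the "deactivated once the VPN is established" step from the last post, as an added example that is not the poster's own script. The interface name `wg0`, the named firewall rule section `ssh_fallback` and the 180-second freshness window are assumptions; the script disables the rule only after a recent WireGuard handshake is visible and otherwise leaves it untouched.

```shell
#!/bin/sh
# Added example: close a temporary WAN SSH fallback rule once WireGuard is up.
# Assumed names (not from the thread): interface wg0, named firewall rule
# section "ssh_fallback", 180-second freshness window.

WG_IF="${WG_IF:-wg0}"
RULE="${RULE:-ssh_fallback}"
MAX_AGE="${MAX_AGE:-180}"

# handshake_fresh NOW MAX_AGE
# Reads `wg show <if> latest-handshakes` output on stdin (one
# "<public-key><TAB><epoch-seconds>" line per peer; 0 = never) and succeeds
# only if at least one peer completed a handshake within MAX_AGE seconds.
# Timestamps in the future (clock skew) are not counted as fresh.
handshake_fresh() {
    awk -v now="$1" -v max="$2" '
        $2 ~ /^[0-9]+$/ && $2 > 0 && now - $2 >= 0 && now - $2 <= max { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Disable the fallback rule only when the tunnel has demonstrably completed a
# handshake; otherwise leave it alone so the device stays reachable.
close_fallback_if_vpn_up() {
    if wg show "$WG_IF" latest-handshakes | handshake_fresh "$(date +%s)" "$MAX_AGE"; then
        # Already disabled: skip, to avoid needless firewall reloads from cron.
        [ "$(uci -q get "firewall.$RULE.enabled")" = "0" ] && return 0
        uci set "firewall.$RULE.enabled=0"
        uci commit firewall
        /etc/init.d/firewall reload
        logger -t wg-fallback "handshake seen on $WG_IF; disabled rule $RULE"
    else
        logger -t wg-fallback "no recent handshake on $WG_IF; rule $RULE left as is"
        return 1
    fi
}

# Run only on a device that has uci (for example from cron after the sysupgrade).
if command -v uci >/dev/null 2>&1; then
    close_fallback_if_vpn_up || true
fi
```

Run it from cron or a hotplug script after the upgrade. A peer only shows a handshake once traffic has flowed, so the check relies on `persistent_keepalive` or regular tunnel traffic.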