May 2024 Update: How to create wireguard tunnel with nordvpn on OpenWRT 22.03

Hey everyone,

I have been working on this for a while. I wanted to create a wireguard tunnel to nordvpn servers. I will provide two ways to achieve the result. Option number two is optimal because I am able to create a private wireguard server that allows me to connect to the local subnet that is behind nordvpn. This will allow me to create a subnet that is protected by nordvpn. I can then access this subnet through my own private wireguard server anywhere in the world. So here is the process:

Setup (The setup will be the same for both option 1 and option 2)

  1. Install packages
sudo apt install wireguard curl jq net-tools
  1. Install nordvpn on linux machine
sh <(curl -sSf
  1. Login into nordvpn
sudo nordvpn login
  1. Change connection protocol to nordlynx
sudo nordvpn set technology nordlynx
  1. connect to your preferred server
`sudo nordvpn c nl #to connect Nederland as an example`
  1. Obtain ip address of nordlynx interface (should be similar to
ifconfig nordlynx
  1. Obtain nordlynx configuration public-key and private-key
sudo wg show nordlynx private-key
sudo wg show nordlynx public-key
  1. Enter this command to obtain the peers (nordvpn servers) public key
curl -s "\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1"|jq -r '.[]|.hostname, .station, (.locations|.[]|.country|, (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'
  1. Install these software packages on Openwrt
    kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools
  2. Create network interface that connects to nordlynx wireguard server
  3. Add your nordlynx public and private key
  4. Allowed ip ( - found earlier)
  5. Route allowed ips checked
  6. Persistent keep alive 25s
  7. Create a firewall zone to assign the interface to
  8. Create peer with the public key of the nordvpn server you connected to and set allowed ips to
  9. Set endpoint host to external ip address of nordvpn server
  10. Set endpoint port to 51820
  11. Persistent keep alive to 25 seconds
  12. Create a new interface with static ip address range
  13. Create a new firewall zone to attach the new interface to
  14. Create advanced DHCP settings to make sure DNS is through nordvpn
  15. Create device that is attached to a vlan or ethernet port and then assign this device to your subnets interface


*I will now propose two options on how to route traffic from the interface with the static ip address (i.e. to the wireguard vpn tunnel. Option 1 is used in case option 2 does not work. Option 1 forces the traffic from interface subnet to be routed through the tunnel. Correct firewall rules should allow the traffic to pass through the zones but it does not always work. I think option 1 did not work with similar firewall settings becasue I did not click "route allowed ips" in the peers section of the wireguard interface.

Option 1

  1. Install pbr and luci-app-pbr in openwrt packages
  2. Create a new policy that routes your static ip address to wg0 (wireguard tunnel)
  3. Create firewall settings that reflects below:

  4. Enjoy traffic through the wireguard tunnel

Option 2

  1. The firewall zone with the subnet interface should have 'covered networks' as the interface. It should then forward to the wireguard tunnel destination zone
  2. The firewall zone should have allow forward from source zone (subnet interface). Then it should not have to forward anywhere else. Covered networks is the wireguard tunnel interface. Masquerading and MSS clamping should be enabled.

Please provide revisions in the comments


  1. (how to obtain wireguard credentials)
  2. [Instruction] Config NordVPN wireguard (Nordlynx) on OpenWrt (configure nordvpn wireguard on openwrt - my tutorial goes into more depth on how to setup the wireguard rules)

Given that 22.03 officially went EOL as of the end of April 2024, I'd recommend testing your recipe against 23.05. Make adjustments if necessary and edit the title accordingly.


Nordvpn provides radically different setup guide.

When I use option 2 my guest network is always messed up. Whenever I click route addresses on wireguard peer and set allowed ip to my guest network quits working. Anyone know why this is?

I can confirm that option 2 works on openwrt 23. Didn't even realize I was that far behind in updates.

We'd need to see your configuration after you've setup option 2.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
  • After obtaining the keys and IP addresses, be sure to disable NordLynx on the laptop. There can only be one active connection at a time with the same key.
  • Only the private key field needs to be transferred over to the wireguard interface, and the server's public key installed as the peer. Anyone who knows a private key can derive the corresponding public key from it any time later. The reverse of course is not true. When you return to the page you will find the private key is obscured and the public key field has been populated.
  • Do not check Route Allowed IPs when using PBR. PBR will install routes as needed.

@mk24 In regard to do not check "route allowed IPs". Every time I check that box it makes my default gateway as the wg0 interface. I am unable to use my guest and IOT network consequentially. However, I am unable to successfully setup the wg0 interface without it setting allowed ip as "" and click route allowed ips. So im either forced to have my vpn network working or my guest network working. Can you help me understand what is going on?

As I understand it, you have to add two routes in PBR, with the source controlling which one will be used. I have not actually done this in practice so don't say I'm an expert with PBR. Also you need to be sure that the encrypted packets from the Wireguard kernel process to the VPN server will always be routed into the regular wan. These packets will have the source IP of the regular WAN interface.

Can we see your config, please?

Hey everyone,

after lots of testing. I have realized that you should not click "create routes for allowed ips". When you set allowed ip to and then wireguard app creates a route, this will make a new default gateway. This will indeed mess up your routing options in openwrt. I would set allowed ips to and then go with option 1 using pbr. Option one will create a route from (vpn subnet) to wg0 (nordlynx wireguard interface) with pbr. Make sure to set the vpn subnet dhcp options to 6,, The wg0 interface should use those custom dns servers for nordvpn. Please reply if you have questions.

I can confirm that this works for 23.05

Shall we edit the title accordingly?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.