New WireGuard based OpenWrt VPN implementation: unetd

Awesome features would for sure be,

  • The ability to use Multicast within the VPN

  • To use multipel ”WAN” connections to aggregate/bond the bandwidth within the VPN

I am using Wireguard a lot and those features I have only found in ZeroTier which has a lot of disadvantages compared to Wireguard.

Hi @nbd ,
I tried my test as:
generate keys:

wg genkey

wg pubkey <<<"wEaf3RvD5jgSqJM3C8sGKpsN4ErhcZ9s1rpVyg5JYU8="

Then start unetd on host1:

unetd -h /var/run/unetd/hosts -u /var/run/unetd/socket -N '{"name": "wg0",
                                "type": "dynamic",
                                "key": "wEaf3RvD5jgSqJM3C8sGKpsN4ErhcZ9s1rpVyg5JYU8=",
                                "auth_key": "rwnY3IgprwnSknd8Qa5yN0MI9GM1lCqAEnj5sGoEzSc="}'&

unet-dht -u /var/run/unetd/socket -n /var/run/unetd/nodes.dat 0c6b9251a7f5e246ef29f694403b0cf3 -N "rwnY3IgprwnSknd8Qa5yN0MI9GM1lCqAEnj5sGoEzSc="

Then on host2:

./unetd -h /var/run/unetd/hosts -u /var/run/unetd/socket -N '{"name": "wg0",
                                "type": "dynamic",
                                "key": "wEaf3RvD5jgSqJM3C8sGKpsN4ErhcZ9s1rpVyg5JYU8=",
                                "auth_key": "rwnY3IgprwnSknd8Qa5yN0MI9GM1lCqAEnj5sGoEzSc="}'&

./unet-dht -u /var/run/unetd/socket -n /var/run/unetd/nodes.dat 0c6b9251a7f5e246ef29f694403b0cf4 -N "rwnY3IgprwnSknd8Qa5yN0MI9GM1lCqAEnj5sGoEzSc="

I got some message like as on both hosts:

Start search for network, id=f00ecd3dcaa0f030d6b8403a8ade0bf9e0886f1a

Received 2 values.
Received 2 values.

root@OpenWrt:~# ubus call unetd network_get
        "networks": {
                "wg0": {
                        "config": {
                                "name": "wg0",
                                "type": "dynamic",
                                "key": "wEaf3RvD5jgSqJM3C8sGKpsN4ErhcZ9s1rpVyg5JYU8=",
                                "auth_key": "rwnY3IgprwnSknd8Qa5yN0MI9GM1lCqAEnj5sGoEzSc="
                        "peers": {


and interface wg0 dose not get up.

Is there something wrong with my test?


I try the tutorial steps, however, they fail with:

unetd[12591]: segfault (11) at b79b707c nip b796c964 lr b78dadd4 code 1 in[b78fb000+b0000]
unetd[12591]: code: 7d292214 91230004 38210010 4e800020 81230000 9421fff0 61290020 91230000
unetd[12591]: code: 38210010 4e800020 9421ffe0 7c0802a6 <8123004c> 429f0005 bf810010 7fc802a6

Is there a way to debug unetd?

@gmzhuo I follow whats written on the wiki page, however, no wireguard interface is opened.

@gmzhuo, You can't convert the private signing key to a public one with wg pubkey. You can use unet-tool for that: unet-tool -P -K - <<<"wEaf3RvD5jgSqJM3C8sGKpsN4ErhcZ9s1rpVyg5JYU8="

@PolynomialDivision it should save a corefile in /tmp when it segfaults. Please tell me what target you're building for and send me the core file, so that I can take a look.

The segfault was on the WDR4900v1. I switched devices, to a Banana Pi R64. However, that also fails to create a wireguard interface. :confused: When I try to manually run unetd, it says:

unetd -h /var/run/unetd/hosts -u /var/run/unetd/socket -N 
'{"name": "wg0","type": "dynamic","key": "4N9vg/CO1hSD8EKu7XgRlJ5oApQ7EehH68Eddo0m23A=","auth_key": "UVLj/N9CAB1DlIXvX7og47k+7bAWzbrz5cyA6lYQeBc="}'
Setup failed for network wg0

What happens if you run ip link add dev wg0 type wireguard?

This creates a wireguard interface and it works.

@nbd I notice this and it seems a very interesting project but I think we need more documentation to facilitate the use of it...

What I want to achieve.

I want to connect 2 router in different location.

  • One have a public dynamic ip
  • the other is under double NAT

Previous I used a softether vpn server emulating a layer2 bridge but this resulted in some problem and I'm trying to find something better suited.

I notice that a good candidate is wireguard + vxlan to emulate L2 and unetd seems to be just what I need but I'm a bit confused on how to configure this.

The wiki is not very useful so I wonder if you can guide me in this?

Since I have a public IP, dht is still needed? I guess yes since the idea of unetd is to not have a centralized system.

Consider that my dynamic ip is under a noip service and I will use an address to get that.

I will currently experiment with a manual configuration of wireguard + vxlan but I would love to use your tool to handle all the thing under the hood... (wireguard doesn't like dynamic ip a lot from what i notice)

1 Like

Hi @Ansuel,

At the moment, unetd does not have explicit support for dynamic IP via DNS lookup. I do think this is something that would be a very useful addition, so I'm going to add support for it.
In the mean time, here's a slightly hackish way to set up the kind of configuration that you want with the current state of unetd:

Use unet-cli to create a network and add both routers. Don't worry about endpoint addresses, just leave them out.
Afterwards, write a script that runs on the device behind NAT, which periodically looks up the IP address of the public dynamic IP router and adds it to unetd using:
ubus call unetd network_connect '{"network": "unet", "address": "", "timeout": 30 }'
(adjust the network name and address accordingly)

Having the node behind NAT reach out to the other router in this way is enough to bring up the full network.

Once I've added DNS lookup support, you will be able to configure the hostname in the auth_connect option in the interface in /etc/config/network.

Does that make sense, or do you need more information?


I will try to create the script with the suggested command. Feel free to tag me when the dynamic IP support is there and ask for testing.

hello @nbd - looks like a great idea!

Perhaps variable names and their descriptions could better fit what their current purpose is. Would you consider renaming, or at least adding synonyms (for deprecation and transition period) for config keywords which better describe what they do?

e.g. device -> tun_device, key -> wg_key (which, public, private?) auth_key -> sign_key, connect -> config_src_hosts, domain -> dns_suffix?

When staring at uci config files, it's nice for keys to be intuitive, specially when their values are not immediately obvious. I could send a PR on github if there is a mirror for this there.

So i just wanted to clarify, if id like to connect 2 openwrt routers together (potentially up to 5 in the future), that dont have public ip, and i need layer 2 (so vxlan?) working, its possible with unetd, or i just misunderstood something?

If yes, this would be amazing, ive been waiting for something like that for a while, cause the current setup with wireguard i have, is a little too complicated for me (at least when it comes to vxlan and layer 2), and it requires at least one public ip afaik...

Yes, it's possible if you use the extra unet-dht package. Please note that initially it may take some time before it's able to establish the connection for the first time, so you need to be patient if you don't have a server with a public IP.
Layer 2 via VXLAN is working fine over a single interface with as many nodes as you need in your network.
Are your OpenWrt routers behind NAT, or directly connected? Behind NAT is possible (even if both of them are), but takes even longer to connect via DHT.


Sorry for the late reply, currently i have one public ip, but i might lose it in the future, also if its just first time connecting via DHT, and after that its normal, doesnt rly matter to me, actually even if takes an hour everytime im establishing connection between the routers, it doesnt matter, or do you mean like it takes a long time, everytime i try to connect to the other network, like when im trying to actually use it?

One more question, cause im rather a noob in these matters, if i follow the example setup from the wiki, just to start off and learn, both routers needs to be in one lan during the configuration right?

If you are in the USA (elsewhere it also works but with bad latency), you can try getting a public IP from

The devices don't need to be in the same LAN, you just need to be able to reach all nodes you wish to connect from one of them from which you create and distribute the configuration.

1 Like