Private Internet Access (pia) wireguard VPN on OpenWrt


I use Putty, but there are other ways listed in the link to ssh into the router

...under the heading:
PuTTY gives you command-line access to OpenWrt.

this is provided by PIA

the script modification to generate the keys:

PRIV_KEY="$(wg genkey)"
PUB_KEY="$(echo "$PRIV_KEY" | wg pubkey)"
1 Like

You should have the username and password in the openvpn config. Username starts with p.

To generate your public and private keys. Once you've SSH to your router run the following and note down the output.

PRIV_KEY="$(wg genkey)"
PUB_KEY="$(echo "$PRIV_KEY" | wg pubkey)"
echo "Private key is $PRIV_KEY"
echo "Public key is $PUB_KEY"

Edit the first 4 lines of the script. Add your username, password, private key and public key between the quotes.

Copy the script to your router. Run the following command, I'm assuming you called the file This will make the script executable and also ensure it is kept after a sysupgrade.

chmod +x /root/
echo "/root/" >> /etc/sysupgrade.conf

Install dependencies

opkg update
opkg install jq 
opkg install curl

Run the script for the first time


This will generate the information you require to manually setup the connection for the first time. Follow the instruction in the wiki to setup a wireguard client.

Call the VPN_IF wg0_pia or edit the script where it says VPN_IF=

Let us know when you get this far. Perhaps you could write up what you did, to help others in your situation.

Thanks for the reply, I'm using Powershell on windows 10, How do I move the script( to the router?,in%20the%20Port%20number%20field.

I made some additions/changes to @d687r02j8g script.
Didn't work when I ran it on fresh install, required wg interface to exist. Now runs.
Moved user creds to separate file (, creates template if file isn't there
Generates keypair for creds file.
Region identifier in also, can edit and rerun to change wg peer
Updated Script, creates PIA WG Config for OpenWrt


LazerDog, are you still using this setup? I seem to be having an URL not found on the v2/token fetch.
I'm just trying to set it up for the first time, so something else may be wrong for me.

I've had a chance to experiment with PIA wg recently, I ended up using their own manual-connections script which runs just fine on my OpenWrt router with some minor manupulations of the PIA script files. Here's what I ended up using:

	cd /root/
	git clone --depth 1 pia-config
	cd pia-config || return 1
	sed -i '/ncolors=/d;/check_tool wg-quick/d;/setDNS="no"/d' ./*.sh

After that I just ran their scripts as per their README. I did get the name of the locations by running their scripts on the Linux machine tho, but even that I believe should work on OpenWrt.

I then have another script to pull data from the created configs into OpenWrt network file. From some feedback on reddit I've learned that the PIA wg configs become invalid when PIA reboots their servers.

1 Like

I got the script up and running. However, when I check my ip the IPv6 is still showing my ISP. PIA says they don't support IPv6. Is there a way to get my IPv6 through my IPv4? Or do I just have to turn IPv6 off?

How did you do it?

change wget to curl

Inspired by various scripts and discussions on this thread, I made my own script to setup and start a PIA WireGuard interface.
The script is using OpenWrt UCI system to save its configuration and settings.

The configuration is done by simple Q/A using the script (it asks for PIA id and password, and the region either manually or by interactive selection).

It also can install a watchdog to automatically update/restart the VPN if needed.


Nice work. Can it be used to only create the config as well?


No, it creates the network/wg config then starts wg.
If it is in watchdog mode, it will check and reset the config if needed before restarting wg (for this interface only).

However, I will add in the next release an argument like --configonly to use with the command start or a command set-wg, to prevent wg to start after the config is set.

Version 1.0.5 : init-network command added, to setup uci network interface and WG peer config only without starting it.

1 Like

Thanks Bo.

1 Like

If you know the geo-based names of WG servers you want to connect to, the function in the gist below will update OpenWrt network config with new parameters.

You need to have git installed and enough space to use PIA scripts:

I found this in the PIA help:
It is the script to use WG on linux.
Do you think it can be used on openwrt?

Yes, it can, their Linux scripts are used in the gist linked just above your post.

Ok. Thanks.
To make sure is clear for me (not an expert).
At the moment I have OpenVPN installed and connecting to PIA.
In my Firewall - Zone settings, I have my WAN set to cover networks that includes PIA_VPN (See creenshot).

The script provided by you up here, is it a modified verison than the one of PIA I referred to?
And to make it to work, do I have to make changes to my Firewall Zone Settings?
Thank you @stangri.

The script I linked in a gist changes the network/firewall configs automatically.