Surfshark VPN with WireGuard and Policy Routing Config

ssh root@10.20.20.1

root@10.20.20.1's password: 


BusyBox v1.36.1 (2026-05-14 20:07:45 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.6, r29141-81be8a8869
 -----------------------------------------------------
root@OpenWrt_Router:~# owut list
luci-proto-wireguard pbr nano luci-app-attendedsysupgrade htop fping luci owut luci-app-pbr wpad-wolfssl iperf3 dnsmasq-full -dnsmasq -nftables -wpad-basic-mbedtls
root@OpenWrt_Router:~# cat /etc/config/network

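# /etc/config/network as dumped from the running router.
# Layout: loopback, LAN bridge br-lan (lan1 + lan2), wan via DHCP, wan6 disabled,
# and a WireGuard interface wg0 with a single Surfshark peer.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd80:685f:f4d6::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.20.20.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# wan is the only default gateway (see the author's note and defaultroute '0'
# on wg0). peerdns '0' discards the ISP-supplied resolvers; the two fixed
# servers listed here are used instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option metric '20'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

# wan6 is disabled, so there is no IPv6 upstream; pbr has ipv6_enabled '0'
# to match (see /etc/config/pbr).
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option disabled '1'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

# WireGuard tunnel. defaultroute '0' is presumably what keeps the peer's
# 0.0.0.0/0 route out of the main table (confirm with `ip route`); pbr then
# steers only the selected clients into wg0.
# The private key below is a placeholder; keep the real key out of any
# shared copy of this file.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option metric '10'
	option defaultroute '0'

# NOTE(review): two empty wireguard_wg0 peer sections, presumably leftovers
# from earlier peers. Confirm netifd skips peers without a public_key, or
# delete them.
config wireguard_wg0

config wireguard_wg0

# Surfshark peer. allowed_ips 0.0.0.0/0 with route_allowed_ips '1' is what
# lets the tunnel carry all traffic of a steered client.
config wireguard_wg0
	option description 'Athens'
	option public_key 'PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'gr-ath.prod.surfshark.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'
# NOTE(review): private_key is an interface-section option (see wg0 above),
# not a peer option; this line is most likely meant to be preshared_key, or is
# a stray paste — confirm. The closing quote was missing in the original dump
# and has been restored so the file parses.
	option private_key 'LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL'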

root@OpenWrt_Router:~# cat /etc/config/pbr

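# /etc/config/pbr as dumped from the running router.
# strict_enforcement '1' is the only "kill switch" here: when wg0 is down,
# clients matched by a wg0 policy are blocked rather than falling back to wan
# (see the author's link to the pbr strict-enforcement docs).
# NOTE(review): the policies below steer only the listed client IPs. Their DNS
# is answered by the router's dnsmasq, whose upstream queries to the servers in
# /etc/config/network follow the main table (wan, per the author's note), not
# wg0 — most likely a DNS leak for the VPN'd clients. A dns_policy for those
# src_addr, or routing the router's own resolver traffic via wg0, would close
# it — confirm.
config pbr 'config'
	option enabled '1'
	option fw_mask '00ff0000'
	option ipv6_enabled '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	option nft_user_set_counter '0'
	option procd_boot_trigger_delay '5000'
	option procd_reload_delay '0'
	option resolver_set 'dnsmasq.nftset'
	option strict_enforcement '1'
	option uplink_interface 'wan'
	option uplink_interface6 'wan6'
	option uplink_ip_rules_priority '30000'
	option uplink_mark '00010000'
	option verbosity '2'
	list ignored_interface 'vpnserver'
	list lan_device 'br-lan'
	list resolver_instance '*'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option config_compat '25'
	option config_version '1.2.2-r14'
	option rule_create_option 'add'
	option webui_show_ignore_target '0'

# Package-provided include scripts, all disabled.
config include
	option path '/usr/share/pbr/pbr.user.dnsprefetch'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# Package-provided example policies, all disabled (enabled '0').
config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.1.5'
	option dest_dns '1.1.1.1'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

# Active policies: the two clients below are forced through wg0.
# The original dump had a curly closing quote on src_addr and no closing quote
# on interface, which would not parse; both are fixed here. Multiple addresses
# are space-separated, matching the other list-valued options in this file.
config policy
	option name 'HP-EliteBook-820-G1-thru-wg0'
	option src_addr '10.20.20.31 10.20.20.32'
	option interface 'wg0'

config policy
	option name 'koulourapc-hp-t730-thin-client-thru-wgo'
	option src_addr '10.20.20.30'
	option interface 'wg0'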

root@OpenWrt_Router:~# cat /etc/config/firewall

# /etc/config/firewall as dumped from the running router.
# Three zones: lan (open), wan (input/forward rejected, masqueraded) and vpn
# (wg0, same posture as wan). Forwarding is allowed lan->wan and lan->vpn only;
# nothing is forwarded from vpn or wan into lan except the explicit rules below.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to Allow-ISAKMP are the OpenWrt defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# The IPv6 rules below are inert while wan6 is disabled in /etc/config/network.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): these two default rules forward ESP and UDP/500 from wan into
# lan. They only serve an IPsec endpoint on the LAN; if there is none, they
# can be disabled to reduce the exposed surface — confirm.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# vpn zone for wg0: inbound from the tunnel is rejected and there is no
# vpn->lan forwarding, so the VPN provider's side cannot reach the LAN.
# masq '1' NATs steered clients behind the tunnel address 10.14.0.2.
# NOTE(review): unlike lan and wan, this zone has no mtu_fix '1'; a WireGuard
# tunnel has a smaller MTU than the LAN, so MSS clamping here is commonly
# needed to avoid PMTU stalls for steered clients — confirm.
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

root@OpenWrt_Router:~# 
 

root@OpenWrt_Router:~# 


I want to share the working config from my main router (Xiaomi Mi 4A Gigabit), with only the wired interfaces enabled.

You must build a customized firmware image with the packages listed above,
and then edit the configuration to add the public and private keys and the peer endpoint host.
Note that the default gateway is the WAN, so that only specific clients are forced through the WireGuard interface wg0.

I do not have a kill switch, but strict policy enforcement works; see

https://docs.openwrt.melmac.ca/pbr/#strict-enforcement