Unable to set up wireguard

Hi everyone,

I’m new to OpenWrt and trying to set up a WireGuard VPN connection with ProtonVPN using the Luci GUI. While the same configuration works fine on Windows with the wireguard client, I can’t get it to work on OpenWrt.

The WireGuard interface shows no traffic (no packets sent or received), so it seems like the connection isn’t being established.

This is my current configuration.
Private and public keys in the general tab are generated with the "Generate new key pair" button:

As a new user I cannot post more than one photo, so I will post the rest in the replies.

Peer public and private keys are from the ProtonVPN conf:

Post the output of the following commands:

ubus call system board
cat /etc/config/network # remove wg keys
wg status # remove keys
ip ro sh # remove last 2 octets of IP addresses

As usual. The fix is just ticking one box.

How to set up WireGuard® on OpenWRT router

Here it is. I am currently testing it on an old cube PC with a USB live OpenWrt version (it is a test). I am thinking about buying other hardware later, but I have managed once before to connect to the VPN with the same hardware, but I lost the configuration, so I think the hardware is not the problem. Thanks in advance.

ubus call system board

{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i5-4570T CPU @ 2.90GHz",
        "model": "FUJITSU ESPRIMO Q920",
        "board_name": "fujitsu-esprimo-q920",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/generic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:af39:2e78::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option ip6assign '60'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'KN28UsasThvAT6z5YyuJbIxJ6D98OGiH9fFLYokblV0='
        list addresses '10.2.0.2/32'
        list dns '10.2.0.1'

config wireguard_wg0
        option description 'ProtonNL'
        option public_key 'Removed'
        option private_key 'Removed'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '185.107.56.219'
        option endpoint_port '51820'
root@OpenWrt:~# wg status
Invalid subcommand: `status'
Usage: wg <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  syncconf: Synchronizes a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.
root@OpenWrt:~# wg show
interface: wg0
  public key: KZSBuoXp267yvJe1/KZTeenhcbEmQL7cgRZGUxHCzh8=
  private key: (hidden)
  listening port: 55885

peer: RemovedPublicKey
  endpoint: 185.107.56.219:51820
  allowed ips: 0.0.0.0/0

ip ro sh:

default via 192.168.0.1 dev br-lan  src 192.168.0.137
185.107. via 192.168.0.1 dev br-lan (Remove last octets)
192.168.0.0/24 dev br-lan scope link  src 192.168.0.137

192.168.0.137 is OpenWrt and 192.168.0.1 is the ISP router.
The network looks like this: Internet - ISP router - OpenWrt (Ethernet cable)

You are right; I had the "Route allowed IPs" box unchecked and some firewall configurations missing. Thank you! Now I have it connected and sending packets, but the traffic is still not being routed through the VPN. Devices connected via Wi-Fi to OpenWrt are still showing my ISP address.

This is expected because your OpenWrt device is operating as an AP. Your client devices don't know that the AP is actually a gateway to the internet. Instead, they are only aware of your main router and they send all of the traffic to the main router to reach the internet.

To solve this, there are a few approaches:

  1. Configure your AP such that it has a routed network that is independent of your upstream network's lan (the default configuration of OpenWrt has a wan/lan for this purpose).
  2. Change the configuration of the DHCP server (likely currently your main router) to use option 3 (DHCP advertised gateway address) to reflect the address of your OpenWrt device.
  3. Manually configure the client devices (via their own settings) to use the OpenWrt device as their gateway.

Your best bet is to start over from scratch and follow the tutorial closely. The configuration of the firewall is different than you might expect. That’s the other easy mistake when setting this up.

I need to do all the configuration in OpenWrt and it should be independent from the ISP router, so I think I need to follow the first option.
I am trying to emulate a travel router to do some tests before buying one.
So please, if you have any guide I would appreciate it, because I have followed many, even tried with ChatGPT answers, but none of them worked. I cannot get the Wi-Fi traffic routed through WireGuard.
Maybe the approach is not exactly a travel router because the OpenWrt is connected via LAN to the ISP router...

The solution is fairly simple, then...

  1. Reset the router to defaults.
  2. If necessary, change the lan subnet so that it doesn't conflict with your current upstream/main network (i.e. if your current network uses 192.168.1.0/24, change the lan IP of OpenWrt to something like 192.168.5.1)
  3. Connect the wan port of the OpenWrt device to the upstream lan.
  4. Configure the wifi (if desired) on the OpenWrt router.
  5. Set up WireGuard (it looks like you didn't get it working previously, but we'll address that issue if it comes up again after you follow this general process).
  6. Connect your client devices to the OpenWrt router's lan ports and/or wifi -- they should now route through the OpenWrt device and via the tunnel if WireGuard is set up correctly.
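As an added example (not from this thread or from OpenWrt itself), a small Python lint that parses a /etc/config/network dump like the one posted above and flags the mistakes identified in this thread: the peer section missing route_allowed_ips (the "Route allowed IPs" box), the lan interface on DHCP (the device acting as an AP on the upstream LAN instead of a router), and a private_key placed in the peer section instead of the interface. The sample configs are constructed from the posted one with keys redacted, and the fixed version assumes a lan address of 192.168.5.1 as suggested in step 2.

```python
import re

def parse_uci(text):
    """Minimal parser for OpenWrt UCI files: returns [(section_type, section_name, options)]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue
        parts = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]  # quoted or bare tokens
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == "option" and len(parts) == 3 and sections:
            sections[-1][2][parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) == 3 and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def lint_wireguard(text):
    """Return findings for the configuration mistakes discussed in this thread."""
    findings = []
    secs = parse_uci(text)
    wg_ifaces = {n for t, n, o in secs if t == "interface" and o.get("proto") == "wireguard"}
    for typ, name, opts in secs:
        if typ == "interface" and name == "lan" and opts.get("proto") != "static":
            findings.append(f"lan: proto is {opts.get('proto')!r}; box is an AP on the upstream LAN, not a router")
        if typ.startswith("wireguard_") and typ[len("wireguard_"):] in wg_ifaces:
            if opts.get("route_allowed_ips") != "1":
                findings.append(f"{typ}: route_allowed_ips is not '1' ('Route allowed IPs' unticked), nothing enters the tunnel")
            if "private_key" in opts:
                findings.append(f"{typ}: private_key is an interface option; a peer takes public_key/preshared_key")
    return findings

# Constructed from the config posted in this thread, keys redacted.
BROKEN = """\
config interface 'lan'
        option proto 'dhcp'
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
config wireguard_wg0
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '185.107.56.219'
"""
# Same config after the fixes discussed above: static lan (assumed 192.168.5.1), peer routes its allowed IPs.
FIXED = (BROKEN.replace("proto 'dhcp'", "proto 'static'\n        option ipaddr '192.168.5.1'")
         .replace("        option private_key 'REDACTED'\n        list allowed",
                  "        option route_allowed_ips '1'\n        list allowed"))
```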

Don't even try this. These LLMs cannot help you properly -- they are more likely to lead you astray.

When you follow my advice above, it will be very similar to the travel router scenario.

The travel router use case depends on routing between two networks -- users in a LAN, and a connection to the Internet via a WAN. If this mini PC only has one Ethernet port you will need to use wifi for one of the networks.

Once you have lan->wan routing working, it is what is assumed in almost all the guides to setting up a "whole house" VPN through a router.

Hey, have you tried using Policy Based Routing?

https://openwrt.org/docs/guide-user/network/routing/pbr

Set up a new policy

PBR will not help in the OP's current configuration and topology. The client devices do not know that there is an alternate gateway -- they are all using the upstream router.

I have been busy these last days but finally today I got it working. Thank you all for the help.
I will detail the steps I have followed:

  1. Set up wan and lan correctly: Turn the raspberry pi into a WIFI router » Simplificando Redes
  2. Follow the surfshark guide to set up wireguard: How to set up WireGuard® on OpenWRT router – Surfshark Customer Support
    But the LuCI GUI has been updated and now there are more keys to be filled in:
    In the interface:
    Public Key -> Generate a new one
    Private Key -> Provided by Surfshark
    In the peer:
    Public Key -> Provided by Surfshark
    Private Key -> Generate new one

I would urge you to install the chrony package too. WireGuard requires the clock to be exactly correct. Installing this package will save you a lot of headaches with WireGuard, because it won't work at all if the clock isn't exactly correct, even if it's configured exactly correctly. The Raspberry Pi has no RTC (real time clock), so it will forget the time when it shuts down or reboots.
