I'm new to OpenWrt and trying to set up a WireGuard VPN connection with ProtonVPN using the LuCI GUI. While the same configuration works fine on Windows with the WireGuard client, I can't get it to work on OpenWrt.
The WireGuard interface shows no traffic (no packets sent or received), so it seems like the connection isn’t being established.
This is my current configuration.
Private and public keys in the General tab are generated with the "Generate new key pair" button:
Here it is. I am currently testing it on an old cube PC with a USB live OpenWrt image (it is a test). I am thinking about buying other hardware later, but I have managed once before to connect to the VPN with the same hardware, and I lost the configuration, so I think the hardware is not the problem. Thanks in advance.
```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:af39:2e78::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option ip6assign '60'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'KN28UsasThvAT6z5YyuJbIxJ6D98OGiH9fFLYokblV0='
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

config wireguard_wg0
	option description 'ProtonNL'
	option public_key 'Removed'
	option private_key 'Removed'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '185.107.56.219'
	option endpoint_port '51820'
```
```
root@OpenWrt:~# wg status
Invalid subcommand: `status'
Usage: wg <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  syncconf: Synchronizes a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.

root@OpenWrt:~# wg show
interface: wg0
  public key: KZSBuoXp267yvJe1/KZTeenhcbEmQL7cgRZGUxHCzh8=
  private key: (hidden)
  listening port: 55885

peer: RemovedPublicKey
  endpoint: 185.107.56.219:51820
  allowed ips: 0.0.0.0/0
```

ip ro sh:

```
default via 192.168.0.1 dev br-lan src 192.168.0.137
185.107. via 192.168.0.1 dev br-lan (Remove last octets)
192.168.0.0/24 dev br-lan scope link src 192.168.0.137
```
192.168.0.137 is the OpenWrt device and 192.168.0.1 is the ISP router.
The network looks like this: Internet - ISP router - OpenWrt (Ethernet cable)
You are right; I had the "Route allowed IPs" box unchecked and some firewall configurations missing. Thank you! Now I have it connected and sending packets, but the traffic is still not being routed through the VPN. Devices connected via Wi-Fi to OpenWrt are still showing my ISP address.
This is expected because your OpenWrt device is operating as an AP. Your client devices don't know that the AP is actually a gateway to the internet. Instead, they are only aware of your main router and they send all of the traffic to the main router to reach the internet.
To solve this, there are a few approaches:
Configure your AP such that it has a routed network that is independent of your upstream network's lan (the default configuration of OpenWrt has a wan/lan for this purpose).
Change the configuration of the DHCP server (likely currently your main router) to use option 3 (DHCP advertised gateway address) to reflect the address of your OpenWrt device.
Manually configure the client devices (via their own settings) to use the OpenWrt device as their gateway.
Your best bet is to start over from scratch and follow the tutorial closely. The configuration of the firewall is different than you might expect. That's the other easy mistake when setting this up.
I need to do all the configuration in OpenWrt and it should be independent from the ISP router, so I think I need to follow the first option.
I am trying to emulate a travel router to do some tests before buying one.
So please, if you have any guide I would appreciate it, because I have followed many, even tried with ChatGPT answers, but none of them worked: I cannot get the Wi-Fi traffic routed through WireGuard.
Maybe the approach is not exactly a travel router, because the OpenWrt is connected via LAN to the ISP router...
If necessary, change the lan subnet so that it doesn't conflict with your current upstream/main network (i.e. if your current network uses 192.168.1.0/24, change the lan IP of OpenWrt to something like 192.168.5.1)
Connect the wan port of the OpenWrt device to the upstream lan.
Configure the wifi (if desired) on the OpenWrt router.
Set up WireGuard (it looks like you didn't get it working previously, but we'll address that issue if it comes up again after you follow this general process)
Connect your client devices to the OpenWrt router's lan ports and/or wifi -- they should now route through the OpenWrt device and via the tunnel if Wireguard is setup correctly.
Don't even try this. These LLMs cannot help you properly -- they are more likely to lead you astray.
When you follow my advice above, it will be very similar to the travel router scenario.
The travel router use case depends on routing between two networks: users in a LAN, and a connection to the Internet via a WAN. If this mini PC only has one Ethernet port you will need to use Wi-Fi for one of the networks.
Once you have lan->wan routing working, it is what is assumed in almost all the guides to setting up a "whole house" VPN through a router.
PBR will not help in the OP's current configuration and topology. The client devices do not know that there is an alternate gateway -- they are all using the upstream router.
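The steps above (a separate wan and lan, a lan subnet that does not collide with the upstream 192.168.0.0/24, Wi-Fi as the lan because the cube PC has a single Ethernet port, the tunnel in its own firewall zone) written out as UCI config. This is an added example, not configuration posted in the thread or shipped by OpenWrt or ProtonVPN; the 192.168.5.1/24 subnet follows the suggestion above, the SSID, passphrase, radio name 'radio0' and the two key placeholders are assumptions, and the tunnel address, DNS server and endpoint are the ones from the original post. The stock `config rule` entries that OpenWrt generates in /etc/config/firewall (Allow-DHCP-Renew, Allow-Ping and friends) are kept as generated and not repeated here.

```uci
# /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Upstream side. eth0 is no longer in br-lan: it is the wan, a DHCP client of the ISP router.
# peerdns '0' stops dnsmasq from also forwarding queries to the ISP router's resolver, so DNS
# only goes through the tunnel (to 10.2.0.1 below). No wan6 is defined on purpose: the peer's
# allowed_ips covers IPv4 only, so any upstream IPv6 would bypass the tunnel.
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'

# Downstream side: a bridge with no wired ports; the AP in /etc/config/wireless attaches to it.
config device
	option name 'br-lan'
	option type 'bridge'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'CLIENT_PRIVATE_KEY_FROM_PROVIDER_CONFIG'   # placeholder
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

# route_allowed_ips '1' is the "Route Allowed IPs" checkbox: it installs the default route via
# wg0. OpenWrt's proto handler adds the host route to the endpoint via the wan (the
# "185.107. via 192.168.0.1" line in the ip route output earlier in the thread).
config wireguard_wg0
	option description 'ProtonNL'
	option public_key 'SERVER_PUBLIC_KEY_FROM_PROVIDER_CONFIG'      # placeholder
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '185.107.56.219'
	option endpoint_port '51820'
	option persistent_keepalive '25'

# /etc/config/wireless (keep the generated wifi-device 'radio0' stanza; only the AP is shown)
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'travel-vpn'          # assumed name
	option encryption 'sae'           # WPA3; use 'psk2' if a client only does WPA2
	option key 'CHANGE_ME_PASSPHRASE' # placeholder

# /etc/config/dhcp
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# /etc/config/firewall (zones and forwardings; stock rules unchanged)
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The tunnel gets its own zone. masq '1' rewrites lan sources to 10.2.0.2, the only address the
# provider will accept from this peer.
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# lan -> vpn only. There is deliberately no lan -> wan forwarding: if the tunnel is down,
# clients lose connectivity instead of silently going out through the ISP router.
config forwarding
	option src 'lan'
	option dest 'vpn'
```

Two things to check before and after applying it. Because eth0 becomes the wan with input rejected, LuCI and SSH stop being reachable from the ISP router's side; connect over the new Wi-Fi network and use 192.168.5.1. After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, `wg show` should start printing `latest handshake` and `transfer` lines with growing counters, `ip route show` on the router should list the default route on wg0 with the endpoint host route on eth0, and a Wi-Fi client's public address should be the VPN exit rather than the ISP.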
Follow the Surfshark guide to set up WireGuard: How to set up WireGuard® on OpenWRT router – Surfshark Customer Support
But the Luci GUI has been updated and now there are more keys to be filled:
In the interface:
Public Key -> Generate a new one
Private Key -> Provided by Surfshark
In the peer:
Public Key -> Provided by Surfshark
Private Key -> Generate new one
I would urge you to install the chrony package too. WireGuard requires the clock to be exactly correct. Installing this package will save you a lot of headaches with WireGuard, because it won't work at all if the clock isn't exactly correct, even if it's configured exactly correctly. The Raspberry Pi has no RTC (real time clock), so it will forget the time when it shuts down or reboots.