Userspace wireguard in OpenWrt 22.03?

I want to run my own userspace WireGuard implementation instead of the kernel implementation in OpenWrt 22.03 and use the userspace WG implementation to make my router (and its LAN) a VPN client by routing certain destination IP addresses through WG.

WG is normally configured in /etc/config/network and automatically uses the kernel implementation. Using the same kind of /etc/config/network-based configuration, is there a way to configure OpenWrt to use a userspace implementation instead? I saw no option for this in the documentation. I want to use my modified userspace implementation, e.g. one based on I could also write my own script to do the low-level things of bringing up the tunnel, running various ip & iptables commands, etc, but I'm concerned that my low-level operations will not play well with the rest of the system wrt how zones are defined and how the firewall works, basically the config in /etc/config/firewall and /etc/config/network.

In case you are curious why I prefer a userspace implementation, it is for obfuscation of my WG traffic. Regular WG packets are very easy to spot. I could also modify the kernel implementation for a modified wireguard.ko, but that's more dangerous and I also want to use unmodified WG on the other WG connections.

No, there wouldn't be a pre-existing UCI config stream for a software you've just added/adding.

  • People say that, but how - what makes them easy to spot? (There's actually 2-3 other open threads where users said the same thing, but have no solution, it seems yours may work)
  • And what are people doing to make them less spotable?
  • How can one peer be altered to do so, but not the other?

You can add the interface to a firewall zone by defining the interface as an unmanaged protocol and assigning an appropriate zone. I'm not sure how this will work for a userspace application you start and terminate.

There are 4 packet types and the type is represented in plaintext at the beginning of each packet. Handshake init, handshake response and cookie response messages always have the same sizes.

You can't make WG packets less spottable by changing the public version of WG to encrypt or otherwise reversibly transform the packets in a fixed way. Attackers will just do the reverse transform and then do the original DPI. But if you encrypt/scramble it in your own way that is not publicly known, then attackers will have a harder time. This can be done by changing the public WG to take an additional argument, an encryption key for symmetrically encrypting/decrypting parts of outgoing/incoming packets. Or just having your own fork that used your own hard-coded key.

Of course both peers need to use the same protocol for WG to work. I control both ends.

1 Like

Aside from OpenWrt currently not providing any kind of support for userspace wireguard, please take a step back first - and re-evaluate what kind of hardware you'd want to run it on…

Currently there seem to be two userspace implementations for wireguard, the original go based wireguard-go, and a W.I.P. implementation for rust with wireguard-rs. Neither of these will run easily on a 'typical' mips or arm router, both have a pretty heavy footprint (flash and RAM, too much for most routers), neither are great in terms of portability (rust worse than go). While you can run them 'easily' on a smartphone or an SBC like system, very few more traditional routers would be capable to deal with it (you rarely find more than ~40 MB usable flash, even on the most recent routers).


The router has a N6005 (x86-64) with 32GB RAM, so no resource worries. It also makes building binaries quite easy. I was able to just run a statically-linked rust binary I built on my desktop.

I got a beefy router to support complicated setups that require complicated stuff like this.

I could also run a regular distro like Debian instead of OpenWrt, but generally, router-related config seems easier to manage from a high-level in OpenWrt.

Actually, what I'm hoping to find is not even a userspace WG binary. I can provide that binary myself and just need a way to configure in /etc/config/network how that binary is to be started and to use that instead of the kernel WG. In other words, a way to configure OpenWrt to run the the userspace WG binary instead of something like "ip link add wg0 type wireguard".