Wireguard is a very lightweight VPN with much simpler configuration than the cumbersome OpenVPN. It’s perfect for setting up a home VPN, so that clients connect to your home VPN first before accessing sensitive services on the internal network.

The diagram below shows my home network topology (see: Setting up OpenWrt as a Bypass Router Using Raspberry Pi 4B+ | Kunyang’s Blog). I use OpenWrt as a bypass router - other devices’ default gateway and DNS point to OpenWrt.

Network topology

OpenWrt

Installation

Required packages:

  • kmod-wireguard
  • luci-proto-wireguard
  • wireguard-tools

Configuration

  • Go to Network → Interface → Add new interface and create a wireguard interface named wg0.

    Create Interface

  • Click “Generate new key pair” to auto-generate a public and private key. For IP address, use any private address subnet. I use 192.168.100.1/24. This is the VPN subnet. Set a listen port (I use 55555).

    Configure Wireguard

  • Go to Network → Firewall → General Settings and create a separate zone for wireguard. Enable Input, Output, and Forward. Disable Masquerading.

    Firewall

    After configuration, go to Interface → wg0 → Firewall Settings and you should see wg0 in its own zone.

  • If OpenWrt is your main router, you need to open the port in Firewall → Traffic Rules.

    Open Wireguard Port

  • In my case, OpenWrt is a bypass router, so I set up port forwarding on the main router:

    Port Forwarding

  • Go to Network → Interface → wg0 and click Edit, then switch to Peers and click Add peer:

    • Add a description, e.g., my Windows desktop
    • You can create a new key pair
    • I recommend creating a Preshared Key
    • Allowed IPs is this peer’s IP in the VPN network. I use 192.168.100.2/32. Note: the netmask must be /32, as each device should have only one IP.
    • If the device is on your home network (like my desktop), fill in OpenWrt’s address for Endpoint. If the device is external (like my MacBook), use your home’s public IP.
    • You can set Persistent Keep Alive to 25 (seconds).

    Peer Configuration

  • Reload the wg0 interface.

Windows or macOS

Installation

Download the Wireguard App from here.

Configuration

  • In OpenWrt → Network → Interface → wg0 → Edit Peer, you can conveniently export configuration files for each device. Copy and paste them into the Windows Wireguard client.

  • Here’s a Windows configuration example:

    [Interface]
    PrivateKey = [Windows_PRIVATE_KEY]
    ListenPort = Port
    Address = 192.168.100.2/32      # Windows' IP in the Wireguard subnet
    DNS = [OpenWrt IP]              # Can be the Wireguard server's (OpenWrt) real IP

    [Peer]
    PublicKey = [OpenWrt_PUBLIC_KEY]
    PresharedKey = [Windows_PSK]
    AllowedIPs = 192.168.100.0/24   # My Windows PC is on the same subnet as the main router
    Endpoint = [OpenWrt IP]:Port
    PersistentKeepalive = 25


MacBook

My MacBook is usually used outside my home network, so unlike the above, AllowedIPs is set to route all traffic through the VPN:

[Interface]
PrivateKey = [MacBook_PRIVATE_KEY]
Address = 192.168.100.3/32
ListenPort = Port
DNS = [OpenWrt IP]

[Peer]
PublicKey = [OpenWrt_PUBLIC_KEY]
PresharedKey = [MacBook_PSK]
AllowedIPs = 0.0.0.0/0, ::/0        # All traffic
Endpoint = [Home Public IP]:Port    # Public IP
PersistentKeepalive = 25

Linux

Installation

sudo apt update
sudo apt upgrade
sudo apt install wireguard

Configuration

  • Go to /etc/wireguard and generate a key pair. You can also generate it in OpenWrt’s web manager (more convenient but less secure: the device’s private key is then created on the router and has to be copied over, instead of never leaving the device):

    sudo -i
    cd /etc/wireguard
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
    
  • Edit the configuration file /etc/wireguard/wg0.conf:

    [Interface]
    PrivateKey = [LINUX_PRIVATE_KEY]
    Address = 192.168.100.4/32
    ListenPort = Port
    DNS = [OpenWrt IP]

    [Peer]
    PublicKey = [OpenWrt_PUBLIC_KEY]
    PresharedKey = [LINUX_PSK]
    AllowedIPs = 192.168.100.0/24   # My Linux server is always at home
    Endpoint = [OpenWrt IP]:Port
    PersistentKeepalive = 25

  • Start Wireguard:

    sudo wg-quick up wg0
    
  • If you need to reload:

    sudo wg-quick down wg0
    sudo wg-quick up wg0
    
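Before running wg-quick up, it is worth checking the file for the mistakes this post warns about. The linter below is an added example for this post, not WireGuard's or OpenWrt's own code: it parses the wg-quick style config shown in the Windows, MacBook and Linux examples above (with `#` comments), checks that every key is a well-formed 32-byte base64 value and that no `[placeholder]` was left unfilled, reports peers without a PresharedKey or PersistentKeepalive, and, with `server_side=True`, enforces the rule from the OpenWrt peer step that a peer's AllowedIPs must be a single /32. The sample config, its key (the base64 of the bytes 0..31) and the 192.168.1.1 OpenWrt address are all constructed for the example.

```python
"""Lint a wg-quick style WireGuard .conf before bringing it up.
Added example for this post (not WireGuard's or OpenWrt's own code).
"""
import base64
import ipaddress
import re

# A WireGuard key is 32 bytes base64-encoded: 43 alphabet characters plus one "=".
_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")

def parse_wg_conf(text):
    """Parse the INI-style format into (interface_dict, [peer_dict, ...]); '#' starts a comment."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value  # wg(8) matches keys case-insensitively
    return interface, peers

def valid_key(value):
    """Syntactic check only: 44-char base64 that decodes to 32 bytes."""
    return bool(_KEY_RE.match(value)) and len(base64.b64decode(value)) == 32

def _check_key(findings, label, value):
    """Flag a missing key, a [placeholder] left unfilled, or a malformed key."""
    if value is None:
        findings.append(f"{label} missing")
    elif value.startswith("[") and value.endswith("]"):
        findings.append(f"{label} placeholder not filled in")
    elif not valid_key(value):
        findings.append(f"{label} is not a valid 32-byte base64 key")

def lint_wg_conf(text, server_side=False):
    """Return a list of findings; empty means the config passes.
    server_side=True applies the post's rule for OpenWrt's peer entries: one host per peer."""
    findings = []
    interface, peers = parse_wg_conf(text)
    _check_key(findings, "Interface PrivateKey", interface.get("privatekey"))
    for n, peer in enumerate(peers, 1):
        _check_key(findings, f"Peer {n} PublicKey", peer.get("publickey"))
        if "presharedkey" in peer:
            _check_key(findings, f"Peer {n} PresharedKey", peer["presharedkey"])
        else:
            findings.append(f"Peer {n} has no PresharedKey (the post recommends one)")
        allowed = [a.strip() for a in peer.get("allowedips", "").split(",") if a.strip()]
        if not allowed:
            findings.append(f"Peer {n} AllowedIPs missing")
        for cidr in allowed:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"Peer {n} AllowedIPs entry {cidr!r} is not a CIDR")
                continue
            if server_side and net.num_addresses != 1:
                findings.append(f"Peer {n} AllowedIPs {cidr} is not a single host (/32 or /128)")
        if "persistentkeepalive" not in peer:
            findings.append(f"Peer {n} has no PersistentKeepalive (the post uses 25)")
    return findings

# Constructed sample key: base64 of the bytes 0..31. Well-formed, but not a real key.
FAKE_KEY = base64.b64encode(bytes(range(32))).decode()

# Constructed client config in the shape of the post's Linux example, placeholders
# filled in (192.168.1.1 is an assumed OpenWrt LAN address, not from the post).
SAMPLE_CLIENT = f"""
[Interface]
PrivateKey = {FAKE_KEY}
Address = 192.168.100.4/32
DNS = 192.168.1.1

[Peer]
PublicKey = {FAKE_KEY}
PresharedKey = {FAKE_KEY}
AllowedIPs = 192.168.100.0/24   # home server: VPN subnet only
Endpoint = 192.168.1.1:55555
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    import sys
    paths = [a for a in sys.argv[1:] if a != "--server"]
    text = open(paths[0]).read() if paths else SAMPLE_CLIENT
    problems = lint_wg_conf(text, server_side="--server" in sys.argv)
    print("\n".join(problems) or "no findings")
```

Run it as root (the file is mode 0600 after the umask 077 step), e.g. `python3 wg_lint.py /etc/wireguard/wg0.conf`, or with `--server` for a file that holds OpenWrt's peer entries. The check is purely syntactic: it cannot tell whether a PublicKey actually belongs to the peer's PrivateKey, only that nothing is malformed or left as a bracketed placeholder.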

Troubleshooting

  • If you get an error:

    root@debian:/etc/wireguard# sudo wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 192.168.100.4/32 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] resolvconf -a wg0 -m 0 -x
    /usr/bin/wg-quick: line 32: resolvconf: command not found
    [#] ip link delete dev wg0
    

    The resolvconf package is not installed; wg-quick only calls it to apply the DNS = line. Install it:

    sudo apt install resolvconf