How to set up WireGuard® on OpenWRT router

In this article, you will learn how to set up a manual WireGuard® connection on your OpenWRT firmware router.

To proceed, you first need an active Surfshark subscription. You can find the available plans on Surfshark's pricing page.

We will cover the following steps:

  1. Get your key pair
  2. I have a key pair
  3. I don't have a key pair
  4. Choose a Surfshark server
  5. Install and configure WireGuard
  6. Configure the interface
  7. Configure the VPN Zone
  8. Ensure the connection is successful

Get your key pair

There are two ways we can go from here. You might have generated a key pair, and you'll be able to use it. Or, we will have to generate one.

If you have a key pair already, continue the tutorial as usual. If you do not, you should move on to the I don’t have a key pair section.

I have a key pair

  1. Go to Surfshark's login page and log in. Then, visit VPN > Manual setup. Choose the Router option and click on WireGuard.

  2. In the next window, click on I have a key pair.

  3. Name your key pair and click Next.

  4. Enter your public key and hit Save.

I don't have a key pair

  1. Go to Surfshark's login page and log in. Then, visit VPN > Manual setup. Choose the Router option and click on WireGuard.

  2. In the next window, click on I don't have a key pair.

  3. Name your new key pair.

  4. Click on Generate a new key pair.

    NOTE: Copy and store the generated key pairs on your device. You will not be able to check them here again.


Choose a Surfshark server

Once you have your key pair, you should see a Choose a location button. Click on it. Here, you'll find the list of available locations to connect to. Select one and hit the download button.


Install and configure WireGuard


  1. Access your router by typing one of the following websites on your browser:

  2. Routers flashed with OpenWRT firmware image initially accept connections only through the telnet protocol, so you should connect to telnet with the following IP address: 

    Change the root password with the command "passwd".

  3. Once logged in, click on System and select Software.

  4. On this page, you will download the WireGuard package. To do so, click on Update lists.

  5. Once the lists are updated, in the search field type WireGuard, and install the WireGuard package first, following with luci-app-wireguard.

  6. Restart the router. To do so, click on System and then click Reboot. After the reboot is done, log in to your router again.

Configure the interface


  1. Install the WireGuard interface. Click on Network > Interfaces. At the bottom of the page, select Add new interface.

  2. Fill in the following information:
    Name: wg0
    Protocol: WireGuard VPN

  3. Select Create Interface.

  4. Enter the Private key (refer to Get your key pair sections in this article). Copy and paste it into the Private Key area.

  5. In the IP Address box, enter the IP address from the Surfshark WireGuard server file. In our case, it's

  6. Click on the Advanced Settings tab and uncheck Use DNS servers advertised by peer and enter Surfshark DNS addresses, which are:

  7. Assign a firewall zone. To do so, click on Firewall settings. Here click on unspecified, and then in the bottom field, enter vpn.

  8. Now click on the Peers tab and select Add peer.

  9. Add the following information:
    Description: Name it whatever you like
    Public key: Paste your public key (refer to Get your key pair sections in this article)
    Allowed IPs:
    Route allowed IPs: check the box
    Endpoint host: enter the endpoint IP address of the configuration file (note that it should end with
    Endpoint port: Enter the last 5 digits from the IP address of the configuration file

  10. Click Save.

  11. You will notice that the WG0 interface has 7 pending changes. Click on Save & Apply here to confirm them.

Configure the VPN zone


  1. Go to the Network tab and select Firewall at the bottom.

  2. You will find various zones on your network. At the bottom, you will find the VPN zone you created earlier. We need to change the input, output, forward, and masquerading options to match the “wan” zone.

  3. Change the input from Accept to Reject and check the masquerading box. After doing so, click Save.

  4. lan to wan zone needs to be edited, so click on Edit.

  5. Enable MSS clamping in the new window.

  6. In the Allow forward to destination zones section, click on this little arrow and select the VPN zone that we created.

  7. Click Save.

  8. Next to Zones, make sure to click on Save & Apply and reboot your router.

  9. To verify your connection, click on Network > Interfaces. The WG0 interface we created should be receiving and sending packets.


Ensure the connection is successful


We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.


You may also be interested in:

Was this article helpful?
Thank you for your feedback!