How to set up WireGuard on OpenWRT router

In this article, you will learn how to set up a manual WireGuard connection on your OpenWRT firmware router.


Here are the steps we will go through:



Get your key pair


There are two routes at this stage: either you have already generated a key pair and will use it for this setup, or you have never generated one. If you have a key pair, continue with the tutorial as usual; if you have not created one, skip to the "I don't have a key pair" section.


I have a key pair


  1. Go to this page, choose the Router option and click on WireGuard.

  2. In the next window, click on I have a key pair.


  3. Enter your public key and hit Save.


I don't have a key pair


  1. Go to this page, choose the Router option and click on WireGuard.


  2. In the next window, click on I don't have a key pair.

  3. Click on Generate a new key pair.

    Note: once the key pair is generated, copy both keys and store them on your device, as you will not be able to view them again.



Choose a server


Whether or not you already had a key pair, you will now see a Choose a location button. Click on it to see the full list of available locations to connect to. Select one and hit the download button.





Install and configure WireGuard


  1. First, access your router by opening one of the following addresses in your browser:

    Routers flashed with OpenWRT firmware image initially accept connections only through the telnet protocol, so you should connect to telnet with the following IP address: and change the root password with the command "passwd".

  2. Once logged in, click on System and select Software.


  3. On this page, we will download the WireGuard package. To do so, click on Update lists.


  4. Once the lists are updated, type WireGuard in the search field and install the WireGuard package first, followed by luci-app-wireguard.


  5. Now you will need to restart the router. To do so, click on System, and then click Reboot. After the reboot is done, log in to your router again.

Configure the interface


  1. Now we will need to install the WireGuard interface. Click on Network, then select Interfaces, and at the bottom of the page select Add new interface.


    Name: wg0
    Protocol: WireGuard VPN

    Lastly, select Create Interface.


  2. Now you will need to enter the Private key which you generated at the beginning of the article. Copy and paste it into the Private Key area.


    In the IP Address box, enter the IP address from the Surfshark WireGuard server file. In our case, it's

  3. Now click on the Advanced Settings tab and uncheck Use DNS servers advertised by peer and enter Surfshark DNS addresses which are:

  4. Now you will need to assign a firewall zone. To do so, click on Firewall settings. Here click on unspecified and then in the bottom field enter vpn.

  5. Now click on the Peers tab and select Add peer.

  6. Now let's add the last piece of information:

    Description: you can name it whatever you like
    Public key: paste your public key which you generated earlier
    Allowed IPs:
    Route allowed IPs: check the box
    Endpoint host: enter the endpoint IP address of the configuration file (note that it should end with
    Endpoint port: enter the last 5 digits from the IP address of the configuration file

    Lastly, click Save.


  7. You will notice that the WG0 interface has 7 pending changes. Click on Save & Apply to confirm them.
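
The field mapping from steps 2 and 6, as an added example that is not part of the original article: a POSIX shell script that reads the downloaded configuration file, checks the keys and the port, and prints the equivalent UCI commands. It assumes a standard wg-quick style file with [Interface] and [Peer] sections; the peer section name wgpeer is an arbitrary choice.

```shell
#!/bin/sh
# Added example: wg-quick style file -> UCI commands for wg0 ("wgpeer" is an arbitrary name).

# wg_field FILE KEY: print the value of the first "KEY = value" line.
wg_field() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k) }
        tolower(k) == tolower(key) {
            v = substr($0, index($0, "=") + 1)   # keys end in "=": split at the first one only
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            print v; exit
        }' "$1"
}

# is_wg_key VALUE: a WireGuard key is 32 bytes, i.e. 43 base64 characters plus "=".
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# emit_list OPTION VALUE: one "uci add_list" per comma-separated item.
emit_list() {
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        echo "uci add_list $1='$item'"
    done
}

# wg_to_uci FILE: print the UCI commands; return 1 on a malformed key or port.
wg_to_uci() {
    priv=$(wg_field "$1" PrivateKey)
    pub=$(wg_field "$1" PublicKey)   # read from [Peer]: the key of the server side
    ep=$(wg_field "$1" Endpoint)
    host=${ep%:*}                    # everything before the last ":"
    port=${ep##*:}                   # everything after the last ":"
    is_wg_key "$priv" || { echo "bad PrivateKey" >&2; return 1; }
    is_wg_key "$pub" || { echo "bad PublicKey" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad Endpoint port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad Endpoint port" >&2; return 1; }
    echo "uci set network.wg0=interface"
    echo "uci set network.wg0.proto='wireguard'"
    echo "uci set network.wg0.private_key='$priv'"
    emit_list network.wg0.addresses "$(wg_field "$1" Address)"
    echo "uci set network.wgpeer=wireguard_wg0"
    echo "uci set network.wgpeer.public_key='$pub'"
    echo "uci set network.wgpeer.endpoint_host='$host'"
    echo "uci set network.wgpeer.endpoint_port='$port'"
    echo "uci set network.wgpeer.route_allowed_ips='1'"
    emit_list network.wgpeer.allowed_ips "$(wg_field "$1" AllowedIPs)"
    echo "uci commit network"
}
```

The output contains the private key, so generate it on the router itself and pipe it to sh there instead of saving it to a shared location.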


Configure the VPN zone


  1. Now the last step - configuring the VPN zone. Go to the Network tab and select Firewall at the bottom.

  2. Here you will see the various zones on your network, and at the bottom you will find the VPN zone you created earlier. Its input, output, forward and masquerading options need to match the “wan” zone. In this case, change the input from Accept to Reject and check the masquerading box. After doing so, click Save.

  3. Next, the lan to wan zone needs to be edited. Click on Edit next to it, and in the Allow forward to destination zones section, open the dropdown and select the VPN zone that we created.

  4. Lastly, click Save.


The VPN is now active and your connection is secure. Just to verify that, click on Network, then select Interfaces. The WG0 interface we created should be receiving and sending packets.



Congratulations! Now you know how to set up a manual connection on your OpenWRT router using the WireGuard protocol.

