WireGuard on a router
In this guide, we walk you through the steps to set up and run WireGuard on a router.
If you run into any issues while testing WireGuard, please contact email@example.com and let us know what you experience.
Installing OpenWrt on your router
First, check OpenWrt's list of supported routers to make sure yours is included.
Installing WireGuard and Mullvad on your router comes with some benefits:
- You can secure your whole network and all devices connected to the router.
- You can run Mullvad on more than five devices (all devices connected to the router).
- Via the router, you can even run Mullvad on devices that have no support for WireGuard.
- A router is designed for routing, naturally, and is not disturbed by other programs and settings like a program in a computer might be. It works well and is stable.
What you need in order to proceed:
- a router with a fresh installation of OpenWrt
- a public/private key pair to use with WireGuard (will be described below)
- an IP address to use (will be described below)
Update the router's firmware to OpenWRT
Follow your router's instructions on how to connect and update the firmware to the OpenWrt firmware that you previously downloaded.
The router normally displays some status information and then restarts. Take extra care in downloading the correct version since doing this incorrectly could "brick" your router, making it completely unusable.
Initial configuration of OpenWrt
- Open a browser and navigate to http://192.168.1.1/.
- Click the Login button. This logs you in with the default root user and no password.
- Once the Status page loads, you will see a message at the top saying “No password set!” Click the link below it to configure a password.
- On the Router Password page, set a secure and memorable password. Click the Save & Apply button at the bottom of the page.
- On the same page, in the SSH Access section, set the interface to LAN. Click the Save & Apply button.
Once logged in to the router, change the password by following the instructions on the screen.
From the System drop-down menu, click on Software and install the package "luci-proto-wireguard". (package name changed?)
Public/private key pair
If you do not have a public/private key pair to use with WireGuard, then you can use SSH to connect to the router as described earlier, and run:
wg genkey | tee privatekey | wg pubkey > publickey
Your public key will be in the file "publickey" and your private key in the file "privatekey".
If you're running WireGuard on multiple devices, generate a separate key pair for each device. You will otherwise likely run into connectivity issues.
Getting an IP to use with Mullvad
While connected to the router using ssh:
curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY
The IP:address to use will Mullvad will be returned.
Add the WireGuard interface
In the main menu, select Network- Interfaces and then click on "Add new interface". Name the interface WGINTERFACE and select Protocol WireGuard VPN and press submit in order to start configure the new interface.
Configure WGInterface settings
Make the following changes:
- IP Addresses – replace 10.99.0.5 with the IP address you received from Mullvad
- Private Key – use your own
- Public Key – use the key that corresponds with the Mullvad WireGuard server of your choosing
- Endpoint Host (Peers)– use the IP address that corresponds with the Mullvad WireGuard server of your choosing.
- Allowed IPs - change to 0.0.0.0/0
In the example screenshot below, we used our WireGuard server located in Malmö, Sweden (see the list of all our WireGuard servers). You can use the IP address or DNS name.
Click on the Advanced Settings tab and check the box next to "Force link". Leave the other options on this page as is (Setting does not exist om some versions)
Save and apply settings!
Add new firewall zone
From the Network drop-down menu, click on Firewall.
Scroll down to Zones. Create a new zone and set it up as shown below. We named ours "WGZONE".
DHCP and DNS settings
Navigate to the DHCP and DNS settings.
Next to DNS forwarding, add 10.64.0.1 like shown below (unlike in our screenshot, you can skip adding 126.96.36.199).
Change DNS on LAN Interface
Navigate to Network→Interfaces→LAN and make the following changes:
- IPv4 address – change this to "192.168.99.1" (this ensures that it won't conflict with our other routers commonly running on 192.168.0.1 or 192.168.1.1)
- DHCP-Options – set this to "6,10.64.0.1".
(If you'd like to learn more about DNS, check out our guide on DNS leaks.)
Restart the router
In order to make everything start properly, restart the router. Some settings require you to restart the WGInterface in order for the changes to be applied. Sometimes you need to restart the router more than once!
Test your IP address
Use am.i.mullvad.net to see which IP adress you are using. It should be one of Mullvad's and not your own.
Add a watchdog
Adding a watchdog will ensure that the router restarts if anything stops working. Note: Complete this step only after you have confirmed that the router is working properly.
Use SSH to log in to the router and add the file wg-watchdog.sh (provided below) in /root.
The wg-watchdog.sh file:
# ping mullvad dns that can only be reached via the VPN tunnel
# if no contact, reboot!
while [[ $tries -lt 5 ]]
if /bin/ping -c 1 10.64.0.1
echo "wg works"
echo "wg fail"
echo "wg faild 5 times - rebooting"
Make the file executable using the command "chmod +x /root/wg-watchdog.sh".
Afterward, add the following entry in System → Scheduled Tasks in LuCI:
*/10 * * * * /root/wg-watchdog.sh
Multihop using SOCKS5
With WireGuard, you can make use of multihopping, a process in which your traffic gets routed from one server to another before exiting.
All of our WireGuard servers are connected to all other WireGuard servers via WireGuard tunnels. In addition, each of the servers has the SOCKS5 proxy installed which makes it possible to select a SOCKS5 proxy in a browser (or other program) and multihop.
Below, the top left browser displays that no is proxy set. The bottom browser, however, shows a computer using the SOCKS host for the U.K. The right-hand window shows the browser's connection settings set to gb1-wg.socks5.mullvad.net (for the U.S, use us1-wg.socks5.mullvad.net).
To find out which version of WireGuard you have running, SSH to the router (see instructions above) and issue the command "dmesg | grep -i wireguard.io".
The router will respond with the version of WireGuard, for example "[ 10.339423] wireguard: WireGuard 0.0.20170517 loaded. See www.wireguard.io for information."
Restart the router. Some settings, like the watchdog and adding the WireGuard interface, need a restart in order for changes to be applied.
Important: Your router needs to have the proper time and date, otherwise you'll likely run into connectivity issues.