
Running WireGuard on a router

In this guide, we walk you through the steps to set up and run WireGuard on a router.

If you run into any issues while testing WireGuard, please contact support@mullvad.net and let us know what you experience.

Avoid bricking your router

It's possible that you could end up "bricking" your router, meaning the device will stop working entirely.

In our experience, this happens more frequently if you first install DD-WRT, then install OpenWRT, and then try to change back and forth between different systems. It rarely happens if you go from factory default to LEDE. The Intel NUC running x86 is, however, impossible to brick.

Installing LEDE on your router

First, you'll need to install the LEDE firmware onto your router. Although routers come equipped with vendor-supplied firmware, we are choosing to use LEDE in conjunction with this guide because it installs easily and is frequently updated.

LEDE is a Linux operating system based on OpenWrt.

  1. Consult the list of supported routers on the LEDE Project's website to see if yours is included.
  2. Browse the list of the latest LEDE releases.
  3. Download and install the build that corresponds to your device.

Installing WireGuard

What you need in order to proceed:

  • a router with a fresh installation of LEDE
  • a public/private key pair to use with WireGuard (will be described below)
  • an IP address to use (will be described below)

Verify that LuCI GUI is installed and running on your router

The default IP address for a new installation of LEDE is 192.168.1.1. The user login is "root" and the password is "" (blank).

LEDE login screen

Connect with a browser to 192.168.1.1.

Run the following shell commands, and fix LuCI if needed:

  1. Open a terminal (Linux and OS X) and run "ssh root@192.168.1.1".
  2. Accept the fingerprint.
  3. Leave the password blank and login.
  4. Run the following commands in order:

opkg update
opkg install curl
opkg install ca-bundle

If no web page was loaded, do as follows and then try again to connect with a browser to 192.168.1.1:
opkg install luci
/etc/init.d/uhttpd start
/etc/init.d/uhttpd enable

Change password

Once logged in to the router, change the password by following the instructions on the screen.

Install WireGuard

From the System drop-down menu, click on Software and install the package "luci-proto-wireguard".

screenshot of LEDE software install

Public/private key pair

If you do not have a public/private key pair to use with WireGuard, then you can use SSH to connect to the router as described earlier, and run:

wg genkey | tee privatekey | wg pubkey > publickey

Your public key will be in the file "publickey" and your private key in the file "privatekey".

Getting an IP to use with Mullvad

While connected to the router using ssh:

curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY

The IP address to use with Mullvad will be returned.
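The two steps above (generating the key pair and registering the public key) as a small script. This is an added example, not Mullvad's own tooling: it creates the key files with a restrictive umask so the private key is never world-readable, checks that the public key is well-formed before it is sent, and then calls the registration endpoint exactly as in the curl command above. The key directory, the script name and the is_wg_key check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Mullvad guide: generate a WireGuard key pair
# safely and register the public key with the endpoint from the guide.
KEYDIR="${KEYDIR:-/root}"                 # assumed location for the key files
API_URL="https://api.mullvad.net/wg/"     # endpoint from the guide

# A WireGuard key is 32 bytes, base64-encoded: 44 characters ending in one '='.
# 32 bytes leave 2 bytes in the last base64 group, so the character before
# the '=' can only be one of the 16 symbols whose low two bits are zero.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Same pipeline as in the guide, but files are created 0600 (root only).
gen_keys() {
    umask 077
    wg genkey | tee "$KEYDIR/privatekey" | wg pubkey > "$KEYDIR/publickey"
    chmod 600 "$KEYDIR/privatekey" "$KEYDIR/publickey"
}

# Sends the public key; refuses if the file does not hold a plausible key.
register_pubkey() {
    account="$1"
    pubkey=$(cat "$KEYDIR/publickey")
    if ! is_wg_key "$pubkey"; then
        echo "refusing to register: $KEYDIR/publickey is not a valid WireGuard key" >&2
        return 1
    fi
    # --data-urlencode keeps the '+', '/' and '=' characters of the key intact.
    curl -sS "$API_URL" -d "account=$account" --data-urlencode "pubkey=$pubkey"
}

# Only act when run as the script itself: ./wg-register.sh YOURMULLVADACCOUNTNUMBER
case "$0" in
    *wg-register.sh)
        [ -f "$KEYDIR/privatekey" ] || gen_keys
        register_pubkey "$1" ;;
esac
```

Run it once over SSH on the router as "/root/wg-register.sh YOURMULLVADACCOUNTNUMBER"; the address printed is the one to enter as the interface IP in the next section.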

Add the WireGuard interface

In the main menu, select Network → Interfaces and then click on "Add new interface". Name the interface WGINTERFACE, select Protocol "WireGuard VPN" and press Submit to start configuring the new interface.

Configure WGInterface settings

Make the following changes:

  • IP Addresses – replace 10.99.0.5 with the IP address you received from Mullvad
  • Private Key – use your own
  • Public Key – use the key that corresponds with the Mullvad WireGuard server of your choosing
  • Endpoint Host (Peers) – use the IP address that corresponds with the Mullvad WireGuard server of your choosing.
  • Allowed IPs - change to 0.0.0.0/0

In the example screenshot below, we used our WireGuard server located in Malmö, Sweden (see the list of all our WireGuard servers). You can use the IP address or DNS name.

screenshot of LEDE interfaces page

Click on the Advanced Settings tab and check the box next to "Force link". Leave the other options on this page as they are (this setting does not exist in some versions).

Save and apply settings!

Add new firewall zone

From the Network drop-down menu, click on Firewall.

Scroll down to Zones. Create a new zone and set it up as shown below. We named ours "WGZONE".


DHCP and DNS settings

Navigate to the DHCP and DNS settings.

Next to DNS forwarding, add 10.64.0.1 like shown below (unlike in our screenshot, you can skip adding 193.138.218.228).

screenshot of LEDE DHCP and DNS settings page

Change DNS on LAN Interface

Navigate to Network→Interfaces→LAN and make the following changes:

  • IPv4 address – change this to "192.168.99.1" (this ensures that it won't conflict with our other routers commonly running on 192.168.0.1 or 192.168.1.1)
  • DHCP-Options – set this to "6,10.64.0.1".

(If you'd like to learn more about DNS, check out our guide on DNS leaks.)
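The LuCI steps from "Add the WireGuard interface" down to the LAN changes above, expressed as one UCI batch that can be applied over SSH. This is an added example and not part of the Mullvad guide; it is meant for a fresh LEDE install, since running it twice would add the list entries twice. Names and values taken from the guide are WGINTERFACE, WGZONE, 0.0.0.0/0, 10.64.0.1, 192.168.99.1 and DHCP option 6. Assumptions of this example: the peer section name "mullvad", the endpoint port 51820, the REJECT/ACCEPT/masquerade zone settings (the guide's screenshot of the zone is not reproduced here), "route_allowed_ips" as the UCI form of LuCI's "Route Allowed IPs" box, and the PASTE_ placeholders.

```shell
#!/bin/sh
# Added example, not from the Mullvad guide: the LuCI clicks as a UCI batch
# for a fresh LEDE install (interface, peer, Force link, firewall zone,
# DNS forwarding, LAN address and DHCP option 6).
WG_IF="${WG_IF:-WGINTERFACE}"
WG_ZONE="${WG_ZONE:-WGZONE}"
WG_ADDR="${WG_ADDR:-10.99.0.5}"                            # replace with the address returned by the API
WG_PRIVKEY="${WG_PRIVKEY:-}"                               # falls back to /root/privatekey in check_inputs
WG_PEER_PUBKEY="${WG_PEER_PUBKEY:-PASTE_SERVER_PUBLIC_KEY}" # key of the Mullvad server you chose
WG_ENDPOINT="${WG_ENDPOINT:-PASTE_SERVER_HOST}"            # its IP address or DNS name
WG_PORT="${WG_PORT:-51820}"                                # assumed; check the server list

# Prints the batch; nothing is changed until apply_uci_batch runs it.
render_uci_batch() {
    cat <<EOF
set network.$WG_IF=interface
set network.$WG_IF.proto=wireguard
set network.$WG_IF.private_key=$WG_PRIVKEY
set network.$WG_IF.force_link=1
add_list network.$WG_IF.addresses=$WG_ADDR
set network.mullvad=wireguard_$WG_IF
set network.mullvad.public_key=$WG_PEER_PUBKEY
set network.mullvad.endpoint_host=$WG_ENDPOINT
set network.mullvad.endpoint_port=$WG_PORT
add_list network.mullvad.allowed_ips=0.0.0.0/0
set network.mullvad.route_allowed_ips=1
set network.lan.ipaddr=192.168.99.1
add_list dhcp.lan.dhcp_option=6,10.64.0.1
add_list dhcp.@dnsmasq[0].server=10.64.0.1
set firewall.$WG_ZONE=zone
set firewall.$WG_ZONE.name=$WG_ZONE
set firewall.$WG_ZONE.input=REJECT
set firewall.$WG_ZONE.output=ACCEPT
set firewall.$WG_ZONE.forward=REJECT
set firewall.$WG_ZONE.masq=1
set firewall.$WG_ZONE.mtu_fix=1
add_list firewall.$WG_ZONE.network=$WG_IF
set firewall.lan_to_$WG_ZONE=forwarding
set firewall.lan_to_$WG_ZONE.src=lan
set firewall.lan_to_$WG_ZONE.dest=$WG_ZONE
EOF
}

# Refuses obviously incomplete input: no private key, or a placeholder left in.
check_inputs() {
    if [ -z "$WG_PRIVKEY" ] && [ -r /root/privatekey ]; then
        WG_PRIVKEY=$(cat /root/privatekey)
    fi
    [ -n "$WG_PRIVKEY" ] || { echo "private key missing" >&2; return 1; }
    case "$WG_PEER_PUBKEY$WG_ENDPOINT" in
        *PASTE_*) echo "replace the PASTE_ placeholders first" >&2; return 1 ;;
    esac
    return 0
}

# Applies and commits; reboot afterwards as the guide says.
apply_uci_batch() {
    check_inputs || return 1
    render_uci_batch | uci -q batch && uci commit
}

# Only act when run as the script itself: WG_ENDPOINT=... WG_PEER_PUBKEY=... ./wg-uci.sh
case "$0" in
    *wg-uci.sh) apply_uci_batch ;;
esac
```

Run "sh wg-uci.sh" with the placeholders filled in, or source it and call render_uci_batch first to review the exact changes before committing them. Because the LAN address changes to 192.168.99.1, your SSH session will drop after the reboot and you reconnect to the new address.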

Restart the router

In order to make everything start properly, restart the router. Some settings require you to restart the WGInterface in order for the changes to be applied. Sometimes you need to restart the router more than once!

Test your IP address

Use https://am.i.mullvad.net/ to see which IP address you are using. It should be one of Mullvad's and not your own.

Add a watchdog

Adding a watchdog will ensure that the router restarts if anything stops working. Note: Complete this step only after you have confirmed that the router is working properly.

Use SSH to log in to the router and add the file wg-watchdog.sh (provided below) in /root.

The wg-watchdog.sh file:

#!/bin/sh
# ping the Mullvad DNS server, which can only be reached via the VPN tunnel;
# if there is no contact after five attempts, reboot the router.

tries=0
while [ "$tries" -lt 5 ]
do
        if /bin/ping -c 1 10.64.0.1
        then
                echo "wg works"
                exit 0
        fi
        echo "wg fail"
        tries=$((tries+1))
done
echo "wg failed 5 times - rebooting"
reboot

Make the file executable using the command "chmod +x /root/wg-watchdog.sh".

Afterward, add the following entry in System → Scheduled Tasks in LuCI:

*/10 * * * * /root/wg-watchdog.sh
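A variant of the watchdog above, added here as an example and not Mullvad's script. The original reboots every ten minutes for as long as the tunnel is down, so a key that stopped working or an expired account turns into an endless reboot loop that also takes the LAN down every few minutes. This version keeps a reboot counter in /root (which survives reboots) and gives up after a few consecutive reboots, logging instead, so the router stays reachable over the LAN for repair. The state file path, the limits and the use of busybox ping's -W timeout are assumptions of this example; the PING and REBOOT variables exist so the script can be exercised without rebooting anything.

```shell
#!/bin/sh
# Added example, not Mullvad's script: the wg-watchdog from the guide with a
# guard against reboot loops when the tunnel stays down.
PING="${PING:-/bin/ping}"
REBOOT="${REBOOT:-reboot}"
TARGET="${TARGET:-10.64.0.1}"               # Mullvad DNS, only reachable through the tunnel
STATE="${STATE:-/root/wg-watchdog.reboots}" # /root survives a reboot, so the counter does too
MAX_TRIES="${MAX_TRIES:-5}"
MAX_REBOOTS="${MAX_REBOOTS:-3}"
RETRY_DELAY="${RETRY_DELAY:-2}"

# Returns 0 as soon as one ping gets a reply, 1 after MAX_TRIES failures.
tunnel_up() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        if "$PING" -c 1 -W 5 "$TARGET" >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# Number of reboots this watchdog has caused without a healthy check in between.
reboot_count() {
    if [ -f "$STATE" ]; then cat "$STATE"; else echo 0; fi
}

# Exit codes: 0 tunnel up, 1 rebooting, 2 tunnel down but reboot limit reached.
watchdog() {
    if tunnel_up; then
        echo "wg works"
        rm -f "$STATE"                  # a healthy check resets the reboot counter
        return 0
    fi
    n=$(reboot_count)
    if [ "$n" -ge "$MAX_REBOOTS" ]; then
        echo "wg failed $MAX_TRIES times, but $MAX_REBOOTS reboots did not help - not rebooting again"
        return 2
    fi
    echo $((n + 1)) > "$STATE"
    echo "wg failed $MAX_TRIES times - rebooting ($((n + 1))/$MAX_REBOOTS)"
    "$REBOOT"
    return 1
}

# Only run the check when invoked as the script itself (e.g. from cron).
case "$0" in
    *wg-watchdog.sh) watchdog ;;
esac
```

Install it as /root/wg-watchdog.sh with the same chmod and Scheduled Tasks entry as above. After fixing a broken tunnel, the first successful check removes the counter file, so no manual reset is needed.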

Multihop using SOCKS5

With WireGuard, you can make use of multihopping, a process in which your traffic gets routed from one server to another before exiting.

All of our WireGuard servers are connected to all other WireGuard servers via WireGuard tunnels. In addition, each of the servers has the SOCKS5 proxy installed which makes it possible to select a SOCKS5 proxy in a browser (or other program) and multihop.

Below, the top left browser displays that no proxy is set. The bottom browser, however, shows a computer using the SOCKS host for the U.K. The right-hand window shows the browser's connection settings set to gb1-wg.socks5.mullvad.net (for the U.S., use us1-wg.socks5.mullvad.net).


Troubleshooting

To find out which version of WireGuard you have running, SSH to the router (see instructions above) and issue the command "dmesg | grep -i wireguard.io".

The router will respond with the version of WireGuard, for example "[   10.339423] wireguard: WireGuard 0.0.20170517 loaded. See www.wireguard.io for information."

Restart the router. Some settings, like the watchdog and adding the WireGuard interface, need a restart in order for changes to be applied.


Keep in mind that your router needs to have the correct time and date; if it does not, it may fail to connect properly.