Running WireGuard on a router
In this guide, we walk you through the steps to set up and run WireGuard on a router.
If you run into any issues while testing WireGuard, please contact firstname.lastname@example.org and let us know what you experience.
Avoid bricking your router
It's possible that you could end up "bricking" your router, meaning the device will stop working entirely.
In our experience, this happens more frequently if you first install DD-WRT, then install OpenWRT, and then try to change back and forth between different systems. It rarely happens if you go from factory default to LEDE. The Intel NUC running x86 is, however, impossible to brick.
Installing LEDE on your router
First, you'll need to install the LEDE firmware onto your router. Although routers come equipped with vendor-supplied firmware, we are choosing to use LEDE in conjunction with this guide because it installs easily and is frequently updated.
LEDE is a Linux operating system based on OpenWrt.
- Consult the list of supported routers on the LEDE Project's website to see if yours is included.
- Browse the list of latest LEDE release.
- Download and install the build that corresponds to your device.
What you need in order to proceed:
- a router with a fresh installation of LEDE
- a public/private key pair to use with WireGuard (will be desribed below)
- an IP address to use (will be desribed below)
Verify that LuCI GUI is installed and running on your router
The default IP address for a new installation of LEDE is 192.168.1.1. The user login is "root" and the password is "" (blank).
Connect with a browser to 192.168.1.1.
Run som shell stuff, and fix LuCI if needed:
- Open a terminal (Linus and OS X) and run "ssh email@example.com".
- Accept the fingerprint.
- Leave the password blank and login.
- Run the following commands in order
opkg install curl
opkg install ca-bundle
If no web page was loaded , do as follows and then try again to connect with a browser to 192.168.1.1:
opkg install luci
Once logged in to the router, change the password by following the instructions on the screen.
From the System drop-down menu, click on Software and install the package "luci-proto-wireguard".
Public/private key pair
If you do not have public/private key pair to use with WireGuard, then you can use SSH to connect to the router as described earlier, and run:
wg genkey | tee privatekey | wg pubkey > publickey
Your public key will be in the file "publickey" and your private key in the file "privatekey".
Getting an IP to use with Mullvad
While connected to the router using ssh:
curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY
The IP:address to use will Mullvad will be returned.
Add the WireGuard interface
In the main menu, select Network- Interfaces and then click on "Add new interface". Name the interface WGINTERFACE and select Protocol WireGuard VPN and press submit in order to start configure the new interface.
Configure WGInterface settings
Make the following changes:
- IP Addresses – replace 10.99.0.5 with the IP address you received from Mullvad
- Private Key – use your own
- Public Key – use the key that corresponds with the Mullvad WireGuard server of your choosing
- Endpoint Host (Peers)– use the IP address that corresponds with the Mullvad WireGuard server of your choosing.
- Allowed IPs - change to 0.0.0.0/0
In the example screenshot below, we used our WireGuard server located in Malmö, Sweden (see the list of all our WireGuard servers). You can use the IP address or DNS name.
Click on the Advanced Settings tab and check the box next to "Force link". Leave the other options on this page as is (Setting does not exist om some versions)
Save and apply settings!
Add new firewall zone
From the Network drop-down menu, click on Firewall.
Scroll down to Zones. Create a new zone and set it up as shown below. We named ours "WGZONE".
DHCP and DNS settings
Navigate to the DHCP and DNS settings.
Next to DNS forwarding, add 10.64.0.1 like shown below (unlike in our screenshot, you can skip adding 126.96.36.199).
Change DNS on LAN Interface
Navigate to Network→Interfaces→LAN and make the following changes:
- IPv4 address – change this to "192.168.99.1" (this ensures that it won't conflict with our other routers commonly running on 192.168.0.1 or 192.168.1.1)
- DHCP-Options – set this to "6,10.64.0.1".
(If you'd like to learn more about DNS, check out our guide on DNS leaks.)
Restart the router
In order to make everything start properly, restart the router. Some settings require you to restart the WGInterface in order for the changes to be applied. Sometimes you need to restart the router more than once!
Test your IP address
Use https://am.i.mullvad.net/ to see which IP adress you are using. It should be one of Mullvad's and not your own.
Add a watchdog
Adding a watchdog will ensure that the router restarts if anything stops working. Note: Complete this step only after you have confirmed that the router is working properly.
Use SSH to log in to the router and add the file wg-watchdog.sh (provided below) in /root.
The wg-watchdog.sh file:
# ping mullvad dns that can only be reached via the VPN tunnel
# if no contact, reboot!
while [[ $tries -lt 5 ]]
if /bin/ping -c 1 10.64.0.1
echo "wg works"
echo "wg fail"
echo "wg faild 5 times - rebooting"
Make the file executable using the command "chmod +x /root/wg-watchdog.sh".
Afterward, add the following entry in System → Scheduled Tasks in LuCI:
*/10 * * * * /root/wg-watchdog.sh
Multihop using SOCKS5
With WireGuard, you can make use of multihopping, a process in which your traffic gets routed from one server to another before exiting.
All of our WireGuard servers are connected to all other WireGuard servers via WireGuard tunnels. In addition, each of the servers has the SOCKS5 proxy installed which makes it possible to select a SOCKS5 proxy in a browser (or other program) and multihop.
Below, the top left browser displays that no is proxy set. The bottom browser, however, shows a computer using the SOCKS host for the U.K. The right-hand window shows the browser's connection settings set to gb1-wg.socks5.mullvad.net (for the U.S, use us1-wg.socks5.mullvad.net).
To find out which version of WireGuard you have running, SSH to the router (see instructions above) and issue the command "dmesg | grep -i wireguard.io".
The router will respond with the version of WireGuard, for example "[ 10.339423] wireguard: WireGuard 0.0.20170517 loaded. See www.wireguard.io for information."
Restart the router. Some settings, like the watchdog and adding the WireGuard interface, need a restart in order for changes to be applied.
Keep in mind that your router needs to have proper time / date, not having so can cause it to not connect properly.