In this guide, we walk you through the steps to set up and run WireGuard on a router.
If you run into any issues while testing WireGuard, please contact firstname.lastname@example.org and let us know what you experience.
First, check OpenWrt's list of supported routers to make sure yours is included.
Installing WireGuard and Mullvad on your router comes with some benefits:
What you need in order to proceed:
Follow your router's instructions on how to connect and update the firmware to the OpenWrt firmware that you previously downloaded.
The router normally displays some status information and then restarts. Take extra care in downloading the correct version since doing this incorrectly could "brick" your router, making it completely unusable.
Once logged in to the router, change the password by following the instructions on the screen.
From the System drop-down menu, click on Software and install the package "luci-proto-wireguard". (package name changed?)
If you do not have a public/private key pair to use with WireGuard, then you can use SSH to connect to the router as described earlier, and run:
wg genkey | tee privatekey | wg pubkey > publickey
Your public key will be in the file "publickey" and your private key in the file "privatekey".
If you're running WireGuard on multiple devices, generate a separate key pair for each device. You will otherwise likely run into connectivity issues.
While connected to the router using ssh:
curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY
The IP address to use with Mullvad will be returned.
In the main menu, select Network → Interfaces and then click on "Add new interface". Name the interface WGINTERFACE, select the protocol "WireGuard VPN", and press Submit to start configuring the new interface.
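An added example, not part of the original guide: the same key-generation pipeline run under umask 077 so the private key is never readable by other users, with a format check on the public key before it is registered. The directory /root/wireguard-keys, the script name wg-keys.sh and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. KEYDIR and all function names
# are assumptions made for illustration.
KEYDIR=${KEYDIR:-/root/wireguard-keys}

# A WireGuard key is 32 bytes in base64: 43 characters plus one "=" of padding.
# The 43rd character carries only 4 bits of key, so it is limited to 16 values.
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    case "$1" in *[AEIMQUYcgkosw048]=) ;; *) return 1 ;; esac
    case "${1%=}" in *=*) return 1 ;; esac
    return 0
}

# True only if the file exists and grants nothing to group or others.
key_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Same pipeline as the guide, but run under umask 077 in a subshell so that
# privatekey is created mode 0600; refuses to overwrite an existing key.
gen_keypair() {
    (
        umask 077
        mkdir -p "$1" && cd "$1" || exit 1
        if [ -e privatekey ]; then
            echo "refusing to overwrite $1/privatekey" >&2
            exit 1
        fi
        wg genkey | tee privatekey | wg pubkey > publickey
    )
}

# Run as: sh wg-keys.sh generate
if [ "${1:-}" = "generate" ]; then
    gen_keypair "$KEYDIR" || exit 1
    key_file_is_private "$KEYDIR/privatekey" || { echo "privatekey is readable by others" >&2; exit 1; }
    pub=$(cat "$KEYDIR/publickey")
    is_wg_key "$pub" || { echo "publickey is not a valid WireGuard key" >&2; exit 1; }
    echo "Public key to register: $pub"
fi
```

The printed public key is the value that replaces YOURPUBLICKEY in the curl command above; the private key stays on the router.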
Make the following changes:
In the example screenshot below, we used our WireGuard server located in Malmö, Sweden (see the list of all our WireGuard servers). You can use the IP address or DNS name.
Click on the Advanced Settings tab and check the box next to "Force link". Leave the other options on this page as is. (This setting does not exist on some versions.)
Save and apply settings!
From the Network drop-down menu, click on Firewall.
Scroll down to Zones. Create a new zone and set it up as shown below. We named ours "WGZONE".
Navigate to the DHCP and DNS settings.
Next to DNS forwarding, add 10.64.0.1 as shown below (unlike in our screenshot, you can skip adding 188.8.131.52).
Navigate to Network→Interfaces→LAN and make the following changes:
(If you'd like to learn more about DNS, check out our guide on DNS leaks.)
In order to make everything start properly, restart the router. Some settings require you to restart the WGInterface in order for the changes to be applied. Sometimes you need to restart the router more than once!
Use am.i.mullvad.net to see which IP address you are using. It should be one of Mullvad's and not your own.
Adding a watchdog will ensure that the router restarts if anything stops working.
Use SSH to log in to the router and add the file wg-watchdog.sh (provided below) in /root.
The wg-watchdog.sh file:
#!/bin/sh
# Ping the Mullvad DNS server, which can only be reached via the VPN tunnel.
# If there is no contact, reboot!
tries=0
while [ "$tries" -lt 5 ]
do
    if /bin/ping -c 1 10.64.0.1
    then
        echo "wg works"
        exit 0
    fi
    echo "wg fail"
    tries=$((tries+1))
done
echo "wg failed 5 times - rebooting"
reboot
Make the file executable using the command
chmod +x /root/wg-watchdog.sh
Afterward, add the following entry in System → Scheduled Tasks in LuCI:
*/10 * * * * /root/wg-watchdog.sh
With WireGuard, you can make use of multihopping, a process in which your traffic gets routed from one server to another before exiting.
All of our WireGuard servers are connected to all other WireGuard servers via WireGuard tunnels. In addition, each of the servers has the SOCKS5 proxy installed which makes it possible to select a SOCKS5 proxy in a browser (or other program) and multihop.
Below, the top left browser shows that no proxy is set. The bottom browser, however, shows a computer using the SOCKS host for the U.K. The right-hand window shows the browser's connection settings set to gb1-wg.socks5.mullvad.net (for the U.S., use us1-wg.socks5.mullvad.net).
To find out which version of WireGuard you have running, SSH to the router (see instructions above) and issue the command
dmesg | grep -i wireguard.io
The router will respond with the version of WireGuard, for example "[ 10.339423] wireguard: WireGuard 0.0.20170517 loaded. See www.wireguard.io for information."
Restart the router. Some settings, like the watchdog and adding the WireGuard interface, need a restart in order for changes to be applied.