🔐 How to Add a VPN to OpenWRT: A Step-by-Step Guide

Adding a VPN to your OpenWRT router is one of the best ways to secure your entire home or office network. Whether you want to encrypt your internet traffic, access geo-restricted content, or hide your IP address, OpenWRT makes it possible to route everything through a VPN.

In this guide, I’ll walk you through the process of adding a VPN client (WireGuard or OpenVPN) to your OpenWRT router.


✅ Prerequisites

Before we begin, make sure you have:

  • A router with OpenWRT installed

  • A VPN provider that supports OpenVPN or WireGuard (like NordVPN, Mullvad, ProtonVPN, etc.)

  • SSH access to your router or access to LuCI (OpenWRT web interface)

  • Some basic networking knowledge helps


🛠️ Method 1: Adding a WireGuard VPN Client to OpenWRT

WireGuard is fast, lightweight, and easy to configure.

Step 1: Install WireGuard packages

SSH into your OpenWRT router and run the commands below (or install the same packages from LuCI > System > Software):

opkg update
opkg install wireguard luci-proto-wireguard wireguard-tools

Step 2: Get WireGuard configuration from your VPN provider

You'll need the following:

  • Private key

  • Public key (of the VPN server)

  • VPN server IP and port

  • Allowed IPs (usually 0.0.0.0/0 for full tunnel)

Step 3: Configure WireGuard Interface in LuCI

Go to Network > Interfaces > Add new interface

  • Name: wg0

  • Protocol: WireGuard VPN

  • Assign firewall zone: wan (or create a new vpn zone)

Click Create Interface, then enter:

  • Private Key: (from your config)

  • Listen Port: Leave blank

  • MTU: Leave default

Under Peers, add:

  • Public Key

  • Allowed IPs: 0.0.0.0/0

  • Endpoint Host: (VPN server IP)

  • Endpoint Port: (VPN server port)

Step 4: Add DNS and Routing Rules

Go to Network > DHCP and DNS

  • Set DNS Forwardings to something like: 1.1.1.1, or your VPN provider's DNS

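Add a firewall rule to allow traffic from lan to wan:

# Allow all forwarded traffic from the lan zone to the wan zone, where wg0 was assigned in Step 3.
# If you created a separate vpn zone instead, set dest to that zone.
uci add firewall rule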
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart

Step 5: Set as Default Gateway (Optional for full tunnel)

Go to Network > Interfaces > wg0 > Advanced Settings

  • Check “Use default gateway”

  • Set custom DNS servers
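
Steps 2 and 3 can also be done over SSH instead of typing each value into LuCI. The script below is an added example, not part of the original guide: it parses a provider's WireGuard .conf and prints the matching uci batch commands for wg0. The wg0_peer1 section name, the Address line, the route_allowed_ips setting and all sample values are assumptions made for this example.

```sh
# Added example, not from the original guide. Prints `uci batch` commands;
# nothing on the router changes until the output is piped to `uci batch`.
wg_conf_to_uci() {  # $1 = provider .conf, $2 = interface name (default wg0)
    awk -v ifc="${2:-wg0}" -v q="'" '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function set(opt, val) { print "set network." sec "." opt "=" q val q }
    function list(opt, csv,    n, i, part) {   # one add_list per comma-separated item
        n = split(csv, part, ",")
        for (i = 1; i <= n; i++) print "add_list network." sec "." opt "=" q trim(part[i]) q
    }
    BEGIN { sec = ifc; print "set network." ifc "=interface"; set("proto", "wireguard") }
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    /^[ \t]*\[/ {                              # [Interface] or [Peer] header
        kind = tolower(trim($0)); sec = ifc
        if (kind == "[peer]") {                # each peer gets its own named section
            sec = ifc "_peer" (++peers)
            print "set network." sec "=wireguard_" ifc
            set("route_allowed_ips", "1")      # assumption: route Allowed IPs via the tunnel
        }
        next
    }
    {
        eq = index($0, "=")                    # split at the first "=" only: keys end in "="
        if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1))); val = trim(substr($0, eq + 1))
        if (kind == "[interface]" && key == "privatekey") set("private_key", val)
        else if (kind == "[interface]" && key == "address") list("addresses", val)
        else if (kind == "[peer]" && key == "publickey") set("public_key", val)
        else if (kind == "[peer]" && key == "allowedips") list("allowed_ips", val)
        else if (kind == "[peer]" && key == "endpoint" && match(val, /:[0-9]+$/)) {
            host = substr(val, 1, RSTART - 1); gsub(/^\[|\]$/, "", host)  # strip [IPv6] brackets
            set("endpoint_host", host); set("endpoint_port", substr(val, RSTART + 1))
        }
    }' "$1"
}

sample_conf() {  # constructed sample values, not a real provider config
    cat <<'EOF'
[Interface]
PrivateKey = ExamplePrivateKeyNotReal0000000000000000000=
Address = 10.64.0.2/32, fd00::2/128
# comment lines are ignored
[Peer]
PublicKey = ExampleServerPublicKeyNotReal00000000000000=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
EOF
}
```

On the router, review the output first, then apply it with wg_conf_to_uci provider.conf | uci batch followed by uci commit network (provider.conf is a placeholder file name). The .conf holds your private key, so delete it from the router once the settings are committed.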


🛠️ Method 2: Adding an OpenVPN Client to OpenWRT

If your provider supports only OpenVPN, follow this method.

Step 1: Install OpenVPN packages

opkg update
opkg install openvpn-openssl luci-app-openvpn

Step 2: Upload or copy the .ovpn config file

Use LuCI or SCP to upload the .ovpn file to /etc/openvpn/ (this guide saves it as myvpn.conf).

Then edit the file:

vi /etc/openvpn/myvpn.conf

Make sure the paths to the ca, cert, and key files are correct. You can also embed them inline in the config file if needed.

Step 3: Enable and Start OpenVPN

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

You can manage VPNs in LuCI: Services > OpenVPN

Step 4: Configure Firewall and Routing

Assign the VPN interface to the wan or a custom vpn firewall zone. Also, go to Network > Interfaces, and click Add new interface:

  • Name: tun0

  • Protocol: Unmanaged

  • Interface: tun0 or tap0

  • Assign firewall zone: vpn


🔄 Testing the VPN

Once connected, check your IP:

curl ifconfig.me

If it shows your VPN provider’s IP, you’re good to go!


🧠 Bonus Tips

  • Use Policy-Based Routing (PBR) if you want only certain devices or websites to use the VPN.

  • Restart the VPN interface if you lose internet:

    /etc/init.d/network restart

  • Use logread -e openvpn or logread -e wireguard for debugging.


🏁 Conclusion

Adding a VPN to OpenWRT is a powerful way to secure and control your network traffic. Whether you prefer WireGuard’s speed or OpenVPN’s compatibility, OpenWRT gives you the flexibility to set it up your way.

Got stuck or have questions? Drop a comment or reach out!
