WireGuard VPN Policy Routing on OpenWRT

Tested on GL-AX1800 with OpenWRT 21.02

Install vpn-policy-routing plugin

  • Go to OpenWRT -> System -> Software
  • Update lists
  • Install vpn-policy-routing and luci-app-vpn-policy-routing
  • Refresh the page. There will be a new VPN tab in the header

Add Firewall zone

  • Go to Network -> Firewall
  • Under Zones section, click the Add button
  • I use WGZONE as the name.
  • Choose accept for Output
  • Choose drop for Input and Forward
  • Check Masquerading and MSS clamping
  • Choose WAN for Allowed forward to destination zones
  • Choose LAN and GUEST (if present, or if you want it) for Allow forward from source zones

Add WireGuard interface

  • Prepare your WireGuard connection information
  • Go to Network -> Interfaces
  • Click Add new interface
  • In the popup dialog, choose WireGuard VPN as Protocol
  • On General Settings tab, enter Private Key and IP Address
  • On Advanced Settings tab, check Force Link
  • If you want to use the DNS from your VPN service provider, uncheck Use DNS servers advertised by peer and enter the provider's DNS IP manually
  • On Firewall Settings, choose WGZONE
  • On Peers tab, click Add peer. Enter Public Key, Preshared Key (if any), Endpoint Host and Endpoint Port. Enter 0.0.0.0/0 for Allowed IPs. Do not check Route Allowed IPs.
  • Repeat these steps for each additional VPN connection you want.

Config on Linux kernel

  • Set up SSH in System -> Administration -> SSH Access if needed
  • SSH to OpenWRT
  • Type ifconfig and find out the WireGuard interface name
  • Modify /etc/sysctl.d/90-wireguard.conf (this file does not exist originally). On other hardware models /etc/sysctl.d/ may not exist; in that case modify /etc/sysctl.conf instead
  • Put net.ipv4.conf.WIREGUARD_INTERFACE_NAME.rp_filter=2 in the file. Replace WIREGUARD_INTERFACE_NAME with your WireGuard interface name found in the previous step. Each WireGuard interface requires its own line.
  • Save the file
  • Reboot router
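The sysctl step above can be scripted so that every WireGuard interface defined in UCI gets its own rp_filter line and repeated runs do not duplicate entries. This is an added example, not part of the original guide; it assumes the kernel device name equals the UCI interface name (which netifd uses for proto 'wireguard'), and the UCI sample text below is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): build the rp_filter sysctl
# lines for every WireGuard interface found in `uci show network`.
# Assumption: the kernel device name equals the UCI interface name.

# Constructed sample of `uci show network` output for offline testing.
SAMPLE_UCI="network.wg0=interface
network.wg0.proto='wireguard'
network.wan=interface
network.wan.proto='dhcp'
network.wg1=interface
network.wg1.proto='wireguard'"

# Print the UCI interface names whose proto is 'wireguard', one per line.
# Reads `uci show network` output on stdin.
wg_ifaces_from_uci() {
    sed -n "s/^network\.\([A-Za-z0-9_]*\)\.proto='wireguard'\$/\1/p"
}

# Run the parser over the constructed sample (used by the test).
demo_ifaces() {
    printf '%s\n' "$SAMPLE_UCI" | wg_ifaces_from_uci
}

# Append net.ipv4.conf.<iface>.rp_filter=2 for each interface to file $1,
# skipping lines already present so the file stays clean across reruns.
# rp_filter=2 is "loose" reverse-path filtering: strict mode (1) drops
# replies arriving on the tunnel because the kernel's route back to the
# sender is via WAN, not the wg interface, once policy routing is in use.
# Loose mode keeps an anti-spoofing check (source must be reachable via
# some interface) while allowing the asymmetric path.
write_rp_filter_conf() {
    conf="$1"; shift
    [ -f "$conf" ] || : > "$conf"
    for iface in "$@"; do
        line="net.ipv4.conf.${iface}.rp_filter=2"
        grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# On a live router: discover interfaces, write the file the guide names,
# then load it immediately (the guide's reboot achieves the same).
apply_on_router() {
    ifaces=$(uci show network | wg_ifaces_from_uci)
    # shellcheck disable=SC2086
    write_rp_filter_conf /etc/sysctl.d/90-wireguard.conf $ifaces
    sysctl -p /etc/sysctl.d/90-wireguard.conf
}
```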

Setup policies