wireguard config openwrt

FINAL REVISED & HARDENED WIREGUARD FULL-TUNNEL SETUP ON OPENWRT (LUCI-ONLY)

This configuration:

  • provides full-tunnel internet through home
  • gives VPN clients secure access to LAN devices
  • uses DNS-over-HTTPS for leak-proof DNS
  • follows OpenWrt firewall best practices
  • corrects all issues found in your shared configuration
  • requires no terminal commands

⭐ STEP 0 — Remove unsafe default “vpn” zone

You already created a “vpn” zone. That setup is incorrect for full-tunnel.

LUCI:

Network → Firewall → Zones → delete the “vpn” zone

Click Save & Apply.

Now you should have only:

  • lan
  • wan

Perfect.


⭐ STEP 1 — Add wg0 to LAN firewall zone

This is the correct & secure model for road-warrior VPN in OpenWrt.

LUCI:
Network → Firewall → Zones → Edit “lan”

Under Covered networks:

lan
wg0

Default policies (recommended):

  • Input: ACCEPT
  • Output: ACCEPT
  • Forward: ACCEPT
  • Masquerading: DISABLED
    (WAN zone handles NAT — as it should)

Under “Allow forward to destination zones”:

wan
(no others)

Under “Allow forward from source zones”:

✔ none required
(but you may see unspecified, that’s okay)

Click Save & Apply.


⭐ STEP 2 — Verify WAN zone has Masquerading enabled

This is required for full-tunnel routing.

LUCI:
Network → Firewall → Zones → Edit “wan”

Ensure these are correct:

  • Input: REJECT
  • Output: ACCEPT
  • Forward: REJECT
  • Masquerading: ENABLED
  • MSS clamping: OPTIONAL but recommended

Save & Apply.


⭐ STEP 3 — WireGuard interface settings

LUCI: Network → Interfaces → wg0

General Settings:

  • Private Key → exists ✔
  • Listen Port → 51820
  • IP address: 10.0.0.1/24
  • “Bring up on boot” → ✔

Firewall Settings tab:

  • Assign wg0 to zone: lan

Save & Apply.


⭐ STEP 4 — WireGuard peer (your phone/app)

LUCI → Interfaces → wg0 → Peers → Add peer

Fill in:

Required fields:

  • Description: phone
  • Public Key: (phone app → generated key)
  • Allowed IPs: 10.0.0.2/32

Leave endpoint empty (phone connects to router; router does not initiate).

Click Save.
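For anyone who wants to confirm what Steps 3 and 4 actually wrote, this is the same interface and peer in the form OpenWrt stores them in /etc/config/network. It is an added reference block, not part of the original guide; the key strings are placeholders and everything else mirrors the LuCI values above:

```uci
# /etc/config/network (added reference, not from the original guide)

# Step 3: the WireGuard interface. Key values are placeholders.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router private key>'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

# Step 4: one road-warrior peer. No endpoint_host / endpoint_port:
# the phone dials in, the router never initiates.
# allowed_ips is also the source filter for this peer: packets arriving
# from it with any other source address are dropped by cryptokey routing,
# so keep it at the single /32 and never widen it to 0.0.0.0/0 here.
config wireguard_wg0
	option description 'phone'
	option public_key '<phone public key>'
	list allowed_ips '10.0.0.2/32'
```

The 10.0.0.0/24 route comes from the interface address itself, so no extra "Route Allowed IPs" setting is needed for the router to reach 10.0.0.2.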


⭐ STEP 5 — Traffic rule (WireGuard port)

You already have this correct — just verify.

LUCI:
Network → Firewall → Traffic Rules

Find rule named wireguard:

Checklist:

  • Protocol: UDP
  • Source zone: wan
  • Source port: any
  • Destination zone: Device (input)
  • Destination port: 51820
  • Action: ACCEPT

If all correct → leave it.
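Steps 0, 1, 2 and 5 together describe one firewall model; this is what that model looks like in /etc/config/firewall, added here as a reference (not from the original guide) so the LuCI result can be checked against it. The `wan` and `wan6` network names under the wan zone are assumed OpenWrt defaults; everything else mirrors the steps above:

```uci
# /etc/config/firewall (added reference, not from the original guide)

# Step 1: wg0 lives inside the lan zone, so VPN clients are treated
# exactly like wired LAN hosts. No masq here: only the WAN zone does NAT.
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Step 2: the only zone that masquerades. mtu_fix is LuCI's
# "MSS clamping" box; it avoids large-packet stalls caused by the
# tunnel's smaller MTU.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'   # assumed default name for the IPv6 WAN
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Step 1, "Allow forward to destination zones: wan"
config forwarding
	option src 'lan'
	option dest 'wan'

# Step 5: the one hole punched in the WAN zone. A rule with no 'dest'
# option is an input rule (traffic to the router itself), which is what
# LuCI shows as "Destination zone: Device (input)".
config rule
	option name 'wireguard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
```

Two things worth verifying against this: the lan zone must not carry `option masq '1'`, and the wireguard rule must be the only ACCEPT rule whose source is wan.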


⭐ STEP 6 — Configure the phone (full tunnel & LAN access)

Open the WireGuard app → edit tunnel.

Replace values:

[Interface]
PrivateKey = <phone private key>
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = <router public key>
Endpoint = <your.ddns.or.public.ip>:51820
AllowedIPs = 0.0.0.0/0
# 25 seconds keeps the NAT mapping open while the phone is idle;
# omitting this line disables keepalives entirely.
PersistentKeepalive = 25

This ensures:

✔ All traffic goes through home
✔ DNS sent to router → goes through encrypted DoH
✔ No leaks
✔ VPN can reach LAN devices (192.168.1.0/24)


⭐ STEP 7 — Enable DNS-over-HTTPS on OpenWrt (LUCI-only, secure)

This step prevents any DNS leaks and improves privacy.


🔹 Install DoH resolver (via LUCI)

LUCI:
System → Software

Search for:

  • https-dns-proxy
  • luci-app-https-dns-proxy

Install both.


🔹 Configure DoH (Cloudflare recommended)

LUCI:
Services → HTTPS DNS Proxy

Enable an instance:

  • Provider: Cloudflare
  • Listen address: 127.0.0.1
  • Listen port: 5053

Save & Apply.

This starts a local DoH forwarder on 127.0.0.1:5053; the next step points the router's DNS at it.


🔹 Point OpenWrt DNS to DoH

LUCI:
Network → DHCP and DNS → General Settings

Under DNS Forwardings, add:

127.0.0.1#5053

Apply.

Now all DNS from:

  • LAN devices
  • VPN clients (10.0.0.2)
  • The router itself

is encrypted.


⭐ STEP 8 — Force VPN clients to use router DNS

To prevent DNS bypass:

LUCI:
Network → Firewall → Traffic Rules → Add

Create rule:

  • Name: Force-DNS-LAN-VPN
  • Source zone: lan
  • Destination port: 53
  • Action: REJECT

Save & Apply.

Now the phone cannot bypass router DNS.
All DNS → VPN → Router → DoH.

No leaks.
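Steps 7 and 8 touch three config files; this is the combined result, added as a reference that is not part of the original guide. Two details are my assumptions rather than values from the steps above: `noresolv` in the dnsmasq section, and `dest 'wan'` on the Force-DNS rule. The second one matters: in OpenWrt a traffic rule without a destination zone is an input rule, so a REJECT on port 53 with only a source zone would block clients from reaching dnsmasq on the router itself instead of blocking DNS bypass:

```uci
# Step 7 (a): /etc/config/https-dns-proxy (added reference, not from the guide)
# One DoH instance on loopback, matching the LuCI values. The resolver
# URL is Cloudflare's public DoH endpoint; bootstrap_dns is used only to
# resolve the hostname in that URL, never for client queries.
config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1'
	option resolver_url 'https://cloudflare-dns.com/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5053'

# Step 7 (b): /etc/config/dhcp, dnsmasq section
# 'noresolv' is an assumption added here: without it dnsmasq also keeps
# the ISP resolvers learned from WAN DHCP and may send queries to them
# in the clear, which is exactly the leak Step 7 is meant to close.
config dnsmasq
	option noresolv '1'
	list server '127.0.0.1#5053'

# Step 8: /etc/config/firewall
# 'dest wan' is assumed: it makes this a forward rule (lan -> wan), so
# the router's own resolver on 10.0.0.1 / 192.168.1.1 stays reachable
# while any client-chosen resolver on the Internet is refused.
# Rules are evaluated before zone forwardings, so this wins over the
# lan -> wan forwarding from Step 1.
config rule
	option name 'Force-DNS-LAN-VPN'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'
```

Scope of the rule: it catches classic DNS on port 53 only. A client configured for DNS-over-TLS (853) or its own DNS-over-HTTPS (443) is not matched, so the browser test in Step 9 remains the real check.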


⭐ STEP 9 — Testing (VERY IMPORTANT)

With VPN enabled on phone:

Test external IP:

https://ifconfig.me

→ should show your home public IP.

Test DNS leak:

https://browserleaks.com/dns

→ should show Cloudflare only (not mobile carrier, not Google, not ISP DNS).

If anything leaks → tell me and I will fix it.


🎉 YOUR CONFIGURATION IS NOW FULLY SECURE

You now have:

✔ Fully operational WireGuard full-tunnel
✔ VPN access to LAN for remote management
✔ Encrypted DNS-over-HTTPS (no DNS leaks)
✔ Hardened firewall
✔ Correct OpenWrt zone model
✔ Privacy-safe mobile connection
