Category: OpenWRT

  • wireguard config openwrt

    FINAL REVISED & HARDENED WIREGUARD FULL-TUNNEL SETUP ON OPENWRT (LUCI-ONLY)

    This configuration:

    • provides full-tunnel internet through home
    • gives VPN clients secure access to LAN devices
    • uses DNS-over-HTTPS for leak-proof DNS
    • follows OpenWrt firewall best practices
    • corrects all issues found in your shared configuration
    • requires no terminal commands

    ⭐ STEP 0 — Remove unsafe default “vpn” zone

    You already created a “vpn” zone. That setup is incorrect for full-tunnel.

    LUCI:

    Network → Firewall → Zones → delete the “vpn” zone

    Click Save & Apply.

    Now you should have only:

    • lan
    • wan

    Perfect.


    ⭐ STEP 1 — Add wg0 to LAN firewall zone

    This is the correct & secure model for road-warrior VPN in OpenWrt.

    LUCI:
    Network → Firewall → Zones → Edit “lan”

    Under Covered networks:

    lan
    wg0 (check this)

    Default policies (recommended):

    • Input: ACCEPT
    • Output: ACCEPT
    • Forward: ACCEPT
    • Masquerading: DISABLED
      (WAN zone handles NAT — as it should)

    Under “Allow forward to destination zones”:

    wan
    (no others)

    Under “Allow forward from source zones”:

    ✔ none required
    (but you may see unspecified, that’s okay)

    Click Save & Apply.


    ⭐ STEP 2 — Verify WAN zone has Masquerading enabled

    This is required for full-tunnel routing.

    LUCI:
    Network → Firewall → Zones → Edit “wan”

    Ensure these are correct:

    • Input: REJECT
    • Output: ACCEPT
    • Forward: REJECT
    • Masquerading: ENABLED
    • MSS clamping: OPTIONAL but recommended

    Save & Apply.


    ⭐ STEP 3 — WireGuard interface settings

    LUCI: Network → Interfaces → wg0

    General Settings:

    • Private Key → exists ✔
    • Listen Port → 51820
    • IP address: 10.0.0.1/24
    • “Bring up on boot” → ✔

    Firewall Settings tab:

    • Assign wg0 to zone: lan

    Save & Apply.


    ⭐ STEP 4 — WireGuard peer (your phone/app)

    LUCI → Interfaces → wg0 → Peers → Add peer

    Fill in:

    Required fields:

    • Description: phone
    • Public Key: (phone app → generated key)
    • Allowed IPs: 10.0.0.2/32

    Leave endpoint empty (phone connects to router; router does not initiate).

    Click Save.


    ⭐ STEP 5 — Traffic rule (WireGuard port)

    You already have this correct — just verify.

    LUCI:
    Network → Firewall → Traffic Rules

    Find rule named wireguard:

    Checklist:

    • Protocol: UDP
    • Source zone: wan
    • Source port: any
    • Destination zone: Device (input)
    • Destination port: 51820
    • Action: ACCEPT

    If all correct → leave it.


    ⭐ STEP 6 — Configure the phone (full tunnel & LAN access)

    Open the WireGuard app → edit tunnel.

    Replace values:

    [Interface]
    PrivateKey = <phone private key>
    Address = 10.0.0.2/32
    DNS = 10.0.0.1

    [Peer]
    PublicKey = <router public key>
    Endpoint = <your.ddns.or.public.ip>:51820
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25

    (PersistentKeepalive may also be left blank for automatic handling.)

    This ensures:

    ✔ All traffic goes through home
    ✔ DNS sent to router → goes through encrypted DoH
    ✔ No leaks
    ✔ VPN can reach LAN devices (192.168.1.0/24)


    ⭐ STEP 7 — Enable DNS-over-HTTPS on OpenWrt (LUCI-only, secure)

    This step prevents any DNS leaks and improves privacy.


    🔹 Install DoH resolver (via LUCI)

    LUCI:
    System → Software

    Search for:

    • https-dns-proxy
    • luci-app-https-dns-proxy

    Install both.


    🔹 Configure DoH (Cloudflare recommended)

    LUCI:
    Services → HTTPS DNS Proxy

    Enable an instance:

    • Provider: Cloudflare
    • Listen address: 127.0.0.1
    • Listen port: 5053

    Save & Apply.

    This sets the router DNS → DoH resolver.


    🔹 Point OpenWrt DNS to DoH

    LUCI:
    Network → DHCP and DNS → General Settings

    Under DNS Forwardings:

    127.0.0.1#5053

    Apply.

    Now all DNS from:

    • LAN devices
    • VPN clients (10.0.0.2)
    • The router itself

    is encrypted.


    ⭐ STEP 8 — Force VPN clients to use router DNS

    To prevent DNS bypass:

    LUCI:
    Network → Firewall → Traffic Rules → Add

    Create rule:

    • Name: Force-DNS-LAN-VPN
    • Source zone: lan
    • Destination port: 53
    • Action: REJECT

    Save & Apply.

    Now the phone cannot bypass router DNS.
    All DNS → VPN → Router → DoH.

    No leaks.
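The same setup as Steps 1 to 8 written as UCI stanzas (/etc/config/network, /etc/config/firewall and /etc/config/dhcp), added here as a worked example that is not part of the original post; it is handy for checking what LuCI actually wrote (System → Backup / Flash Firmware → generate archive, or cat the files over SSH). Keys are placeholders, the wan zone is the stock one with Masquerading enabled and is omitted, and two settings are my assumptions rather than things the post states: the Force-DNS rule gets destination zone wan so that queries to the router itself on 10.0.0.1 are still answered, and noresolv stops dnsmasq from also using the ISP resolvers.

```uci
# /etc/config/network -- Steps 3 and 4 (keys are placeholders)
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router private key>'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option description 'phone'
	option public_key '<phone public key>'
	list allowed_ips '10.0.0.2/32'

# /etc/config/firewall -- Steps 1, 5 and 8 (wan zone left as stock + masq)
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

# no dest => router input chain, i.e. LuCI's "Device (input)"
config rule
	option name 'wireguard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# Assumption: dest 'wan' so only DNS leaving for the internet is rejected
# and clients can still reach the router's own resolver on 10.0.0.1
config rule
	option name 'Force-DNS-LAN-VPN'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option target 'REJECT'

# /etc/config/dhcp -- Step 7; noresolv is an addition beyond the post
config dnsmasq
	list server '127.0.0.1#5053'
	option noresolv '1'
```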


    ⭐ STEP 9 — Testing (VERY IMPORTANT)

    With VPN enabled on phone:

    Test external IP:

    https://ifconfig.me

    → should show your home public IP.

    Test DNS leak:

    https://browserleaks.com/dns

    → should show Cloudflare only (not mobile carrier, not Google, not ISP DNS).

    If anything leaks → tell me and I will fix it.


    🎉 YOUR CONFIGURATION IS NOW FULLY SECURE

    You now have:

    ✔ Fully operational WireGuard full-tunnel
    ✔ VPN access to LAN for remote management
    ✔ Encrypted DNS-over-HTTPS (no DNS leaks)
    ✔ Hardened firewall
    ✔ Correct OpenWrt zone model
    ✔ Privacy-safe mobile connection

  • USB Mass Storage Devices compatibility – OpenWRT

    To enhance compatibility with USB 3.0 mass storage devices on OpenWRT, you may need to install specific kernel modules and packages. Here are the general steps to maximize compatibility:

    Install USB Support Packages:

    • opkg update
    • opkg install kmod-usb-core kmod-usb2 kmod-usb-storage

    Install USB 3.0 Driver:

    USB 3.0 support may require additional kernel modules. Install the appropriate package based on your hardware. For many systems, the kmod-usb3 package is relevant:

    opkg install kmod-usb3

    Install File System Support:

    Ensure that your OpenWRT device supports the file systems commonly used by USB storage devices, such as vfat (FAT32) and ext4. Install the relevant file system packages:

    opkg install kmod-fs-vfat kmod-fs-ext4

    Install USB Utilities:

    • opkg install usbutils

    Reboot Your OpenWRT Device:

    • reboot

    Check for USB Device Recognition:

    • lsusb

    With that you should be able to see the device in the list of USB-connected devices.

    Keep in mind that the package names and availability may vary based on the specific OpenWRT version and the hardware architecture of your device. Verify the compatibility of packages with your OpenWRT version and target hardware.

    If you encounter issues or have specific hardware requirements, consider checking the OpenWRT forums or documentation for device-specific recommendations and community support.

  • Resize OpenWRT partition

    After installing OpenWrt on an 8 GB SD card I noticed that I only had 104 MB of disk space left for future software installation. The file system was only using a fraction of the 8 GB, so I needed to expand the partition as well as the file system.

    Boot up your OpenWrt device and perform the following steps from the CLI.

    First of all and just to be safe, remove all external disks attached.

    Install the required packages (preferably via LuCI):

    opkg install lsblk parted resize2fs tune2fs

    Now let's gather information about block devices:

    lsblk
    sda      179:0    0    8G  0 disk
    ├─sda1   179:1    0   16M  0 part
    └─sda2   179:2    0  104M  0 part /

    Now let's enter parted and resize the partition (decide how far to extend it according to your SD card capacity; here partition 2 is grown to 8GB):

    parted
    p
    Number  Start   End     Size    Type      File system  Flags
     1      33.6MB  50.3MB  16.8MB  primary   ext2         boot
     2      67.1MB  104MB   104MB   primary
    resizepart 2 8GB
    q

    Resizing the file system

    Remount root as read-only:

    mount -o remount,ro /

    Remove the reserved GDT blocks:

    tune2fs -O ^resize_inode /dev/sda2

    Run a file system check and answer yes to all prompts. This removes the remnants of the GDT blocks:

    fsck.ext4 /dev/sda2

    Now reboot, log back in and resize the file system:

    Expand the root file system:

    resize2fs -f /dev/sda2

    To apply the changes, reboot the system once more and you are done.

    Sources

    https://openwrt.org/docs/guide-user/installation/installation_methods/sd_card#fn

    https://openwrt.org/docs/guide-user/installation/openwrt_x86#resizing_filesystem

    https://openwrt.org/toh/friendlyarm/nanopi_r4s_v1#installation