Category: Security

  • wireguard config openwrt

    FINAL REVISED & HARDENED WIREGUARD FULL-TUNNEL SETUP ON OPENWRT (LUCI-ONLY)

    This configuration:

    • provides full-tunnel internet through home
    • gives VPN clients secure access to LAN devices
    • uses DNS-over-HTTPS for leak-proof DNS
    • follows OpenWrt firewall best practices
    • corrects the usual mistakes in a hand-built setup (wrong zone model, missing masquerade on wan, leaky DNS)
    • requires no terminal commands

    ⭐ STEP 0 — Remove a separate “vpn” zone if you created one

    A separate “vpn” zone is not unsafe in itself, but this guide puts wg0 into the lan zone instead, so a leftover “vpn” zone with its own forwardings is a second place to get the rules wrong and should go.

    LUCI:

    Network → Firewall → Zones → delete the “vpn” zone

    Click Save & Apply.

    Now you should have only:

    • lan
    • wan

    Perfect.


    ⭐ STEP 1 — Add wg0 to LAN firewall zone

    This is the simplest model for a road-warrior VPN in OpenWrt: VPN clients are treated exactly like LAN clients. If you ever need to restrict what VPN clients may reach on the LAN, that is the point at which a separate zone becomes worth it.

    LUCI:
    Network → Firewall → Zones → Edit “lan”

    Under Covered networks:

    lan
    wg0

    Default policies (recommended):

    • Input: ACCEPT
    • Output: ACCEPT
    • Forward: ACCEPT
    • Masquerading: DISABLED
      (WAN zone handles NAT — as it should)

    Under “Allow forward to destination zones”:

    wan
    (no others)

    Under “Allow forward from source zones”:

    ✔ none required
    (but you may see unspecified, that’s okay)

    Click Save & Apply.


    ⭐ STEP 2 — Verify WAN zone has Masquerading enabled

    This is required for full-tunnel routing.

    LUCI:
    Network → Firewall → Zones → Edit “wan”

    Ensure these are correct:

    • Input: REJECT
    • Output: ACCEPT
    • Forward: REJECT
    • Masquerading: ENABLED
    • MSS clamping: OPTIONAL but recommended

    Save & Apply.


    ⭐ STEP 3 — WireGuard interface settings

    LUCI: Network → Interfaces → wg0

    General Settings:

    • Private Key → generated (LuCI can generate a key pair; the private key never leaves the router)
    • Listen Port → 51820
    • IP address:
    • 10.0.0.1/24
      (if the phone is ever on Wi-Fi networks that themselves use 10.0.0.0/24, pick another private range such as 10.200.0.1/24; the tunnel address must not overlap the client's local network)
    • “Bring up on boot” → ✔

    Firewall Settings tab:

    • Assign wg0 to zone: lan

    Save & Apply.


    ⭐ STEP 4 — WireGuard peer (your phone/app)

    LUCI → Interfaces → wg0 → Peers → Add peer

    Fill in:

    Required fields:

    • Description: phone
    • Public Key: (phone app → generated key)
    • Allowed IPs:
    • 10.0.0.2/32

    Leave endpoint empty (phone connects to router; router does not initiate).

    Click Save.


    ⭐ STEP 5 — Traffic rule (WireGuard port)

    If this rule was created when the interface was set up, just verify it; otherwise add it. Without it the wan zone's Input: REJECT drops the handshake and the phone never connects.

    LUCI:
    Network → Firewall → Traffic Rules

    Find rule named wireguard:

    Checklist:

    • Protocol: UDP
    • Source zone: wan
    • Source port: any
    • Destination zone: Device (input)
    • Destination port: 51820
    • Action: ACCEPT

    If all correct → leave it.


    ⭐ STEP 6 — Configure the phone (full tunnel & LAN access)

    Open the WireGuard app → edit tunnel.

    Replace values:

    [Interface]
    PrivateKey = <phone private key>
    Address = 10.0.0.2/32
    DNS = 10.0.0.1

    [Peer]
    PublicKey = <router public key>
    Endpoint = <your.ddns.or.public.ip>:51820
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25

    ::/0 matters: without it the app routes only IPv4 into the tunnel, and on a carrier that gives the phone an IPv6 address all IPv6 traffic (including DNS to an IPv6 resolver) goes out in the clear. PersistentKeepalive is optional; 25 keeps the carrier's NAT mapping open so the tunnel stays usable without a reconnect. There is no “auto” value, so either set it or omit the line.

    This ensures:

    ✔ All traffic goes through home
    ✔ DNS sent to router → goes through encrypted DoH
    ✔ No IPv4 or IPv6 leaks around the tunnel
    ✔ VPN can reach LAN devices (192.168.1.0/24)


    ⭐ STEP 7 — Enable DNS-over-HTTPS on OpenWrt (LUCI-only, secure)

    This step prevents any DNS leaks and improves privacy.


    🔹 Install DoH resolver (via LUCI)

    LUCI:
    System → Software

    Search for:

    • https-dns-proxy
    • luci-app-https-dns-proxy

    Install both.


    🔹 Configure DoH (Cloudflare recommended)

    LUCI:
    Services → HTTPS DNS Proxy

    Enable an instance:

    • Resolver (provider): Cloudflare
    • Listen address: 127.0.0.1
    • Listen port: 5053

    Save & Apply.

    This starts a local DoH forwarder on 127.0.0.1:5053. The package ships two instances by default (Google on 5053, Cloudflare on 5054); keep only the one you want. With the app's “Update DNSMASQ Config on Start/Stop” option left at its default, the service also points dnsmasq at itself, so the next step may already be done and then only needs checking.


    🔹 Point OpenWrt DNS to DoH

    LUCI:
    Network → DHCP and DNS → General Settings

    Under DNS Forwardings, add exactly one entry and remove any other upstream:

    127.0.0.1#5053

    Then on the “Resolv and Hosts Files” tab tick “Ignore resolv file”; otherwise dnsmasq keeps the plain-DNS resolvers your ISP hands out over WAN as a fallback and those queries leave unencrypted.

    Apply.

    Now all DNS from:

    • LAN devices
    • VPN clients (10.0.0.2)
    • The router itself

    is forwarded over DoH (the hop from client to router is inside the LAN or inside the WireGuard tunnel).


    ⭐ STEP 8 — Force VPN clients to use router DNS

    With AllowedIPs = 0.0.0.0/0 the phone already sends every DNS packet into the tunnel; this rule stops apps that hard-code a public resolver (8.8.8.8, 1.1.1.1) from reaching it through the tunnel and out over WAN.

    LUCI:
    Network → Firewall → Traffic Rules → Add

    Create rule:

    • Name: Force-DNS-LAN-VPN
    • Protocol: TCP+UDP
    • Source zone: lan
    • Destination zone: wan
    • Destination port: 53
    • Action: REJECT

    The destination zone must be wan. Left at Device (input), the rule rejects the LAN's and the VPN's own queries to the router's dnsmasq on port 53 and breaks name resolution for everyone.

    Save & Apply.

    Now the phone (and every wired or Wi-Fi LAN client, since wg0 sits in the lan zone) cannot use a plain-DNS resolver on the internet.
    All DNS → VPN → Router → DoH.

    Two caveats: add 853 to the destination ports if you also want to stop the phone's “Private DNS” (DNS-over-TLS) from bypassing the router; DNS-over-HTTPS done by an app itself runs over 443 and cannot be separated from normal web traffic by a port rule.


    ⭐ STEP 9 — Testing (VERY IMPORTANT)

    Test from mobile data, not from your home Wi-Fi: from inside the LAN the endpoint is your own public IP and the result depends on the router's NAT loopback, not on the tunnel.

    With VPN enabled on phone:

    Test external IP:

    https://ifconfig.me

    → should show your home public IP.

    Test DNS leak:

    https://browserleaks.com/dns

    → should show Cloudflare only (not mobile carrier, not Google, not ISP DNS).

    Also check that an IP-address test site reports no IPv6 address; a carrier IPv6 address means the phone's AllowedIPs is missing ::/0.

    If anything leaks, recheck steps 6 to 8 (AllowedIPs, the DoH forwarding and the port-53 rule) before anything else.


    🎉 CONFIGURATION COMPLETE

    You now have:

    ✔ Fully operational WireGuard full-tunnel
    ✔ VPN access to LAN for remote management
    ✔ Encrypted DNS-over-HTTPS (no DNS leaks)
    ✔ Hardened firewall
    ✔ Correct OpenWrt zone model
    ✔ Privacy-safe mobile connection
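    The whole procedure above as one reviewable batch. This is an added example, not part of the original page: it renders the uci equivalent of the LuCI steps (interface, peer, zones, both traffic rules, the DoH proxy and the dnsmasq forwarding) plus the matching phone config, and applies the batch only when run with the argument apply on the router. It assumes the OpenWrt default zone order (lan is @zone[0], wan is @zone[1]), that https-dns-proxy is already installed, and placeholder keys and hostname. It goes beyond the page in one place: the Force-DNS rule also rejects TCP/53 and port 853, so DNS-over-TLS “Private DNS” cannot bypass the router either.

```shell
#!/bin/sh
# Added example, not from the original page: the uci equivalent of the LuCI
# steps, rendered as a batch you can read before it touches anything.
# Assumptions: lan is firewall.@zone[0] and wan is @zone[1] (OpenWrt default),
# https-dns-proxy is installed, keys and the DDNS name are placeholders.
# Re-running appends duplicate list entries (network, addresses, server);
# check with `uci show` if you apply twice.

ROUTER_PRIVKEY="${ROUTER_PRIVKEY:-<router private key>}"
PHONE_PUBKEY="${PHONE_PUBKEY:-<phone public key>}"

# Router side: wg0 in the lan zone, NAT only on wan, inbound UDP/51820,
# and plain DNS (53) plus DNS-over-TLS (853) towards the internet rejected
# for the lan zone, which now includes the VPN clients.
render_wg_uci() {
  cat <<EOF
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='$ROUTER_PRIVKEY'
set network.wg0.listen_port='51820'
add_list network.wg0.addresses='10.0.0.1/24'
set network.wgpeer_phone=wireguard_wg0
set network.wgpeer_phone.description='phone'
set network.wgpeer_phone.public_key='$PHONE_PUBKEY'
add_list network.wgpeer_phone.allowed_ips='10.0.0.2/32'
set network.wgpeer_phone.route_allowed_ips='1'
add_list firewall.@zone[0].network='wg0'
set firewall.@zone[0].masq='0'
set firewall.@zone[1].masq='1'
set firewall.@zone[1].mtu_fix='1'
set firewall.wg_in=rule
set firewall.wg_in.name='wireguard'
set firewall.wg_in.src='wan'
set firewall.wg_in.proto='udp'
set firewall.wg_in.dest_port='51820'
set firewall.wg_in.target='ACCEPT'
set firewall.block_dns=rule
set firewall.block_dns.name='Force-DNS-LAN-VPN'
set firewall.block_dns.src='lan'
set firewall.block_dns.dest='wan'
set firewall.block_dns.proto='tcp udp'
set firewall.block_dns.dest_port='53 853'
set firewall.block_dns.target='REJECT'
set https-dns-proxy.@https-dns-proxy[0].resolver_url='https://cloudflare-dns.com/dns-query'
set https-dns-proxy.@https-dns-proxy[0].listen_addr='127.0.0.1'
set https-dns-proxy.@https-dns-proxy[0].listen_port='5053'
set dhcp.@dnsmasq[0].noresolv='1'
add_list dhcp.@dnsmasq[0].server='127.0.0.1#5053'
commit network
commit firewall
commit https-dns-proxy
commit dhcp
EOF
}

# Phone side, same values as STEP 6; ::/0 keeps IPv6 from leaking around the tunnel.
render_phone_conf() {  # args: <phone private key> <router public key> <endpoint host>
  cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = $2
Endpoint = $3:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Only does anything on the router itself; elsewhere it refuses instead of guessing.
apply_wg_uci() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; return 1; }
  render_wg_uci | uci batch || return 1
  /etc/init.d/network restart && /etc/init.d/firewall restart \
    && /etc/init.d/https-dns-proxy restart && /etc/init.d/dnsmasq restart
}

if [ "${1:-}" = "apply" ]; then
  apply_wg_uci
else
  render_wg_uci
fi
```

    Run it without arguments to read the batch, diff it against `uci show network firewall dhcp https-dns-proxy` on the router, and only then run it with apply. The phone config is printed with `render_phone_conf <phone private key> <router public key> <ddns name>` and pasted into the app.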

  • sshfs

    For an easy way to obtain temporary access to a directory in a remote location using the sshfs command, just type in your terminal:

    sshfs remote_user@ip_address:/path_to_dir path_to_local_dir

    Make sure you have already created the local directory on which to mount the remote one, that you have the credentials of the remote user, and that the user has all necessary permissions on the remote path.

    For example:

    sshfs admin@192.168.1.130:/media/backup ~/nfs

    Now in your local file manager you will have access to the remote directory for the current session. Performance may be lower with this method compared with alternatives like a network file system setup, but for managing small files it is just perfect if you prefer a single secure connection to a remote location without having to use the terminal too much.

    NOTE: If you are a local non-root user, make sure to create the folder where you want to mount the remote disk somewhere in your home folder, so you can reach it both from the CLI and from a file explorer.

    To disconnect:

    fusermount -u /path/to/mount/point
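    A small helper around the command above, added here as an example and not from the original note: it checks the mount point before mounting (exists, empty, under the home folder), passes the ssh options that make the session behave as a single persistent secure connection, and unmounts the way the note shows, with umount as the fallback on systems without fusermount. User, host and paths are placeholders; it assumes key-based login with the server's host key already in known_hosts.

```shell
#!/bin/sh
# Added example, not from the original note. Placeholders: user, host, paths.
# Assumes key-based login and that the server's host key is already in
# ~/.ssh/known_hosts (ssh to it once first), so StrictHostKeyChecking=yes
# cannot be defeated by a first-contact prompt.

# A mount point is acceptable only if it is an existing, empty directory under
# $HOME: a non-root user can always reach it there, and mounting over a
# non-empty directory would hide its contents until unmount.
check_mountpoint() {
  mp=$1
  [ -n "$HOME" ] || { echo "HOME is not set" >&2; return 1; }
  case "$mp" in
    "$HOME"/*) ;;
    *) echo "mount point must be under $HOME" >&2; return 1 ;;
  esac
  [ -d "$mp" ] || { echo "$mp does not exist, create it first" >&2; return 1; }
  [ -z "$(ls -A "$mp")" ] || { echo "$mp is not empty" >&2; return 1; }
}

# Options sshfs passes through to ssh: key-only auth, a checked host key,
# keepalives so a dead link is noticed, reconnect so it is re-established.
sshfs_options() {
  printf '%s' 'reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,IdentitiesOnly=yes,PasswordAuthentication=no,StrictHostKeyChecking=yes'
}

# mount_remote user host /remote/dir /local/dir
mount_remote() {
  check_mountpoint "$4" || return 1
  sshfs -o "$(sshfs_options)" "$1@$2:$3" "$4"
}

# fusermount is the FUSE way on Linux; umount covers systems without it.
unmount_remote() {
  if command -v fusermount >/dev/null 2>&1; then
    fusermount -u "$1"
  else
    umount "$1"
  fi
}

# Usage with the note's placeholder values:
#   mkdir -p "$HOME/nfs"
#   mount_remote admin 192.168.1.130 /media/backup "$HOME/nfs"
#   unmount_remote "$HOME/nfs"
```

    PasswordAuthentication=no is deliberate: if the key is not accepted the mount fails loudly instead of prompting, which is what you want from something meant to sit in a script or an alias.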