docs/client-openwrt-router-wireguard.md
This guide explains how to configure an OpenWrt router as a WireGuard VPN client, allowing all devices connected to your network to route traffic through your Algo VPN automatically. This setup is ideal for devices that don't support VPN natively (smart TVs, IoT devices, game consoles) or when you want seamless VPN access for all network clients.
You'll need an OpenWrt-compatible router with sufficient RAM (minimum 64MB recommended) and OpenWrt 23.05 or later installed. Your Algo VPN server must be deployed and running, and you'll need the WireGuard configuration file from your Algo deployment.
Ensure your router's LAN subnet doesn't conflict with upstream networks. The default OpenWrt IP is 192.168.1.1 - change to 192.168.2.1 if conflicts exist.
This configuration has been verified on TP-Link TL-WR1043ND and TP-Link Archer C20i AC750 with OpenWrt 23.05+. For compatibility with other devices, check the OpenWrt Table of Hardware.
http://192.168.1.1)root, no password)wireguard-toolskmod-wireguardluci-app-wireguardwireguardkmod-crypto-sha256kmod-crypto-sha1kmod-crypto-md5ssh [email protected]opkg update
opkg install wireguard-tools kmod-wireguard luci-app-wireguard wireguard kmod-crypto-sha256 kmod-crypto-sha1 kmod-crypto-md5
reboot
Before proceeding, locate your WireGuard configuration file from your Algo deployment. This file is typically located at:
configs/<server_ip>/wireguard/<username>.conf
Your configuration file should look similar to:
[Interface]
PrivateKey = <your_private_key>
Address = 10.49.0.2/16
DNS = 172.16.0.1
[Peer]
PublicKey = <server_public_key>
PresharedKey = <preshared_key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server_ip>:51820
PersistentKeepalive = 25
AlgoVPN (or your preferred name) and select "WireGuard VPN" as the protocolIn the General Settings tab:
10.49.0.2/16)Switch to the Peers tab and click "Add peer":
Algo Server[Peer] section of your config[Peer] section of your config0.0.0.0/0, ::/0 (routes all traffic through VPN)Endpoint lineEndpoint line (typically 51820)25Click "Save & Apply".
Navigate to Network → Firewall
Click "Add" to create a new zone
Configure the firewall zone:
vpnRejectAcceptRejectAlgoVPN)In the Inter-Zone Forwarding section:
lanClick "Save & Apply"
Reboot your router to ensure all changes take effect
Navigate to Network → Interfaces and verify your WireGuard interface shows as "Connected" with a green status. Check that it has received the correct IP address.
From a device connected to your router, visit https://whatismyipaddress.com/. Your public IP should match your Algo VPN server's IP address. Test DNS resolution to ensure it's working through the VPN.
For command line verification, SSH into your router and check:
# Check interface status
wg show
# Check routing table
ip route
# Test connectivity
ping 8.8.8.8
Your OpenWrt network configuration (/etc/config/network) should include sections similar to:
config interface 'AlgoVPN'
option proto 'wireguard'
list addresses '10.49.0.2/16'
option private_key '<your_private_key>'
config wireguard_AlgoVPN
option public_key '<server_public_key>'
option preshared_key '<preshared_key>'
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host '<server_ip>'
option endpoint_port '51820'
option persistent_keepalive '25'
If the interface won't connect, verify all keys are correctly copied with no extra spaces or line breaks. Check that your Algo server is running and accessible, and confirm the endpoint IP and port are correct.
If you have no internet access after connecting, verify firewall rules allow forwarding from LAN to VPN zone. Check that masquerading is enabled on the VPN zone and ensure MSS clamping is enabled.
If some websites don't work, try disabling MSS clamping temporarily to test. Verify DNS is working by testing nslookup google.com and check that IPv6 is properly configured if used.
For DNS resolution issues, configure custom DNS servers in Network → DHCP and DNS. Consider using your Algo server's DNS (typically 172.16.0.1).
Check system logs for WireGuard-related errors:
# View system logs
logread | grep -i wireguard
# Check kernel messages
dmesg | grep -i wireguard
For split tunneling (routing only specific traffic through the VPN), change "Allowed IPs" in the peer configuration to specific subnets and add custom routing rules for desired traffic.
If your Algo server supports IPv6, add the IPv6 address to your interface configuration and include ::/0 in "Allowed IPs" for the peer.
For optimal privacy, configure your router to use your Algo server's DNS by navigating to Network → DHCP and DNS and adding your Algo DNS server IP (typically 172.16.0.1) to the DNS forwardings.
Store your private keys securely and never share them. Keep OpenWrt and packages updated for security patches. Regularly check VPN connectivity to ensure ongoing protection, and save your configuration before making changes.
This configuration routes ALL traffic from your router through the VPN. If you need selective routing or have specific requirements, consider consulting the OpenWrt WireGuard documentation for advanced configurations.