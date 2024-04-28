Update April 2023: It is now possible to shorten the setup process a bit and download a configuration file from the Shellfire Customer Center.

The Wireguard VPN is becoming increasingly popular among VPN users. Wireguard enables VPN download speeds that were previously unheard of. This is especially true for devices that don’t have a lot of processing power, such as your home router. While VPN routers often used to be stuck with single-digit Mbps speeds, powerful routers can now even achieve triple-digit values! Wireguard does not make compromises when it comes to security and uses strong state-of-the-art encryption.

Warning: The installation of OpenWRT and Wireguard may not be suited for beginners. Some commands may have to be entered via the Linux command line. Read these instructions carefully first and then decide if you are up to it. For all users who would like to enjoy a Wireguard VPN connection without manual configuration, we recommend the Shellfire Box. Here, everything is pre-configured and you can even change the VPN server at any time with just a few clicks.

Installing Wireguard on the router

Wireguard VPN Key Generation

Configure Wireguard VPN Cilent

Creating a firewall zone

DNS settings

Establishing the Wireguard connection

Verifying the Wireguard VPN connection

Troubleshooting

First of all, you need a home router that runs on the free OpenWRT operating system with the LuCI interface installed. OpenWRT can be installed on many routers, but you may void your warranty by installing it. Warning: An error during the installation of the OpenWRT firmware may permanently “brick” your router! Therefore, it may be worth looking for a router that already comes with OpenWRT pre-installed. It is important to have a relatively recent OpenWRT version installed that already supports Wireguard. We’re using a Shellfire box in this guide for simplicity’s sake, although of course we don’t actually need a manual Wireguard installation here.

You also need a VPN server that provides Wireguard access. Your VPN provider will provide you with the necessary credentials. We will use Shellfire VPN here.

Finally, you need a PC with an internet browser and the possibility to establish an SSH connection (optional since April 2023). Mac OS and Linux offer this possibility via the built-in terminal, under Microsoft Windows we use PuTTY for the SSH connection.

Installing Wireguard on the router

First we install the Wireguard software packages on the OpenWRT router. To do this, log into the LuCi web interface. It can typically be found at http://192.168.1.1/, but some routers use a different address. Depending on the installed OpenWRT version, the displayed windows may look slightly different, but the procedure is the same for all versions. First navigate to System -> Software.

Now click on “Update lists”. OpenWRT will now search for the latest available software packages.

Once this process has finished, search for the term “wireguard” and install the packages “kmod-wireguard”, “luci-proto-wireguard” or “luci-app-wireguard” and “wireguard-tools”.

Once the installation is complete, the next step is to create the keys.

Wireguard VPN Key Generation

Update April 2023: In the customer center on shellfire.net you can now find a configuration file download. This file already contains all keys, so you don’t have to generate your own keys. However, generating your own keys has certain advantages regarding the security of the encryption.

Wireguard uses so-called public key encryption. Both the VPN server and the client generate their own key pair. One of these keys is public (public key), while the other remains secret (private key). In order for the encryption to work, both partners need to know their own private keys as well as the public key of the other party. The first step is to create the key pair. To do this, we log in to the router via SSH, as mentioned above either via Terminal (mac OS / Linux) or via PuTTY (Windows). To log in via SSH, we need the IP address of the router and the router password. The username is “root”. In some circ*mstances you may need to enable SSH access in the router’s web interface first. So typically you would connect via SSH to 192.168.1.1.

Once successfully logged in, we first create the /etc/wireguard folder and then change to that folder.

mkdir /etc/wireguardcd /etc/wireguard

Now we generate the key pair.

wg genkey | tee privkey | wg pubkey > pubkey

Finally, we display both keys.

cat privkeycat pubkey

IMPORTANT: The private key must never fall into the wrong hands! As soon as an attacker knows your private key, he can decrypt any data encrypted with it.

With our keys we can now configure the Wireguard connection.

Configure Wireguard VPN Cilent

We now switch back to the LuCI web interface and navigate to Network -> Interfaces. Click on “Add new interface”.

Next, select a name for your connection as shown in the screenshot (we use “wg0” here) and specify “Wireguard VPN” as the protocol.

We now need to edit the settings of the new interface. Enter the connection parameters that we get from our VPN provider. In the case of Shellfire VPN, you will find these after logging into the customer center at shellfire.net and then selecting your VPN from the gray QuickAccess bar at the top of the screen. First we need the internal VPN IP address, the server address and the public key of the VPN server. Transfer this data to the OpenWRT web interface as shown in the screenshot.

Next, transfer the private key that you generated via the SSH connection (or the private key from your downloaded VPN configuration file) into the “Private Key” field (marked as 1. in the screenshot).

The following step can be skipped if the configuration file was used:

Click on “Edit” in the Customer Center (marked with 2.) and enter your public key generated via SSH there.

Enter 25 as Persistent Keep-Alive.

Warning: We would like to point out once again that you should never give away your private key.

If all values are correct, click on “Save & Apply”. The Wireguard interface is now almost completely configured.

Creating a firewall zone

Your router now needs a firewall configuration. This way it knows how to handle the data flowing through the Wireguard interface. Click in the OpenWRT LuCI interface on Network -> Firewall and then on “Add”. You can find the necessary settings in the following screenshot. When you are done, click “Save and Apply” here as well.

DNS settings

Your router now needs one or more DNS servers so that queries such as shellfire.de can be translated into the corresponding IP address. You can make this setting under Network -> DHCP and DNS. We enter the IP addresses 8.8.8.8 (Google DNS) and 208.67.222.222 (OpenDNS) under DNS forwarding. Other DNS services are also possible, you can find an overview here. Again, click on “Save & Apply”

Establishing the Wireguard connection

Everything should now be configured. In order for Wireguard to work, it is usually necessary to restart the router. To do this, you can restart the router under System -> Reboot. Alternatively, you can disconnect your router from the power supply for a few seconds and then reconnect it.

After the restart you can click on “Connect” under Network -> Interfaces next to your wg0 interface. The VPN connection is now established!

Verifying the Wireguard VPN connection

Once you have established the VPN connection, all data should automatically flow through the VPN. You can check your protection status at https://www.shellfire.net/status/. If you use another VPN provider, you can use websites like https://www.wieistmeineip.de/.

Troubleshooting

The most common problem with Wireguard connections is that an existing connection is displayed, but no data is flowing. This usually happens if either the wrong public/private key have been transmitted or a wrong internal ip address has been specified. So check these values first. When changing the VPN server, the internal ip address and the key of the server will always change and need to be updated in the router settings.

