
OpenWrt + WireGuard: the complete 2026 setup + multi-site guide

OpenWrt has shipped WireGuard natively since 19.07. This guide covers what your router can actually do, how to set it up in LuCI or the CLI, the performance you can expect on common chipsets, and what to do when one router becomes ten branches.

Does OpenWrt support WireGuard?

Yes — OpenWrt has shipped WireGuard support natively since OpenWrt 19.07, released in January 2020. On modern OpenWrt builds (22.03, 23.05, and 24.10) WireGuard is in the default LuCI web interface. On older firmware you install the wireguard-tools and luci-app-wireguard packages from opkg.

The kernel module ships in the standard OpenWrt build for almost every supported architecture — ath79, ramips, ipq40xx, ipq807x, mvebu, x86_64 — which covers the chipsets in nearly every TP-Link, GL.iNet, Linksys, Asus, and NETGEAR router that runs OpenWrt. If your router is on the official supported devices list, you almost certainly have WireGuard available.

There is one exception worth knowing about: very low-RAM devices (16 MB or less) sometimes drop the WireGuard kernel module from the build to save space. If opkg install kmod-wireguard says "package not found," that's the likely cause.

How OpenWrt's WireGuard actually works

WireGuard on OpenWrt is configured the same way every other network interface is — through /etc/config/network, edited either by hand or via LuCI's web UI. There is no separate WireGuard service, no daemon to start, and no userspace tunnel process. The kernel module handles encryption directly; OpenWrt's normal routing table and firewall rules apply to the resulting wg0 interface like they would to any other.

That single design choice — WireGuard as a first-class kernel interface — is why it integrates so cleanly with OpenWrt and why the configuration is so much shorter than the equivalent OpenVPN setup. There is no certificate management, no TLS handshake to debug, no CA to rotate. Every peer has a fixed public key, and a configuration file lists every peer the local node is allowed to talk to.

The result on a working tunnel is summarized by one command: wg show wg0. It prints the local public key, the listen-port, every peer's public key, the last handshake time, and the bytes transferred. If a peer isn't listed in wg show, the kernel has never accepted a packet from it.
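As an added example (not part of the original guide and not OpenWrt or MeshWG code), the script below reads the machine-readable form of the same data, `wg show wg0 dump`, and classifies each peer by handshake age. The 180-second threshold, the function names and the sample dump are assumptions made for the example.

```shell
#!/bin/sh
# Added example. `wg show wg0 dump` prints one tab-separated line per peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# The first line describes the interface (private-key, public-key, port, fwmark).
# It contains the private key, so never write the raw dump to a log.

# wg_peer_health NOW MAX_AGE   (dump text on stdin)
# Prints "<status> <public-key> <handshake-age-seconds>" for every peer and
# returns 0 only when every peer is OK.
wg_peer_health() {
    awk -F '\t' -v now="$1" -v max="$2" '
        NF < 8 { next }                      # interface line, skip it
        {
            hs = $5 + 0                      # epoch seconds; 0 = no handshake yet
            if (hs == 0)             { print "NEVER", $1, "-"; bad = 1 }
            else if (now - hs > max) { print "STALE", $1, now - hs; bad = 1 }
            else                       print "OK", $1, now - hs
        }
        END { exit bad + 0 }'
}

# Constructed sample dump (placeholder keys, documentation IP addresses).
sample_dump() {
    printf 'PRIVKEY_PLACEHOLDER\tHUB_PUBKEY_PLACEHOLDER\t51820\toff\n'
    printf 'PEER_A_PLACEHOLDER\t(none)\t203.0.113.10:51820\t10.100.0.3/32\t1700000570\t1024\t2048\t21\n'
    printf 'PEER_B_PLACEHOLDER\t(none)\t203.0.113.11:51820\t10.100.0.4/32\t1700000100\t512\t256\t21\n'
    printf 'PEER_C_PLACEHOLDER\t(none)\t(none)\t10.100.0.5/32\t0\t0\t0\toff\n'
}

# On a router: wg show wg0 dump | wg_peer_health "$(date +%s)" 180
# The age check is only meaningful for peers with keepalive or steady traffic.
sample_dump | wg_peer_health 1700000600 180 || echo "at least one peer needs attention"
```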

Setup with LuCI (recommended for most)

The LuCI flow is the right path for a one-router single-site setup. For multi-router or many-peer setups, the CLI path described next is faster.

  1. SSH to the router. Connect to your OpenWrt router's LAN address — by default ssh root@192.168.1.1.
  2. Install the packages. Run opkg update && opkg install wireguard-tools luci-app-wireguard kmod-wireguard. On modern OpenWrt builds the kernel module is usually already present; opkg will skip what's installed.
  3. Generate the keypair. Either run wg genkey | tee privatekey | wg pubkey > publickey on the router itself, or generate the keys on your laptop and paste them in.
  4. Open LuCI in a browser. Navigate to Network → Interfaces → Add new interface. Name it wg0 (or whatever you prefer; the name is local), and select WireGuard VPN as the protocol.
  5. Configure the interface. Paste your private key. Set a listen-port (51820 is the convention but anything works). Set an IPv4 address that won't collide with anything else on the mesh — 10.100.0.2/16 is a common choice. Save.
  6. Add a peer. Open the new interface, switch to the Peers tab, and click Add Peer. Paste the remote public key, set Allowed IPs (typically the remote overlay /32 plus any LAN subnet you want to reach behind that peer), set Endpoint Host and Endpoint Port if the remote has a stable public address, and set Persistent Keepalive to 21 seconds if the local router is behind NAT.
  7. Attach to a firewall zone. Under Network → Firewall → Zones, attach wg0 to the lan zone, or create a dedicated vpn zone with input/forward rules that match your security posture.
  8. Restart networking. Run /etc/init.d/network restart on the router and confirm with wg show that a handshake has completed within a few seconds of the peer also being configured.

Setup with the CLI (for headless or automation)

If you're configuring more than two routers, the LuCI flow becomes tedious. The same configuration can be set via UCI commands directly:

uci set network.wg0='interface'
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key='YOUR_PRIVATE_KEY'
uci add_list network.wg0.addresses='10.100.0.2/16'
uci set network.wg0.listen_port='51820'

uci add network wireguard_wg0
uci rename network.@wireguard_wg0[-1]='wg0_hub'
uci set network.wg0_hub.public_key='REMOTE_PUBLIC_KEY'
uci set network.wg0_hub.endpoint_host='hub.example.com'
uci set network.wg0_hub.endpoint_port='51820'
uci set network.wg0_hub.persistent_keepalive='21'
uci add_list network.wg0_hub.allowed_ips='10.100.0.0/16'

uci commit network
/etc/init.d/network restart

This is the format MeshWG generates if you pick the OpenWrt option in our vendor config picker — paste-ready, no values to edit. For OpenWrt automation, the CLI form is also the format Ansible's community.general.uci_set module expects.

Performance on common chipsets

WireGuard's throughput on OpenWrt is almost entirely CPU-bound: there is no hardware encryption offload on consumer routers, so the symmetric-crypto performance of the SoC sets the ceiling. The realistic numbers across the OpenWrt-supported chipset families:

| Chipset family | Example routers | WireGuard throughput |
|---|---|---|
| IPQ8074 (4-core ARM A53 @ 2.2 GHz) | Linksys MR9600, NETGEAR RAX120 | 500–900 Mbps |
| IPQ807x / IPQ806x | Linksys WRX36, Dynalink DL-WRX36 | 400–700 Mbps |
| IPQ40xx (4-core ARM A7) | GL.iNet B1300, ZyXEL NBG6817 | 150–250 Mbps |
| mt7621 (MIPS dual-core) | Linksys E5600, Xiaomi Mi Router 4A | 50–80 Mbps |
| ath79 (MIPS single-core) | TP-Link Archer C7, GL.iNet AR750 | 30–60 Mbps |
| x86_64 (any modern CPU) | Mini-PC, virtualised firewall | 1+ Gbps (line-rate) |

WireGuard is consistently 3–5× faster than OpenVPN on the same hardware, and 2–3× faster than IPsec in pure-software mode. For most Indian SMB branch deployments the local internet uplink (50–200 Mbps) is the binding constraint, not the router's WireGuard performance, on anything mt7621 or newer.

When one router becomes ten branches

OpenWrt's WireGuard implementation is excellent at one thing: a single tunnel between two specific endpoints. It becomes painful when the operator wants any of the following:

  • Three or more sites, fully meshed. Three sites require three peer-pair configurations across six router config files. Ten sites require forty-five. Hand-maintaining this works for a single technical operator; it does not work for a multi-branch business where each branch is configured by a local IT contractor.
  • One router goes down and a new key has to be distributed. Every other router in the mesh needs its peer list updated. Without a central place that holds the canonical peer list, half the sites will end up out of sync within a quarter.
  • Per-peer access policy. WireGuard's AllowedIPs is route-and-encryption combined; you cannot say "allow this peer to reach that LAN but not the other LAN" without a firewall rule on top, applied at the destination. For multi-branch, that means firewall rules in every router, with no central place to audit them.
  • NAT traversal across CGNAT or double-NAT. WireGuard handshakes initiate outbound, so a peer behind CGNAT can reach a peer with a public endpoint. But two peers both behind CGNAT cannot directly reach each other — they need a relay. OpenWrt does not include a relay layer; that's where a managed service that runs the relay (and rotates it across regions for latency) earns its keep.
  • Visibility. wg show is the only diagnostic. Across 10 routers that's 10 SSH sessions to read 10 outputs to answer "is everything working?"
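The per-peer access policy point above, together with the dedicated vpn zone mentioned in the LuCI steps, as an added example (not part of the original guide and not MeshWG code). The function prints UCI firewall commands for review rather than running them; the zone name `vpn`, the rule name, the peer address 10.100.0.3 and the LAN 192.168.1.0/24 are constructed values.

```shell
#!/bin/sh
# Added example. vpn_zone_uci PEER_IP LAN_CIDR
# Prints (does not run) UCI commands that give wg0 its own firewall zone and
# let one peer's overlay address reach one LAN subnet behind this router.
# No "forwarding" section is created, so nothing else crosses from vpn to lan,
# and input=REJECT keeps tunnel peers away from the router's own services.
vpn_zone_uci() {
    peer_ip=$1
    lan_cidr=$2
    # Both values are pasted into shell commands: allow digits, dots, slash only.
    for v in "$peer_ip" "$lan_cidr"; do
        case $v in
            ''|*[!0-9./]*) echo "invalid address: $v" >&2; return 1 ;;
        esac
    done
    cat <<EOF
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci add_list firewall.@zone[-1].network='wg0'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add firewall rule
uci set firewall.@rule[-1].name='vpn-peer-to-lan'
uci set firewall.@rule[-1].src='vpn'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].src_ip='$peer_ip'
uci set firewall.@rule[-1].dest_ip='$lan_cidr'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
EOF
}

# Constructed values: peer overlay 10.100.0.3, local LAN 192.168.1.0/24.
vpn_zone_uci 10.100.0.3 192.168.1.0/24
```

After reviewing the output, run it on the router and reload the firewall with /etc/init.d/firewall restart.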

How MeshWG fits with OpenWrt

MeshWG is a hosted mesh layer that runs above OpenWrt's native WireGuard. Your router continues to use exactly the same kernel module and the same /etc/config/network file; MeshWG provides:

  • Generated configuration. For each OpenWrt router you add, MeshWG produces a paste-ready UCI command block (the format shown in Setup with the CLI above) with every peer pre-populated. When a new site joins the mesh, MeshWG regenerates everyone's AllowedIPs so you don't have to.
  • Central policy. Allow / deny rules between any two devices are configured once in the dashboard. The rules are pushed to the controlling layer; the routers don't need per-site firewall changes to enforce them.
  • NAT traversal. The relay layer handles the double-CGNAT case automatically; your routers don't change their configuration.
  • Visibility. A single dashboard view of every peer's last handshake, transferred bytes, and connection state — no SSH-ing into ten routers to read ten wg show outputs.
  • Honest billing. First two routers are free forever. After that, ₹349/router/month billed annually (or ₹499/router/month month-to-month), in INR via Razorpay. No per-tunnel charges, no enterprise paywall.

The OpenWrt + MeshWG combination is what most multi-branch buyers actually want: keep your existing OpenWrt firmware, your existing routers, your existing firewall rules — add a mesh layer on top that handles the parts that don't scale.

Frequently asked questions

Does OpenWrt support WireGuard?

Yes. OpenWrt has shipped WireGuard support natively since OpenWrt 19.07, released in January 2020. On modern OpenWrt builds (22.03, 23.05, and 24.10) WireGuard is in the default LuCI web interface; on older firmware you install the wireguard-tools and luci-app-wireguard packages from opkg. The kernel module is included in the standard OpenWrt build for almost every supported architecture, including ath79, ramips, and ipq40xx — the chipsets in most TP-Link, GL.iNet, and Linksys routers.

How do I install WireGuard on OpenWrt?

On OpenWrt 19.07 or later, log in to your router by SSH and run: opkg update && opkg install wireguard-tools luci-app-wireguard kmod-wireguard. Then refresh the LuCI web interface. The WireGuard option appears under Network → Interfaces → Add new interface, with 'WireGuard VPN' as a selectable protocol. Most builds ship the kmod-wireguard kernel module pre-installed; the opkg install is what makes the LuCI configuration UI appear.

Can OpenWrt handle WireGuard at wire speed?

On modern ARM-based OpenWrt routers (such as those with the IPQ8074 chipset like the Linksys MR9600 or Asus AX-series) WireGuard typically achieves 200–500 Mbps single-tunnel throughput. On MIPS-based routers (TP-Link Archer C7, many older Linksys models) expect 50–100 Mbps. Throughput is CPU-bound; encryption is unaccelerated, so the CPU's symmetric-crypto performance is the ceiling. WireGuard is consistently 3–5× faster than OpenVPN on the same hardware.

What is the difference between WireGuard as a VPN server and a VPN client on OpenWrt?

OpenWrt's WireGuard interface is symmetric — the same protocol implementation acts as either side of a tunnel. The 'server' role just means the side with a stable public endpoint that the other side connects to. In a hub-and-spoke topology for multiple branches, the central router is the server (with a stable public IP and the listen-port configured); each branch is a client. For peer-to-peer between two specific sites, either side can be the listener.

How do I configure WireGuard between multiple OpenWrt routers?

Each peer pair requires its own keypair exchange and an entry in each side's wg0 peer list. For three sites that's three keypair exchanges; for ten sites it is forty-five. The pragmatic approach for more than three sites is a hub-and-spoke layout (one central listener, each branch peers only with the hub), which reduces the configuration surface from N×(N−1)/2 to N. Hub-and-spoke is what managed mesh services like MeshWG generate automatically; it is what you would end up writing by hand.
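For a hand-maintained hub, the peer list can be generated from one inventory file instead of being typed per site. The script below is an added example (not part of the original guide and not MeshWG's generator); the inventory format, site names, addresses and placeholder keys are assumptions. It goes slightly beyond the CLI block earlier on the page by validating every field and by scoping each spoke's allowed_ips to its own /32 and LAN.

```shell
#!/bin/sh
# Added example: build the hub's peer sections from a spoke inventory.
# Assumed inventory format, one spoke per line:
#   name  public_key  overlay_ip  lan_cidr
# Each spoke gets only its own /32 and its own LAN in allowed_ips, so the hub
# drops packets from that peer that claim any other source address.
hub_peers_uci() {
    rc=0
    while read -r name pub ip lan extra; do
        case $name in ''|'#'*) continue ;; esac
        # Fields are pasted into shell commands: validate before emitting.
        case $name in *[!A-Za-z0-9_]*) name= ;; esac
        case $pub in *[!A-Za-z0-9+/=]*) pub= ;; esac
        case $ip$lan in *[!0-9./]*) ip= ;; esac
        if [ -z "$name" ] || [ ${#pub} -ne 44 ] || [ -z "$ip" ] ||
           [ -z "$lan" ] || [ -n "$extra" ]; then
            echo "rejected inventory line" >&2
            rc=1
            continue
        fi
        cat <<EOF
uci add network wireguard_wg0
uci rename network.@wireguard_wg0[-1]='wg0_$name'
uci set network.wg0_$name.public_key='$pub'
uci add_list network.wg0_$name.allowed_ips='$ip/32'
uci add_list network.wg0_$name.allowed_ips='$lan'
EOF
    done
    # Only offer the commit when every line passed validation.
    if [ "$rc" -eq 0 ]; then echo "uci commit network"; fi
    return $rc
}

# Constructed inventory; the keys are 44-character placeholders, not real keys.
sample_inventory() {
    printf 'pune %s 10.100.0.3 192.168.3.0/24\n' "$(printf '%043d=' 1)"
    printf 'kochi %s 10.100.0.4 192.168.4.0/24\n' "$(printf '%043d=' 2)"
}

sample_inventory | hub_peers_uci
```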

What is OpenWrt WireGuard LuCI?

LuCI is OpenWrt's web administration interface. luci-app-wireguard is the package that adds a WireGuard configuration page to it, under Network → Interfaces. With the package installed, you create a WireGuard interface, paste in the private key and listen port, and add peers (public key, allowed IPs, endpoint) through the web UI rather than editing /etc/config/network by hand. The UI writes to the same UCI configuration file the CLI uses.