Installing VPN on an OpenWrt Router

Step 1. Install OpenWrt on the Router

  1. Check that your router supports OpenWrt 23.05.0 or later.
  2. Install OpenWrt 23.05.0 or later on your router, ensuring you select the appropriate version for your specific router model.

You cannot use this guide to set up VPN on a router running OpenWrt 22.03.x or older.


Step 2. Install AmneziaWG on the OpenWrt Router

Before you begin, turn off the VPN on the device you will use to connect to the router.

  1. Open a command line/terminal and run ssh root@192.168.1.1, where 192.168.1.1 is your router's IP address. Depending on your network settings, your router may use a different IP address, for example, 192.168.0.1.
  2. Confirm that you want to continue by entering yes.
  3. Run ping github.com to make sure the router has internet access.
  4. Run the script below to install the AmneziaWG package on your router:

     sh <(wget -O - https://raw.githubusercontent.com/Slava-Shchipunov/awg-openwrt/refs/heads/master/amneziawg-install.sh)

  5. When the script finishes, enter n.

Special thanks to Slava Shchipunov for creating the script!

For more details about the script, see the author’s repository on GitHub.
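
The install command in this step executes, as root, whatever the master branch serves at that moment. The following is an added example (not part of the original guide or of the script author's repository) that downloads the script to a file, compares it with a SHA-256 digest you recorded after reading it, and runs it only on a match; the function names and the digest placeholder are assumptions.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it matches a digest you
# recorded when you reviewed it. Function names here are illustrative.

# Print the lowercase SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Return 0 only if the file's digest equals the expected 64-hex-char value;
# 1 on mismatch, 2 if the expected value is malformed.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex chars" >&2; return 2; }
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
}

# Download url to a temp file, verify it, then run it. Nothing is executed
# on a failed download or a mismatch. Set RUNNER=cat to print the verified
# script instead of running it.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp /tmp/installer.XXXXXX) || return 2
    rc=1
    if wget -q -O "$tmp" "$url" && verify_sha256 "$tmp" "$expected"; then
        rc=0
        ${RUNNER:-sh} "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# On the router, after reading the script and recording its digest
# (the digest below is a placeholder, not a real value):
# fetch_verify_run \
#   "https://raw.githubusercontent.com/Slava-Shchipunov/awg-openwrt/refs/heads/master/amneziawg-install.sh" \
#   "<sha256-you-recorded>"
```

Replacing refs/heads/master in the URL with a specific commit hash keeps the download from changing between your review and the install.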


Step 3. Create a VPN Connection on the Router

  1. Open the router settings in a web browser. To do this, enter the router's IP address in the address bar, for example, 192.168.1.1.
  2. Go to Network → Interfaces.
  3. Click Add new interface.
  4. Enter any name for your VPN interface, select the AmneziaWG VPN protocol, and click Create interface.
  5. Click Load configuration.
  6. Paste the full contents of the configuration file or drag and drop the file into the window, then click Import settings.

     How to get a configuration file:

       • in your Personal Dashboard (mirror) if you have an Amnezia Premium subscription
       • in the AmneziaVPN app if you have your own server — share VPN access in the AmneziaWG native format

  7. Go to the Advanced Settings tab and clear the Use default gateway checkbox.
  8. Go to the Firewall Settings tab. In Create / Assign firewall-zone, enter any name for the new zone (for example, awg) in the field below the list of existing zones, then press Enter.
  9. Go to the Peers tab and click Edit next to the imported configuration.
  10. Enable Route Allowed IPs, click Save, then click Save again.
  11. On the Interfaces tab, click Save & Apply.


Step 4. Configure the Router Firewall

  1. Go to Network → Firewall.
  2. Click Edit next to the lan zone.
  3. In Allow forward to destination zones, select the firewall zone you created earlier, then click Save.
  4. Click Edit next to the wan zone.
  5. Go to the Advanced Settings tab, set Use gateway metric to 100, and click Save.
  6. Click Edit next to the firewall zone you created earlier (for example, awg).
  7. Enable Masquerading and MSS clamping, then click Save.
  8. Click Save & Apply.


Step 5. Synchronize the Time on the Router

  1. Go to System → System.
  2. Go to the Time Synchronization tab, add the IP address of a time synchronization server (for example, 194.190.168.1), and click Save & Apply.


Step 6. Configure Routing

  1. Go to Network → Routing.
  2. Click Add to create a new rule.
  3. In Interface, select wan. In Target, enter the IP address of the time synchronization server and add /32 after it.
  4. Go to the Advanced Settings tab, set Metric to 1, and click Save.
  5. Click Add to create one more rule.
  6. In Interface, select your VPN interface. In Target, enter 0.0.0.0/0.
  7. Go to the Advanced Settings tab, set Metric to 20, and click Save.
  8. Click Save & Apply.
  9. Hover over System in the top menu and click Reboot.
  10. Click Perform reboot.


How to Update the VPN Settings Using a Different Configuration File

  1. Go to Network → Interfaces.
  2. Click Edit next to the VPN interface you created earlier.
  3. Click Load configuration.
  4. Paste the full contents of the new configuration file or drag and drop the file into the window, then click Import settings. Click OK to confirm the changes.
  5. On the Peers tab, click Delete next to the old configuration and Edit next to the new one.
  6. Enable Route Allowed IPs, click Save, then click Save again.
  7. On the Interfaces tab, click Save & Apply.

If something does not work, ask for help in the chat.