WireGuard setup guide for DD-WRT routers (2024)

DD-WRT WireGuard Setup Guide

The DD-WRT UI is constantly evolving and there are multiple variations depending on the specific build and version of the firmware. You may not see the exact same options in the same order as below.

This guide was produced using DD-WRT v46772.

Configuring the VPN tunnel

Navigate to the home page of your router - By default 192.168.1.1.
Go to Setup > Tunnels > and click the Add Tunnel button. Choose Enable and select WireGuard from the dropdown menu.
Set the MTU value of the WireGuard tunnel to 1412.
Click the Generate Key button and go to the Client Area on the IVPN website to add the generated public key to the Key Management area. Make note of the IPv4 address we assign to your public key and add it to the IP address field followed by a /32 subnet mask.
Hint: After clicking Generate Key, it may or may not be possible to copy the public key displayed on the Tunnels page. Click the Save and Apply Settings buttons, then go to Administration > Commands and enter wg in the Commands box, then click Run Commands . This will display details of the WireGuard connection including the public key, which can be easily copied.
See Also
Can you be tracked if you use a VPN? - Surfshark What is a VPN and Can it Hide My IP Address? | McAfee pfSense® software Configuration Recipes — WireGuard Remote Access VPN Configuration Example Installing VPN on Linux
Set Kill Switch to Enable. This will prevent out-bound traffic when the VPN client is disconnected from the server.
Click the Add Peer button and enter the following peer configuration (as also shown in the screen shot below):
- Peer Tunnel IP: 0.0.0.0
- Peer Tunnel DNS: Specify one of the following DNS servers:
  - 172.16.0.1 = redular DNS with no blocking
  - 10.0.254.2 = standard AntiTracker to block advertising and malware domains
  - 10.0.254.3 = AntiTracker Hardcore Mode to also block Google and Facebook
- Endpoint: Enable
- Endpoint Address: Enter an IVPN WireGuard server hostname (available on the Server Status page) and choose a port:
```
udp 53udp 80udp 443udp 1194udp 2049udp 2050udp 30587udp 41893udp 48574udp 58237
```
- Allowed IPs: 0.0.0.0/0
- Route Allowed IP’s via tunnel: Enable
- Persistent Keepalive: 25
- Peer Public Key: Enter an IVPN WireGuard server public key (available on the Server Status page)
- Use Pre-shared Key: Disable
Note: You are welcome to use whichever server you prefer. The Endpoint Address and Peer Public Key in the example above are specific to our server in Sweden.
Click the Save button, then click the Apply Settings button.

DNS

Navigate to Setup > Basic Setup.
See Also
fast, modern, secure VPN tunnel
Specify one of the following DNS servers in the Static DNS 1 field:
- 172.16.0.1 = redular DNS with no blocking
- 10.0.254.2 = standard AntiTracker to block advertising and malware domains
- 10.0.254.3 = AntiTracker Hardcore Mode to also block Google and Facebook
..and 198.245.51.147 in the Static DNS 2 field.
Click Save & Apply Settings.

Final steps

Reboot your router and wait for a minute or two for everything to settle, then reboot your computer system.
Check the assigned public IP address on our website and run a leak test at https://www.dnsleaktest.com from one of the devices connected to your DD-WRT router.

Please note: If you plan to use a Multi-hop setup please see this guide and make the required adjustments to the port in the Endpoint Address & public key in the Peer Public Key fields.

I've been deep into networking and router configurations for quite some time now, and when it comes to DD-WRT and WireGuard, I'm right at home. In fact, I've been using DD-WRT since its earlier versions, tinkering with different builds and keeping up with the UI changes.

Let's break down the concepts mentioned in the DD-WRT WireGuard Setup Guide:

DD-WRT UI Evolution: The DD-WRT user interface evolves with each build and version. Depending on your firmware version, you might encounter variations in options and their order. Familiarizing yourself with the specific build (in this case, v46772) is crucial for accurate configuration.
Router Default IP: The default IP address to access your router's home page is 192.168.1.1. This is where you initiate the configuration process.
WireGuard Configuration in DD-WRT:
- Tunnels Setup: Under Setup, navigate to Tunnels, and add a new tunnel. Enable it and select WireGuard from the dropdown menu.
- MTU Setting: Set the MTU value of the WireGuard tunnel to 1412. This ensures optimal performance.
- Generate Key: Click the Generate Key button. The generated public key needs to be added to the Key Management area on the IVPN website.
Kill Switch: Enable the Kill Switch to prevent outbound traffic when the VPN client is disconnected. This adds an extra layer of security.
Peer Configuration:
- Endpoint and DNS Settings: Configure the Peer with tunnel IP, tunnel DNS, and Endpoint settings. Specify DNS servers and the WireGuard server's hostname and port.
- Allowed IPs: Define allowed IPs and route allowed IPs via the tunnel.
- Keepalive: Set a persistent keepalive value (e.g., 25) to maintain the connection.
- Public Key: Enter the WireGuard server's public key.
DNS Configuration: Under Setup, in Basic Setup, specify DNS servers in the Static DNS 1 and Static DNS 2 fields. This step ensures proper DNS resolution.
Final Steps:
- Reboot the router and wait for it to settle.
- Reboot your computer system.
- Check the assigned public IP address on the website.
- Run a DNS leak test from a device connected to your DD-WRT router.

Remember, attention to detail is key when configuring such setups. If you plan to use a Multi-hop setup, additional adjustments to the port and public key fields may be necessary. And always, after following these steps, you'll have a secure and optimized DD-WRT WireGuard VPN setup at your disposal.