WireGuard on OpenWrt Router with WAN6
Using WireGuard on an OpenWrt router is already straightforward for IPv4 traffic, but if your router also has a WAN6 interface, you’re dealing with dual-stack networking and need to decide how IPv6 will behave.
This guide explains how to configure WireGuard to work alongside WAN6 in different scenarios — from IPv4-only VPN setups to full IPv4 + IPv6 tunneling.
Understanding the Components
Before touching the configuration, you need to understand what’s happening under the hood.
| Term | Meaning |
|---|---|
| WAN | Your IPv4 internet interface on OpenWrt |
| WAN6 | Your IPv6 internet interface on OpenWrt |
| WireGuard Interface (wg0) | Virtual network interface for the VPN tunnel |
| Allowed IPs | Determines which IP ranges will be routed through WireGuard |
| Route Allowed IPs | Tells OpenWrt to create routes for those Allowed IPs |
Key Point:
WAN and WAN6 are separate in OpenWrt’s firewall. If you want both IPv4 and IPv6 traffic to pass through WireGuard, your VPN configuration and firewall rules must handle both.
Installing WireGuard on OpenWrt
SSH into your router or use LuCI’s web interface.
bashCopyEditopkg update
opkg install wireguard-tools luci-proto-wireguard
This will:
- Install the
wgcommand for managing WireGuard - Add LuCI GUI support for WireGuard
Creating the WireGuard Interface
In LuCI → Network → Interfaces → Add New Interface:
- Name it
wg0 - Protocol: WireGuard VPN
- Assign firewall zone:
wan(which should already include WAN6 for IPv6 outbound) - Add your private key
- Add addresses (IPv4 and IPv6 if supported):
Example:
cppCopyEdit10.8.0.2/24, fd00:abcd::2/64
If your VPN only supports IPv4, omit the IPv6 address.
Adding a Peer
Still in the wg0 settings:
- Public Key: Provided by your VPN server
- Allowed IPs: Controls what traffic goes into the tunnel
| Scenario | Allowed IPs Example |
|---|---|
| IPv4 only | 0.0.0.0/0 |
| IPv6 only | ::/0 |
| IPv4 + IPv6 | 0.0.0.0/0, ::/0 |
| Split tunnel IPv4 only, keep ISP IPv6 | 0.0.0.0/0 (leave wan6 active) |
- Endpoint Host: VPN server hostname or IP
- Endpoint Port: Usually
51820 - Persistent Keepalive:
25seconds for NAT connections
Firewall Setup with WAN6
OpenWrt uses zones to control traffic. The wan zone should already include both wan and wan6 interfaces.
In LuCI → Network → Firewall → Zones:
- Add
wg0to the same zone aswanso it shares rules for both IPv4 and IPv6. - Ensure Masquerading is enabled if needed by your VPN.
- Enable MTU fix to avoid fragmentation issues.
Example /etc/config/firewall snippet:
plaintextCopyEditconfig zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wg0'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
Routing Strategies
Option A – Tunnel Both IPv4 and IPv6
- Set
Allowed IPsto0.0.0.0/0, ::/0 - Disable native WAN6 interface if you don’t want leaks
- All traffic goes through VPN
Option B – Tunnel IPv4 Only
- Set
Allowed IPsto0.0.0.0/0 - Keep WAN6 active for direct IPv6 access via ISP
- Lower latency for IPv6 sites
Option C – Tunnel IPv6 Only
- Set
Allowed IPsto::/0 - Keep WAN active for IPv4 direct access
Testing and Verification
Check interfaces:
bashCopyEditip addr show wg0
Check routes:
bashCopyEditip route show
ip -6 route show
Verify VPN connection:
bashCopyEditwg show
Check your IP:
- For IPv4:
curl -4 ifconfig.co - For IPv6:
curl -6 ifconfig.co
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| WireGuard not connecting | Wrong keys, blocked port | Check server config, try a different port |
| IPv6 leaks | WAN6 still active when tunneling both | Disable WAN6 interface |
| Slow speeds | MTU mismatch | Set MTU to 1420 on wg0 |
| Only IPv4 works | VPN provider doesn’t support IPv6 | Use IPv4-only routing |
Final Guide WireGuard on OpenWrt Router with WAN6
