How To Set Up A VPN On A Router // Wireguard on OpenWrt

  • Published: 29 Sep 2024

Comments • 372

  • @DevOdyssey
    @DevOdyssey  3 years ago +4

    What's another use case for a VPN on your router?
    Split tunneling, failover or something else?

    • @futuresocieties.
      @futuresocieties. 3 years ago +1

      There are too many use cases to count! Encrypting your traffic over the air is a no-brainer; encryption itself is self-explanatory, and that by itself holds a lot of mass. You have the choice to choose your ISP, or subscribe to a VPN service that at least claims to respect your privacy. Most importantly, it depends on which VPN provider you trust, as you are essentially now routing your communication to a different provider, while still getting your internet connection supplied, of course, from your ISP. I recommend everyone do their research on which VPN is most suitable for them; I would consider them mandatory.
      Since BitTorrent makes up a large proportion of total traffic, some ISPs have chosen to "throttle" (slow down) BitTorrent transfers.
      In August 2007, Comcast was preventing BitTorrent seeding by monitoring and interfering with the communication between peers.
      en.wikipedia.org/wiki/AT%26T#Criticism_and_controversies
      Here is an interesting example; this one was the fault of an incompetent employee at AT&T that resulted in a "SIM swap" attack, thus losing one man quite a fortune, arguably.
      www.zdnet.com/article/at-t-dragged-to-court-again-over-sim-hijacking-and-cryptocurrency-theft/
      We see continuously how power is abused with great power, centralized through ISPs. VPNs take back the extensive amount of power they have; they are absolutely essential. Everything has its own use case, its own threat model.
      VPNs along with encrypted DNS over TLS (Network Layer 3) with DNSSEC can go a long way.

    • @DevOdyssey
      @DevOdyssey  3 years ago +1

      Fascinating write up @TheGreatNorris, I couldn't agree more! In my opinion, networking / internet / etc are all about freedom and choice, and generally come at the cost of privacy or convenience. VPNs do certainly help with the freedom aspect, where you pay them not to "mine your data" AKA privacy. But also that comes with trust where you have to believe they aren't logging your network traffic. We can't personally validate that but all we can do is place our faith in them. That's really what you pay for with a VPN, trust. Everyone should do their due diligence before going with a VPN provider, some have been even taken advantage of and they actually logged the traffic of their users.
      Not surprised about them slowing down BitTorrent. I personally believe the internet is a utility and should not have traffic throttled based on type. I do understand why but I don't think the benefits outweigh the costs, especially to consumers. VPNs can certainly help get around that, though at the cost of going out another server.
      Another interesting article with regards to AT&T. It's surprising, and yet it isn't, how these small things happen that cause huge damages, and the consumer is left out to hang.
      I do like the idea of community mesh networks, that get away from decentralized ISPs, but that's not prevalent enough yet, still in its infancy. But until then VPNs help in their own way, and we all have to evaluate it from many perspectives, ever increasingly via a threat model.
      Lastly, that extra DNS over HTTPS (DoH) or TLS will get ever increasing adoption, and DNSSEC is a great addition too so you can have confidence in the DNS responses you get. Actually my next video is getting into setting up your own DNS a bit more, and how that can improve your security posture. All in all, a few configurations, that are fairly static, can go a very long way.

    • @ramonoesamuel1506
      @ramonoesamuel1506 3 years ago

      There might be problems with network adapter network icon status connection using VPN, adapter is not working correctly to be connected. I am connected with VPN using IP address, I take a blame network adapter @@DevOdyssey

    • @DevOdyssey
      @DevOdyssey  3 years ago

      @@ramonoesamuel1506 That is possible the virtual network adapter could be having issues, though the code base for wireguard is pretty solid to be able to spin up virtual network adapters / interfaces, so there may be something else conflicting with it, like the physical adapter itself. It's definitely hard to tell without some good debugging logs that specifically say where any failures or conflicts are happening. At least with the log information, you can google those errors and see where it leads you.

    • @eroldp4106
      @eroldp4106 3 years ago +1

      Hi, I have a problem with my LTE router, which is based on OpenWrt. Would you help me please?

  • @gowtham1598
    @gowtham1598 1 month ago

    Thanks for this amazing tutorial. Using with WARP, works great. But my IPv6 doesn't seem to route via WireGuard. Any suggestions???

    • @DevOdyssey
      @DevOdyssey  1 month ago

      You're welcome, thanks for watching @gowtham1598!
      I have been seeing my viewers saying they are able to get it working with WARP successfully. As for IPv6 not routing, I can't be so certain why. I assume you have set it up with the correct routing rules (i.e. Allowed IPs to be all IPv6 IPs, ::0/0). A good follow up is if WARP is giving you an IPv6 IP to use for your VPN. If not, that could be a reason. Or if IPv6 to IPv4 translation isn't being done (depending on the origin type of the traffic and what IP version it's going out on, 4 or 6). What troubleshooting have you done in regards to IPv6 routing?

  • @MightyTinker
    @MightyTinker 8 months ago

    Thanks, this is gold, it worked a charm!

    • @DevOdyssey
      @DevOdyssey  8 months ago

      Thanks for watching @MightyTinker! I appreciate the compliment and happy to hear it worked easily for you 😊

  • @JenNittahl
    @JenNittahl 3 months ago +2

    Thank you, it worked. Though, when I stop the WireGuard interface, I can't connect to any website anymore. To get it to work again, I have to tick the box at "Use the DNS servers advertised by peer" in the WAN interface again, any idea how to fix that?

    • @DevOdyssey
      @DevOdyssey  2 months ago

      Thanks for watching @Anonym12393! Glad to hear it worked.
      So what this seems to indicate here is that your DNS server is not accessible outside of the tunnel, and therefore DNS requests are failing (and therefore any other requests that rely on DNS). You can remediate this by using a Cloudflare DNS or simply making sure the DNS server is accessible outside of the tunnel. I believe Mullvad has DNS servers that are public that you can use, but obviously feel free to use one you trust.

  • @wznzgq1354
    @wznzgq1354 2 years ago +1

    Hey man, I have two more interfaces I have created for 2.4GHz and 5GHz radio WiFi in my router, do I just repeat the same steps for them?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching wzn zgq!
      Great question. So for this, I'm not sure exactly what steps you are referring to, but if you do this process once, you shouldn't have to do it again after creating 2.4 GHz and 5 GHz WiFi radios / interfaces. The most important part, to have devices that connect to those WiFi networks, is to make sure that those WiFi networks use the same LAN network. This is because at 9:00 in the video, we configure the VPN zone, and we have the LAN zone forward traffic out through the VPN zone, which allows our traffic on the local network to go out through the VPN.
      This can also be a great use case for if you don't want a certain WiFi network to use the VPN. You simply choose (or create) a different network, that's not connected to the VPN zone, and it should use the WAN interface for internet.

    • @wznzgq1354
      @wznzgq1354 2 years ago +1

      @@DevOdyssey Thanks a lot

    • @wznzgq1354
      @wznzgq1354 2 years ago +1

      @@DevOdyssey One other question, how can I make exceptions for certain apps after I installed WireGuard on my OpenWrt router? For example I want Steam and video games to connect directly without VPN, for a better ping. Or maybe other apps too.

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      @@wznzgq1354 Sure, another good question. Sorry for the late reply, this comment ended up in my spam for some reason. Anyway, the way you would deal with this scenario is by using VPN policy routing. This allows you to define specific domains / IP addresses to bypass the VPN, and go directly through the WAN connection. I do not have personal experience with this yet, but I hope to try it out one day. You can refer to the links below to get more information and get started.
      forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389
      docs.openwrt.melmac.net/vpn-policy-routing/

  • @taksela
    @taksela 1 year ago +1

    Is it possible to create multiple Wireguard interfaces to connect to different servers? Let's say I have server1, server2 and 3 and I want to assign my client1 to connect to server1, and vice versa

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching @taksela!
      Yes it is certainly possible. While you could create these three wireguard tunnels and do some manual routing to send traffic from the different clients to these servers / wireguard tunnels, you can also utilize Policy Based Routing to achieve this same functionality without having to write the manual routing rules. I actually made a video on this (linked below) which should be perfect for what you’re looking for.
      ruclips.net/video/FN2qfxNIs2g/видео.html

    • @taksela
      @taksela 1 year ago

      @DevOdyssey Thank you, really appreciate your prompt response. Keep up the good job! 👍

    • @DevOdyssey
      @DevOdyssey  1 year ago

      @@taksela You're welcome! Glad to help and happy to have another fan. More great videos to come 😊

  • @wznzgq1354
    @wznzgq1354 2 years ago +1

    In this setup what happens if the Mullvad server suddenly stops working, or the connection with their server gets interrupted? Will the internet on the router be blocked or will it switch to the ISP directly?

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      In this set up, if the Mullvad server stops working, technically your internet connection for devices that are using the VPN for internet will stop. This is because the metrics for the routing table prioritize the VPN interface over the WAN interface. Shutting down the VPN interface automatically shifts the internet through the WAN connection, as the routing metrics are used to determine the priority of the route for the packet to take.
      Now, there is a package called mwan3, that is more configurable and can actually shift the internet connection automatically from the VPN to the WAN interface, if the internet through the VPN interface goes down / stops working / etc. This is usually determined by ping tests going out through the VPN interface to monitor its uptime / status. So if you are looking to achieve this automatic shifting of routes between the interfaces, I'd recommend implementing mwan3. The link below should have some good documentation on mwan3 and for setting it up for yourself.
      openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

    • @wznzgq1354
      @wznzgq1354 2 years ago +1

      @@DevOdyssey Thanks. No, I wanted this setup as you did in the video, I want internet to be shut down if the VPN stops working, unless I stop the WireGuard interface in LuCI myself. Thanks a lot

  • @vanhoeppen
    @vanhoeppen 3 months ago

    What reason could there be, after the VPN correctly handshaking, but my public IP stays the same? Gateway metric is much lower on the VPN than the WAN interface but still my public IP is the one from my ISP. Help would be appreciated!

    • @DevOdyssey
      @DevOdyssey  3 months ago +1

      Thanks for watching @vanhoeppen! When I read this, it sounds to me like your traffic is not being routed through the tunnel. When you look at the TX and RX traffic for the WireGuard interface, do you notice it increasing normally, or is it barely increasing? Given your gateway metrics, it should prioritize the VPN Gateway.
      Can you check your route table and make sure the default route is set to the WireGuard VPN interface / IP? You can also try running a curl command and specify the WireGuard interface within your command and that should help you verify if traffic can go through that interface.

    • @vanhoeppen
      @vanhoeppen 3 months ago

      Wow! It is a rare thing to have a YT creator actually answer to a comment/question! Much appreciated, good Sir! Thanks!
      Alright. Sadly the traffic count of the VPN interface does not change anymore after some initial MBs directly after configuration. Also, I get a handshake confirmation in the Wireguard status section. But that's it.
      Please, I cannot for the life of me find the default route setting! Where is this?

    • @DevOdyssey
      @DevOdyssey  3 months ago +1

      @vanhoeppen you’re welcome! I try my best to respond to everyone, and while it takes a lot of effort, your appreciation is felt and admired!
      So it does seem like it’s a routing issue. So you can find your routes by logging in over SSH and simply typing in “route” command. That will spit out all your routes, including the default one, which will be at the top, and it should show you if this default route is the VPN. If it’s not, then you can go back to your vpn peer configuration and check off a box that “Route Allowed IPs”. I did this in the video and it should work, but if for some reason it doesn’t, you’d have to create that route manually. But you don’t want it in there twice (it shouldn’t even work if you tried) so first make sure this is the situation. If so, then create the route using the route command. Googling it should help you get the proper command and switches.
      Be cautious here since if you do the route wrong you can basically cut off internet access so you’ll want to know how to delete the route too just in case it doesn’t work.
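
Added example, not part of the video or of any comment above: the route check suggested in this thread, as a small POSIX shell script for the router. It reads `ip -4 route show` output (IPv4 only) and reports which interface carries internet-bound traffic; the interface name `wg0`, the function names and the sample routing tables are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the video or the comment thread).
# Works out which interface internet-bound IPv4 traffic leaves through,
# from the text printed by `ip -4 route show`.

# Constructed sample: tunnel up with "Route Allowed IPs" ticked, so the
# WireGuard default route (metric 10) outranks the WAN one (metric 20).
SAMPLE_OK='default dev wg0 proto static scope link metric 10
default via 192.0.2.1 dev eth0 proto static src 192.0.2.50 metric 20
198.51.100.7 via 192.0.2.1 dev eth0 proto static metric 20
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'

# Constructed sample: handshake succeeds (the endpoint host route exists)
# but no default route points at the tunnel, so traffic still uses the ISP.
SAMPLE_LEAK='default via 192.0.2.1 dev eth0 proto static src 192.0.2.50
198.51.100.7 via 192.0.2.1 dev eth0 proto static
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'

# Constructed sample: two /1 routes on the tunnel. They are more specific
# than "default", so they win whatever the metrics say.
SAMPLE_SPLIT='default via 192.0.2.1 dev eth0 proto static
0.0.0.0/1 dev wg0 proto static scope link
128.0.0.0/1 dev wg0 proto static scope link'

# Read a routing table on stdin and print the device that carries
# internet-bound traffic, or "none" if there is no default route.
best_default_dev() {
    awk '
    # Return the word that follows "key" on the current line, or "".
    function field_after(key,   i) {
        for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
        return ""
    }
    $1 == "default" || $1 == "0.0.0.0/0" {
        dev = field_after("dev"); m = field_after("metric")
        if (m == "") m = 0          # a route without a metric has metric 0
        if (best == "" || m + 0 < bestm) { best = dev; bestm = m + 0 }
    }
    $1 == "0.0.0.0/1"   { lo = field_after("dev") }
    $1 == "128.0.0.0/1" { hi = field_after("dev") }
    END {
        if (lo != "" && lo == hi) print lo   # longest prefix beats metric
        else if (best != "") print best
        else print "none"
    }'
}

# Return 0 when internet-bound traffic leaves through $1 (the tunnel).
check_tunnel_route() {
    want=$1
    got=$(best_default_dev)
    if [ "$got" = "$want" ]; then
        echo "OK: internet traffic leaves via $got"
        return 0
    fi
    echo "LEAK: internet traffic leaves via $got, expected $want"
    return 1
}

# On the router:  ip -4 route show | check_tunnel_route wg0
for name in OK LEAK SPLIT; do
    eval "table=\$SAMPLE_$name"
    printf '%s: ' "$name"
    printf '%s\n' "$table" | check_tunnel_route wg0 || true
done
```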

  • @wznzgq1354
    @wznzgq1354 2 years ago +1

    Can I add the same DNS address for WAN6 as well? Like you added for WAN? 8:51

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      That is a very good question wzn zgq.
      To be honest, I am not 100% sure of what is the answer here. From what I have read, IPv6 is backwards compatible to IPv4 to some extent, where it will make an IPv4 Address into an IPv6 address for networking purposes. However, I believe that is more in terms of address assignment, versus making requests to an already IPv4 address.
      I'm inclined to say that it won't work, but, it might. It's worth a shot to see if it does, and if it doesn't, you have your answer. I'd be happy to hear how it goes for you. Something I may have to tinker around with later, but ideally, VPN providers likely will provide IPv4 and IPv6 addresses for their VPN servers, especially as the transition to IPv6 continues.

    • @gerardderuel1604
      @gerardderuel1604 11 months ago +1

      @@DevOdyssey It works for my Proton VPN configuration:
      Do it. Add the same DNS address for WAN6, click on save, save and apply. Restart Network, and restart the router. Check that RX is operational, wait, quite long, depends on the flow of your connection.
      Note: If your ISP assigns you IPv6 addresses and you do not enter DNS from the commercial supplier, in WAN6, you will have DNS leaks. Besides, check that you don't have WebRTC leaks.

    • @DevOdyssey
      @DevOdyssey  11 months ago

      @@gerardderuel1604 Thanks for sharing! So was our DNS address an actual hostname / domain name or IP Address? In particular, is the address an IPv6 Address? I'd imagine it would work with an IPv6 address, but with an IPv4 address probably not. And if it's a domain name, and they have created an AAAA record (IPv6 Address) in the DNS records, then this should work no problem.

    • @gerardderuel1604
      @gerardderuel1604 11 months ago +1

      @@DevOdyssey Hello. The stable version of OpenWrt 23.05.0 has made corrections.
      For WAN6, simply uncheck "use the DNS servers published by the Distant" without adding anything.

    • @DevOdyssey
      @DevOdyssey  11 months ago

      Thanks for trying that out @@gerardderuel1604! I'm gonna have to see this for myself and upgrade my instance to this new version. Appreciate you sharing that with everyone.

  • @trihar1000
    @trihar1000 3 years ago

    Can you make videos on VPN policy routing / VPN bypass with WireGuard? Traffic can run with WireGuard VPN, except some websites like e-banking etc. will go direct to my ISP. I'm confused how to configure it, thanks

    • @DevOdyssey
      @DevOdyssey  3 years ago

      Thanks for watching tri har!
      Great question. I'm actually looking to make a video around vpn policy routing for OpenWrt, and using wireguard too, though it shouldn't matter what VPN protocol you're using. I've had a few people asking on how to set this up, and I'm personally interested in trying it out too.
      There are so many great use cases for policy routing (and exceptions), like banking, and another big one, streaming services like Hulu, Netflix, etc, where it's generally better to connect to your ISP.
      This video is scheduled a few videos out, but I do plan on getting to it.

  • @Adam_Ch739
    @Adam_Ch739 1 year ago

    Bro, I just updated Android from 12 to 13 and can't use Hola VPN premium anymore since it's L2TP. Any way to make it work again? It's the only VPN that works for me to access my work site

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching Adam!
      I don't have too much experience with Android, so there isn't much I can honestly offer here. I wouldn't know why Android 13 does not include L2TP protocol for VPNs, but likely because those are more outdated protocols for VPNs, and less secure. I am reading that Hola VPN does support IKEv2/IPSec, which you can try with your Android 13 phones and see if that works. While that is also an older protocol, it's still commonly used in the corporate world and is secure. I'd explore that route if I were you.
      If that doesn't work, and you aren't tied to Hola VPN, then I'd recommend exploring other VPN providers that work with your work site. You could downgrade to Android 12, but I'm sure Android 13 is more secure, with bug fixes and improved stability, so I can't inherently recommend that, and would only treat that as a last resort if Hola VPN is an absolute must.

  • @AuroraPixel6
    @AuroraPixel6 2 years ago

    Hey, I want to work remotely and hide my IP from my company. So they will think that I am working from home and did not leave the country.
    My plan is to set up a Raspberry Pi with OpenWrt, WireGuard and Mullvad VPN just like in this video. Then I would connect the Raspberry Pi to the hotel's WiFi or LAN and then connect my laptop to the Raspberry Pi. The question is: Can I use my company's VPN (IPsec) through the Mullvad VPN?

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Thanks for watching Aurora LG!
      Given my experience, I can provide you with some information and insight. By no means is this a recommendation, and you can do this at your own risk. Nonetheless, here is what you'd hypothetically have to do.
      First, using a VPN provider would not work. That's likely because depending on the size of the organization and their security team, they can likely see that the IP address you'd be using, would be a VPN IP address. Depending on their structure, there could be rules to alert on this, or none at all if their main concern is traffic that originates in the United States. So using a VPN provider is probably not the best solution.
      A better scenario is the following. You'd want your company to believe you are logging in from home. So in that case, you'd want to set up a VPN Server at your home (could be on the router or another device on the network, doesn't necessarily matter). You can use Wireguard for this whole set up too. Then, use the Raspberry Pi that has OpenWrt and Wireguard, that you'd travel with, to connect back to the home VPN Server (also Wireguard). Of course, you'd have to connect to the hotel WiFi or LAN first before the VPN. Anyway, once you've established that connection, and set up the correct tunneling rules (like allowed IPs being 0.0.0.0), then all your internet traffic will look like it's coming from your home. In order to accomplish this, you'll have to pre-configure OpenWrt on the Raspberry Pi to automatically connect to the VPN Server at home (like when the Raspberry Pi boots up), but also, you'd have to connect it to the WiFi first, and should be done not using a work device, but say your smart phone. This is to isolate any potential international traffic (from an external IP side) from your work device.
      Lastly, you'd want to not create the dynamic routing metrics as I've done in this video. That's because if the VPN goes down, you don't want your laptop sending a VPN request over IPSec from the international public IP to your work VPN, as that will surely be a red flag and a giveaway. Rather, you want all your internet connection to go down, to reduce the chance that your international public IP isn't "leaking".
      So to answer your question in full, yes it should work just fine. It's effectively a tunnel (IPSec), within a tunnel (Wireguard). Depending on the connection quality, it might not be the strongest / best, but could be doable. You'll definitely have a lot of overhead in this set up, and significant latency is likely. It just really depends on the speeds you'll get with hotel internet, your home internet (Upload speed will be important here), and work internet speed.
      It's possible to do this, but also has a lot more complications.
      Best of luck with whatever you decide to do!

  • @Alex-kk8op
    @Alex-kk8op 2 years ago

    I can't update packages in "Software", requiring check internet connection

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching Alex!
      So can you verify that you do indeed have an internet connection? I'm not sure what else you would be seeing, unless for some reason you are getting blocked from checking for packages in the opkg repository. I'd imagine it uses HTTPS and port 443 to do that, so I don't imagine you'd have any issues from a local network perspective but I can't be so sure.
      You can also try the command "opkg update" in the terminal, which should be the same as under the "Software" tab. If that doesn't work either, then you might have a connection issue to the internet from your OpenWrt device.

    • @Alex-kk8op
      @Alex-kk8op 2 years ago

      @@DevOdyssey Thank you so much!

    • @DevOdyssey
      @DevOdyssey  2 years ago

      @@Alex-kk8op You’re welcome! 😊

  • @MuhammadHaseeb-jz5bd
    @MuhammadHaseeb-jz5bd 2 years ago

    Sir, can I connect this router to my Algo VPN server using the wireguard package?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Hi Muhammad Haseeb,
      Thanks for watching! I'm not familiar with Algo VPN, but doing a quick google search looks like it supports the Wireguard VPN protocol. Check out the ReadMe on their github.
      github.com/trailofbits/algo
      I'm not sure which version of Algo VPN Server supports it, but nonetheless it looks like you can use Wireguard. As a result, you should have no problem connecting the Wireguard VPN on OpenWrt to an Algo VPN server in the cloud. As long as you can generate a Wireguard config file for Algo VPN that includes the OpenWrt router as a client, then it should work. I'm not too familiar with how and where Algo VPN implements Wireguard, but if you know where the server configuration file is, then I believe that's all you'd need to know.

  • @gztzm
    @gztzm 2 years ago

    Hey Dev, can you make a similar tutorial for mikrotik router os?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching 谭子明!
      That would be interesting and fun to do. I currently don't have any Mikrotik routers, but if I do get a hold of one, I'd certainly test it out and maybe try a Wireguard VPN on it. In the meantime, you can refer to the links below I found that should be helpful.
      help.mikrotik.com/docs/display/ROS/WireGuard
      ruclips.net/video/vn9ky7p5ESM/видео.html
      ruclips.net/video/YZGHf70Eyj4/видео.html

  • @stanlaurel672
    @stanlaurel672 2 years ago +1

    Is it still possible to use a local Pi-Hole?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching Stan!
      It should technically still be possible to use a local Pi-hole instance. All you would simply do is keep the DNS server settings on your WAN interface, as your local Pi-hole instance. That way, DNS queries are still routed to your Pi-hole for resolution, and then the resulting connection will still be routed over the VPN.
      Now depending on your VPN service provider, they could say that you are leaking DNS queries, because it's not going through their DNS service, but, if you want, you can change the DNS settings in Pi-hole to point the upstream DNS server to the VPN provider. However, that's not necessary and I'd consider that a preference. This is just a way of them telling you that your DNS queries could be going to your ISP and as a result, still tracking your internet activity.
      For example, many people use Cloudflare DNS server as their upstream DNS, and if that's a DNS provider you trust, that's really all that matters.

    • @stanlaurel672
      @stanlaurel672 2 years ago +1

      @@DevOdyssey Have you ever heard of unbound? It's kind of your own DNS Resolver. It would be nice to use it without leaking the DNS Server.

    • @DevOdyssey
      @DevOdyssey  2 years ago

      @@stanlaurel672 Yes I have, I believe that’s what Pi Hole uses. It’s a very common DNS server solution, other than dnsmasq.
      Anyway by DNS leaking, what I mean is that your DNS queries aren’t, by nature, tunneled over the VPN, because first your router needs to identify the IP behind the host before it’s tunneled over the VPN, and that can happen outside of the VPN and act as a means of tracking you on the internet. This should not reveal your use of Pi Hole on your home network, but rather this is about DNS privacy.
      So it should “leak the DNS” server. You just want your upstream DNS server to be one you trust, for example the IP address of your VPN provider's DNS server, or another DNS provider.

  • @thelightings
    @thelightings 3 years ago

    Thanks a lot

  • @richf7148
    @richf7148 2 years ago

    How come you don't use your own router as the VPN server instead of a 3rd party VPN provider?

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Thanks for watching Rich F!
      Great question. So the use case for this video is how to tunnel all your local network traffic through a VPN. This is useful in ways where you don't want to (or can't) put a VPN client on every device on your network, which there are plenty of reasons why you'd want to, and not want to, do this. Here, the router acts as a VPN client.
      However, there is room left in this video to set up your OpenWrt router as a Wireguard server. In this use case, it lets you access your home network from anywhere, which there are plenty of reasons why you would do that. I'll be making a site to site VPN video where it talks somewhat about this, and the same concepts should suffice.
      Let me know if you have any additional questions!

  • @naeem6988
    @naeem6988 1 year ago

    Hello sir. I want to create a VPN server with a static IP address in OpenWrt. I have not used the Mullvad VPN gateway. How can I, sir? I right purchase static IP address most

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching Tiger hack!
      For making a VPN server using Wireguard and a static IP, you can follow part of my Site to Site VPN video here
      ruclips.net/video/2dH-O0crThk/видео.html
      Basically, you need to install Wireguard, create the virtual interface, and the network, configure the appropriate zone forwarding settings, and the proper port forwarding. Then with your static IP address, provided by your ISP, you should be able to access the VPN.

    • @naeem6988
      @naeem6988 1 year ago

      @@DevOdyssey Thanks sir, I tried without a static IP address. OK, will purchase static then will create

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      @@naeem6988 You're welcome! A static IP is necessary if you want your router to act as the server, or use that as a point to connect to. Now if you can't get a static IP for that router, you can use a cloud server to act as an intermediary, and then create a tunnel from the router to the cloud server, that can then carry your requests back to your router once you create another tunnel to the VPN server in the cloud. That's a little more involved and would not recommend it for any beginners, but it's a great way to get around NAT limitations.
      If you can get a static IP that you control, that is the first thing I'd recommend. Good luck!

    • @naeem6988
      @naeem6988 5 months ago

      @@DevOdyssey Sir, I have a VPN server on VPN Ubuntu but I can access internet data and speed with the WireGuard server of the VPS, so please tell: I will make a VPN server for internet using outside. Can I make a WireGuard VPN server in the router for internet?

    • @DevOdyssey
      @DevOdyssey  5 months ago

      @@naeem6988 I'm not sure I understand what it is you are asking. Would you be able to better phrase your question?
      I assume you are asking to make a WireGuard VPN on your router for internet access, which of course, as that's exactly what this video is on. Are you trying to connect your Ubuntu to your server to your WireGuard VPN Server / VPS that's in the cloud? It should be the same process as I've shown in this video, except you are using text files for configuration as opposed to a web interface like with OpenWrt.

  • @mikostudy2867
    @mikostudy2867 2 years ago +3

    Can you make a video about OpenWrt and Tor?

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Thanks for watching Miko!
      That's a topic I'm still exploring. I have not used Tor before, I have just watched videos and read about it. So I understand the concepts, but need to actually try it out myself before getting into a video. Once I do, I'd be more comfortable making a video with it, along with using OpenWrt for Tor browsing.

  • @belyrodriguezmorales8032
    @belyrodriguezmorales8032 2 months ago +1

    Great tutorial, however I can't find luci-app-wireguard on the software tab. I am using a Raspberry Pi 4B and OpenWrt 23.05.04. What am I doing wrong? Any alternative?

    • @DevOdyssey
      @DevOdyssey  1 month ago

      Thank you and thanks for watching @belyrodriguezmorales8032!
      I'm not sure why you wouldn't see that, other than if you didn't update your list of packages. Did you first update your lists of packages by clicking update lists? It goes without saying, but make sure you do this with an upstream internet connection to your Raspberry Pi 4B.
      Given the hardware and software you are using, you shouldn't have any issue finding that package, and there wouldn't be an alternative (other than using terminal commands).

  • @mikeclites8407
    @mikeclites8407 3 months ago +1

    Hey Dev, appreciate your videos. Would you be able to do one on mwan3 & OpenWrt 23.05? I understand there is a script now that makes it work with ipsets. Thanks again!

    • @DevOdyssey
      @DevOdyssey  2 months ago

      Thanks @mikeclites8407! Awesome to hear from another happy viewer.
      I can't honestly say if or when I'd get to it, but if you do try it out yourself, I'd be happy to give my 2 cents. I haven't used mwan at all yet, but my understanding of it is pretty straight forward. Do you have a reference that says it works with ipsets using a specific script?

  • @wanttotree
    @wanttotree 2 months ago +1

    Any way I can route only certain user/ip address to the vpn? I just want to route vpn connection to my tv and not to my other devices.

    • @DevOdyssey
      @DevOdyssey  2 months ago

      Thanks for watching @wanttotree and great question.
      Yes, you certainly can by using a package called pbr, or "Policy Based Routing". I created a video on how to do that, which you can follow here:
      ruclips.net/video/FN2qfxNIs2g/видео.html

  • @domnet6272
    @domnet6272 1 year ago +1

    @Dev odyssey Hi, is it possible to install wireguard server (addon) on Homeassistant server, and client on openwrt, so I have "free" vpn for all devices at home? Thanks

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching Dom!
      Yes, you can install Wireguard on Home Assistant and on OpenWrt, and then connect them so all your devices that use Home Assistant are tunneled through the VPN. However, if the Home Assistant is on the same network as your OpenWrt router, i.e. your OpenWrt router is serving your home network, then this setup isn't really necessary.
      You can achieve the same thing by setting up Policy Based Routing (PBR). You'd first set up the VPN on OpenWrt like in this video, then you'd use PBR to route all Home Assistant traffic over the VPN. This is also if you want to decide which traffic should go over the VPN. As it stands in this video, all network traffic will go over the VPN, including Home Assistant. Using PBR is just another way to split tunnel your traffic if you want some traffic over the VPN, and some through your local gateway. Below is the video on Policy Based Routing if you want to try that out.
      ruclips.net/video/FN2qfxNIs2g/видео.html

  • @rysterstech
    @rysterstech 2 months ago +1

    Used this tutorial to set up WARP on my Pi4 based OpenWRT portable router. Worked like a charm and it didn't break tailscale compatibility so I can use rsync to synchronize a shared USB SSD on the router back to my server at home. It's amazing how much functionality you can cram into such a small space.

    • @DevOdyssey
      @DevOdyssey  2 months ago

      Thanks for sharing @rysterstech!
      I haven't used Cloudflare WARP myself, but I see it's WireGuard based and happy to hear this helped you set it up. Should be easier then when I get trying it out.
      I wouldn't expect it to break tailscale, given they'll simply be different interfaces. It's honestly really neat to see how much you can do with these little boxes and Open Source Software. Let alone, it really gives you insight into how much manufacturers have limited consumer ability to customize their devices. It's grown a ton since the early days, but still you won't get that level of customization using off the shelf software for the hardware you buy.
      Plus this is more fun, especially when you get your use cases working 😊

  • @mikenyc1589
    @mikenyc1589 2 months ago +1

    Is it possible to add 2 wireguard vpns for protection if one drops? And how?

    • @DevOdyssey
      @DevOdyssey  2 months ago

      Interesting question! Theoretically, yes, you could use a failover package called mwan3, which you'd use to set up your second WireGuard interface, as a failover interface. It effectively operates on pings, and if the pings fail on the first WireGuard interface, traffic will begin to be routed over the second WireGuard interface.
      All you'd need to do is set up 2 WireGuard interfaces, then set up the mwan3 package. I haven't used mwan3 yet, but it should be pretty simple to follow.
      openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

  • @shawncochran2410
    @shawncochran2410 3 years ago +3

    Unfortunately, although this is only a month old, when I install wireguard vpn, it doesn't give me the DNS option in advanced settings when setting up the router. Not sure what the deal is. Also, is there a way in OpenWrt to keep some devices (shield, xbox) off the vpn and have laptops, phones, go through vpn?

    • @DevOdyssey
      @DevOdyssey  3 years ago +2

      Thanks for watching!
      I'm sorry you're having this issue, that's very surprising. Since wireguard effectively acts as a regular network interface, it should have that option for setting the DNS server, just like the WAN and the LAN interface both have that option. Did you uncheck the option to "Use DNS servers advertised by peer", as shown at 7:17? If so, the option to "Use custom DNS servers" option should show up, allowing you to put whatever DNS server you have from your VPN provider.
      That's also a good question, and is referred to as "split tunneling". I didn't actually set this up on this router, but I have experience with this type of setup on a different firewall (OPNSense actually). In theory, what you'd want to do is create a firewall rule for your device (shield, xbox), where internet traffic is routed through WAN interface, or WAN zone, as opposed to the default route, which would be through the wireguard interface (WG0), or the VPN zone that is created in this video. You can refer to my latest video where I create a couple firewall rules in OpenWrt (ruclips.net/video/XTk8eZ4NmFc/видео.html at 23:29 in this video)
      Then for devices you want on the VPN, you wouldn't need to do any rules, because the default route they'd take would be through the VPN.
      I haven't tried this on OpenWrt, so I am not sure if it would work, but from my understanding, it should.
      However, what you can also do, and technically the proper way, is policy based routing, but I don't know much about that, as I don't have personal experience with it on OpenWrt. But I am familiar with the concept itself from my work experiences. Here are some links that get into good detail about it:
      forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389
      docs.openwrt.melmac.net/vpn-policy-routing/
      Hope this documentation is comprehensive and helpful!

    • @shawncochran2410
      @shawncochran2410 3 years ago

      @@DevOdyssey Thank you. I'm not sure why when I install the wireguard on my router it doesn't even give me the option of unchecking "Use DNS servers advertised by peer" which I thought was really weird. I have it under the Wan interface and can use a custom DNS under the lan, but it doesn't show up on the Wireguard. I've tried uninstalling and reinstalling the wireguard package and I just might do a factory reset before I try reinstalling again.
      Thanks for the info. I'm not a network admin and probably know just enough to get myself in trouble, but I understand the processes or logical steps, so I do understand the process you outlined. I'll check out the other links to see if I can figure it out. Cheers!

    • @DevOdyssey
      @DevOdyssey  3 years ago

      @@shawncochran2410 You're welcome. I am not sure either, and seems strange to me, as it sounds like you are doing everything right. If it still doesn't show up after the factory reset, I wouldn't be too concerned then and I'd just move forward with it. Just be sure to set the DNS server on the WAN interface to prevent DNS leaking and you should be alright.
      By chance, what version of OpenWrt are you using? I could try changing my OpenWrt router to that version to see if I end up seeing the same thing.
      And you're welcome on the info, I'm basically the same haha. I'm only a home network admin, but I've learned quite a bit to be dangerous. (I've accidentally taken out the WiFi a couple times or blocked the internet from my IoT devices a couple of times).
      Nonetheless I'm glad you understand it and let me know if you have any questions once you get around to it.
      Policy based routing looks cool and I might just do a video on it once I learn enough about it.

    • @diyer1190
      @diyer1190 2 years ago +2

      @@shawncochran2410 Maybe you install a custom Openwrt just me before no DNS and other options like this shows, then install a basic Openwrt version install Wireguard, yes, all the same now

  • @Gabriel-fv7ou
    @Gabriel-fv7ou 3 years ago +1

    I am trying to configure the SurfShark VPN, is it possible?

    • @DevOdyssey
      @DevOdyssey  3 years ago +1

      Thanks for watching Gabriel!
      According to their website, they do support Wireguard, so thats good news.
      surfshark.com/blog/what-is-wireguard
      However, I'm not sure if you can use Surfshark and Wireguard with OpenWrt. That's because I can't seem to find documentation stating that they provide a config file. Likely, they expose the Wireguard option in their applications you can download for your clients, like iOS, macOS, Windows, Android, etc. But they might not provide the actual config file. Further, they do say they provide a dynamic IP address when using Wireguard, to help mitigate the concern that you're getting a static IP with Wireguard and being monitored by their (Surfshark) VPN servers. This means they are less likely to provide a Wireguard config file, since here you do get a static IP address (static private IP address that is).
      I suggest reaching out to their support and asking if they provide a Wireguard config file to their customers. They might, but I can't be sure, and signs point to that not being the case. But then again, I could be wrong.
      Let me know if you do reach out to their support and find out that they indeed provide Wireguard config files.

  • @leblancexplores
    @leblancexplores 3 years ago +1

    I tried following this but for some reason I can't access some websites, I think it's websites that support ipv6 but websites that support ipv4 don't work. Any thoughts on how to troubleshoot?

    • @DevOdyssey
      @DevOdyssey  3 years ago

      Thanks for watching @spacesuitdiver 😊
      Thats an interesting observation. My initial thoughts on troubleshooting are to make sure the VPN is working. I imagine you have verified that and that your traffic is being tunneled out the VPN.
      Once you have done that, we can likely determine the issue being with the VPN or as you said with the website itself, but not that the VPN isn't working, so to speak. It may be possible that those websites block known VPN providers? Have you tried to change to a different VPN server to go out through and see if the websites that are failing actually load?
      Troubleshooting something like this would be difficult to say the least, and the best bet is to first try different VPN servers to see what works. Otherwise, what you can do is do a Wireshark packet capture, attempt to visit the website over the VPN, and then stop the packet capture. Then you can dump the packets you're looking at for your specific interface where the traffic occurred, and then see if there's anything suspect in there. That will certainly take time to comb through, but would provide the most detail.
      Is there nowhere else on screen that you see an error for website not loading? Or is it just a white screen? If there's no error to go off of to begin with, then I can't think of anything else now other than a packet capture (and assuming you use the same VPN server and not change it).
      Hope this helps!

  • @franciscozuniga9551
    @franciscozuniga9551 1 year ago +1

    Hi Dev, is it possible to create a VPN in a simcard router?

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Hi Francisco! Appreciate you watching my video.
      Yep it should be possible to create a VPN on a router with a SIM card slot. Your limitation will be dependent on the software provided by your router hardware. If it supports OpenWrt, then that's even better and you can squeeze more features out of your hardware. If not, then check with the manufacturer and their software documentation to see if VPNs are supported.

  • @evanmiller29
    @evanmiller29 2 years ago +3

    Bloody great tutorial. Clear explanations and it worked a charm

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching Evan!
      I’m happy you were able to follow my video without any trouble. I truly appreciate the compliment 😊

  • @ner0m35
    @ner0m35 3 years ago +1

    Where is Wireguard VPN Server config?

    • @DevOdyssey
      @DevOdyssey  3 years ago

      Thanks for watching ner0!
      As for where the VPN Server config is, you will have to get that from a VPN provider that supports Wireguard. I use Mullvad ( mullvad.net ) but you can also use plenty of other services. I believe Private Internet Access (PIA) does support Wireguard, but not sure if they give you a Wireguard server config file. Also I believe NordVPN supports Wireguard as well, but again I haven't tried with them yet. Once you find a VPN provider that supports Wireguard and generating the server config file, you should be good to go.

  • @ifscale3
    @ifscale3 1 year ago +1

    Thank you so much for the video. I adapted it to my use case where I was connecting two routers together for a site to site tunnel. I will try gateway metric to failover to a secondary Wireguard tunnel whose endpoint is a backup link at the HQ end. Do you reckon that would work? Site A (HQ) has two links and a branch office with a single Internet link.

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching ani91!
      That's a great use case, and one I also covered in another video, if you wanted to refer to it.
      ruclips.net/video/2dH-O0crThk/видео.html
      If you are saying you have 3 network interfaces, regardless of how many, you should be able to use the gateway metric with no problem on the interface you want traffic to default from, and fail over subsequently. You can continue failover beyond two, to use all of the links you have.

  • @mehdiorangpour315
    @mehdiorangpour315 2 years ago +1

    Hi,
    I was thinking about IPSEC Site to Site tunnels between kerio control and openwrt.
    Do you have any experience?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching mehdi orangpour!
      Honestly, I have not had any experience setting up an IPSec Site to Site VPN / tunnel. However, I believe this is done in OpenWrt with Strongswan package. These blog posts / documentation from OpenWrt should help.
      openwrt.org/docs/guide-user/services/vpn/strongswan/start
      openwrt.org/docs/guide-user/services/vpn/strongswan/site2site

  • @shahriyarmamun4481
    @shahriyarmamun4481 11 months ago +1

    Awesome video as always. I have two wan (2 connection from 2 different ISP) load-balanced by mwan3, how can I set up wireguard vpn so my ip address remains the same? Cause in my current load-balanced scenario my public ip address changes frequently. Thanks a lot

    • @DevOdyssey
      @DevOdyssey  11 months ago

      Thank you and thanks for watching @shahriyarmamun4481!
      In your load balanced scenario, I imagine it's load balanced for outbound connections. Regardless of what outbound connection you are using at the moment, your Wireguard interface will choose one, and continue to use that for the duration of its session / connection. If everything is being tunneled through that Wireguard connection, then I do not believe that mwan would matter here, as the routing would force you to use the VPN connection.
      I have never used or set up mwan, let alone with an outbound VPN connection, so I'm not sure what would happen from experience, but I believe that while the VPN connection is running, mwan should not disrupt your connections traveling over the Wireguard tunnel.

  • @200332631
    @200332631 10 months ago +2

    This video was super simple and have everything up and running. Thanks!

    • @DevOdyssey
      @DevOdyssey  10 months ago

      Thanks for watching @200332631 and you're welcome! Glad you were able to follow along and get it working!

  • @fl795
    @fl795 2 years ago +1

    Hello, first off, thank you for making the tutorial.
    I have followed the video step-by-step and I am not getting my traffic routed through the VPN interface. I am as well using Mullvad, but a Finnish server. Any ideas?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Hi Fl, you're welcome! Thanks for watching.
      One thing I will say, before I begin, is I've worked with Wireguard for a number of deployments. When troubleshooting Wireguard, I will say that it's difficult to do so, that's because there really isn't much logging, or anything to point you to where something is broken. Rather you have to check the configuration, and network connection in between to see where the problem may be, rather than pinpointing to one specific thing.
      Given that, I will try my best to help. To start, usually the issue may be a configuration one. So to start, can you try setting up this Wireguard tunnel on a different device, using the same Wireguard configuration? Say on your computer or on your phone. You'll have to use the wireguard tools command line, or what's even easier is the Wireguard application which has a GUI.
      www.wireguard.com/install/
      If you can set up the configuration on your computer or phone successfully, using the same configuration file, then it's likely that you have a configuration problem on OpenWrt. It shouldn't matter what server you are using, just so long as you are properly configuring it.
      If that's not the issue, then maybe something else on OpenWrt isn't configured properly, and we can try to look there. My only other thoughts are around configuring the VPN Zone properly at 9:00.
      Try all the above, and we'll go from there.

  • @greatguy112
    @greatguy112 2 years ago +1

    Thanks to your video I have managed to get my wireguard up and running on openwrt, very useful tutorial. Also if you could point me in the right direction, I have added a second peer for a different location, but it only connects to the new peer I added. Is there a way to switch between peers or do I have to delete the old peer? I will rather like to be able to switch between server locations.

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Thanks for watching Jonas!
      Glad my video tutorial could help you out!
      Well, just for my understanding, it seems like you want to be able to switch between two different servers (locations) easily, and so you added a second peer / server as a result. With that, I understand what you're trying to do, and why, however, it gets technically somewhat complicated.
      If you are replicating the same configuration for each peer, where you are tunneling all traffic to two peers / locations (0.0.0.0 for AllowedIPs for each peer), then you create somewhat conflicting configurations. That's because you can't really tunnel all traffic to two different peers (destinations) at the same time, it just won't work. While I have not tried this, what I believe happens is all the traffic will go to the first peer, because it's the first configuration read. The second peer never gets touched because all the traffic will be going through the first one.
      This is not to say that you can't connect to two peers at the same time. You absolutely can. However, you would have to use different sets of "AllowedIPs" for each peer. Effectively this is split tunneling your traffic. For general internet traffic though, this is something you likely don't want to do.
      So for your use case. Really the best and easier thing to do, to switch between peers / locations / destinations, is to comment out one peer in your config, then restart the Wireguard server. I don't think there is a way to easily disable a peer, other than commenting it out in the config file.
      You could maybe make two wireguard interfaces, each with a different peer, and then switch between them by keeping one disabled, and keep one enabled. Then when you need to switch between them, it's just a matter of disabling one interface and enabling the other one. That should work, and is probably the best solution for easily moving between different peer connections that tunnel all your network traffic.

  • @Zau-d5v
    @Zau-d5v 1 year ago +1

    Thank you for the informative video. My ISP now provides IPv6.
    When visiting sites, my public IPv4 address is that of the VPN connection (Mullvad as expected), but my IPv6 address shows as my ISP's.
    I have reviewed Mullvad's site for Wireguard setup, but it is too convoluted.
    I can disable IPv6, but I would prefer to use both IPv4 and IPv6.
    Mullvad do not provide IPv6 DNS servers, and have no plans to provide.
    What changes will be required for my OpenWrt router?

    • @DevOdyssey
      @DevOdyssey  1 year ago

      You're welcome! Thanks for watching Z Au.
      Now that is a very good question, that I am not sure if I have the right answer, but I think I'm close. So, you want to use IPv6. I assume you _don't_ use IPv6 internally. If you do, you can follow the same steps as in my video, but add in the IPv6 IPs at the same time. You can refer to 7:58 to see the example config where I do that. This should basically move all internal IPv6 traffic through the tunnel (in addition to the IPv4 set up in this video)
      Now, even with those IPv6 additions, it would not prevent leakage of your IPv6 public address. I did find a Mullvad IPv6 IP for a DNS server, but those only seem to support DNS over HTTPS or DNS over TLS (DOH / DOT). It doesn't seem to support regular DNS, or rather it's not explicitly mentioned, you can find that here.
      mullvad.net/en/help/dns-over-https-and-dns-over-tls/
      Now in their guide, I do see a Mullvad DNS entry for IP (as also seen in my video), but this is for a DNS server after you've established the VPN connection.
      mullvad.net/en/help/running-wireguard-router/ (Under DHCP and DNS Settings portion of the page).
      This should prevent your IPv6 leakage, I believe, if there is IPv6 to IPv4 translation going on. But I'm not sure where that would be enabled in OpenWrt if not by default.
      What I'd suggest trying is to set up DoH or DoT in OpenWrt, and use those IPs in the first article. That I believe should prevent your IPv6 leaking, while all your traffic would still be going through the VPN (which is likely all IPv4 anyway, and your router then must be translating it to IPv6 if that IP is in use, otherwise it likely will first be using the IPv4 address assigned by your ISP, if they are assigning you one.)
      Let me know if this works!
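A config audit for two situations raised in this thread: two peers that both claim all traffic, and a full tunnel that carries IPv4 but not IPv6. This is an added example, not code from the video or from any commenter; the function name, the finding labels and the two sample configs (documentation addresses, placeholder keys) are constructed, and it assumes the provider hands out a wg-quick style config file.

```shell
#!/bin/sh
# Added example: audit a wg-quick style WireGuard config read from stdin.
# Prints one finding per line (or "OK") and returns 1 if anything was flagged.
audit_wg_conf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }

        /^[ \t]*#/             { next }                       # comment lines
        /^[ \t]*$/             { next }                       # blank lines
        /^[ \t]*\[Interface\]/ { section = "iface"; next }
        /^[ \t]*\[Peer\]/      { section = "peer"; npeers++; next }

        {
            eq = index($0, "=")        # split on the first "=" only: base64 keys end in "="
            if (eq == 0) next
            key = tolower(trim(substr($0, 1, eq - 1)))
            val = trim(substr($0, eq + 1))

            if (section == "iface" && key == "dns" && val != "")     has_dns = 1
            if (section == "iface" && key == "address" && val ~ /:/) has_v6_addr = 1

            if (section == "peer" && key == "allowedips") {
                n = split(val, parts, ",")
                for (i = 1; i <= n; i++) {
                    p = trim(parts[i])
                    if (p == "") continue
                    # A prefix can belong to only one peer on an interface.
                    if ((p in owner) && owner[p] != npeers) {
                        printf "DUPLICATE_ALLOWEDIP %s claimed by peer %d and peer %d\n", p, owner[p], npeers
                        bad = 1
                    } else {
                        owner[p] = npeers
                    }
                    if (p == "0.0.0.0/0") v4_full = 1
                    if (p == "::/0")      v6_full = 1
                }
            }
        }

        END {
            if (v4_full && !v6_full)     { print "IPV6_NOT_TUNNELED AllowedIPs has 0.0.0.0/0 but not ::/0"; bad = 1 }
            if (v6_full && !has_v6_addr) { print "IPV6_NO_ADDRESS ::/0 is routed but the interface has no IPv6 address"; bad = 1 }
            if (v4_full && !has_dns)     { print "NO_TUNNEL_DNS full tunnel without a DNS entry in [Interface]"; bad = 1 }
            if (!bad) print "OK"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: two exit locations, both with AllowedIPs = 0.0.0.0/0, IPv4 only.
conf_two_exits() {
    cat <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.2/32

[Peer]
PublicKey = CONSTRUCTED_PEER_A_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.7:51820

[Peer]
PublicKey = CONSTRUCTED_PEER_B_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.9:51820
EOF
}

# Constructed sample: one peer, dual-stack full tunnel with a tunnel DNS server.
conf_dual_stack() {
    cat <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.2/32, 2001:db8::2/128
DNS = 10.0.0.1

[Peer]
PublicKey = CONSTRUCTED_PEER_A_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 198.51.100.7:51820
EOF
}

conf_two_exits | audit_wg_conf || true
conf_dual_stack | audit_wg_conf
```

On OpenWrt the same values live in the interface and peer settings in LuCI rather than in a file, so the audit is meant for the provider's config file before its values are copied in.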

  • @MuhammadHaseeb-jz5bd
    @MuhammadHaseeb-jz5bd 2 years ago +1

    Can i connect this router to algo vpn server?

  • @rickpoeling6831
    @rickpoeling6831 3 years ago +2

    Thank you!!! You solved my DNS leak issues. I tried following other people and they got it wrong. Your explanation was perfect!

    • @DevOdyssey
      @DevOdyssey  3 years ago +1

      @Rick Poeling you’re welcome! Thanks for watching and for the compliment.
      Glad I could thoroughly explain in this video how to solve your DNS leaking issues.
      That usually happens where the WAN connection is using a DNS server from the ISP (or not the one given by your VPN provider). So if you ever see this issue again, you know where to go and how to fix it 😊.

  • @ISkreem_You_Scream
    @ISkreem_You_Scream 2 years ago +1

    I'm wondering how to set up mwan3 with WG (say when you miss a payment to your VPN provider) coz my vpn setting fails after reboot for some reason.

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching Ролики с фоторамки!
      I have not configured mwan3 personally yet, though it's something I plan to try out and make a video on.
      As for your use case, and knowing what mwan3 does, you should be able to set it up that way where if "pings fail over the VPN interface" because a payment was missed, then traffic should re-route automatically over WAN.
      For now I'd recommend looking at the OpenWrt docs here:
      openwrt.org/docs/guide-user/network/wan/multiwan/mwan3
      You can also look at Van Tech Corner's videos where he's configured mwan3. I haven't tried it out myself, but it could be helpful for you:
      ruclips.net/video/vHWYH_5ooEY/видео.html

  • @vaughngx4
    @vaughngx4 2 years ago +2

    Great video, thanks! Just a tip, you'd be better off blocking out the latter parts of your IP. The top level can be found using information gathering.

    • @DevOdyssey
      @DevOdyssey  2 years ago +2

      Thanks for watching Pray4ragE!
      I do appreciate the tip. You're right in that aspect, as that information can be used for reconnaissance and iterated over. I will say I'm not a master at IPv6, as I'm still learning a lot about it from some books I'm reading, but I applied the same "masking principles" as I would to IPv4.
      What I probably should've done more so is block the MAC Address on the WAN interface and WLAN (radio0) interface, or BSSID (not shown in the video above anyway). I have heard how this information is collected and can be associated with your internet connection and your WiFi as well, to create a geo location map of Mac Address. It's interesting what information can be gathered from public networks.
      If you're curious, the biggest way I try to protect my internal network information is by using testing equipment. A lot of the hardware I test in here is not always in production on my home network. I find ways to repurpose it for other videos, but use other hardware as well for my home network. Another thing I do is use a cellular connection for my internet, as opposed to my ISP for my home network. So even with a Public IP address exposed (IPv4 or IPv6), it doesn't get too specific about my location, but rather gets to the general area, which is already public knowledge anyway.
      Plus with the cellular ISP (Verizon), they use Carrier Grade NAT (CGNAT), and as a result, that public IPv4 address is not my public IPv4 address out on the internet. That public address is actually shared by multiple customers of Verizon.
      en.wikipedia.org/wiki/Carrier-grade_NAT
      Hope this information was insightful 😊

  • @zyghom
    @zyghom 9 months ago +1

    very nice one but it seems something is not ok in my case - TX and RX are in bytes, so apparently handshake is not ok

    • @DevOdyssey
      @DevOdyssey  9 months ago

      Thanks for watching @zyghom!
      When you see TX and RX only in bytes, it's definitely not working. I have encountered this before and it was pretty apparent my tunnel wasn't working.
      To troubleshoot this, it will simply come back down to ensuring your configuration is correct at both ends, and that your routing rules are correct.
      This is where looking at traffic logs is helpful, though with OpenWrt, it's not really easy to get traffic logs for allowed traffic. I would verify your connectivity to the endpoint as well in addition to the configuration, such as with a few pings. Now a failed or successful ping doesn't guarantee your WireGuard VPN will work, but it's indicative of proper routing.
      Assuming you are using a public (paid) VPN server, I'd first make sure that everything is set up properly. If that doesn't work, try configuring the WireGuard with a different endpoint and see if that is successful. If so, then it could be a problem with the VPN server. There are always a number of variables to consider, but this is how I'd start troubleshooting.

    • @zyghom
      @zyghom 9 months ago

      @@DevOdyssey yeap, but the same config file works on my laptop (macos) so the problem has to be somewhere else, not the config from VPN provider

    • @DevOdyssey
      @DevOdyssey  9 months ago

      @@zyghom Interesting, it's good you tried that out. So it seems to me your issue may be something outside of the config on OpenWrt, my first go to is to always look at the routing rules, since I've been burned by it often. On macOS those rules are likely happening automatically, and on OpenWrt, they should be if you set up the config that way, but it's still good to check.
      Another way I troubleshoot is by running a full tunnel (if you weren't before), where I know if that works, then I have an issue with my routing rules. I do remember a while ago that if my subnets were written incorrectly, that the routing rules would not be created automatically, which took a while to figure out. Nonetheless, if you are running a full tunnel and seeing this issue, there isn't much else you can look at, other than determining if your outbound connection is somehow being blocked, which then you'd have to do a packet capture to figure out.

    • @zyghom
      @zyghom 8 months ago

      @@DevOdyssey thank you brother - I got it working using a bit different tutorial - WG on Opnsense
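The "TX and RX only in bytes" symptom discussed in this thread can be checked from the router's shell by reading `wg show wg0 dump`, which prints the latest handshake time and byte counters per peer. This is an added example, not code from the video or from any commenter; the function name, state labels, the interface name `wg0` and the sample dump (documentation addresses, placeholder keys) are constructed. The 180 second threshold is an assumption based on WireGuard renewing its handshake roughly every two minutes while traffic flows, so an idle peer without keepalive can show a stale handshake and still be healthy.

```shell
#!/bin/sh
# Added example: classify peers from `wg show <iface> dump` (tab-separated) on stdin.
# $1 = current Unix time (default: now), $2 = max handshake age in seconds (assumed 180).
# Returns 1 if any peer is not OK, so it can gate a cron job or a failover script.
wg_peer_health() {
    now="${1:-$(date +%s)}"
    max_age="${2:-180}"
    awk -F '\t' -v now="$now" -v max_age="$max_age" '
        NF != 8 { next }    # skip the interface line (private key, public key, port, fwmark)
        {
            # peer line: public-key, preshared-key, endpoint, allowed-ips,
            #            latest-handshake, transfer-rx, transfer-tx, persistent-keepalive
            peer = substr($1, 1, 8)
            hs = $5 + 0; rx = $6 + 0; tx = $7 + 0

            if (hs == 0 && tx > 0)        state = "NO_HANDSHAKE_SENDING"   # initiations leave, nothing answers
            else if (hs == 0)             state = "NEVER_CONNECTED"        # nothing has been sent yet
            else if (now - hs > max_age)  state = "STALE_HANDSHAKE"        # was up, has not renewed
            else                          state = "OK"

            if (state != "OK") bad = 1
            printf "%s %s endpoint=%s rx=%s tx=%s\n", peer, state, $3, $6, $7
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample of `wg show wg0 dump` output, taken at Unix time 1700000000.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' \
        'CONSTRUCTED_PRIVATE_KEY=' 'CONSTRUCTED_IFACE_PUBKEY=' '51820' 'off'
    # Peer A: never completed a handshake, only a few hundred bytes sent.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'peerAAAA_constructed=' '(none)' '198.51.100.7:51820' '0.0.0.0/0' '0' '0' '1480' '25'
    # Peer B: handshake 50 seconds ago, megabytes in both directions.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'peerBBBB_constructed=' '(none)' '203.0.113.9:51820' '10.8.0.0/24' '1699999950' '52428800' '1048576' 'off'
    # Peer C: last handshake 10000 seconds ago.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'peerCCCC_constructed=' '(none)' '192.0.2.44:51820' '10.9.0.0/24' '1699990000' '4096' '8192' 'off'
}

sample_dump | wg_peer_health 1700000000 180 || true
```

On a live router the input would be `wg show wg0 dump | wg_peer_health`. A peer that reports OK while clients still leave through WAN points at routing or firewall zones rather than the tunnel itself.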

  • @gelijkjatoch1009
    @gelijkjatoch1009 1 month ago

    But why didn't you tell about having to put your wifi region down? And what the heck is DFS? That needs to be set too. And what else is a legal concern? Would be very happy if you return an answer with your kind of skills.

    • @DevOdyssey
      @DevOdyssey  1 month ago

      Seems like you're talking about WiFi which is out of scope for this video. Not sure what you're referring to with DFS or where you're seeing that. Legal concerns are around what your country allows you to transmit, in terms of power / frequency for radio waves. That's general WiFi configuration, not related to VPN, and it looks like you got the answer from ChatGPT according to your other comment replying to my pinned comment. I would've recommended research anyway since I can't speak to what country you're broadcasting your WiFi in. It's always good to continue your research efforts and find a solution.

  • @UzairFarooqui
    @UzairFarooqui 1 year ago +1

    Great video. What if usecase is to only have specific clients go through VPNs and rest of the network uses default route to WAN? how would you do such a configuration?

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching Uzair!
      That is a very common use case, as many people probably only want certain devices, or certain websites to go through the VPN, and then everything else via the default route through WAN. You can do this in a couple different ways.
      One, is you would create a VLAN, designated for specific network clients, and place them on that VLAN. Then you'd create a route for that VLAN, on the router, to route all traffic through the VPN interface / IP address. Then the route after it, as a catch all, can move traffic via the WAN interface / IP Address.
      Otherwise, you can do something called VPN Policy Routing, that gives you very fine tuned control over what traffic is routed through which interface / IP. I'm working on learning this myself, so in the mean time, feel free to refer to this very well written article.
      docs.openwrt.melmac.net/vpn-policy-routing/

  • @ivannicolas166
    @ivannicolas166 2 months ago

    If I had another wireguard "inbound" working as a server, to connect from outside, can I use both? For example, when I connect from outside to my home network through my wireguard server config, will I be navigating on internet through this wireguard client? Thanks a lot.

    • @DevOdyssey
      @DevOdyssey  1 month ago

      Thanks for watching @ivannicolas166!
      If I'm understanding your question correctly, which I think I am, then yes, you can have two WireGuard interfaces running, where one acts as an "inbound" VPN that lets you connect into your home, and one as an "outbound" VPN, that you use to tunnel traffic out through a VPN. You'd simply have to set up the routes properly to facilitate this but it's definitely possible, and something I'm looking to explore setting up in the future.

  • @zandatsu07
    @zandatsu07 11 months ago +1

    Your tutorial is actually working for me, but what if I want to stop using the wireguard and I want to use my default internet connection? I do what you did in your tutorial; stopping the wireguard interface isn't enough because you need to restart the wan interface to use your regular internet. Maybe this is my device limitation.

    • @zandatsu07
      @zandatsu07 11 months ago +1

      Based on what I found out, the gateway metric was necessary after all to make it seamless when switching from wireguard to regular internet

    • @DevOdyssey
      @DevOdyssey  11 months ago

      Thanks for watching @zandatsu07!
      Glad it's working well, but if you want to stop using Wireguard and want to use your default internet connection, you can shut off the Wireguard interface, or as you noted, change the gateway metric. I don't think I had to restart the WAN interface, I can't recall, but I would recommend changing the gateway metric in your scenario if you want to make it more seamless.
      Shutting down the Wireguard interface should work, as then the gateway metric would kick in, and route all traffic over that interface because the Wireguard interface is down, and the WAN is next in line in terms of priority, at least to my understanding. Nonetheless, glad you got it working in a way that works for you.
      You can explore using PBR, which seems like you already have with your comment on my other PBR video, and be more selective with split tunneling your traffic.

  • @ravand1990
    @ravand1990 23 days ago

    I did everything exactly as you described, however even though the wireguard handshake is going through and the wireguard connection is established on my container, I still have my wan ip. I can't figure out why. Using proxmox and an openwrt container.

    • @DevOdyssey
      @DevOdyssey  22 days ago

      @ravand1990 thanks for watching! I’ve tried to get openwrt containers working, but I haven’t worked on it enough, especially within proxmox. I’ve only gotten VMs to work. Anyway that shouldn’t matter. What matters is you have a handshake, so that’s good. Your issue is probably routing at this point.
      How are you validating the IP address check? Are you doing a curl request within the container? Or a device connected from the outside, like a laptop or smart phone? Wherever your request is originating, it’s likely not being routed through the tunnel. And if you’re trying to make clients connected to OpenWrt route through the VPN, you need to make sure they’re on the OpenWrt network, and that the routes are set to move traffic all through the tunnel. If you take a look at this, it’ll likely fix your issue.

    • @ravand1990
      @ravand1990 22 days ago

      @DevOdyssey thanks for your answer, I got it working after all, the resolv.conf was not correctly set up.
      # --- BEGIN PVE ---
      domain lan
      search lan
      nameserver 10.50.50.1
      # --- END PVE ---
      It was not referencing the interface name ("lan" in my case), for everyone who is facing similar issues.

  • @saswatachakraborty
    @saswatachakraborty 2 months ago

    Does OpenWrt allow us to set up multiple VPN locations through Wireguard so I can change the location if/when needed? If yes, how do we do that?

    • @DevOdyssey
      @DevOdyssey  1 month ago

      Thanks for watching @saswatachakraborty!
      Yup it does, you can create multiple WireGuard interfaces, each with a different peer in a different physical location, then from there you'd have to route to the different WireGuard interfaces so you can change your location. Now you can put all of these different peers (locations) under one WireGuard interface, but you can't route to all of them in the same way (say for example have a full tunnel to each / default route of all traffic), it simply wouldn't know how to route your traffic. So separating them out by new WireGuard interfaces would make it easier to move between them, and effectively you'd change your route between each WireGuard interface. This is all taken care of by the "Allowed IPs" section in your peer configuration that will create the necessary routes for you automatically.
      However, in order to forcibly change which location you are routing to, you'd have to do that manually, or potentially using a failover configuration (such as mwan3).

  • @neese415
    @neese415 2 years ago +2

    Dev odyssey, such an exact and succinct explanation of a wireguard VPN setup. Thanks!

    • @DevOdyssey
      @DevOdyssey  2 years ago

      You're welcome! Thanks for watching neese415. I really appreciate the compliment. 😊

  • @tubasweb
    @tubasweb 2 years ago +1

    Hey, can you make an update video but this time using your own VPN? Not an external company.

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Thanks for watching tubasweb!
      Yes I certainly can, and I’m actually getting ready to record a site to site vpn which would be using my own VPN.
      However the setup doesn’t change from using a VPN provider, or your own VPN. You’ll just simply have to generate the server side config, which will be covered in that site to site vpn video.

  • @ThePwig
    @ThePwig 1 year ago

    wait, I was hoping to make my router the WireGuard VPN server and use my phone as the client. that's not what this is? I don't have a configuration from my "VPN" provider.

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching @ThePwig! So this video is targeted for making your router a VPN client, as opposed to a VPN server. While I did cover the groundwork for making a router a VPN server with Wireguard, I didn’t finish configuring it that way. The configuration from a VPN provider only applies when you are using your router as a VPN client, and not a server as you’re intending to.
      While I am working on a video to cover it from a VPN server configuration with Wireguard, I did essentially cover this in my site to site VPN video below. It covers additional steps that wouldn’t be needed in just a VPN server router setup, but all the necessary steps laid are used in this video. Essentially, you just need to set up the wireguard interface, port forwarding, and peer configurations on the router, and the client, such as a smartphone, or laptop. In the meantime, I’d refer to that video for guidance.
      ruclips.net/video/2dH-O0crThk/видео.html

  • @zecstaticlyunecstaticzorro383
    @zecstaticlyunecstaticzorro383 5 months ago

    5hrs I've spent trying to set this up and still having issues. Only just stumbled into this video. Let's see if anything changes. Typing out of sheer anger and frustration now lol fucking hell technology man

    • @DevOdyssey
      @DevOdyssey  5 months ago

      I can definitely relate. I’ve spent countless hours on problems, and when I figure it out, everything clicks. But going through the weeds of it becomes frustrating, especially when nothing is working as expected. Then every keyboard press is full of pent up anger.
      I hope this video helps! Technology is often a pain for those who implement it, and a pleasure for those who get to use what you make (until it doesn’t work anymore) 😂

  • @mahimrizvi8225
    @mahimrizvi8225 5 months ago

    Hello can you please suggest a router which has wireguard client built-in and under 50 dollars? Thanks

    • @DevOdyssey
      @DevOdyssey  5 months ago

      Thanks for watching @mahimrizvi8225!
      Honestly, that price point will be difficult to reach, especially for anything native and "out of the box".
      You can use a Netgear R6080 which you will have to flash OpenWrt, where you can then set up a WireGuard VPN, but not with its stock Netgear firmware. However, I don't fully recommend this router for the sake of out of date hardware. It's rated at 100 Mbps, for its WAN / LAN ports, so this is not something you'd want in your network, except low bandwidth applications. But if you don't need much and are okay with being throttled at 100 Mbps, then see what you can find on this router, as you should be able to get it for less than 50 dollars.
      Otherwise, you can look into GL.iNet routers, which you'd have to pay more than $50 for, but you can find some for less than $100 with WireGuard built in, as their OS is basically their flavored version of OpenWrt.
      bit.ly/devodyssey-gl-inet-us
      It really comes down to what hardware you are willing to pay for.

  • @paldo771
    @paldo771 3 years ago +1

    Thanks for this useful guide. Can you do a tutorial on Samba Share with Openwrt please? Thanks

    • @DevOdyssey
      @DevOdyssey  3 years ago

      Thanks for watching @Paul Do and for supporting the channel!
      As for a Samba Share tutorial, I will look into it. For now, they do seem to have good documentation on setting up a Samba Share, though I do not have personal experience trying it out myself.
      openwrt.org/docs/guide-user/services/nas/samba_configuration
      Let me know if this is helpful!

  • @eddybledoeg
    @eddybledoeg 1 year ago +1

    Very helpful for noobs like me! Thanks a lot.
    BTW, I found a bug with version 22.03.2. After reboot, Wireguard does not work, if you set a custom dns in the WAN interface [to prevent DNS leaks]. Workaround: remove the custom dns, save&apply, and put it back again.

    • @DevOdyssey
      @DevOdyssey  1 year ago

      You're welcome Eddy! Thanks for watching.
      That is a strange bug, I haven't tried out Wireguard on OpenWrt 22.03. That's always a strange config for me, because with Wireguard on linux you have the option to set the DNS within the application. With OpenWrt I haven't found that DNS option, it seems to be masked possibly. Thanks for sharing that workaround as it'll likely be useful in a future project I'll be working on.

    • @richardrobinson9999
      @richardrobinson9999 5 months ago +1

      Thank you @eddybledoeg and @DevOdyssey. I am using the video to set up the wireguard and the same bug still persists, I need to remove the custom DNS in the wan interface to get the wg0 interface working after a reboot. Same on openwrt 22.03.04. Now I am looking into why all of my connections in wifi and wired are bypassing the wireguard IP

    • @DevOdyssey
      @DevOdyssey  5 months ago

      @richardrobinson9999 You're welcome, thanks for watching! Also thanks for letting me know you are experiencing this issue still. Have you tried it with OpenWrt 23.05?
      I don't think I have come across this issue, but I might have some ideas of what may be going on, based on my more recent experience.
      What IP are you setting for the custom DNS server? Is it a private, or public IP? If it's public, it should still work, assuming your VPN provider gives you a public IP that anyone can use, regardless if they pay for the VPN service or not. If it's private, i.e. a DNS server over the tunnel, then you can get into issues, and here's why.
      If your WireGuard peer endpoint host is a domain name, and not an IP address, it will need DNS to resolve the domain name. So if the DNS server is a private IP over the tunnel, then DNS will fail because the WireGuard tunnel needs to work first. So in this instance, you'd want your endpoint peer to be an IP address where you don't need DNS.
      Other than this potentially being a bug, this is the only scenario that comes to mind where you'd experience this issue.
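The ordering problem described in the reply above (a hostname endpoint that can only be resolved by a DNS server reachable through the tunnel) can be checked mechanically. This is an added example, not from the video or its author: it reads `uci show network` style output and flags that combination. The sample configuration, hostname and addresses are constructed, and treating private and 100.64.0.0/10 addresses as "reachable only through the tunnel" is an assumption.

```shell
#!/bin/sh
# Added example: detect the WireGuard/DNS bootstrap deadlock on OpenWrt.
# Input is the text printed by `uci show network`.

# True for an IPv4/IPv6 literal, false for a hostname.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;                 # IPv6 literal; hostnames cannot contain ':'
        ''|*[!0-9.]*) return 1 ;;        # letters or '-' mean it is a hostname
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# True for RFC 1918 space and 100.64.0.0/10. Assumption: such a resolver sits
# behind the tunnel, as with a VPN provider's internal DNS address.
is_private_v4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `uci show network` text on stdin, prints one verdict per peer endpoint,
# and returns 1 if any peer cannot come up without DNS that needs the tunnel.
wg_dns_bootstrap_check() {
    b_cfg=$(cat)
    b_hosts=$(printf '%s\n' "$b_cfg" |
        sed -n "s/^network\.[^.]*\.endpoint_host='\(.*\)'\$/\1/p")
    b_dns=$(printf '%s\n' "$b_cfg" | sed -n "s/^network\.wan\.dns=//p" | tr -d "'")
    b_private=""
    for b_d in $b_dns; do
        if is_private_v4 "$b_d"; then b_private="$b_private $b_d"; fi
    done
    b_status=0
    for b_h in $b_hosts; do
        if is_ip_literal "$b_h"; then
            echo "ok $b_h endpoint-is-ip"
        elif [ -n "$b_private" ]; then
            echo "risk $b_h needs-dns-via:${b_private# }"
            b_status=1
        else
            echo "ok $b_h resolvable-before-tunnel"
        fi
    done
    return $b_status
}

# Constructed sample in `uci show network` format: $1 = endpoint host, $2 = WAN DNS.
sample_uci() {
    cat <<EOF
network.wan=interface
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='$2'
network.wg0=interface
network.wg0.proto='wireguard'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].endpoint_host='$1'
network.@wireguard_wg0[0].endpoint_port='51820'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
EOF
}

# On a router: uci show network | wg_dns_bootstrap_check
sample_uci vpn.example.net 10.64.0.1 | wg_dns_bootstrap_check ||
    echo "fix: use an IP address as endpoint, or a DNS server reachable over WAN"
```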

  • @kylelaker539
    @kylelaker539 1 year ago +1

    Is it faster than openvpn?

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching Carl!
      In terms of protocol, it is according to tests. I haven't done speed tests between the two, but from design, and testing I have seen elsewhere, Wireguard is faster than OpenVPN. Now this all still depends on your ISP connection to the endpoint hosting the VPN server, but for the tunnel over that internet connection, Wireguard will be faster.

  • @faizulmohd8732
    @faizulmohd8732 3 years ago +1

    Hi, can you make a tutorial on how to flash openwrt/passwall on a tplink ax1800?

    • @DevOdyssey
      @DevOdyssey  3 years ago

      Thanks for watching!
      After doing some research and familiarizing myself with passwall, and Openwrt compatibility with TP-Link AX1800 (Archer AX20 chipset), it looks like this won’t be possible for you. That’s because the chipset is Broadcom based (although initially reports said it was MediaTek) and Broadcom chipsets are not open source friendly. Given that, there are no supported drivers for Broadcom.
      As for passwall, It sounds like a vpn protocol using vmess and v2ray. You might be able to install it once you can flash OpenWrt onto a compatible router. Additionally, I did find that someone on Reddit claimed to have made a build of OpenWrt with Passwall already on the build image, but since I can’t verify that, I’m not gonna link to it. You can google OpenWrt and Passwall to find this Reddit post / user.
      But to start off, I’d recommend looking at OpenWrt’s table of hardware to find a router that’s compatible with OpenWrt.
      openwrt.org/toh
      Hope this helps!

  • @Cyberjin
    @Cyberjin 2 years ago +1

    I followed your guide and got Wireguard up and running.
    Could you make a guide on how to change the custom dns while using Wireguard VPN?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching Cyberjin!
      Glad you got Wireguard up and running. So I cover setting up the DNS using my VPN provider, Mullvad's, DNS at 08:27, however I know that is static and remains the same even when the VPN is off. Sadly there isn't a custom DNS you can set specifically for the Wireguard interface, like with other implementations of Wireguard, and doing a search for this in the OpenWrt forum confirmed it for me. It looks like your best option is to follow this forum post and these docs.
      forum.openwrt.org/t/wireguard-dns-in-21-02-x/110853
      openwrt.org/docs/guide-user/base-system/dhcp_configuration#dns_forwarding
      openwrt.org/docs/guide-user/base-system/dhcp_configuration#split_dns
      Doing DNS Forwarding and Split DNS should be what you're looking for, though I haven't tested it out myself.

    • @Cyberjin
      @Cyberjin 2 years ago

      @DevOdyssey It's hard for me to understand sadly.

    • @DevOdyssey
      @DevOdyssey  2 years ago

      @Cyberjin No worries, what are you having trouble with?
      According to the documentation, follow these steps in LuCI to get DNS forwarding to work.
      LuCI → Network → DHCP and DNS → General Settings → DNS forwardings. Then in here you should have multiple options for DNS servers. For the first one, choose a DNS server that you want, in particular, to resolve first then second DNS Server.
      For setting up DNS Split, you can do the following:
      LuCI → Network → DHCP and DNS → Resolv and Hosts Files → Ignore resolve file. As noted in their documentation, this assists in the changes you did above, where "Ignore resolvfile option and limit upstream resolvers to server option".
      Doing those options can help, but from my understanding, it's not complete. There is no easy way to completely set the DNS server for the Wireguard interface. Even in reading the thread I noted earlier, there are multiple suggestions to try and get it tuned as possible, but because you can't set the DNS specifically on the Wireguard interface, that messes with everything. It seems like DNS splitting is your best option, but not foolproof. Otherwise, really all you can do is set the DNS server on the WAN interface, to the DNS server you want for Wireguard. Sorry I don't have much else for you, this one is a tricky one.

  • @OlandaMatch
    @OlandaMatch 1 year ago

    Hey, I'm using protonvpn with this configuration, and it works fine, but is it possible to port forward?

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching Olanda!
      That's a good question. So if you want to port forward with the WAN Interface, that would work just fine, and set up like normal. However, if you want to port forward through a VPN interface from a VPN provider, you would need that access and ability from that VPN provider. So for ProtonVPN, it looks like you can do that, however, not the way I'd imagine you would. It looks like you can do it via their client app, BitTorrent, or Vuze. The way I thought you could do it would be through a specific profile, where you can choose what port is open on the provider VPN interface so you can tunnel through it. At least this is how it works with Mullvad. So from my understanding, it doesn't seem like it would work when using ProtonVPN on your router.
      protonvpn.com/support/port-forwarding/
      mullvad.net/en/help/port-forwarding-and-mullvad/

  • @bb-em7xf
    @bb-em7xf 10 months ago

    No matter what I do the lan won’t route to the vpn, I did everything you did, I’m not sure what’s wrong

    • @DevOdyssey
      @DevOdyssey  10 months ago

      Thanks for watching @bb-em7xf!
      I'm sorry to hear this. I'm not sure what's going on, but maybe we can figure it out. Do your LAN based connections route over the regular WAN / ISP? As in, it's still able to access the internet, just not going over the internet, as opposed to not working at all (i.e. no internet access at all?)
      Are you seeing any TX traffic when the Wireguard interface is up? Are you able to create a handshake with the VPN server? With some more context, I'd be able to discern what could be wrong, but with limited information, other than your symptoms, I can't really tell what's going on.

  • @welshtralian
    @welshtralian 3 years ago +1

    Thanks for this video, it is very helpful. I was wondering if you could spare some time to make a video on (luci-)vpn-policy-routing package(s) because it's giving me a headache that it is not working as I'd hoped. Videos help me a lot better than reading documentation that isn't "consumer-friendly" for lack of better term.
    Thanks again

    • @DevOdyssey
      @DevOdyssey  3 years ago

      Thanks for watching Welshtralian! I appreciate the compliment.
      Actually, that's a video idea I've been thinking about, and taking this video one step further with policy routing. While the documentation I've found looks nice ( docs.openwrt.melmac.net/vpn-policy-routing/ ) I haven't played around with it at all, and it feels like it might not be so straightforward, and I'll likely have some headaches of my own getting it to work. But once I do figure it out, I'll make a video on it, as it would definitely complement this video well.
      I'm a visual learner myself, so I can understand the significance of having an instructional video guide through something that's especially difficult to document.
      You're welcome, glad you found it useful 😊

    • @welshtralian
      @welshtralian 3 years ago

      @DevOdyssey Thank you for taking your time to respond. Yes, instructional videos are much better for me as I'm dyslexic. And while I would say I am "technically sound", sometimes documentation is just alphabet spaghetti to me, haha.
      I have a GL.iNet router, so it comes with a VPN policy feature out of the box, but I have had problems with it, not routing, and I think it's to do with the DNS settings (it's hard to explain).
      Anyway, I have now set up the VPN routing using the Luci packages, and it works fine (touch wood). I have switched my interface metrics so that I use WAN by default and VPN for certain sites. It works well alongside the pi-hole (based on your other video settings).
      If you have time, I would love for you to have a go at setting up AdGuard Home. I personally prefer it because of natively using DNS-over-HTTPS/TLS but also can tell some sites (like BBC for example) to just use DNS-over-HTTP because I get CORS errors otherwise.
      The problem I have with AGH is, depending on how I set up pointing the DNS server to my Raspberry Pi, I either get 2 outcomes: VPN policy works, but AGH clients show as just router, or AGH lists all the devices on the network, but VPN policy doesn't route the traffic.
      Anyway, I've waffled on for too long, so I have sort of explained as well as possible and thanks again.

    • @DevOdyssey
      @DevOdyssey  3 years ago

      @welshtralian You're welcome! Thanks for your reply as well, it's cool to hear about your setup. Sorry for taking long to get back, I've had a busy few days breaking and fixing my network (let's just say I tried to set up LAG LACP between my UniFi switch and virtual firewall, and it didn't go well. But I did get new UniFi gear deployed so that's a plus.)
      Oh I see, well I can definitely see why then its easier to watch a video versus reading documentation. I'm glad my videos can then help you out in that way 😊.
      Never heard of that router, but I'd say its pretty neat to come with out of the box VPN policy routing. Can't say I hear that often.
      That's awesome! I'm happy to hear you got VPN policy routing working in OpenWrt with the proper LuCI packages. Sounds like you configured those interface metrics properly along with your routing table, nice job! Also, thanks for watching my pi-hole video 😊.
      You are the second person to tell me about AdGuard. Someone else commented on my Pi-hole video saying they'd use pi-hole to replace their AdGuard instance. That's convenient it uses DNS over HTTPS / TLS out of the box, and be smart enough to prevent CORS issues (if I understood that correctly).
      Interesting issue you have there. How are you setting up your clients to point to the DNS server? I imagine if you are using both the Raspberry Pi and AdGuard as your DNS servers, you may run into issues since only one can be your DNS server. You might be able to point your clients to one DNS server (the pi or AdGuard), and then point the AdGuard or pi to one or the other as the upstream DNS Server ( say pi -> AdGuard or AdGuard -> pi), and you might be able to fix your issue. However, depending on how the VPN policy routing works, this may be failing because the DNS over HTTPS / TLS is encrypting the DNS request and therefore the VPN policy routing can't see it? I honestly have to read more of exactly how the VPN policy routing works on OpenWrt (DNS based or IP based), but I could see how this might be an issue.
      It's cool to hear about your set up, so no worries. I'm sure I waffled on here just as long if not more haha. I think I understood your issue enough, but if not let me know. As for making a video on AdGuard, I'll have to learn more about it. As more people keep commenting on my videos, I'm getting more and more ideas piling up haha. So it's gonna take me some time to get to these ideas, especially while working a full time job.
      Anyway, I appreciate you sharing, and hope something I've said here helps!

  • @patrikhalen460
    @patrikhalen460 1 year ago

    Adding Mullvad's dns to the wan prevents the vpn interface from starting for me. Any thoughts?

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching Patrik!
      Not sure why adding Mullvad's DNS would prevent the VPN interface from starting. Unless there is a reason why you can't reach that DNS server via your ISP. It's a publicly accessible DNS server, so you should be able to reach it, regardless if you pay for Mullvad or not.
      It's difficult to tell if your ISP is blocking it, but see if you can try using it as a DNS server directly, to resolve a domain. If that does work, say from your personal device that is on the same network, then it may be your ISP blocking it. At that point you'd need a new ISP or choose a different DNS provider that you trust.

  • @az0009990
    @az0009990 1 month ago

    For safe torrenting, is blocking all traffic between lan and wan enough?

    • @DevOdyssey
      @DevOdyssey  1 month ago

      A VPN can help here, but not necessarily. It may help access torrenting, and masking your IP address. It also adds another "hop" in your network and might make torrenting take longer depending on the endpoint location. Also depending on the content you are torrenting, it doesn't inherently make it any safer, especially if the download has anything malicious in it. It basically just encrypts your connection one more step, so it will mask your WAN IP, and that's really about it.

  • @alkardo332
    @alkardo332 1 month ago +1

    Ty!

    • @DevOdyssey
      @DevOdyssey  1 month ago

      @alkardo332 You're welcome, thanks for watching!

  • @dutchdisney
    @dutchdisney 7 months ago

    Set it up like this. I see a wireguard handshake, I see packets traffic. I can ping... but no website will open. Lowered MTU from 1500 all the way to 1280 in steps of 20... No traffic over http. Changed the key pair a zillion times, different end-points, all to no avail.
    And it HAS worked. But suddenly it stopped. Sometimes that happens and I just have to change key pairs and a new location. But now I just can't get it to work anymore
    I'm lost

    • @DevOdyssey
      @DevOdyssey  7 months ago

      Thanks for watching @dutchdisney!
      I'm sorry to hear it stopped working, though at least it did work at some point. The changes you made to try and fix it don't seem like they'd impact your ability to get a handshake, those settings are generally more application specific, but I guess in theory your infrastructure could have issues with the frame size.
      Key pairs shouldn't matter either, so long as they are the same on both ends (i.e. public and private). Has changing the key pair and location fixed the issue before? Are you using the same VPN provider? It's possible the VPN provider is having issues, or your ISP connecting to that VPN provider.
      I'd first explore those avenues as if you get it working, you shouldn't have any issues once it works, outside of maintenance and infrastructure (i.e. ISP connection, VPN provider up time, router performance).

    • @dutchdisney
      @dutchdisney 7 months ago

      @DevOdyssey Thanks for your reply. I had a private IP for a period. Now I'm back to shared IP again. I use the same VPN provider.
      Of course I tried to talk to the VPN provider (Surfshark) but they are not very helpful. I tried all their suggestions, but doesn't change anything. Very frustrating!
      I've now also set up openVPN on openWRT, but this is costing a lot of performance on my raspberry Pi 4. So I'd rather have wireguard working again.

    • @DevOdyssey
      @DevOdyssey  7 months ago

      @dutchdisney You're welcome. Interesting, could you share more detail around the IPs? For WireGuard to work, you will need your own private IP for each configuration (unless, you use the same configuration on more than one device, at which point, then only one can be connected at any given time). Your public IP will definitely be shared among anyone else using the VPN.
      I am not surprised at their level of support, as with most VPN providers its about "set it and forget it". Have you considered changing your providers?
      Well I'm glad you were able to get some VPN working on your router. I'm actually working on a video right now for OpenVPN client on OpenWrt. But definitely as you noted, it's gonna cost you in performance, and depending on what you are trying to do over the VPN, it could make things very undesirable.
      Sadly, I can't offer much help without direct troubleshooting, but since VPN providers are relatively cheap, it might be worth trying a different one out for a month and seeing if they are more reliable.

    • @dutchdisney
      @dutchdisney 7 months ago

      @DevOdyssey One more, thanks for your replies. Yes I had a private public IP. Surfshark offers that option, to avoid issues with blacklists, etc. But the private IP addresses they provide are already on a blacklist before you get them :D. So I got refunded for that service and am now on a shared public ip.
      The big advantage of Surfshark is you can use it on unlimited devices, and with a household of 5 people and a load of devices, that is a big plus.
      Unfortunately I have a 3 year contract. Of course I can try another provider for a month, but for now it is ok with openVPN.

  • @GMCrelan
    @GMCrelan 8 months ago

    can you make a tutorial interface like this using tor?

    • @DevOdyssey
      @DevOdyssey  8 months ago +1

      Thanks for watching @GMCrelan!
      I haven't played around with tor too much yet, but I'd like to. Given that, I'd probably look into seeing if it's possible to tunnel all your traffic through a tor interface. I'm not 100% certain if that's actually possible, so I'd need to do some research and testing to ensure that it would work, let alone if I can do that on OpenWrt. I know there are tor plugins for OpenWrt, I just haven't used them.
      I've seen its possible with GL.iNet, which is based on OpenWrt, so I'd imagine I can do it. It's just a matter of testing / trying it out.

  • @alkilany
    @alkilany 1 year ago

    Can it work with the R7000P Netgear Nighthawk AC2300?

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching jaFar!
      So the R7000 Netgear is compatible with an OpenWrt flash, as you can see here.
      openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=Netgear&dataflt%5BModel*%7E%5D=R7000
      However, I'm not sure if the chipset for the R7000P is the same as the R7000 and it might not work with an OpenWrt flash. I'd recommend looking up that chipset first to make sure they are compatible so you don't brick your router.
      If you are trying to do this natively with Netgear software, chances are you can't. I'm not familiar with the software on R7000P Nighthawk series, but from the Netgear software I've used, it's definitely not compatible.

  • @rizwanulhuq7086
    @rizwanulhuq7086 1 year ago

    My latest handshake is Never in the wireguard status. Help please

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching @rizwanulhuq7086!
      Wireguard is not the easiest to troubleshoot, since you don't really get any logging from Wireguard, as it's intended to be pretty silent. But all the networking it relies on should be enough of an indicator to troubleshoot the issue.
      First, are you seeing any outbound traffic from the interface, such as TX traffic? That should be happening so you can at least initiate the handshake. You can try pinging out to any internet address via the Wireguard interface while in the terminal of OpenWrt (ping -I wg0 8.8.8.8) to forcibly send traffic out that interface.
      If that works, then you might have a routing issue, and you'd want to revisit your routing configuration at 8:00 in the video. That creates the proper routing rule to send all traffic via that interface, since our allowed IPs is all zeros.
      If that doesn't work, then you might want to see if you are being blocked somewhere by looking at firewall logs. The default set up of OpenWrt should not be blocking this, so it's unlikely to be that. Lastly, you could be blocked by your ISP if they do not allow Wireguard traffic out. This does depend on the country your traffic is originating from, but that's another issue entirely.
      Taking these steps should help you figure out where the problem is, and potentially resolve the issue if it's something you can control.
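The triage order in the reply above (TX traffic, then handshake, then routing) can be read straight from the tab-separated output of `wg show wg0 dump`. This is an added example, not from the video or its author: the dump below, its keys and addresses are constructed, and the 180-second staleness threshold is an assumption based on WireGuard renegotiating its session every couple of minutes while traffic flows.

```shell
#!/bin/sh
# Added example: classify each peer from `wg show <iface> dump` output.
# Peer lines carry, tab-separated: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (epoch), transfer-rx, transfer-tx, keepalive.
# The first line describes the interface itself (4 fields) and is skipped.

# wg_triage <now-epoch>   (dump text on stdin)
# Prints "<first 8 chars of peer key> <verdict>" per peer:
#   no-tx            nothing was ever sent: interface down or no route into it
#   no-reply         handshake initiations sent, never answered: wrong endpoint
#                    or keys, or UDP blocked by a firewall or the ISP
#   stale            a handshake happened once but is older than 180 s; only a
#                    problem if traffic should be flowing right now
#   up-full-tunnel   session is live and Allowed IPs include 0.0.0.0/0; if
#                    clients still show the WAN address, look at routing
#   up-split-tunnel  session is live but only specific prefixes use the tunnel
wg_triage() {
    awk -F '\t' -v now="$1" '
        NF == 4 { next }
        NF >= 8 {
            key = substr($1, 1, 8)
            hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
            if (hs == 0 && tx == 0)   verdict = "no-tx"
            else if (hs == 0)         verdict = "no-reply"
            else if (now - hs > 180)  verdict = "stale"
            else if ($4 ~ "(^|,)0[.]0[.]0[.]0/0(,|$)") verdict = "up-full-tunnel"
            else                      verdict = "up-split-tunnel"
            print key, verdict
        }'
}

# Constructed dump covering each case (keys are placeholders, not real keys).
sample_dump() {
    printf 'PRIVATE-KEY-REDACTED\tIFACEPUBLICKEY=\t51820\toff\n'
    printf 'AAAAAAAAplaceholder1=\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t0\t0\t0\toff\n'
    printf 'BBBBBBBBplaceholder2=\t(none)\t203.0.113.11:51820\t0.0.0.0/0\t0\t0\t1480\toff\n'
    printf 'CCCCCCCCplaceholder3=\t(none)\t203.0.113.12:51820\t0.0.0.0/0\t1700000000\t9216\t15200\t25\n'
    printf 'DDDDDDDDplaceholder4=\t(none)\t203.0.113.13:51820\t0.0.0.0/0,::/0\t1700000350\t88210\t40112\t25\n'
    printf 'EEEEEEEEplaceholder5=\t(none)\t203.0.113.14:51820\t10.64.0.0/10\t1700000390\t5120\t4096\t25\n'
}

# On a router: wg show wg0 dump | wg_triage "$(date +%s)"
sample_dump | wg_triage 1700000400
```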

  • @jasonluong3862
    @jasonluong3862 2 years ago +1

    Have you done a video where I can configure OpenWRT to direct some computers' Internet traffic through a VPN while letting other computers in the same LAN access the Internet without VPN? It makes no sense to route all traffic through VPN. Watching cat YouTube videos for example should not need a VPN connection because encrypting and decrypting video data unnecessarily consumes too many CPU cycles on the VPN server. I assume this can be done by whitelisting MAC addresses of the computers or pre-assigning them to VLANs where one VLAN, and all the computers assigned to it, always use VPN while the other does not?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching Jason!
      I have not done a video on that, but I can help here and explain it in theory. I've completed this somewhat in OPNSense, just not in OpenWrt. You can do this with policy routing, which you can find a link to it below. I do plan on making a video around this, and I'll use this article as a reference, among other forum posts.
      docs.openwrt.melmac.net/vpn-policy-routing/
      forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389
      Anyway, I agree 100%, no need to VPN tunnel "cat videos". This video was meant to address the easiest use case, but not always the most realistic. It really depends on what you are trying to accomplish. As noted, you should be able to do this via MAC Address (according to the first article), or also use hostname, IP Address, subnet, or all.
      You could accomplish this without the policy routing package, but it's easier to use this package. The way you would do it without it is by creating firewall rules per local IP addresses, to a specific destination IP address (and port), using a specific interface (such as the VPN interface). It does the same thing as policy routing, but being all IP based is very non ideal, and makes it much more difficult, as website IPs change frequently.

    • @jasonluong3862
      @jasonluong3862 2 years ago

      @@DevOdyssey Looking forward to your video on how to do this selective VPN on OpenWRT.
      Instead of putting MAC addresses on some list to allow some clients to use the VPN and others not use it, which is tedious in an environment where new clients join the LAN often, why not use something already existing which is VLANs. Have these policies apply to a particular VLAN and not others. Then when a client joins a VLAN, that client automatically has a VPN policy apply to that client. In general, a VLAN for IoT devices shouldn’t use the VPN. A special VLAN can be created for some IoT devices that need geo-shifting to allow it to play some streaming services blocked by local restrictions. A VLAN that is for a site-to-site VPN so servers from multiple sites can be synced.

    • @DevOdyssey
      @DevOdyssey  2 years ago

      @@jasonluong3862 Thanks! As am I!
      Using MACs can be exceptionally tedious unless they are clients that are on your network consistently. VLANs / subnets would definitely be a better approach in this scenario, and should work easily too. I would also apply that VPN policy on VLAN specific devices for geo based content, as you noted.
      Site to site would be the cherry on top, especially if you have a site to site with a residential IP to grab content from that location where you aren't blocked by the content provider. I have made site to site VPNs with Wireguard (another video I look forward to making), so you are hitting all the great points.
      I do appreciate you sharing those thoughts with everyone. Lots of not-so-difficult provisioning you can do with the right tools / packages.

    • @jasonluong3862
      @jasonluong3862 2 years ago

      @@DevOdyssey Selective and conditional VPN connections is indeed a ripe and fruitful topic to explore. As said, I and many of your subscribers are looking forward to watching such a tutorial.

    • @DevOdyssey
      @DevOdyssey  2 years ago

      @@jasonluong3862 Indeed. Looking forward to it as well!

  • @meysam4764
    @meysam4764 3 years ago +1

    How do you split tunnel VPN traffic?

    • @DevOdyssey
      @DevOdyssey  3 years ago +1

      Thanks for asking @Meysam!
      There are a couple of ways you could achieve this, from my knowledge.
      You can create a new routing table for the VPN interface, and route specific IP based traffic out the VPN, and traffic unspecified to go out the WAN interface.
      You can also do policy based routing, which can effectively do split tunneling as well.
      openwrt.org/docs/guide-user/network/routing#policy-based_routing
      openwrt.org/docs/guide-user/network/ip_rules
      A great LuCI GUI for policy based routing as well:
      docs.openwrt.melmac.net/vpn-policy-routing/
      It can get complicated implementing this, but with this level of configuration, it makes a VPN's use case far more valuable on a router, than just on a personal device.
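
One way to realise the "new routing table for the VPN interface" approach from this reply on OpenWrt, as an added example that is not from the video or the thread: a shell function that prints `uci batch` commands sending one source subnet (for example a VLAN) through the tunnel while everything else keeps using the WAN. The interface name wg0, the subnet 192.168.20.0/24, table 100, the section names vpn_default and vpn_src, and a single configured peer are assumptions.

```shell
#!/bin/sh
# Added example: generate `uci batch` input for source-based split tunneling.
# Review the printed commands, then apply them on the router with:
#   split_tunnel_uci wg0 192.168.20.0/24 100 | uci batch
#   uci commit network && /etc/init.d/network restart

# Accept only a well-formed IPv4 CIDR (octets 0-255, prefix 0-32).
valid_cidr4() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    echo "$1" | awk -F'[./]' '{
        for (i = 1; i <= 4; i++) if ($i > 255) exit 1
        if ($5 > 32) exit 1
    }'
}

# split_tunnel_uci IFNAME SUBNET TABLE
# Every argument is validated before it is interpolated into a uci command,
# so a malformed value cannot smuggle extra commands into the batch.
split_tunnel_uci() {
    ifname="$1"; subnet="$2"; table="$3"

    case "$ifname" in
        ''|*[!A-Za-z0-9_]*) echo "invalid interface name" >&2; return 1 ;;
    esac
    case "$table" in
        ''|*[!0-9]*) echo "invalid table id" >&2; return 1 ;;
    esac
    # Tables 253-255 are the kernel's default/main/local tables.
    if [ "$table" -lt 1 ] || [ "$table" -gt 252 ]; then
        echo "table id must be 1-252" >&2; return 1
    fi
    valid_cidr4 "$subnet" || { echo "invalid IPv4 subnet" >&2; return 1; }

    cat <<EOF
set network.@wireguard_${ifname}[0].route_allowed_ips='0'
set network.vpn_default=route
set network.vpn_default.interface='${ifname}'
set network.vpn_default.target='0.0.0.0/0'
set network.vpn_default.table='${table}'
set network.vpn_src=rule
set network.vpn_src.src='${subnet}'
set network.vpn_src.lookup='${table}'
set network.vpn_src.priority='1000'
EOF
}
```

The first command turns off "Route Allowed IPs" on the first peer (assumed to be the only one) so the main table keeps its WAN default route. If wg0 goes down, its route leaves table 100 and lookups fall through to the main table, so allow forwarding from that subnet's firewall zone only to the VPN zone when its traffic must never exit via the WAN.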

  • @abdelgaders122
    @abdelgaders122 1 year ago +1

    Perfect explanation... clear steps, thanks

    • @DevOdyssey
      @DevOdyssey  1 year ago

      You're welcome Abdelgader! Thanks for watching and the compliment! 😊

  • @netrich-ib9xw
    @netrich-ib9xw 1 year ago

    Hello, same steps for PureVPN? And if yes, from where can I get the public key, endpoint, etc... because I have looked on my PureVPN account and can't see them. Thank you

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Hi Netrich!
      Thanks for watching! I haven't used PureVPN, but in general, the steps should be the same, regardless of the VPN provider, so long as they are providing you with raw Wireguard parameters, and expect you to use native Wireguard, as opposed to any technology built on top of it.
      Doing a bit of research, I was able to find this support link from PureVPN where it talks about Wireguard Configuration File for Linux. This seems promising. Check out these instructions.
      support.purevpn.com/setup-wireguard-on-linux

    • @netrich-ib9xw
      @netrich-ib9xw 1 year ago

      @@DevOdyssey Thank you so much for your help, you are the best on youtube 💯✅

    • @DevOdyssey
      @DevOdyssey  1 year ago

      @@netrich-ib9xw You're welcome, you're too kind 😊 Glad to help.

  • @milktoast2876
    @milktoast2876 3 years ago +1

    wow cool same model too

  • @AshiKaren
    @AshiKaren 1 year ago

    hi, please make video openconnect install on openwrt

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching!
      I have not looked into OpenConnect, and have mostly focused on OpenVPN and Wireguard, due to their ease of use and widespread adoption among VPN providers, from a consumer standpoint. However, it looks like OpenConnect, client and server, has widespread adoption with multiple large IT network companies, like Cisco, Palo Alto, Juniper, F5 and more, likely since it's an open source project with roots as a replacement for Cisco's proprietary AnyConnect VPN.
      It looks interesting to me and may be something I'd explore. To really be useful, it seems like it would be best for organizations or small businesses that utilize hardware and software from major IT network companies mentioned above, and want to create VPN connections on new network hardware, without having to buy their hardware, which can often cost much more than generic hardware.
      Appreciate you sharing your thoughts and potentially giving me another opportunity to learn more.

  • @pzrkstinger
    @pzrkstinger 10 months ago +1

    thx for a nice tutorial!!!!

    • @DevOdyssey
      @DevOdyssey  10 months ago

      Thanks for watching @pzrkstinger and you’re welcome!

  • @thomasschneider5983
    @thomasschneider5983 2 years ago

    Thanks for sharing this tutorial.
    Unfortunately I'm facing a severe connection issue.
    Could you please support my attempts for troubleshooting and share output of wg showconf ?
    In particular section
    [Interface]
    ListenPort = 40108
    PrivateKey = ...
    Is there anything else?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      You're welcome! Thanks for watching Thomas.
      Can you elaborate on what it means to have a severe connection issue? What symptoms are you seeing? With more information I can help troubleshoot.
      If your issue is no connection when you enable the interface, then that may be expected, as this is something I ran into. This issue is typically when you're going after internal IPs, in your AllowedIPs section. When a wireguard interface is initialized, the VPN connection is typically not set up. This is because wireguard tries to be a silent protocol by nature. It does not initiate until it is needed. It only initiates once any form of network connection is trying to reach a destination that is within the AllowedIPs list. So if you aren't seeing a handshake establish, without trying to send network traffic to an AllowedIP, then that is expected. As soon as you try to send network traffic to an allowed IP, like a ping, http, etc, then it will attempt to establish a VPN tunnel to the wireguard peer, and forward the traffic appropriately.
      The whole gist is that you need to initiate traffic to start the tunnel.
      Another way you can do this forcibly is by using the PersistentKeepalive feature, where wireguard will automatically send packets to the interface.
      If this is not your issue, feel free to elaborate.
      Here is an example output of the wg command as asked.
      Note: I have added brackets around the periods in the IPs, so they are not linked in the browser. Those, of course, are not actually in the config file.
      interface: wg0
      public key: abcdefg=
      private key: (hidden)
      listening port: 30497
      peer: hijklmnop=
      preshared key: (hidden)
      endpoint: 10[.]10[.]10[.]10:51820
      allowed ips: 192[.]168[.]0[.]0/24, 192[.]168[.]1[.]0/24, 192[.]168[.]2[.]1/24
      latest handshake: 10 seconds ago
      transfer: 4.22 KiB received, 6.36 KiB sent
      This wireguard article should be helpful as well.
      www.wireguard.com/quickstart/

  • @mastacos
    @mastacos 1 year ago +1

    U da real MVP - thank you!

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thank you @mastacos! Appreciate the compliment and your viewership 😊

  • @bogdangusak4573
    @bogdangusak4573 2 months ago

    Thanks so much for cool guide! Applied every step from your manual and now I have a VPN router!!

    • @DevOdyssey
      @DevOdyssey  2 months ago

      Thanks for watching @bogdangusak4573!
      Glad the step by step instructions worked for you exactly as expected. Enjoy your VPN router!

  • @jbgrenouille2527
    @jbgrenouille2527 2 years ago

    Hello, I have the belkin f9k1103 router, I've wanted to install Openwrt for a long time but I can't find the way, I tried fw f9k1109 but the wifi doesn't work ... any ideas to install 3rd party firmware?

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Thanks for watching JB Grenouille!
      So looking at the table of hardware compatibility chart, it looks like the Belkin f9k1103 router is not on the list.
      openwrt.org/toh/start?dataflt%5BModel*%7E%5D=f9k
      While it may work with the f9k1109 firmware image, it may also have some problems with it, and seems like you already have. I'm not sure how you can get the WiFi working on the router, as it might be a hardware issue that has no solution to it. If you are set on using this router, you can try adding a WiFi access point.
      I checked DDWRT and it looks like that is also not compatible. I don't know of any other 3rd party firmware that would work, and looks like your best bet is to use the stock firmware, or to get hardware that's supported by OpenWrt.

  • @robyee3325
    @robyee3325 9 months ago

    how do you configure if you are fitting pi open wrt vpn between modem and isp router?

    • @DevOdyssey
      @DevOdyssey  8 months ago +1

      Thanks for watching @robyee3325! If you are running OpenWrt on a Raspberry Pi, then you'd configure the VPN the same way as shown in this video. The Raspberry Pi running OpenWrt would be your main router handling internet traffic directly. At this point, I'd make the ISP router an access point. First, I'd follow this video I made (below) to setup a Raspberry Pi router, with OpenWrt, and then use this video (above) to set up the VPN.
      ruclips.net/video/_pBf2hGqXL8/видео.html
      But before you proceed, make sure the Raspberry Pi router works with your ISP. Sometimes, bringing your own router might not work if you've been provided one by your ISP, it depends on how strict they are, though they certainly should let you use whatever router hardware you want. Once you can confirm it works, then follow the steps laid out to set up a VPN.
      Lastly, you can refer to the below video to set up the ISP router as an access point.
      ruclips.net/video/WyUlzFO90KA/видео.html

    • @robyee3325
      @robyee3325 8 months ago

      @@DevOdyssey oh man thank you so much for replying!

    • @DevOdyssey
      @DevOdyssey  8 months ago

      You're welcome @@robyee3325! Happy to help however I can 😊

  • @saifali-mi1xv
    @saifali-mi1xv 1 year ago

    is there a free vpn server config or not?

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching saif ali!
      In this video, the VPN service provider, Mullvad, is not free, and to my knowledge, I do not know of any free VPN providers that offer Wireguard. I personally can't recommend those in full confidence either because free VPN service providers come with their own costs, just not monetary. Often, free VPN service providers will come at the cost of your personal data and privacy, which is one of the biggest reasons users get VPNs to begin with. So I can't suggest anyone use a free VPN service provider, same goes with proxy services too.

  • @algolove185
    @algolove185 1 year ago

    I followed your steps but still no connection using wireguard interface - my luci version is 22.03.05 - something different in the version I have? I am using private key and peer public key given by protonvpn - however in openwrt 22.03.05 it is compulsorily asking me to enter public key in general setting - and protonvpn config file does not provide that... is that the reason why I can not get internet to work... it does make handshake but no data transfer... rx tx stays in kib

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching @algolove185!
      So your VPN provider should give you all the configuration items needed to make a connection. Technically, that doesn't necessarily need to include the private key of your Wireguard interface, but they do that to give you everything needed to easily set up the connection on your end, and to have the IP address and public key of your interface, as those are necessary for ProtonVPN to have on their end as a Wireguard peer (your peer) connecting on their end to their (or their Wireguard interface / server).
      The version of OpenWrt and LuCI you have should not keep this connection from working.
      On your end, you need the public key of their Wireguard server, and Endpoint Host, in order for your Wireguard interface to properly make the handshake (e.g. 07:49). Given you say the handshake is being made, it sounds like you have everything correct on the public key portion, and Endpoint Host portion, of your peer configuration. All I can think of in this scenario is you don't have your traffic being routed through the Wireguard interface. This usually happens automatically if you have your Allowed IPs set to 0.0.0.0/0, and very importantly, "Route Allowed IPs" checked off.
      Can you confirm that this is what you have set? If so, then all your traffic should be routed over the Wireguard VPN connection.

    • @gerardderuel1604
      @gerardderuel1604 11 months ago +1

      Good morning,
      Even if it does not seem consistent to you, you must glue the public key of the "peer" provided by Proton VPN, under the private key (otherwise "save" is impossible). Then, click Save, this public key, will be automatically replaced by its real public key from the private key.

    • @DevOdyssey
      @DevOdyssey  11 months ago

      @@gerardderuel1604 Thanks for watching!
      I must say this doesn't seem accurate to me, though I can't say I've tested this out with Proton VPN.
      The private key cannot be derived from the public key, rather the public key is derived from the private key. In addition, the Wireguard protocol does not handle the transfer of keys, so any attempts to set up a connection with improper keys will not have a tunnel created and then the keys updated to the right ones. I might be misunderstanding what you are referring to, but I'd imagine Proton VPN would give you a Wireguard configuration for an interface they "accept", with a private IP address of their choosing. Then, you use this information to create your Wireguard interface on your server. Then their available peers are endpoints you can tunnel out. Use that information to create a peer in your interface configuration, and that should be enough to create / establish a tunnel. This is the way Mullvad does it, as shown in the video.
      So again, not sure how Proton VPN does it, but the way it was described seems off to me.

    • @gerardderuel1604
      @gerardderuel1604 11 months ago +1

      @@DevOdyssey Hello Dev Odyssey,
      I may have explained myself badly.
      My configuration results from a groping path: failure and success. Let me explain:
      With the version of OpenWRT since October 30, 2022, interfaces, general parameters, after having glued the private key, it is impossible for you to change tabs to "Advanced parameters", even by clicking on "Save". It may be an openwrt bug.
      To get around this, you must "lure" OpenWRT. So, you are forced to enter the PAIR public key provided by Proton VPN under the private key. Or maybe anything to make the red line disappear, I have not tested.
      Then, from there you can click on "Advanced settings". Then, return to general parameters, you will find that the private key to Proton VPN generated the public key derived from its private key. Make a copy of this new public key.
      Control: Delete your configuration. Create a new configuration. Under the private key, glue the public key generated by the private key. You can change tabs and continue the configuration. I tested it and it works.
      I will point out to report this problem to the OpenWRT forum.

    • @DevOdyssey
      @DevOdyssey  11 months ago

      @@gerardderuel1604 Thanks for the follow through and explanation. I now understand what you meant, this is a graphical / GUI issue, rather than suggesting how to implement the Wireguard tunnel.
      I appreciate you taking the time to point out the issue in the OpenWrt forum so that the devs can fix it. I have not experienced this before, but if I do run into it, I'll report the issue as well.
      Enjoy your ProtonVPN tunnel on your router!

  • @enriquechat
    @enriquechat 3 years ago

    Great video man! I have a question. I’m trying to use a mobile hotspot for an IoT application. For this I need to use port forwarding to a specific port. Since the mobile hotspot doesn’t have a static IP I’m not able to do port forwarding. Do you think that using what you showed in your video using wire guard vpn I might be able to open a specific port?

    • @DevOdyssey
      @DevOdyssey  3 years ago +1

      Thanks for watching Enrique! I appreciate the compliment 😊
      Great question and yes, you can achieve your goal by doing what I did in this video, but also you can do it another way too that would be easier, but both come with some caveats.
      First Scenario: The way I do it in this video, is you set up a VPN connection to a VPN server (I use wireguard), and if your VPN provider supports port forwarding, you can do that (Mullvad does support port forwarding). Then you would do port forwarding on your router as well, as you normally would. However this scenario I would caution, because this VPN server could be used by others and so if you're port forwarding, you should have some sort of security behind that IoT application.
      Second Scenario: Same as first scenario, but instead of using a public VPN provider, you pay to host a server in the cloud (Google, AWS, Azure, etc), and set up a wireguard VPN server there. Then you configure port forwarding on the wireguard VPN server, and also on the router as well as you would normally. This is a bit better since this server is isolated to your use only, as you pay for it, and likely has a static IP. You could also pay for a domain name and set it up on the server as well and that would help.
      Third Scenario: You don't use a VPN at all. Rather, you first buy a domain name, and then you set up a client on the mobile hotspot (say a Raspberry Pi), and set up a Dynamic DNS client. What this will do is if your IP address changes for that mobile hotspot, that Raspberry Pi with the Dynamic DNS client will update your IP address automatically in the DNS server that's hosting your domain name. That way, the Domain name always matches the IP. Then you can do your port forwarding on the router only, and use the domain name to communicate with your mobile hot spot network. Last word of caution here: If your ISP uses CGNAT (Carrier Grade NAT) for your IP address, this third scenario will not work. You would have to use scenario 1 or 2.
      Let me know if you have any questions regarding the three scenarios above.

  • @mikenyc1589
    @mikenyc1589 3 months ago

    Best complete video on subject!!!!

    • @DevOdyssey
      @DevOdyssey  2 months ago +1

      Thanks @mikenyc1589! Really appreciate the compliment.

    • @mikenyc1589
      @mikenyc1589 2 months ago

      @@DevOdyssey I would like that info on mwan3....I wouldn't want wifey getting pissed if internet knocks out while she's working..:(

  • @milktoast2876
    @milktoast2876 3 years ago +1

    how do i do this 6:55?

    • @DevOdyssey
      @DevOdyssey  3 years ago

      Thanks for watching @Milktoast Weeb 🙂
      To do this, you will need to get a wireguard configuration file from your VPN provider. You can do a search on VPN providers that use wireguard and from there once you sign up, you should be able to get this information.

  • @Akmeds301
    @Akmeds301 1 year ago

    What were ur speed results

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for watching Kevin! I don't believe I took a speed test when doing this video, but given the VPN tunnel is coming from the US and going to Serbia, it's not going to be great, even with a fast and efficient VPN protocol such as Wireguard. If you are looking for speed, my recommendation is to choose a VPN server that is closest to you, so you do not lose much bandwidth, but still get the privacy benefits of your VPN connection.

  • @neolinux4023
    @neolinux4023 10 months ago

    Thanks a lot for the super informative videos. That helped me a lot!

    • @DevOdyssey
      @DevOdyssey  10 months ago

      You’re welcome @neolinux4023! Glad it helped you out 😊

  • @ramanpaliakou9405
    @ramanpaliakou9405 2 years ago

    Hello!
    Thanks for the video! It was very useful and especially good to know about the gateway metrics!
    However, there is one question about these vpn-s: how to make them guest ones? To share a wifi(or lan#) only for vpn, and another one for direct wan. Same area question also about how to allow several ip-s or web addresses to bypass vpn, what can be useful if you have a work-pc connected to your router and have to use several working vpns. Can you please comment on any of that?
    The thing about these q-s is that there are tutorials, but for openwrt 19.x while for 21.x - with its new firewall and slightly new network syntax - no one yet. So as you have a 21.x in your video, maybe you also can advise anything? My guess is that answer should be somewhere with firewall traffic rules, but not sure what exact config is needed. Thanks in advance, anyway :)

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Hi Raman,
      Thanks for watching! I genuinely appreciate hearing the compliment, and calling out the gateway metrics. I've known about metrics for awhile, but when I discovered I can use it this way, I was ecstatic.
      Sounds like you have quite a few questions 😊.
      1. For guests vpns - You'd basically have to create a second "guest" network with its own IP address range, (this would be a VLAN), and then create a firewall rule that tells all network traffic to go out through the VPN interface you create. Then for another network to go out directly through the WAN, you wouldn't have to add any additional rules, since by default, traffic exits the WAN interface. However in this scenario, you do not need to set up Gateway Metrics as that changes the routing table. I know this is speaking to it on a high level, but if you know enough with OpenWrt firewall rules that's generally how to do it.
      2. Bypassing VPN for IPs and Web sites - This you would need to do policy routing. There is a package for this, however, I'm not sure if it's updated for OpenWrt 21.02. This is something that can be accomplished with the vpn-policy-routing (and luci-app-vpn-policy-routing) package, and the documentation here is very useful - docs.openwrt.melmac.net/vpn-policy-routing/. This is something I'm planning on making a video as well.
      The information above should be a great start, I think it does implement firewall rules on the back end, but gives you a nice front end to make it easy to understand.
      Hope this helps!

  • @jaibalaji1264
    @jaibalaji1264 2 years ago

    It's not showing wireguard in the interface section. How to solve, can you help?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching JAI BALA JI!
      Could you explain a little more what you are seeing? Are you referring to when making a new interface at 6:39?
      Likely this is due to not having all the packages installed for Wireguard. I would first verify you installed the necessary wireguard packages, covered at 5:26. After the download, try doing a reboot of the router as well, and then return to creating a new interface to see if Wireguard shows up.

  • @hichamelouali
    @hichamelouali 6 months ago

    where do you get the settings for wireguard?

    • @DevOdyssey
      @DevOdyssey  6 months ago +1

      @hichamelouali Thanks for watching. I got the settings from my VPN Provider so I could connect to their WireGuard Peer / Endpoint (treating it as a server in this case). But you can generate this config on your own if you have your own WireGuard endpoint you want to connect to.
      When using this to connect to a VPN provider, they should give you the config you need.

    • @hichamelouali
      @hichamelouali 6 months ago +1

      @@DevOdyssey thank you sir, I will get back to you later and let you know how it would go

    • @DevOdyssey
      @DevOdyssey  6 months ago

      @@hichamelouali You're welcome and good luck!

  • @elldee1297
    @elldee1297 2 years ago

    Hi. Did you check your config for DNS leaks? I haven't been able to stop them w/o modifying /etc/config/dhcp and decided to follow your tutorial to install wireguard hoping it might help. Unfortunately my VPN supplier doesn't support wireguard on a router.

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Thanks for watching Ell Dee!
      So just to level set, DNS leaking is where your router is passing DNS requests to a DNS server that’s not considered “privacy minded”. For example, Google’s DNS of quad 8’s wouldn’t be privacy oriented, and considered a DNS leak. With that regard, you just need to use a DNS provider you trust that wouldn’t sell your data.
      That being said, the way I prevented DNS leaking is by specifying a DNS Server that Mullvad provided, in my WAN interface, so that when DNS requests are made, it would use that server. However, this can be overridden in many ways, including LAN DNS settings, or DNS settings specified on the client devices themselves. That being said, you want to be sure that the devices use the router as the DNS server, which will then forward DNS requests to the DNS server specified in your WAN interface. You can set this to something like Cloudflare's DNS (1.1.1.1) which is a generally recommended more private DNS server. In addition you can test out where your DNS requests are going by using software / terminal commands like nslookup or dig, which should validate if you are having DNS leaking (aka DNS requests going to a DNS server that you didn't specify).
      Lastly, you said your router doesn't support wireguard. If that's the case, then what way are you setting up Wireguard? If you are using something like a Raspberry Pi, you can specify the DNS in the wireguard interface using the syntax "DNS=Server IP", where Server IP is the IP address of your DNS server you want to use. If you can elaborate here, that would be helpful in understanding your setup.

    • @elldee1297
      @elldee1297 2 years ago

      @@DevOdyssey Hi. I posted a reply to your awesome reply but it disappeared. It was a long story but to make it short, my VPN supplier doesn't support Wireguard on routers and I had issues configuring a VPN on OpenWrt anyway, so I went back to DD-WRT. (I was following your steps during a trial with Proton, but the file contact I downloaded didn't jibe with yours from Mullvad.) Thank you again for your insights. When my VPN supplier starts supporting Wireguard I will be back to your vid. Cheers!

    • @DevOdyssey
      @DevOdyssey  2 years ago

      @@elldee1297 No worries, I've seen that happen to me sometimes.
      Ah that's a shame they do not. It's likely in the future they will as more companies adopt Wireguard. Nonetheless, I am glad you have a working set up from the sense of a VPN on your router, regardless of the firmware vendor.
      You're welcome! Glad to share them. When you do revisit, if you have any questions, feel free to ask again. Best of luck!

  • @michaelsmulsky
    @michaelsmulsky 2 years ago

    Hi, thanks for great tutorial, it's very clear and forward, I've done exactly the same, step by step, but I'm not getting RX, only TX packets, I even tried switching VPN providers and that didn't help :( Could you please help me.

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      Thanks for watching Michael!
      I appreciate the compliment 😊.
      So given what you’ve stated, it seems like you have a problem with making the handshake with your VPN provider. The TX packets indicate that your Wireguard client is sending out traffic to the VPN provider, but the lack of RX traffic would indicate to me that your handshake with the Wireguard VPN server is not happening. You can also check the status of the Wireguard handshake under the status menu, and clicking Wireguard.
      This may be difficult to troubleshoot as it involves the VPN provider that might be having issues on their end, but you can do your best to rule out any issues on your end. First, make sure the public key is correct for that endpoint you're connecting to, given to you by the VPN provider. Make sure the port is correct as well, and make sure the DNS name, or IP Address are correct, again, provided by your VPN provider. There’s a good chance that your issue lies here.
      Then, if it’s still not working, you can check to make sure that your outbound traffic to that Wireguard server is not being blocked. If you’re using a default firewall ruleset, all outbound traffic should be allowed, so this likely wouldn’t be the issue unless you’ve put some rules that block specific outbound traffic on specific destination ports.
      Once you can verify this is all correct, then you might want to contact your VPN provider for any additional troubleshooting, and make sure your account is in good standing order, or that they don’t have any issues on their end.
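
The checks walked through in this reply (TX without RX means no handshake; a handshake without data points at routing), as an added example that is not part of the thread or the channel's own material: a shell function that classifies each peer from `wg show <interface> dump` output. The sample dump with its keys and addresses is constructed, the verdict names are hypothetical, and the 180-second freshness limit is taken from WireGuard's session lifetime.

```shell
#!/bin/sh
# Added example: triage WireGuard peers from `wg show <ifname> dump`.
# On the router:  wg show wg0 dump | wg_diagnose
# The raw dump contains the interface PRIVATE key (first line) and each
# peer's preshared key, so post this function's output when asking for
# help, never the dump or `wg showconf` output itself.

# Constructed sample: one interface line, then one tab-separated line per peer
# (public key, preshared key, endpoint, allowed IPs, latest handshake as a
#  Unix timestamp, bytes received, bytes sent, persistent keepalive).
sample_dump() {
    printf 'PRIV_CONSTRUCTED=\tPUB_CONSTRUCTED=\t51820\toff\n'
    printf 'PEER0001constructed=\t(none)\t198.51.100.7:51820\t0.0.0.0/0\t0\t0\t1480\toff\n'
    printf 'PEER0002constructed=\t(none)\t198.51.100.8:51820\t0.0.0.0/0,::/0\t1700000090\t9216\t7340\t25\n'
    printf 'PEER0003constructed=\t(none)\t198.51.100.9:51820\t192.168.0.0/24\t1699990000\t4321\t6512\toff\n'
    printf 'PEER0004constructed=\t(none)\t(none)\t10.0.0.2/32\t0\t0\t0\toff\n'
    printf 'PEER0005constructed=\t(none)\t198.51.100.10:51820\t192.168.0.0/24,192.168.1.0/24\t1700000040\t2048\t4096\toff\n'
}

# wg_diagnose [NOW]  - reads a dump on stdin, prints "<key prefix> <verdict>".
# NOW defaults to the current time; pass it explicitly for repeatable results.
wg_diagnose() {
    now="${1:-$(date +%s)}"
    awk -F '\t' -v now="$now" '
        NF == 4 { next }                       # interface line: holds keys, skip
        NF == 8 {
            peer = substr($1, 1, 8) "..."      # never echo whole key material
            hs = $5 + 0; tx = $7 + 0
            if (hs == 0 && tx == 0)      v = "idle"
            else if (hs == 0)            v = "no-handshake"
            else if (now - hs > 180)     v = "stale-handshake"
            else if ($4 !~ /(^|,)0\.0\.0\.0\/0(,|$)/) v = "up-split"
            else                         v = "up-full"
            print peer, v
        }'
}

# wg_hint VERDICT - the next thing to check, following the replies above.
wg_hint() {
    case "$1" in
        idle)            echo "nothing sent yet: ping an address inside Allowed IPs or set PersistentKeepalive" ;;
        no-handshake)    echo "TX but no handshake: recheck peer public key, endpoint host and port, then outbound firewall rules" ;;
        stale-handshake) echo "session expired: send traffic and confirm a new handshake appears" ;;
        up-split)        echo "tunnel up: only the listed Allowed IPs are routed through it" ;;
        up-full)         echo "tunnel up: if clients have no internet, check Route Allowed IPs and the firewall zone" ;;
        *)               return 1 ;;
    esac
}
```
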

    • @michaelsmulsky
      @michaelsmulsky 2 years ago

      @@DevOdyssey It was the key, you were right, I corrected it and also removed preshared key in peers settings, thanks a lot! And all videos I found, have 0 information on firewall rules for WG, I could find firewall settings only on your tutorial, you're the best, thanks again!

    • @DevOdyssey
      @DevOdyssey  2 years ago +1

      @@michaelsmulsky Ah great! Glad you were able to fix it. The pre shared key can be a confusing addition. Most VPN providers don’t use it to my knowledge. The Preshared Key is basically an additional layer of security where the payload is encrypted again, on top of what’s already done with the public key. It’s not really necessary at all, and really a matter of choice. But if you put the public key in the preshared key spot, you’re certain it won’t work.
      I’m happy to provide that additional information on firewall rules with wireguard! I know I didn’t dive too deep into it, and in future videos I’ll talk about it more, but essentially since wireguard creates a virtual interface, creating firewall rules will be the same as any other interface. The zoning I touched on in this video is certainly important, and not a concept that all firewalls have, so it’s good to learn, as it can be powerful.
      You’re welcome, and I do sincerely appreciate your kind words 😊
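
The symptom discussed in this thread (TX counters rising, RX at zero, no handshake) can be read directly from `wg show <interface> dump`. The script below is an added example, not part of the original comments; the function names, the 180-second staleness threshold and the sample peers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify WireGuard peers from `wg show <iface> dump` (stdin).
# Peer lines are tab-separated, in this order:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# Line 1 describes the interface itself and is skipped.
wg_diagnose() {
    # $1 = current Unix time, passed in so results are repeatable
    awk -F '\t' -v now="$1" '
    NR == 1 { next }
    {
        peer = substr($1, 1, 8) "..."; hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
        if (hs == 0 && tx > 0 && rx == 0) {
            msg = "NO_HANDSHAKE: packets go out, none return; verify peer public key, endpoint host and port"
            if ($2 != "(none)")
                msg = msg "; preshared key is set and must match the server"
        } else if (hs == 0) {
            msg = "IDLE: no traffic has been routed to this peer yet"
        } else if (now - hs > 180) {   # assumed staleness threshold
            msg = "STALE: last handshake " (now - hs) "s ago"
            if ($8 == "off") msg = msg "; persistent keepalive is off"
        } else {
            msg = "OK: last handshake " (now - hs) "s ago"
        }
        print peer " " msg
    }'
}

# Constructed sample dump; keys are placeholders, addresses are documentation ranges.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' 'PRIVATE_PLACEHOLDER' 'LOCALPUB_PLACEHOLDER' '51820' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'AAAAAAAApeer1' 'PSK_PLACEHOLDER' '203.0.113.10:51820' '0.0.0.0/0' '0' '0' '4588' 'off' \
        'BBBBBBBBpeer2' '(none)' '198.51.100.7:51820' '0.0.0.0/0' '1699999970' '91234' '40112' '25' \
        'CCCCCCCCpeer3' '(none)' '192.0.2.44:51820' '10.8.0.0/24' '1699990000' '512' '2048' 'off'
}

# Demo on the sample. On the router itself:
#   wg show wg0 dump | wg_diagnose "$(date +%s)"
sample_dump | wg_diagnose 1700000000
```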

  • @grammatoncleric
    @grammatoncleric 2 years ago

    Hi, I followed your guide, thanks, it works on my DHCP LAN at home. But can you help me? I have a static IP in another location, I successfully set up the OpenWrt router for static IP, internet connection happens when not using VPN, but when I set up Wireguard the handshake doesn't happen for some reason. What could I be doing wrong? Is there another method for setting up Wireguard when you have a static IP LAN connection?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Hi Gosha,
      Thanks for watching!
      So just to preface this, the static IP address should not be conflicting with this in any way. I remember when I first started setting up wireguard tunnels, troubleshooting it was difficult, because it's a silent protocol by nature. The best thing you can do to troubleshoot not getting a connection is by checking to make sure nothing is blocking it. So on the other end of the wireguard tunnel, make sure that you have the specific port open on that router / device, that wireguard is listening on. Otherwise if it's blocked, it's not gonna work. Use traffic logs in your router to achieve this. I haven't gotten enough experience with syslogs in OpenWrt which I believe has the firewall logs, but that's where you want to check to see if a connection is being sent (from the initiating side), and if a connection is being received (from the receiving side).
      Lastly, what really tripped me up was depending on the IPs you are tunneling, if you don't generate any traffic to that endpoint, the wireguard tunnel does not initiate. That's on purpose, as it only initiates on demand. However you can set up a persistent ping to always keep the tunnel alive, which you can google for more information.
      But, if you are tunneling all traffic (0.0.0.0), then it should initiate because all traffic will attempt to be forwarded via the tunnel / VPN.
      The best place to start is the logs to see where the traffic might be getting blocked or dropped.

    • @grammatoncleric
      @grammatoncleric 2 years ago +1

      @@DevOdyssey Thanks for such a detailed answer, I will try to check traffic logs.

    • @DevOdyssey
      @DevOdyssey  2 years ago

      @@grammatoncleric You’re welcome! Hope you’re able to get it working.

  • @asanengineer_
    @asanengineer_ 11 months ago

    Thank you so much, awesome video tutorial!

    • @DevOdyssey
      @DevOdyssey  11 months ago

      Thanks for watching @asanengineer_ and you’re welcome!
      Really appreciate the compliment 😊

  • @ОлегГлухов-т8ы
    @ОлегГлухов-т8ы 1 year ago

    This is the best setup video!!! Thank you. I managed to set up NordVPN. Everything works great.

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching Oleg! You're welcome! Glad to hear it works with NordVPN!

  • @sapronin
    @sapronin 2 years ago

    Hi, nice instructions. I set it up exactly according to the instructions but something is probably missing in the instructions. OpenWRT 22.03 is not routing to the tunnel and there is no ping to the remote VPS. Tunnel is up, Wireguard server on VPS sees this client and handshake is ok, but OpenWrt is not routing over this interface. I tried to set up as a MikroTik client and it works properly. TP-Link 840N is set to default before setting up from this video.

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching sapronin!
      That is strange. I don't think this would significantly change with OpenWrt 22.03. The general concepts should be the same, including creating the Wireguard tunnels, port forward rules, and routing. Did you check your configuration to see if there were any glaring issues? You do mention routing, were the routes actually created for the VPN tunnel? You can check this using the route command in the terminal. This could be due to the writing of the networks in your peer configuration, as this is very easy to mess up. I know because I have done so myself, and it took me forever to figure it out.
      You can also write the routes manually.
      Regardless, if you are happy using the MikroTik client, then I'm glad it works for your situation.

    • @sapronin
      @sapronin 1 year ago +1

      @@DevOdyssey Hi, thank you for your answer. I already know where the problem was. On my VPS I deleted the profile for Tplink Client and I created it again. And it all started to work. I create and cancel the profiles using the script ./wireguard-install.sh. Your video tutorial is great :) Thank you

    • @DevOdyssey
      @DevOdyssey  1 year ago

      @@sapronin You're welcome! I'm glad you were able to troubleshoot it and find a way to solve it. Scripting out the creation of wireguard profiles is a nice touch, and makes it easy to spin up new wireguard interfaces on the fly. I appreciate the compliment 😊

  • @PACKAGEMODS
    @PACKAGEMODS 2 years ago

    I don’t have this feature on my snapshot version of openwrt? I see the custom but not wire ?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      Thanks for watching PACKAGEMODS!
      I'm not sure what you are seeing, but if you can explain more, I may be able to help.
      It sounds like you aren't able to see any wireguard package when looking for it at 5:28. Is this what you are experiencing?
      If so, make sure you update your package lists at 5:34. This is necessary after every reboot of the router since it's cleared out.
      Also what version of OpenWrt are you running? Also is it a "flavored" version of OpenWrt and not one you flashed yourself from OpenWrt's repository? If so, you might not be seeing the wireguard packages for those reasons. I'm just speculating but could be one of the reasons I mentioned here.

    • @PACKAGEMODS
      @PACKAGEMODS 2 years ago

      @@DevOdyssey I have the belkin RT3200 I’m on snapshot version. I download the upgrade file unchecked keep settings but nothing changes the router restarts and I’m still on snapshot version any possible way you can help please?

    • @DevOdyssey
      @DevOdyssey  2 years ago

      @@PACKAGEMODS Thanks for elaborating. It seems like you are speaking in regards to part 5:18 in the video. What snapshot are you currently running? I assume you have uploaded the latest snapshot version for your Belkin RT3200 that you downloaded from OpenWrt's repositories?
      And when you attempt to flash the new firmware, you are saying you still remain on the old firmware? I am not sure what could be going on in this scenario, of course other than the flash failing for some reason. You might be able to find some information in OpenWrt system logs (System -> Logs).
      You might be able to get some help from the OpenWrt community as well, and it would likely be easier to troubleshoot there being able to upload log data and what not.
      forum.openwrt.org/
      You can try to do a search first before posing a question in the community.
      forum.openwrt.org/search?q=Belkin%20RT3200%20snapshot
      I'd look there first before posting a topic on your issue.
      Lastly, I'm not sure if this page would help but you could take a look here.
      openwrt.org/toh/linksys/e8450

  • @AWSInsightHub
    @AWSInsightHub 3 years ago

    Oh by the way! I have improvised the wifi through VPN model. Without many changes, used the default bridge as it is setup the openvpn client software and uploaded the .ovpn file added the auth path to user_auth_path and then set this up with use WAN Firewall setup...walla.....this was done and this on the Main router I modified the LAN DHCP to use my RASPi as gateway which take care of routing the traffic.
    Router WIFI radio frequencies and DHCP untouched except the above and wallaaa....all the client on my home network are using VPN and if VPN gets disconnected they fallback to regular internet provider.
    Thanks once again for explaining the topic in very detail and practically.

    • @DevOdyssey
      @DevOdyssey  3 years ago +1

      Sweet, thanks for sharing this set up too, especially for others who can learn and use this information if they're in the same situation as you.
      Your set up makes sense to me. A Raspberry PI can be very convenient for routing traffic as your gateway, where you might have more configuration options available, or you have certain clients that you want to route their traffic differently from other network clients. So many use cases for that, I know I've thought of a few.
      Nice! It's certainly nice when you don't have to touch too many things when making configuration changes, since it makes it more likely for things in your network to break. It's really awesome when you can have all your network clients use a VPN, and fall back to the WAN connection if the VPN fails. I thought it was important to have this feature so I really looked into it and tried my best to figure it out so anyone who watches this video could do the same. So it's really cool for me to hear that you did this 😊. While I don't think it's necessary for all client devices to use a VPN, it's good to know that you can do that.
      You're welcome, I really appreciate the compliment.

    • @AWSInsightHub
      @AWSInsightHub 3 years ago

      @@DevOdyssey Sent you a Network Diagram if you can help others by sharing it through your channel or your accounts elsewhere.

    • @DevOdyssey
      @DevOdyssey  3 years ago +1

      Perfect thanks for sending it Jaleel! It looks good and I’ll figure out the best way to share it, a good resource to hold onto for later 😊. I appreciate your contribution!