Setting up a Wireguard client VPN on OpenWRT

As I have recently started using OpenWRT on network equipment, I frequently wanted to add an OpenWRT device as a client to my Wireguard VPN. I usually create a Wireguard config like this:

lukas@netherlands:~$ cat devicename.conf
[Interface]
Address = a.b.c.d/32, fc00:0:0:c::d/64
PrivateKey = <redacted>

[Peer]
PublicKey = <redacted>
AllowedIPs = <local subnets>
Endpoint = example.com:port
PersistentKeepalive = 10

This config can be imported into OpenWRT using LuCI. First install the luci-proto-wireguard package (which pulls in the required Wireguard packages as dependencies) and restart the network component in System -> Startup -> Initscripts. Then add a new interface in Network -> Interfaces, select “WireGuard VPN” as the protocol and set an appropriate name. The interface settings will open. At the bottom of the “General Settings” tab is a button to load an existing configuration, which accepts a configuration in the above format and also sets up the appropriate peers (which could otherwise be imported individually).

However, after importing the config, the interface will start and apparently connect successfully (both RX and TX bytes appear, and the server will show successful handshakes), but pinging VPN IPs will not work. This is due to missing routes for the private IP blocks accessible through the VPN. OpenWRT does not create such routes by default (in contrast to e.g. wg-quick).

To fix this issue, edit the interface config of the Wireguard interface and switch to the “Peers” tab. Use the edit button of each individual peer and tick the “Route Allowed IPs” checkbox in the peer settings. After saving and applying the settings and restarting the Wireguard interface, pinging the VPN IPs should work as expected.
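
To confirm the missing-route symptom described above before and after ticking the checkbox, the following added example (not part of the original post) lists every AllowedIPs prefix from the config that has no matching route line. It assumes a hypothetical interface name wg0, constructed sample addresses, and a text file holding the tunnel's route lines taken from `ip route` and `ip -6 route`, where the first field is the destination.

```shell
# Added example (not from the original post); sample data below is constructed.
# allowed_ips CONF: print each AllowedIPs prefix in a wg-quick style config.
allowed_ips() {
    awk -F= '{ key = tolower($1); gsub(/[[:space:]]/, "", key) }
        key == "allowedips" {
            n = split($2, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }' "$1"
}

# missing_routes CONF ROUTES: print prefixes from CONF with no route in ROUTES.
# Host routes are printed by ip without /32 or /128, so both forms are accepted.
missing_routes() {
    allowed_ips "$1" | while read -r prefix; do
        awk -v p="$prefix" '
            { dest = $1 }
            dest == p || (dest "/32") == p || (dest "/128") == p { found = 1 }
            END { exit !found }' "$2" || echo "$prefix"
    done
}

# demo: constructed config and route table; 192.168.50.0/24 has no route.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/devicename.conf" <<'EOF'
[Interface]
Address = 10.8.0.2/32
PrivateKey = <redacted>

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.8.0.1/32, 192.168.50.0/24, fd00:8::/64
Endpoint = example.com:51820
PersistentKeepalive = 10
EOF
    cat > "$dir/routes.txt" <<'EOF'
10.8.0.1 dev wg0 scope link
fd00:8::/64 dev wg0 metric 1024 pref medium
EOF
    missing_routes "$dir/devicename.conf" "$dir/routes.txt"
    rm -rf "$dir"
}
demo
```

The “Route Allowed IPs” checkbox is stored as `option route_allowed_ips '1'` in the peer's section of /etc/config/network, so an empty result from `missing_routes` after the change indicates the setting took effect for every prefix.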