OpenWrt on Linksys EA7300 V2#

Stock firmware runs on partition A. OpenWrt must be installed from partition B. Thus:

A --[ install stock firmware ]--> B
B --[ install OpenWrt ]--> A

Flash Linksys firmware to partition B, wait for reboot#

  • Connectivity > Router Firmware Update: manual

  • open browser dev tools: shows diagnostics in console 🤓

  • select file, confirm

  • ends with [Fw update complete]

Flash OpenWrt#

  • Connectivity > Router Firmware Update: manual

  • open browser dev tools: shows diagnostics in console 🤓

  • ends with "_Rebooting"

First Login and SSH#

Configure SSH locally

cat <<'EOF' >> ~/.ssh/config
Host wrt
  User root
EOF

ssh wrt

Tail Logs#

logread -f


opkg install less ripgrep htop curl
df -h /


uci set
uci set

# list physical devices
iw phy | rg '^Wiphy (.+)' -or '$1' | sort

# show bands
iw reg get
iw phy0 reg get
iw phy1 reg get

uci commit
iw phy phy0 info
iw phy phy1 info

show bands

iw phy phy0 channels
iw phy phy1 channels


root@wrt:~# iw phy1 reg get
country DE: DFS-ETSI
	(2400 - 2483 @ 40), (N/A, 20), (N/A)
	(5150 - 5250 @ 80), (N/A, 23), (N/A), NO-OUTDOOR, AUTO-BW
	(5250 - 5350 @ 80), (N/A, 20), (0 ms), NO-OUTDOOR, DFS, AUTO-BW
	(5470 - 5725 @ 160), (N/A, 26), (0 ms), DFS
	(5725 - 5875 @ 80), (N/A, 13), (N/A)
	(5945 - 6425 @ 160), (N/A, 23), (N/A), NO-OUTDOOR
	(57000 - 66000 @ 2160), (N/A, 40), (N/A)

hostname and timezone#

uci set system.@system[0].hostname=wrt
uci set system.@system[0].timezone='Europe/Berlin'
uci commit


Follow for basic setup. The VPN network will be with the server on and a client on

opkg update
opkg install wireguard-tools


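# VPN_IF, VPN_PORT, VPN_ADDR and VPN_ADDR6 must already be set in this shell
# keep the generated key files readable by root only
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk

VPN_KEY="$(cat wgserver.key)"
VPN_PSK="$(cat wgclient.psk)"
VPN_PUB="$(cat wgclient.pub)"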

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${VPN_IF}"
uci add_list firewall.lan.network="${VPN_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${VPN_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
service firewall restart

uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_KEY}"
uci set network.${VPN_IF}.listen_port="${VPN_PORT}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"

uci -q delete network.wgclient
uci set network.wgclient="wireguard_${VPN_IF}"
uci set network.wgclient.public_key="${VPN_PUB}"
uci set network.wgclient.preshared_key="${VPN_PSK}"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
uci set network.wgclient.route_allowed_ips=1
uci commit network
service network restart

To add another peer called wgclient3 given the IP address


# name (here: wgclient3) and host_num must be set; VPN_ADDR and VPN_ADDR6 as in the server setup
umask go=
wg genkey | tee ${name}.key | wg pubkey > ${name}.pub
wg genpsk > ${name}.psk
VPN_PUB="$(cat ${name}.pub)"
VPN_PSK="$(cat ${name}.psk)"

uci -q delete network.${name}
uci set network.${name}="wireguard_vpn"
uci set network.${name}.public_key="${VPN_PUB}"
uci set network.${name}.preshared_key="${VPN_PSK}"
uci set network.${name}.description='foo'
uci add_list network.${name}.allowed_ips="${VPN_ADDR%.*}.${host_num}/32"
uci add_list network.${name}.allowed_ips="${VPN_ADDR6%:*}:${host_num}/128"
uci set network.${name}.route_allowed_ips=1
uci commit network
service network restart

See Network > Interfaces > "vpn" > Peers
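
The same peer list can be checked from the shell. This added example (not from the original page) reads the output of "wg show vpn dump" and flags peers without a preshared key, peers that never completed a handshake, and peers whose allowed IPs are wider than the single-host /32 and /128 entries configured above. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Peer lines of "wg show <interface> dump" are tab-separated:
#   public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
#   transfer-rx, transfer-tx, persistent-keepalive
# The first line describes the interface itself and is skipped.
# The dump contains key material; only the peer's public key is printed here.
wg_audit_dump() {
    awk -F '\t' '
        NR == 1 { next }
        {
            flags = ""
            if ($2 == "(none)") flags = flags " no-psk"
            if ($5 == 0)        flags = flags " never-connected"
            if ($4 != "(none)") {
                n = split($4, ips, ",")
                for (i = 1; i <= n; i++) {
                    # single host means /128 for IPv6 and /32 for IPv4
                    ok = (ips[i] ~ /:/) ? (ips[i] ~ /\/128$/) : (ips[i] ~ /\/32$/)
                    if (!ok) flags = flags " wide-allowed-ips:" ips[i]
                }
            }
            if (flags != "") print $1 ":" flags
        }'
}

# Constructed sample input (keys and addresses are made up).
wg_audit_sample() {
    printf 'SRVPRIV=\tSRVPUB=\t51820\toff\n'
    printf 'PEERA=\tPSKA=\t198.51.100.7:40000\t192.0.2.2/32,2001:db8::2/128\t1700000000\t10\t20\toff\n'
    printf 'PEERB=\t(none)\t(none)\t192.0.2.0/24\t0\t0\t0\toff\n'
}

# On the router:  wg show vpn dump | wg_audit_dump
# Offline demo:   wg_audit_sample | wg_audit_dump
```
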

QR Code for WG Tunnel#

opkg install qrencode

OpenWrt needs the client’s private key to generate a QR code, so the key is stored in the router’s network configuration:

uci set network.${name}.private_key="$(cat "${name}.key")"
uci commit network

  • Network > Interfaces > “vpn”: edit

    • tab “Peers”: edit

    • scroll down, click Generate configuration
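
An alternative that keeps the client's private key out of the router's UCI config, as an added example that is not part of the original page: build the client config from the key files generated above and pipe it to qrencode in the terminal. The function name, the address, the endpoint and the full-tunnel default for allowed IPs are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a WireGuard client config
# from the key files created with "wg genkey" above, so it can be piped to
# qrencode without storing the client's private key via uci.

# wg_client_conf NAME ADDRESS SERVER_PUB_FILE ENDPOINT [ALLOWED_IPS]
#   NAME.key is required, NAME.psk is optional (both in the current directory).
#   ALLOWED_IPS defaults to a full tunnel; that default is an assumption.
wg_client_conf() {
    wgc_name="$1"; wgc_addr="$2"; wgc_srv_pub="$3"; wgc_endpoint="$4"
    wgc_allowed="${5:-0.0.0.0/0, ::/0}"
    for wgc_f in "${wgc_name}.key" "${wgc_srv_pub}"; do
        [ -r "${wgc_f}" ] || { echo "missing ${wgc_f}" >&2; return 1; }
    done
    echo "[Interface]"
    echo "PrivateKey = $(cat "${wgc_name}.key")"
    echo "Address = ${wgc_addr}"
    echo
    echo "[Peer]"
    echo "PublicKey = $(cat "${wgc_srv_pub}")"
    # Emit the preshared key only if one was generated for this peer.
    if [ -r "${wgc_name}.psk" ]; then
        echo "PresharedKey = $(cat "${wgc_name}.psk")"
    fi
    echo "AllowedIPs = ${wgc_allowed}"
    echo "Endpoint = ${wgc_endpoint}"
}

# On the router (placeholder address and endpoint from documentation ranges):
#   wg_client_conf wgclient3 192.0.2.3/32 wgserver.pub vpn.example.net:51820 \
#       | qrencode -t ansiutf8
# If the key was stored via uci earlier, remove it again, and delete the key
# file once the phone has scanned the code:
#   uci -q delete network.wgclient3.private_key && uci commit network
#   rm -f wgclient3.key
```
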

See also

In WG Tunnel:

  • Add from QR code

  • long-press, edit

  • check settings

  • note “Endpoint”

To verify:

  • disable wifi

  • enable tunnel

  • in termux: ifconfig

Linux Client#

Xubuntu 22.04. Example public server IP:

First, generate a WireGuard config in LuCI to copy values from:

  • Network > Interfaces > “vpn”: edit

    • tab “Peers”: add

      • Description: foo

      • hit Generate new key pair

      • DO NOT generate preshared key (NetworkManager bug? cannot set it)

      • Allowed IPs:

      • [x] Route Allowed IPs

    • scroll down, click “Generate configuration”

Install dependencies on notebook:

sudo apt-get update
sudo apt-get -y install resolvconf wireguard

  • Connection name: wg0

  • Interface name: wg0

  • Private key: <paste>

  • [x] Add peer routes

  • Peers > Add:

    • Public key: <paste pub key of server>

    • Allowed IPs:

    • Endpoint:

  • IPv4 Settings: Manual

    • Address:

    • Netmask: 24

    • Gateway: -

    • DNS servers:


It’s important to NOT set gateway. This way, NetworkManager sets a default route based on a custom route table. See thaller’s blog below.

Commands cheatsheet:

nmcli --overview connection show wg0
nmcli --show-secrets connection show wg0

nmcli connection down wg0; nmcli connection up wg0
ip route get  # dev wg0 table 52044 ...
ip route get  # dev lo ...
ip route get  # dev wg0 ...
ip route get  # dev wg0 table 52044 ...

See also