How to setup AmneziaWG on OpenWrt

This guide was created by a community member and reviewed by us. Firmware and router interfaces may change over time, so some steps may differ depending on your device or version.

This guide walks you through installing and configuring AmneziaWG (an obfuscated variant of WireGuard designed to resist traffic detection) on a router running OpenWRT. When complete, all devices on your network will route their traffic
through your Xeovo VPN connection without any per-device setup.

Prerequisites

• Router running OpenWRT version 24.10.3 or later
• SSH access to the router (terminal, PuTTY, or any other SSH client)
• LuCI (OpenWRT's built-in web admin panel) accessible in your browser

Install AmneziaWG Client

1. Open a terminal, PuTTY, or any other SSH client.

2. Connect to your router. In a terminal, run:

      ssh root@<router-ip>

   Replace <router-ip> with your router's IP address. You can find it in your computer's network settings under
   Gateway Address — it is typically 192.168.1.1 or 192.168.0.1.

Note: On your first connection, your SSH client may ask you to verify the host's authenticity. Type yes and
press Enter to continue.

3. Enter your root password when prompted.

Note: If you previously added your SSH public key via LuCI, this step is skipped automatically.

4. Run the following command to install AmneziaWG:

      sh <(wget -O - https://raw.githubusercontent.com/Slava-Shchipunov/awg-openwrt/refs/heads/master/amneziawg-install.sh)

5. When the installer's interactive prompts appear:

   • Russian language pack — type y or n based on your preference.
   • Set up the AWG interface now — type n. The interface will be configured through LuCI in the next section.

6. Once the installer exits, reboot your router:

      reboot

   Wait 30–60 seconds for the router to come back online before continuing.

Download a Configuration File

1. Go to the Xeovo WireGuard generator.
2. Select the country you want to connect through.

Note: Do not select All countries in .zip — the interface supports only one active configuration file at a
time.

3. Select an existing key or generate a new one.
4. Open Advanced Settings and select AmneziaWG under the Client section.
5. Click Download to save the configuration file to your computer.

Configure AmneziaWG Interface

1. In your browser, navigate to your router's IP address (e.g., http://192.168.1.1) to open LuCI.
2. Log in with the root account.
3. Go to Network → Interfaces.
4. Click Add new interface.
5. In the Protocol dropdown, select AmneziaWG VPN.
6. Enter a name for the interface.

Note: Only letters, numbers, and underscores are allowed — for example, xeovo_awg_nl.

7. Click Create interface.

8. In the popup that opens, click Load configuration.

9. Drag in the configuration file you downloaded, or paste its contents into the text field.

   If you pasted the contents manually, click Import settings to apply them.

10. Switch to the Advanced Settings tab.

11. Enable Use default gateway.

    > Note: If you plan to configure routing manually (for split-tunneling), leave this option disabled and set up
    > routing separately afterward.

12. Switch to the Peers tab.

13. Click Edit in the peer row.

14. Enable Route Allowed IPs.

15. Click Save to save the peer settings.

16. Click Save again to save the interface settings.

17. Click Save & Apply to initialize new interface.

Configure Firewall

1. Go to Network → Firewall.
2. Scroll down to the Zones section and click Add.
3. Enter a name for the new zone, for example VPN.
4. Set Input to reject.
5. Set Output to accept.
6. Set Intra-zone forwarding to reject.
7. Enable IPv4 Masquerading (allows your LAN devices to share the VPN's IP address) and MSS clamping (prevents
   oversized packets from breaking the connection).
8. In the Covered networks field, select the interface you created in the previous section.
9. In the Allow forward from source zones field, select your lan zone.

Warning: Make sure you are editing Allow forward from source zones, not Allow forward to destination
zones — these are two separate fields stacked directly below each other.

10. Click Save.

Apply and Verify

1. Click Save & Apply to apply all pending changes.
2. Go to System → Reboot.
3. Click Perform reboot and wait 30–60 seconds for the router to come back online.
4. On any device connected to your router, open a browser and go to DoesMyVPN.work to confirm your VPN connection is active.

If your real IP is still showing, verify that Use default gateway is enabled on the interface and that the firewall
zone is correctly forwarding from the lan zone.