- ASUS RT-AC86U router
- Merlin Firmware for ASUS installed
- USB storage device connected to the router
- Download Putty (if running Windows) to connect to your router
- Subscription at a VPN provider that support the WireGuard protocol
- Use a public DNS service as for example Quad9 in your router config or combine it with a Pi-Hole.
Install Entware on the router/USB connected storage with command:
Link to Merlin Instructions about this.
Installation of WireGuard
(Instruction and links collected from SmallNetBuilder forum thread combined with my own experiences.)
Download the WireGuard ipk install package and copy it to your USB storage connected to the router.
Download link <- This file is updated regularly, so check from time to time for an updated version.
Install WireGuard with command:
opkg install wireguard_0.0.20180910-ac28449_aarch64-3.10.ipk (depending on downloaded version)
Download your WireGuard config file from your VPN provider.
When you are using Mullvad you download your config file from here.
Create Wireguard config file with the command. (Name it as you wish, i used Mullvad as name)
Save the information from your VPN provider inside this file but change the setup of the config file a bit.
PrivateKey = **********
#Address = xx.xx.xx.xx
#DNS = xx.xx.xx.xx
Endpoint = xxx.xxx.xxx.xxx:xxxxx
PublicKey = **********
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = xxx.xxx.xxx.xxx:xxxxx
PersistentKeepalive = 25
Remove or write # in front of “Address” and “DNS” to disable those two lines. WireGuard will not start when those are still active.
Add the PersistentKeepallive information at the end.
For some reasons, in the latest version of WireGuard (20180910), the Endpoint IP must be written in the Config file before the PublicKey information.
Otherwise you will get the following error message when trying to connect:
Line unrecognized: `PublicKey=*********’
Configuration parsing error
need at least a destination address
Continuing with the installation by editing the wireguard client config file:
Add your local IP address written in the config file from your VPN provider behind:
export LocalIP= xxx.xxx.xxx.xxx
Now edit wg-up config file
wg setconf wg0 /opt/etc/wireguard/wg0.conf
wg setconf wg0 /opt/etc/wireguard/mullvad.conf (or what ever you called your config file above)
Additional DNS config settings
Because the DNS configuration from the WireGuard config files can not be used in this setup, it is important that you are using an alternative DNS server in your router settings.
As mentioned under Prerequisites, you can use Quad9 or an Pi-Hole setup to get this done. In this case, you are not leaking the DNS servers from your ISP.
Installation and configuration finished
Now you can start the WireGuard connection with the following command:
If you have everything configured correctly, you should not get any error message. 🙂
All your devices on your home network are now routed through your WireGuard VPN connection to the internet.
To check your active WireGuard connection, just type “wg” as command.
This should bring up information similar to the one shown below.
public key: **********
private key: (hidden)
listening port: xxxxx
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 1 second ago
transfer: 794.16 MiB received, 436.97 MiB sent
persistent keepalive: every 25 seconds
Double check your external IP address and DNS info by visiting: :
To shutdown your WireGuard connection, login to the router and write: