OpenWRT Wireguard server

OpenWrt server
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

# Refresh the package lists, then install WireGuard and its LuCI page.
# NOTE(review): package names vary between OpenWrt releases; confirm both
# names exist in the feeds of the release running on this router.
opkg update
opkg install wireguard luci-app-wireguard
 
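# Tunnel parameters shared by the firewall, network and peer steps.
WG_IF="vpn"               # name of the UCI interface section that is created
WG_PORT="51820"           # UDP port the server listens on and the firewall opens
WG_ADDR="192.168.9.1/24"  # server address inside the tunnel
# IPv6 tunnel address. The network and peer steps reference WG_ADDR6, but the
# original notes never define it. It is declared here so it is never an unset
# variable: leave it empty for an IPv4-only tunnel, or set it to the server's
# IPv6 tunnel address with prefix length. A value already present in the
# environment is kept.
WG_ADDR6="${WG_ADDR6:-}"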
 
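# Generate keys
# umask go= removes group/other permissions from files created from here on,
# so new key files are readable by their owner only. It stays in effect for
# the rest of the shell session.
umask go=
# Private key goes to wgserver.key, the derived public key to wgserver.pub.
# Re-running this replaces the key pair; peers configured with the old public
# key will no longer be able to connect.
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genpsk > wgserver.psk
# umask only applies to newly created files. If the key files already existed
# with wider permissions, the redirections above kept those permissions, so
# tighten them explicitly.
chmod 600 wgserver.key wgserver.psk
WG_KEY="$(cat wgserver.key)"
WG_PSK="$(cat wgserver.psk)"
# Public key of the client peer. Only the public key is copied from the
# client; the client's private key never needs to leave the client.
WG_PUB="*******[ copy from wg client ]********"
# Warn when the placeholder was not replaced; otherwise it would be written
# into the peer section as if it were a key.
case "${WG_PUB}" in
  *"copy from wg client"*)
    echo "WG_PUB still holds the placeholder; set it to the client's public key" >&2
    ;;
esac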
 
# Configure firewall
# Give the first two zone sections the names "lan" and "wan" so they can be
# addressed by name below.
# NOTE(review): this picks the zones by position. On a firewall whose zone
# order was changed, the names land on different zones and the rule below
# would open the port on the wrong one; check `uci show firewall` first.
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
# Remove-then-add keeps the list free of duplicates when the script is re-run.
# The tunnel interface is placed in the lan zone, so traffic from VPN peers is
# handled by whatever policy the lan zone has.
# NOTE(review): if peers should get narrower access than LAN hosts, a separate
# zone for the tunnel is the place to express that.
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
# Recreate the named rule from scratch; -q hides the error on the first run,
# when the section does not exist yet.
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
# Accept UDP to the WireGuard listen port arriving from the wan zone. This is
# the only port the rule opens.
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
# Write the staged changes and reload the firewall so they take effect.
uci commit firewall
/etc/init.d/firewall restart
 
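# Configure network
# Start from a clean section so the script can be re-run; -q hides the error
# when the section does not exist yet. Nothing here is committed: the changes
# stay staged until `uci commit network` runs in the peer step.
uci -q delete "network.${WG_IF}"
uci set "network.${WG_IF}=interface"
uci set "network.${WG_IF}.proto=wireguard"
# The private key is stored in the network configuration in clear text, so
# configuration backups need the same protection as wgserver.key.
uci set "network.${WG_IF}.private_key=${WG_KEY}"
uci set "network.${WG_IF}.listen_port=${WG_PORT}"
uci add_list "network.${WG_IF}.addresses=${WG_ADDR}"
# WG_ADDR6 is optional. Adding it unconditionally would put an empty entry
# into the address list when no IPv6 tunnel address was defined.
if [ -n "${WG_ADDR6:-}" ]; then
  uci add_list "network.${WG_IF}.addresses=${WG_ADDR6}"
fi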
 
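# Add VPN peers
# Recreate the peer section from scratch so a re-run does not leave stale
# list entries; -q hides the error when the section does not exist yet.
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
# The preshared key must be identical on the client; hand it over through a
# channel that is already trusted.
uci set network.wgclient.preshared_key="${WG_PSK}"
# ${WG_ADDR%.*} drops the last octet and prefix length, so the peer is allowed
# exactly one tunnel address (host .2, /32). Packets from this peer with any
# other source address are dropped by WireGuard.
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32"
# Only add the IPv6 entry when WG_ADDR6 is defined; with it empty the
# expansion would yield the malformed entry ":2/128".
if [ -n "${WG_ADDR6:-}" ]; then
  uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"
fi
# Commit everything staged for the network config and restart networking to
# bring the tunnel up. Expect a brief interruption of existing connections.
uci commit network
/etc/init.d/network restart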

OpenWrt client
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

# cat wg0.conf 
# Client side of the tunnel. This file contains the client's private key and
# the preshared key, so keep it readable by its owner only.
[Interface]
# The client's own private key. The matching public key is the value the
# server stores as the peer's public key.
PrivateKey = ****************************
# Client address inside the tunnel; the server's peer entry allows host .2 of
# the tunnel subnet.
Address = 192.168.9.2/24
 
[Peer]
# NOTE(review): presumably the server's public key (wgserver.pub) - confirm.
PublicKey = ***********************************
# Must be the same preshared key that the server has configured for this peer.
PresharedKey = ****************************
# Destinations routed through the tunnel: the tunnel subnet and
# 192.168.1.0/24 (presumably the LAN behind the server - confirm). All other
# traffic stays outside the tunnel.
AllowedIPs = 192.168.9.0/24, 192.168.1.0/24
# Placeholder address; replace it with the server's public address. The port
# matches the server's listen port.
Endpoint = 1.2.3.4:51820
# Send a keepalive every 15 seconds so NAT and firewall state between client
# and server stays open.
PersistentKeepalive = 15