# WireGuard da zero: guida completa per configurare il tuo router (OpenWrt, road-warrior e site-to-site)
Questa guida ti porta **da zero a VPN funzionante** anche se non hai mai toccato WireGuard. Faremo:
– **Road-warrior** (telefonino/PC -> casa)
– **Site-to-site** (due reti che si vedono tra loro)
> In breve: WireGuard è una VPN moderna, veloce e semplice. Usa coppie di **chiavi** (pubblica/privata) e **peer**; si autorizza il traffico con `AllowedIPs`.
—
## 1) Prerequisiti (senza sorprese)
– **Router con OpenWrt** (consigliato) o firmware che supporti WireGuard.
– **Porta UDP 51820** aperta verso il router (sul modem fai *port-forward*).
– **IP pubblico o DDNS** se l’IP cambia.
Se ti serve un router economico già pronto alla VPN:
– 🛒 [Cerca “router wireguard wifi 6”](https://www.amazon.it/s?k=router+wireguard+wifi+6&tag=accperlatuaal-21) *(affiliazione)*
—
## 2) Installare WireGuard su OpenWrt (LuCI/GUI)
1. **Sistema → Software** → `Aggiorna elenco`.
2. Installa: `luci-app-wireguard` e `wireguard-tools`.
**CLI (SSH):**
“`sh
opkg update
opkg install luci-app-wireguard wireguard-tools
“`
—
## 3) Genera chiavi sul router
“`sh
umask 077
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
cat /etc/wireguard/server_private.key
cat /etc/wireguard/server_public.key
“`
Salva **privata** (non condividerla) e **pubblica**.
—
## 4) Modalità Road-warrior (telefono/PC → casa)
### 4.1 Interfaccia `wg0` (server)
“`sh
uci set network.wg0=”interface”
uci set network.wg0.proto=”wireguard”
uci set network.wg0.private_key=””
uci set network.wg0.listen_port=”51820″
uci add_list network.wg0.addresses=”10.8.0.1/24″
uci commit network
/etc/init.d/network restart
“`
### 4.2 Firewall
“`sh
uci add firewall zone
uci set firewall.@zone[-1].name=”wgzone”
uci set firewall.@zone[-1].input=”ACCEPT”
uci set firewall.@zone[-1].output=”ACCEPT”
uci set firewall.@zone[-1].forward=”ACCEPT”
uci add_list firewall.@zone[-1].network=”wg0″
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=”lan”
uci set firewall.@forwarding[-1].dest=”wgzone”
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=”wgzone”
uci set firewall.@forwarding[-1].dest=”lan”
uci add firewall rule
uci set firewall.@rule[-1].name=”Allow-WireGuard”
uci set firewall.@rule[-1].src=”wan”
uci set firewall.@rule[-1].dest_port=”51820″
uci set firewall.@rule[-1].proto=”udp”
uci set firewall.@rule[-1].target=”ACCEPT”
uci commit firewall
/etc/init.d/firewall restart
“`
### 4.3 Peer per smartphone
Assegna **10.8.0.2/32** al telefono:
“`sh
uci add network wg0
uci set network.@wireguard_wg0[-1].public_key=”CHiavePubblicaTelefonoBase64==”
uci set network.@wireguard_wg0[-1].description=”iphone-di-mario”
uci add_list network.@wireguard_wg0[-1].allowed_ips=”10.8.0.2/32″
uci commit network
/etc/init.d/network restart
“`
### 4.4 Config nell’app WireGuard del telefono
“`
[Interface]
PrivateKey =
Address = 10.8.0.2/32
DNS = 10.8.0.1
[Peer]
PublicKey =
Endpoint = tuo-ddns.example.org:51820
AllowedIPs = 192.168.1.0/24
PersistentKeepalive = 25
“`
– `AllowedIPs = 0.0.0.0/0, ::/0` se vuoi tutto il traffico nella VPN.
—
## 5) Site-to-site (due reti collegate)
**Scenario:**
– **Sede A (server)**: LAN `192.168.1.0/24`, `wg0=10.9.0.1/24`
– **Sede B (client)**: LAN `192.168.2.0/24`, `wg0=10.9.0.2/24`
### 5.1 Sede A
“`sh
uci set network.wg0=”interface”
uci set network.wg0.proto=”wireguard”
uci set network.wg0.private_key=””
uci set network.wg0.listen_port=”51820″
uci add_list network.wg0.addresses=”10.9.0.1/24″
uci add network wg0
uci set network.@wireguard_wg0[-1].public_key=”CHiavePubblicaSedeB==”
uci add_list network.@wireguard_wg0[-1].allowed_ips=”10.9.0.2/32″
uci add_list network.@wireguard_wg0[-1].allowed_ips=”192.168.2.0/24″
uci commit network && /etc/init.d/network restart
# firewall come sopra
“`
### 5.2 Sede B
“`sh
uci set network.wg0=”interface”
uci set network.wg0.proto=”wireguard”
uci set network.wg0.private_key=””
uci add_list network.wg0.addresses=”10.9.0.2/24″
uci add network wg0
uci set network.@wireguard_wg0[-1].public_key=”CHiavePubblicaSedeA==”
uci set network.@wireguard_wg0[-1].endpoint_host=”sedeA-ddns.example.org”
uci set network.@wireguard_wg0[-1].endpoint_port=”51820″
uci add_list network.@wireguard_wg0[-1].allowed_ips=”10.9.0.1/32″
uci add_list network.@wireguard_wg0[-1].allowed_ips=”192.168.1.0/24″
uci set network.@wireguard_wg0[-1].persistent_keepalive=”25″
uci commit network && /etc/init.d/network restart
“`
**Se non pinghi:** verifica `AllowedIPs`, port-forward UDP 51820, o abilita masquerade sulla zona wg.
—
## 6) Test rapidi
“`sh
wg show
ping -c 3 10.8.0.2
ping -c 3 192.168.2.1
logread -e wireguard
“`
## 7) Performance & consigli
– Router vecchi = velocità VPN bassa: scegli CPU un po’ più robusta.
– UDP 51820 di default.
– Router **GL.iNet** sono comodi per iniziare:
🛒 [Cerca “GL.iNet WireGuard”](https://www.amazon.it/s?k=gl.inet+wireguard&tag=accperlatuaal-21)