Wireguard Free VPN (CloudFlare WARP+ free and premium) on old BL401 wifi router installed with OpenWRT v17

7 min readMar 4, 2024

There is quite scattered information on internet in how to configure OpenWRT based router to use wireguard, especially for free/premium WARP service from CloudFlare. I will summarize them all in this single article!

First step, acquire an OpenWRT wifi router

If you want to install OpenWRT firmware by yourself, you can start by visiting this link https://openwrt.org/toh/start. It lists all devices that have possibility to be overwritten with OpenWRT. I happen to found on marketplace, a very cheap 2nd hand wifi router Bolt BL401, for USD 7. And it has been pre-equipped with OpenWRT 17, and the previous owner already installed Wireguard package as well.

Please note that unlike officially supported routers, installation of OpenWRT on BL401 is not officially supported, complex and it requires to reprogram EEPROM chip, and not part of this article.

Even if you have vanilla OpenWRT, it is quite trivia to install wireguard via opkg command, so this won’t be covered here.

Second step, ensuring it works as normal router without VPN

After purchasing it online, the very next day it arrived at front of my door, delivered by courier. The previous owner told me all about the credentials to login, so I couldn’t wait to try it. I immediately plugged in a LAN cable that comes out from my existing broadband wifi router, into BL401 WAN port. I was expecting I would be surfing the internet with wireless AP coming from BL401. It didn’t go that far. Once I plug-in the cable, BL401 went into boot-loop. 🤯

I thought the router was fried and the seller was not being honest about its condition. After discussing with him, I found out that this “old” router can only accept 100mbps LAN, and it may not have PoE (power over ethernet). Means, the cable must be 4 pins. OK, I was not familiar with that. Then I tried to dig on internet a bit about that. My current cable is 8 pins, and the output from my current broadband router is gigabit LAN. There are people selling 4 pins cable though on marketplace. Though it is cheap, but it will take a while before it arrives, and it sucks to wait. I couldn’t even verify if this router is legit or not, moreover to test the wireguard. 🤷‍♂️

Tried to check nearby stores. They actually sell LAN cable, but all of them are 8 pins. Suddenly I got an idea — is it possible to turn my existing 8 pin to 4 pin? I have 3 unused LAN cables though, I don’t mind sacrificing one for the sake of “research”.

So talking about RJ45 pins, here we go: https://www.advantech.com/en/resources/white-papers/b50a4401-6634-498a-82fa-076f63093b97

Since this is router to device, let’s focus on ethernet patch cable (not crossover). As we can see from the image above, the pin 4,5,7,8 are actually used for either PoE, or for gigabit ethernet. So what should I do? I only need to “remove” them. 😆

Yup it is quite barbaric 😅 but it works. In parallel I will order 4 pins “proper” cable —
or not…

With this “new” cable, the router booted up properly and thankfully it works as expected.

About CloudFlare WARP

Before we continue, let’s talk about WARP. It is a free VPN service that you can use on your desktop or mobile phone. Let me repeat it again. IT IS FREEEEEE for you cheapskate guys 😆

I use it on my android phone. If you haven’t tried it, please download it from google playstore. WARP is based on Wireguard. When it is installed, it will generate public and private key that represent your device.

Why Wireguard though, why not IPSEC or OpenVPN?

There are few benefits from wireguard:

WireGuard is lightweight and efficient, it is faster and has lower latency compared to protocols like OpenVPN or L2TP/IPsec.
Wireguard is relatively easier to set up than OpenVPN.
Compared to L2TP, Wireguard has more modern cryptography techniques.

There are more like, better security and community active development, but let’s stop here. For me personally no 1) is the most important. As comparison, wireguard can be three times faster than OpenVPN. And more and more VPN companies are now offering wireguard as part of their services.

OK, so how to configure WARP wireguard?

First, we need to download binary from here https://github.com/ViRb3/wgcf/releases

Because I use linux, after downloading it, I rename the file to wgcf and make it executable. Execute the register command:

haries@thinkpad-x1:~$ wgcf register

It will register your current device (laptop/pc) as new WARP user. Next we will generate the configuration files:

haries@thinkpad-x1:~$ wgcf generate

It will produce two files, the first is wgcf-profile.conf

[Interface]
PrivateKey = IHe....REDACTED...8UI=
Address = 172.16.0.2/32
Address = 2606:4700:110:897f:1b09:58d6:a47:43ad/128
DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
MTU = 1280
[Peer]
PublicKey = bmXOC...REDACTED...gyo=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408

The 2nd is the wgcf-account.toml :

access_token = 'd4484b65-REDACTED'
device_id = '6ddf5ff3-REDACTED'
private_key = 'IHeXKbD...REDACTED...or8UI='
license_key = 'ABC-REDACTED'

If you subscribed to premium WARP+ account, do this, otherwise skip

Get the license key from 1.1.1.1 app from your phone: go to menu, account. There you will see your license key.

Edit the toml file and replace the license key with the one you got from phone:

...
private_key = 'IHeXKbD...REDACTED...or8UI='
license_key = '7O2cm-REDCATED'

Then run

haries@thinkpad-x1:~$ wgcf update
...

haries@thinkpad-x1:~$ wgcf generate
...

Now if you run wgcf status you will see the following output, which confirms that this device follows premium account on phone (child). You can have maximum additional 4 devices besides the main phone.

haries@thinkpad-x1:~$ wgcf status
2024/03/04 19:49:01 Using config file: wgcf-account.toml
2024/03/04 19:49:02 =======================================
2024/03/04 19:49:02 Device name   : A6REDACTED
2024/03/04 19:49:02 Device model  : PC
2024/03/04 19:49:02 Device active : true
2024/03/04 19:49:02 Account type  : unlimited
2024/03/04 19:49:02 Role          : child
2024/03/04 19:49:02 Premium data  : 0.00 B
2024/03/04 19:49:02 Quota         : 0.00 B
2024/03/04 19:49:02 =======================================

Continuing the tutorial past the premium configuration

If you have other routers, like Gl.Inet, or higher end TP-Link for example, which support Wireguard out of the box, you can directly import the wgcf-profile.conf file from the router Web UI menu and it will work instantly. But for OpenWRT, it would be easier if we just edit the config file directly. Let’s SSH to our router:

haries@thinkpad-x1:~$ ssh root@192.168.18.1

on /etc/config/network you should already have section of wireguard, it is just not yet properly configured. Let’s append it. Note: if you don’t have it, most likely you dont install wireguard properly on OpenWRT.

config interface 'wireguard'
 option proto 'wireguard'
 option private_key 'REDCATED'
 option peerdns '0'
 list dns '1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001'
 list addresses '2606:4700:110:897f:1b09:58d6:a47:43ad/128'
 list addresses '172.16.0.2/32'
 list mtu '1280'


config wireguard_wireguard
 option description 'wgcf-profile.conf' 
 option public_key 'REDACTED'
 option endpoint_host 'engage.cloudflareclient.com'
 option endpoint_port '2408'
 option route_allowed_ips '1'
 option persistent_keepalive '25'   #If you're behind double-nat or else set to 0
 list allowed_ips '::/0'
 list allowed_ips '0.0.0.0/0'

Please verify the private/public keys, dns, addresses, mtu, endpoints based on the configuration generated by wgcf.

That’s all that we need to edit. Now we can either do service restart network and firewall, or you can simply just reboot the BL401 again and it will automatically connect. Verify the VPN afterwards: