Back to Home

VLESS on OpenWRT: Passwall installation

Guide to deploying VLESS VPN via Passwall on OpenWRT. Covers reset, installation, node import, ACL for exceptions. Suitable for ensuring LAN privacy and bypassing blocks.

Deploying VLESS VPN on OpenWRT router
Advertisement 728x90

Setting Up VLESS VPN on OpenWRT with Passwall: Step-by-Step Guide

Passwall on OpenWRT lets you deploy a VLESS VPN for your entire LAN. This ensures traffic privacy, bypasses blocks, and enables double VPN chaining. Requirements: an OpenWRT router (minimum 256 MB RAM for full version) and a valid VLESS server subscription.

First, reset your device to factory settings to remove conflicting software—other VPN clients, DoH/DoT, or traffic analyzers.

Router Preparation

  • Connect via LAN to your router (IP 192.168.0.1 or 192.168.1.1).
  • In the web interface, go to System → Backup/Flash Firmware and click Perform reset.
  • After reboot, configure WAN: enter IP, gateway, and DNS from your ISP. If MAC filtering is active, change the WAN interface MAC in Network → Interfaces → Devices → WAN.

Verify internet access on client devices.

Google AdInline article slot

Installing Passwall

Connect via SSH:

Run this one-liner command:

rm -f passwallx.sh && wget https://raw.githubusercontent.com/amirhosseinchoghaei/Passwall/main/passwallx.sh && chmod 777 passwallx.sh && sh passwallx.sh
  • Choose option 1 (RAM <256 MB) or 2 (>256 MB).
  • Wait for completion, then reboot with reboot.

Optionally restore the hostname:

Google AdInline article slot
uci set system.@system[0].hostname='OpenWRT'
uci commit system
echo $(uci get system.@system[0].hostname) > /proc/sys/kernel/hostname
reboot

Check that the Services → Passwall menu appears.

Importing and Activating VLESS Nodes

  • Go to Services → Passwall → Node Subscribe → Add, enter a name and the subscription URL from your provider.
  • Click Manual Subscription. Nodes will update in the Node List with ping results.
  • In Basic Settings → Main, select your node and enable the Main switch. Core status should show RUNNING.

Verify the client’s IP using curl ip.me or whatismyipaddress.com — it should now display the VPN’s IP address.

Logs: Access via Services → Passwall → Watch Logs.

Google AdInline article slot

Configuring Device Exclusions

To bypass the VPN on specific devices:

  • Disable MAC randomization in the Wi-Fi client settings (on Android, use a stable MAC per network).
  • In Services → Passwall → ACL → Add:

- Source: Enter the device’s MAC address.

- TCP/UDP No Redir Ports: Set to All.

- Click Save & Apply.

  • Enable the rule and the Main switch.

The excluded device will retain its original ISP-assigned IP.

Use Cases:

  • Full LAN privacy protection.
  • Selective bypass of regional blocks.
  • Double VPN setup: the router hides resources from the first provider, while the client masks its IP from the second.

Key Points to Remember

  • Compatibility: Only routers listed at toh.openwrt.org are supported.
  • Resources: Use Passwall variant 1 if RAM is under 256 MB to avoid OOM errors.
  • Security: Factory reset clears temporary files and conflicts; always use a personal VLESS subscription.
  • Verification: Check Node List ping, public IP, and logs.
  • Exclusions: A fixed MAC address is mandatory—dynamic MACs break rules.

Troubleshooting Common Issues

| Issue | Solution |

|-------|----------|

| No internet after reset | Reconfigure WAN with ISP details and enable MAC cloning |

| Passwall fails to install | Verify RAM; use variant 1 if memory is limited |

| Nodes not updating | Use manual subscription and check logs for errors |

| VPN won’t connect | Pick a node with low ping and ensure Core status is RUNNING |

| Exclusions not working | Ensure MAC is fixed and ports are set to All |

— Editorial Team

Advertisement 728x90

Read Next