Configuring a static IP with Hide.me's WireGuard on Asuswrt-Merlin provides consistent connectivity and avoids IP changes. This setup requires manual configuration, but offers greater control.
Prerequisites:
An active Hide.me subscription that supports WireGuard.
Asuswrt-Merlin firmware installed on your router.
WireGuard client enabled in Hide.me's member area.
SSH access to your Asuswrt-Merlin router.
Retrieve WireGuard Configuration:
Log in to Hide.me's member area.
Generate a WireGuard configuration file for your desired server location.
Download the .conf file.
Extract Configuration Parameters:
Open the downloaded .conf file using a text editor.
Note the following values:
PrivateKey: Your WireGuard private key.
Address: Your assigned static IP address.
DNS: DNS server address.
Endpoint: WireGuard server address and port (e.g., wg.hide.me:51820).
AllowedIPs: Typically 0.0.0.0/0 (all IPv4 traffic).
PersistentKeepalive: Keepalive interval (e.g., 25).
PublicKey: Server public key.
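One way to pull these values out of the downloaded .conf file and sanity-check them before typing them into the router, as an added example that is not part of the original guide. The function names are hypothetical and the sample config is constructed (placeholder keys, 10.0.0.x addresses); base64 keys end in "=", so splitting a line on every "=" would truncate them.

```shell
#!/bin/sh
# Added example (not from the original page): read the fields listed above
# from a WireGuard .conf and sanity-check them before copying them over.

# Print the value of KEY ($2) from FILE ($1). Only the text up to the first
# "=" is removed, so the "=" padding that ends a base64 key is kept; trailing
# whitespace (including the CR of a CRLF download) is stripped.
wg_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# A WireGuard key is 32 bytes: 43 base64 characters followed by one "=".
wg_is_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Return 0 if the keys, Address and Endpoint look well-formed, 1 otherwise.
# Only field names are reported, never the key material itself.
wg_conf_check() {
    rc=0
    for k in PrivateKey PublicKey; do
        wg_is_key "$(wg_conf_get "$1" "$k")" ||
            { echo "$k: not a 44-character base64 key" >&2; rc=1; }
    done
    wg_conf_get "$1" Address | grep -Eq '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?' ||
        { echo "Address: no IPv4 address found" >&2; rc=1; }
    wg_conf_get "$1" Endpoint | grep -Eq '^.+:[0-9]+$' ||
        { echo "Endpoint: expected host:port" >&2; rc=1; }
    return "$rc"
}

# Write a constructed sample config (placeholder keys, CRLF endings) to $1.
wg_sample_conf() {
    a=AAAAAAAAAA; q=QQQQQQQQQQ   # 10 characters each
    printf '%s\r\n' '[Interface]' "PrivateKey = $a$a$a${a}AAA=" \
        'Address = 10.0.0.2/32' 'DNS = 10.0.0.1' '[Peer]' \
        "PublicKey = $q$q$q${q}QQQ=" 'Endpoint = wg.hide.me:51820' \
        'AllowedIPs = 0.0.0.0/0' 'PersistentKeepalive = 25' > "$1"
}

# When a file is given on the command line, check it.
if [ -n "${1:-}" ]; then wg_conf_check "$1"; fi
```

Saved under a name of your choice and run with the path to the downloaded .conf as its argument, it reports only which fields look wrong, so the private key is never echoed to the terminal.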
Configure WireGuard Interface:
Connect to your router via SSH.
Set the WireGuard interface parameters in NVRAM:
nvram set wg0_ifname=wg0
nvram set wg0_private_key="YOUR_PRIVATE_KEY"
nvram set wg0_address="YOUR_STATIC_IP/32"
nvram set wg0_listen_port=51820 # Or another port if specified
nvram set wg0_mtu=1420
nvram set wg0_allowed_ips="0.0.0.0/0"
nvram set wg0_persistent_keepalive=25
nvram set wg0_public_key="SERVER_PUBLIC_KEY"
nvram set wg0_endpoint="WG_SERVER_IP:PORT"
nvram set wg0_dns="HIDE.ME_DNS_SERVER"
nvram set wg0_enable=1
nvram commit
Replace placeholders with the values extracted from the .conf file.
The /32 suffix specifies a single IP address.
Firewall Rules (nftables):
Create or edit /jffs/scripts/firewall-start (make it executable with chmod +x /jffs/scripts/firewall-start).
#!/bin/sh
# Chain definitions are quoted so the shell does not split them at ';'.
nft add table inet filter
nft add chain inet filter wan_out '{ type filter hook output priority 0; policy accept; }'
nft add rule inet filter wan_out oifname "wg0" counter accept
nft add chain inet filter wan_in '{ type filter hook input priority 0; policy accept; }'
nft add rule inet filter wan_in iifname "wg0" counter accept
# The forward chain drops by default; only traffic between br0 and wg0 is accepted.
nft add chain inet filter wan_forward '{ type filter hook forward priority 0; policy drop; }'
nft add rule inet filter wan_forward iifname "br0" oifname "wg0" counter accept
nft add rule inet filter wan_forward iifname "wg0" oifname "br0" counter accept
nft add rule inet filter wan_forward counter reject
DNS Configuration:
Navigate to LAN -> DHCP Server in the Asuswrt-Merlin web interface.
Set "DNS Server 1" to the Hide.me DNS server address.
Restart the Router:
Reboot your Asuswrt-Merlin router for the changes to take effect.
Verification:
Verify the WireGuard interface is active: ifconfig wg0 (check for the assigned IP).
Confirm traffic is routed through the VPN: traceroute 8.8.8.8 (the first hop should be Hide.me's server).
Check your public IP address to ensure it matches the static IP.
Troubleshooting:
Incorrect private/public keys.
Firewall rules blocking WireGuard traffic.
Incorrect DNS configuration.
Missing /jffs/scripts/firewall-start execute permissions.
Checklist:
Hide.me WireGuard configuration downloaded.
WireGuard interface configured in NVRAM.
Firewall rules configured in /jffs/scripts/firewall-start.
DNS server set to Hide.me's address.
Router rebooted.
WireGuard interface verified as active.
Traffic routed through VPN confirmed.