# Liminal

AmneziaWG tunnel manager for OpenWrt routers. Runs over SSH as an interactive TUI.

Sets up encrypted VPN tunnels so your devices (phone, laptop, etc.) can route traffic through your home router — accessing your LAN and going out to the internet through your home IP (or any other proxy such as sing-box, Podkop, etc.).

Creates AmneziaWG interfaces and peers on OpenWrt, handling all the UCI/firewall/DNS plumbing.
## Features

### Interfaces

- Create with guided wizard — subnet auto-picked from a free `10.x.0.1/24` range, firewall zone/rules/forwarding generated automatically
- LAN IP and LAN/WAN zones detected from UCI — manual input only when auto-detect fails
- Rename — propagates to peers, firewall zone, rules, forwardings, DNS records, Podkop
- Configure submenu: DNS, MTU, listen port, endpoint override, fwmark, routing table, tunlink, nohostroute, AmneziaWG obfuscation
- Toggle LAN/WAN forwarding, link/unlink Podkop per interface
- Live firewall check — warns when the listen port isn't allowed in the WAN zone
- Zero-downtime restart via `awg syncconf` when possible (no dropped sessions)
- Disable, enable, restart, delete with full cleanup
- Supports non-Liminal AWG interfaces (created outside the script) in read-only mode
### Peers

- Add with IP assignment mode of choice: first available / random / custom
- AllowedIPs set automatically based on firewall forwarding state (WAN present → `0.0.0.0/0`, LAN only → LAN CIDR, nothing → VPN subnet only)
- PreSharedKey generated for every peer
- Endpoint selection — interface override, WAN IP auto-detect, or manual
- Config export: WireGuard `.conf`, QR code, download link, `vpn://` key for AmneziaVPN — the profile label in AmneziaVPN carries the peer name so multiple profiles are distinguishable
- Optional DNS host record (`peer.interface.lan`) via dnsmasq — auto-name or custom
- Configure submenu: AllowedIPs, keepalive, endpoint override, hostname, rotate keys/PSK
- Every emitted config is pre-validated (keys, CIDR, endpoint, MTU, AWG obfuscation param ranges) — refuses to hand out a broken file
- Rename, regenerate secrets, disable/enable, delete
- Online/offline status via handshake age, per-peer traffic stats
### AmneziaWG parameters

- Parameter setup with presets: `random` (balanced), `mobile` (narrow junk sized for carrier DPI), `strict` (maximum junk), `none` (plain WireGuard)
- All generated values stay within the official spec (Jc 0-10, Jmin/Jmax 64-1024, S1-S3 0-64, S4 0-32, H1-H4 distinct)
- Warns when existing params drift out of spec with a one-click regenerate
### Monitoring and diagnostics

- Live dashboard — all interfaces and peers on one screen, auto-refresh every 3s
- Live throughput monitor per interface — current rate, peak, running average
- Connectivity check — device status, port listening, firewall zone, forwarding, ping to online peers
- Packet counters and RX/TX errors surfaced in the interface box when non-zero
- Inline diagnostics on interface and peer screens — warns about down device, closed port, missing forwarding, DNS chain issues
### DNS and Podkop

- Detect sing-box DNS (`127.0.0.42:53`) and the dnsmasq forwarding chain
- Link/unlink interfaces to Podkop source list
- DNS chain status shown on interface and peer screens
### Backup and export

- Auto-backup before create/delete/rename (toggleable)
- Manual backup, restore from any point, delete individual or all
- Export full config to JSON (interfaces + peers + keys), import on another router
### Maintenance

- Self-update from GitHub with version check
- Install missing packages from the menu (AmneziaWG, Podkop, qrencode, jq, base64)
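The pre-validation of AmneziaWG obfuscation parameters described above (Jc 0-10, Jmin/Jmax 64-1024, S1-S3 0-64, S4 0-32, H1-H4 distinct) can be reproduced in BusyBox-compatible POSIX sh. The block below is an added example, not code from `liminal.sh`; the function names and the extra Jmin ≤ Jmax check are assumptions, not something the README states.

```sh
#!/bin/sh
# Added example (not Liminal's own code): reject an AmneziaWG parameter
# set that falls outside the spec ranges before it is written to UCI.
# Pure POSIX sh / BusyBox ash: no awk, jq or external tools needed.

# is_uint VALUE -> 0 if VALUE is a non-negative decimal integer
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# in_range NAME VALUE MIN MAX -> 0 if MIN <= VALUE <= MAX, else print why
in_range() {
    is_uint "$2" || { echo "$1: '$2' is not an integer"; return 1; }
    [ "$2" -ge "$3" ] && [ "$2" -le "$4" ] && return 0
    echo "$1: $2 outside $3-$4"
    return 1
}

# awg_validate Jc Jmin Jmax S1 S2 S3 S4 H1 H2 H3 H4
# Returns 0 when every value is in spec; otherwise prints the first
# violation and returns 1 (the caller refuses to emit the config).
awg_validate() {
    in_range Jc   "$1" 0  10   || return 1
    in_range Jmin "$2" 64 1024 || return 1
    in_range Jmax "$3" 64 1024 || return 1
    in_range S1   "$4" 0  64   || return 1
    in_range S2   "$5" 0  64   || return 1
    in_range S3   "$6" 0  64   || return 1
    in_range S4   "$7" 0  32   || return 1
    # Assumption beyond the README: junk sizing needs Jmin <= Jmax
    [ "$2" -le "$3" ] || { echo "Jmin $2 exceeds Jmax $3"; return 1; }
    # H1-H4: integers, pairwise distinct
    for h in "$8" "$9" "${10}" "${11}"; do
        is_uint "$h" || { echo "H: '$h' is not an integer"; return 1; }
    done
    for a in "$8" "$9" "${10}" "${11}"; do
        n=0
        for b in "$8" "$9" "${10}" "${11}"; do
            [ "$a" -eq "$b" ] && n=$((n + 1))
        done
        [ "$n" -eq 1 ] || { echo "H1-H4 must be distinct (duplicate $a)"; return 1; }
    done
    return 0
}
```

Call it as `awg_validate 4 64 512 16 32 48 8 5 6 7 8` and branch on the exit status; the printed message is the reason shown to the user.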
## Install

```sh
wget -O /usr/bin/liminal https://raw.githubusercontent.com/tickcount/openwrt-liminal/main/liminal.sh
chmod +x /usr/bin/liminal
liminal
```

Or run once without installing:

```sh
sh <(wget -O - https://raw.githubusercontent.com/tickcount/openwrt-liminal/main/liminal.sh)
```

## Requirements

- OpenWrt 24.10+ (BusyBox ash)
- AmneziaWG (installable from the menu)
Optional: qrencode, jq, coreutils-base64, podkop — all installable from the menu.
## Quick start

- Run `liminal`, press `+` to create an interface
- Enter a name and port — subnet, firewall zone, LAN/WAN detected automatically
- Add a peer — get QR / vpn:// key / config
- Connect with AmneziaVPN or any WireGuard-compatible client
Static public IP (or DDNS) and NAT port forwarding (UDP) on the upstream router are required for external access.
All objects created by Liminal (firewall zones, rules, forwardings, DNS records) are tagged with `_liminal_iface` in UCI. This lets the script track what belongs to which interface and clean up safely on delete/rename without touching anything else.
## Credits

- @immalware — config download service (Telegram)

## License

MIT