WireGuard

The official docs work well and are summarized below.

Installation

In the GUI, go to System -> Software, click the Update Lists button and search for “luci-proto-wireguard”. Installing that will pull in the needed dependency. Restart the network services via System → Startup → Initscripts -> network → Restart.

Configuration

Add a WireGuard interface

Select “Network → Interfaces → Add new interface” Input the name wg0 and select WireGuard VPN.

In the subsequent screen, find and click the “Generate new key pair” button and enter 51820 for the listen port.

For IP addresses enter an address and network that will encompass your VPN, such as 10.0.0.1/24

You can add peers in this interface as well.

Add Traffic Rules

You’ll need to create a new zone that allows forwarding to the LAN, and a rule to allow the WireGuard traffic in. Refer to section 6 in the docs for that.

If you want to do it at the command line, edit your /etc/config/firewall file and add

config zone             
        option name 'WireGuardVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'       
        option mtu_fix '1'
        list network 'wg0'

config rule
        option src 'wan'
        option name 'Wireguard-incoming'
        list proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'

And for the Interface, to the /etc/config/interfaces add:

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxx'
        option listen_port '51820'
        list addresses '10.0.0.1/24'