diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile index 8dacfebc0..4679ff3ee 100644 --- a/net/wireguard/Makefile +++ b/net/wireguard/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2016 Jason A. Donenfeld +# Copyright (C) 2016-2017 Jason A. Donenfeld # Copyright (C) 2016 Baptiste Jonglez # Copyright (C) 2016-2017 Dan Luedtke # @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=0.0.20170115 +PKG_VERSION:=0.0.20171005 PKG_RELEASE:=1 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/ -PKG_MD5SUM:=7e5f9f4699a2d4ace90d0df5d81bf0f67205ee08c45b95e0acc379bedef5ffe8 +PKG_HASH:=832a3b7cbb510f6986fd0c3a6b2d86bc75fc9f23b6754d8f46bc58ea8e02d608 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING @@ -33,9 +33,12 @@ include $(INCLUDE_DIR)/package.mk define Package/wireguard/Default SECTION:=net CATEGORY:=Network - URL:=https://www.wireguard.io + SUBMENU:=VPN + URL:=https://www.wireguard.com MAINTAINER:=Baptiste Jonglez , \ - Dan Luedtke + Kevin Darbyshire-Bryant , \ + Dan Luedtke , \ + Jason A. Donenfeld endef define Package/wireguard/Default/description @@ -44,8 +47,7 @@ define Package/wireguard/Default/description more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers - alike, fit for many different circumstances. - It runs over UDP. + alike, fit for many different circumstances. It uses UDP. endef define Package/wireguard @@ -65,6 +67,10 @@ define Build/Compile $(call Build/Compile/Default) endef +define Package/wireguard/install + true +endef + define Package/wireguard/description $(call Package/wireguard/Default/description) endef 
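Review bot: The new `Package/wireguard/install` section in the last hunk of this file runs a bare `true`, and nothing says why an install step that installs nothing is needed. A one-line comment above the define would save the next maintainer from removing it as dead code, for example `# meta-package: installs no files of its own, exists only for its dependencies`. The rest of the `Package/wireguard` definition is outside the hunk, so confirm that wording against what the package actually selects.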
@@ -94,7 +100,7 @@ define KernelPackage/wireguard CATEGORY:=Kernel modules SUBMENU:=Network Support TITLE:=Wireguard kernel module - DEPENDS:=+IPV6:kmod-udptunnel6 +kmod-udptunnel4 +kmod-ipt-hashlimit + DEPENDS:=+IPV6:kmod-udptunnel6 +kmod-udptunnel4 FILES:= $(PKG_BUILD_DIR)/src/wireguard.$(LINUX_KMOD_SUFFIX) AUTOLOAD:=$(call AutoProbe,wireguard) endef diff --git a/net/wireguard/files/wireguard.sh b/net/wireguard/files/wireguard.sh index 2eb30242a..7b18a2e0e 100644 --- a/net/wireguard/files/wireguard.sh +++ b/net/wireguard/files/wireguard.sh @@ -21,7 +21,7 @@ proto_wireguard_init_config() { proto_config_add_string "private_key" proto_config_add_int "listen_port" proto_config_add_int "mtu" - proto_config_add_string "preshared_key" + proto_config_add_string "fwmark" available=1 no_proto_task=1 } @@ -31,6 +31,7 @@ proto_wireguard_setup_peer() { local peer_config="$1" local public_key + local preshared_key local allowed_ips local route_allowed_ips local endpoint_host @@ -38,6 +39,7 @@ proto_wireguard_setup_peer() { local persistent_keepalive config_get public_key "${peer_config}" "public_key" + config_get preshared_key "${peer_config}" "preshared_key" config_get allowed_ips "${peer_config}" "allowed_ips" config_get_bool route_allowed_ips "${peer_config}" "route_allowed_ips" 0 config_get endpoint_host "${peer_config}" "endpoint_host" @@ -47,6 +49,9 @@ proto_wireguard_setup_peer() { # peer configuration echo "[Peer]" >> "${wg_cfg}" echo "PublicKey=${public_key}" >> "${wg_cfg}" + if [ "${preshared_key}" ]; then + echo "PresharedKey=${preshared_key}" >> "${wg_cfg}" + fi for allowed_ip in $allowed_ips; do echo "AllowedIPs=${allowed_ip}" >> "${wg_cfg}" done 
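Review bot: Removing `preshared_key` from the interface options here, and from `proto_wireguard_setup` in the later `-102,7` and `-122,8` hunks, means an existing interface-level `option preshared_key` is ignored without any message after an upgrade. A tunnel whose remote side still expects the key will presumably just stop completing handshakes, which is hard to diagnose from the router. Consider still reading the old option in `proto_wireguard_setup` only to detect it, and logging something like `logger -t wireguard "${config}: interface-level preshared_key is ignored, set it per peer"`.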
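Review bot: `${wg_cfg}` now receives one `PresharedKey=` line per peer in the `-47,6 +49,9` hunk, but the hunk does not show the file being created with restrictive permissions. The creation of `${wg_cfg}` is outside the hunk; if it is not already done there, set `umask 077` before the first write so the symmetric keys are never readable by other local users. The value is also written unchecked, so a key containing a line break would add extra lines to the generated config. A simple base64 and length check before the `echo` would make a malformed key fail early instead.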
@@ -77,9 +82,15 @@ proto_wireguard_setup_peer() { *:*/*) proto_add_ipv6_route "${allowed_ip%%/*}" "${allowed_ip##*/}" ;; - */*) + *.*/*) proto_add_ipv4_route "${allowed_ip%%/*}" "${allowed_ip##*/}" ;; + *:*) + proto_add_ipv6_route "${allowed_ip%%/*}" "128" + ;; + *.*) + proto_add_ipv4_route "${allowed_ip%%/*}" "32" + ;; esac done fi @@ -94,7 +105,6 @@ proto_wireguard_setup() { local private_key local listen_port local mtu - local preshared_key # load configuration config_load network @@ -102,7 +112,7 @@ proto_wireguard_setup() { config_get listen_port "${config}" "listen_port" config_get addresses "${config}" "addresses" config_get mtu "${config}" "mtu" - config_get preshared_key "${config}" "preshared_key" + config_get fwmark "${config}" "fwmark" # create interface ip link del dev "${config}" 2>/dev/null @@ -122,8 +132,8 @@ proto_wireguard_setup() { if [ "${listen_port}" ]; then echo "ListenPort=${listen_port}" >> "${wg_cfg}" fi - if [ "${preshared_key}" ]; then - echo "PresharedKey=${preshared_key}" >> "${wg_cfg}" + if [ "${fwmark}" ]; then + echo "FwMark=${fwmark}" >> "${wg_cfg}" fi config_foreach proto_wireguard_setup_peer "wireguard_${config}" @@ -164,7 +174,6 @@ proto_wireguard_setup() { sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \ while IFS=$'\t ' read -r key address port; do [ -n "${port}" ] || continue - echo "adding host depedency for ${address} at ${config}" proto_add_host_dependency "${config}" "${address}" done
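Review bot: The `case` in the `-77,9 +82,15` hunk now has four specific patterns and no fallback, so an `allowed_ip` that matches none of them gets no route and no message. Before this change `*/*` caught every prefixed entry. Add a final branch such as `*) logger -t wireguard "no route added for allowed_ip ${allowed_ip}" ;;` so a typo in the peer section is visible in the log. In the two new host branches `${allowed_ip%%/*}` is a no-op because those entries contain no `/`; plain `"${allowed_ip}"` reads clearer. The enclosing loop and function start outside the hunk.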
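Review bot: `fwmark` is read with `config_get fwmark` in the `-102,7 +112,7` hunk but is never declared `local` in the visible hunks. The preceding hunk removes `local preshared_key` from the declaration list without adding a replacement, so the variable leaks out of `proto_wireguard_setup` into the calling shell scope. Add `local fwmark` after `local mtu`. The remainder of the function is outside the hunk.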