Can a Wireguard interface be bridged with a physical one?

Can a Wireguard interface be bridged with a physical one? Luci doesn't have an option for this, and the online documentation doesn't discuss this possibility.

Wireguard is Layer 3, an Ethernet Bridge is Layer 2.

Perhaps you can describe what result you're seeking, and the community can assist with your use case?


What you need is a ramp not a bridge!

I think @atrocia means to create a bridge between the ethernet (or wireless) interface and the wireguard interface, in order to have a broadcast domain over the tunnel. Is that correct?

If so, one cannot bridge a Layer 2 and Layer 3 interface together.

You can run vxlan or gretap over wireguard and add that tunnel to a bridge if you want.

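The gretap-over-WireGuard option @mikma mentions, as an added example (not code from this thread or from OpenWrt itself): a gretap (Ethernet-over-GRE) tunnel is stacked on top of the existing WireGuard interface and attached to the `lan` bridge with the `network` option, so the laptop ends up in the LAN broadcast domain. The interface name `wg0`, the tunnel addresses 10.0.0.1 (router) and 10.0.0.2 (laptop) and the section name `gretap_lan` are assumptions chosen for the example; the `gre` package must be installed for `proto gretap` to exist.

```sh
#!/bin/sh
# Added example, not from this thread: put a gretap (Ethernet-over-GRE) tunnel
# on top of an existing WireGuard interface on OpenWrt and attach it to the
# 'lan' bridge, so the laptop ends up in the LAN broadcast domain.
# Assumptions (constructed for this example): the WireGuard interface is
# named 'wg0', the router's tunnel address is 10.0.0.1 and the laptop's is
# 10.0.0.2, and the 'gre' package (provides proto gretap) is installed.
# Set UCI=echo to dry-run: the uci commands are printed instead of applied.

UCI="${UCI:-uci}"

# Inner MTU for a gretap tunnel carried over wg0: the outer IPv4 header (20),
# the basic GRE header (4) and the encapsulated Ethernet header (14) all have
# to fit inside the WireGuard interface's MTU (1420 by default over IPv4).
gretap_mtu() {
    echo $(( $1 - 20 - 4 - 14 ))
}

# Define interface 'gretap_lan': gretap from local_ip to peer_ip, bound to wg0
# (tunlink) so it only comes up once the tunnel is up, and added to the 'lan'
# bridge via the 'network' option.
gretap_over_wg() {
    local_ip="$1"; peer_ip="$2"; wg_mtu="${3:-1420}"
    "$UCI" set network.gretap_lan=interface
    "$UCI" set network.gretap_lan.proto=gretap
    "$UCI" set network.gretap_lan.ipaddr="$local_ip"
    "$UCI" set network.gretap_lan.peeraddr="$peer_ip"
    "$UCI" set network.gretap_lan.tunlink=wg0
    "$UCI" set network.gretap_lan.network=lan
    "$UCI" set network.gretap_lan.mtu="$(gretap_mtu "$wg_mtu")"
}

# Apply only when invoked as './gretap-over-wg.sh apply'.
if [ "${1:-}" = "apply" ]; then
    gretap_over_wg 10.0.0.1 10.0.0.2
    "$UCI" commit network
    /etc/init.d/network reload
fi
```

The laptop needs the mirror image (on Linux with iproute2, `ip link add gt0 type gretap local 10.0.0.2 remote 10.0.0.1 dev wg0 mtu 1382`, then a LAN address or a DHCP client on `gt0`). Two things to check on the router: the GRE packets (IP protocol 47) arrive on `wg0` addressed to the router, so the firewall zone that holds `wg0` must accept them on input, and because the tunnel is bridged into `lan`, every LAN broadcast now crosses the VPN link, which is exactly what the bridge is for but costs bandwidth on a slow uplink.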

Yes, I did mean to ask about the possibility of bridging an ethernet interface and a wireguard interface, and I had started to realize that this probably wasn't possible, due to the layer difference. Thanks for confirming it.

What I'm trying to accomplish - and I realize that I probably should have provided more context, since I'm no networking expert, and there may be better ways of doing what I want - is to enable hosts on my LAN to seamlessly access a laptop that is sometimes connected directly to the LAN and sometimes over the wireguard interface. I currently use 192.168.0.0/24 on the LAN, and 10.0.0.0/24 on the wireguard link, and I was wondering whether there was some convenient way of using the same address scheme for both. I'm certainly open to a better way of accomplishing my broader goal.

Thanks all.

There is no convenient way to use the same address scheme for both. You can establish a Wireguard link and then use a Layer 2 protocol across that, as @mikma described above.

Then you could do so.

I'm asking because I haven't deployed Wireguard -- it surprises me that the canonical "road warrior" use case isn't supported, if that is what @atrocia is asking about -- a single laptop "dialing in" and being able to operate as if it were on the local network. Is this really a limitation of Wireguard?

Road warriors using IP addresses from the LAN can be implemented with proxy ARP (and proxy NDP?) without a bridge I think. I guess it's useful if you aren't running wireguard on the main router and can't add a static route to the VPN network on it.


It's not really a limitation of wireguard as much as a limitation of layer 3 tunnels. The same thing fails to work for OpenVPN in layer 3 mode, though OpenVPN has a layer 2 mode as well.

The gretap idea is interesting, as is proxy ARP and proxy NDP.

As long as you don't rely on getting the same IP and being able to do things like send multicast packets to discover printers, the wg tunnel can easily route between VPN and LAN...

Thanks - using gretap / vxlan seems a bit too complex for me, at least without clear documentation explaining it.

Hence my original question, since someone on another forum had suggested that I use a bridged VPN, and pointed me toward OpenVPN's documentation of that approach.

I actually tried proxy arp, but I can't quite figure out how to use it the way I want. Without bridging, what addresses do I use for the OpenWrt wireguard interface and the laptop? Do I just pick arbitrary addresses from the LAN's 192.168.0.0/24 space?

Currently, I have the lan and wireguard interfaces in separate firewall zones, and have appropriate forward rules set up between them. Will this continue to work if everything has addresses in the same broadcast domain, or would I need to modify this?

I'm happy to read, but I've really been stymied in finding good documentation of all this.

You do not really need bridging, unless you prove otherwise.
Just configure the firewall appropriately and use routing.

It won't be seamless if you use proxy ARP since you will need to disable it when the laptop is connected to the LAN otherwise both the wireguard server and the laptop will respond to ARP requests.

BTW if you use proxy ARP make sure not to use the same subnet (/24) on the LAN as on the wireguard interface. I guess you could choose an unused /30 from the LAN subnet if you only need two IPv4 addresses, enable proxy ARP for the /30 and use it on the wireguard interface.
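The proxy ARP approach from @mikma's earlier reply and the /30 caveat just above, worked through as an added example (not code from this thread or from OpenWrt): a /30 is carved out of the LAN /24 and checked to be a strictly longer prefix than the LAN (never the /24 itself), the router takes the first host address on `wg0`, the laptop gets the second as its `allowed_ips` /32, and proxy ARP on `br-lan` lets the router answer ARP for the laptop's address while the /32 route via `wg0` (more specific than the /24 on `br-lan`) carries the traffic over the tunnel. The interface name `wg0`, the peer section name `laptop` and the LAN bridge device `br-lan` are assumptions for the example; 192.168.0.248/30 is a constructed choice.

```sh
#!/bin/sh
# Added example, not from this thread: give the laptop a LAN address over
# WireGuard without a bridge, using proxy ARP. A /30 is carved out of the LAN
# /24 (it must be a strictly longer prefix than the LAN, never the same /24),
# the router gets the first host address on wg0, the laptop the second as its
# allowed_ips /32, and proxy ARP on br-lan makes the router answer ARP for the
# laptop's address on behalf of the tunnel.
# Assumptions (constructed): WireGuard interface 'wg0', its peer section named
# 'laptop' in /etc/config/network, LAN bridge device 'br-lan'.
# Set UCI=echo SYSCTL=echo to dry-run.

UCI="${UCI:-uci}"
SYSCTL="${SYSCTL:-sysctl}"

# Dotted-quad IPv4 <-> 32-bit integer, using only POSIX sh arithmetic.
ip2int() {
    ip="$1"; oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
netmask() {   # prefix length -> integer mask
    echo $(( 4294967296 - (1 << (32 - $1)) ))
}

# True when INNER (x.x.x.x/len) is a sub-prefix of OUTER and strictly smaller:
# this is the "don't reuse the whole /24 on the wireguard interface" check.
prefix_inside() {
    outer_ip="${1%/*}"; outer_len="${1#*/}"
    inner_ip="${2%/*}"; inner_len="${2#*/}"
    [ "$inner_len" -gt "$outer_len" ] || return 1
    m="$(netmask "$outer_len")"
    [ $(( $(ip2int "$outer_ip") & m )) -eq $(( $(ip2int "$inner_ip") & m )) ]
}

# Proxy ARP must be off while the laptop is plugged into the LAN directly,
# otherwise both the router and the laptop answer ARP for the same address.
# This sets the running kernel only; persist the value in /etc/sysctl.conf.
proxyarp_enable() {
    "$SYSCTL" -w "net.ipv4.conf.br-lan.proxy_arp=$1"
}

# Configure wg0 and its peer from a /30 inside the LAN prefix, then turn on
# proxy ARP on the LAN bridge.
proxyarp_wg_config() {
    lan="$1"; wg="$2"; wg_len="${wg#*/}"
    if ! prefix_inside "$lan" "$wg"; then
        echo "error: $wg must be a sub-prefix of $lan (not the LAN subnet itself)" >&2
        return 1
    fi
    [ "$wg_len" -eq 30 ] || { echo "error: expected a /30, got /$wg_len" >&2; return 1; }
    net=$(( $(ip2int "${wg%/*}") & $(netmask "$wg_len") ))
    router="$(int2ip $(( net + 1 )))"
    laptop="$(int2ip $(( net + 2 )))"
    # The router's tunnel address replaces whatever wg0 had before (e.g. 10.0.0.1/24).
    "$UCI" -q delete network.wg0.addresses || true
    "$UCI" add_list network.wg0.addresses="$router/$wg_len"
    # The peer gets exactly one LAN address; its /32 route via wg0 is more
    # specific than br-lan's /24, so the router forwards to it over the tunnel.
    "$UCI" -q delete network.laptop.allowed_ips || true
    "$UCI" add_list network.laptop.allowed_ips="$laptop/32"
    "$UCI" commit network
    proxyarp_enable 1
}

# Apply only when invoked as './proxyarp-wg.sh apply'.
if [ "${1:-}" = "apply" ]; then
    proxyarp_wg_config 192.168.0.0/24 192.168.0.248/30
    /etc/init.d/network reload
fi
```

On the laptop side the WireGuard config then uses 192.168.0.250/30 as its address and 192.168.0.0/24 as AllowedIPs for the router peer. The /30 has to be excluded from the LAN's DHCP pool, and since the tunnel is still a separate Layer 3 interface, the existing lan and wg firewall zones with their forwarding rules keep working unchanged; only ARP resolution on the LAN is different. Running `proxyarp_enable 0` before plugging the laptop into the LAN is the manual step the reply above warns about.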