Can a wireguard VPN be mounted to a VLAN port?

I have a TP-LINK archer a7 running v21. It is also running as a wireguard VPN server. I have another openwrt router running v23 and wireguard server at another location. I can use wireguard and my cell phone to connect to either of these routers from any arbitrary location.

I would like to know if there is an easy way to set up the Archer OpenWrt router so that a specific external RJ-45 port is mapped to the VPN connected to my other location. That is, so that anything plugged into that port will think and act like it's physically connected to my router at the other location?

The router would need to do what it can to keep the VPN connection active, but if it fails, the VLAN connector must be dead and not roll over to the local LAN.

Yes, this can be done. You're already on the right track with a VLAN. Set up a new subnet and attach the port to this new network. Then use Policy Based Routing to direct all traffic to/from that port to use the VPN, and disallow use of the regular upstream network.

But please upgrade to a supported and non-EOL version of OpenWrt first; the Archer A7 has no problems running 23.05.2 (or newer).


Because this router actually runs with a critical system, I can't afford the risk of downtime because of a transition from 21 to 23 right now. However, I have ordered an identical router which should be here in a few days that I will be installing v23 on. For now I'm going to use the system backup and hope that restore works if I get into trouble.

Although the WireGuard server is running on this router, a WireGuard peer is not. I'm thinking I need to get that working first.

While this particular router may be running v21, I was told that the VLAN system was not upgraded to the new system like other routers were. Supposedly there was a hardware issue that does not support the new VLAN system.

Here are the specs on the router. How would I find out if v23 supports the new VLAN system?

Model: TP-Link Archer A7 v5
Architecture: Qualcomm Atheros QCA956X ver 1 rev 0
Target Platform: ath79/generic
Firmware Version: OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.347.45520-d30ab74
Kernel Version: 5.4.188

The A7 and the rest of ath79 are still swconfig. VLANs can be set up using the swconfig interface the same as with previous versions.

What you describe is a bridge. WireGuard is a routed VPN; it does not bridge. Layer 2 operations such as IPv4 DHCP cannot be routed, so creating a transparent "like physically connected" link won't work directly through WireGuard.

There are options:

  • Use GRE inside WireGuard.
  • Use a different VPN connection that has a layer 2 mode, such as OpenVPN or ZeroTier.

I don't know what GRE inside WireGuard is.

I don't know anything about ZeroTier, but I tried OpenVPN and I wasn't happy with its security. I went with WireGuard and all my security issues went away. I like WireGuard even though it's not super easy to set up.

We tried installing the WireGuard peer on Win10 and I was never able to get it to work properly. It connects to the remote internet, but denies access to the remote LAN. Searching online, it's obvious that this bug in WireGuard is well known with no solution. Meanwhile, WireGuard on Android works fine.

Anyhow, that's what I was trying to do here, so I could get the WireGuard in the router to do all the heavy lifting and let Windows just plug into the right port.

Sounds like you don't really need layer 2 then. The remote Windows machine can be on a different LAN that routes through WireGuard to the home LAN. Start by setting up a second LAN using the guest network instructions. The IP range of this LAN must be different from the home LAN.
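A UCI sketch of what the replies above describe for a 21.02 swconfig device: one jack on its own VLAN and subnet, a second WireGuard interface acting as client to the other site, and policy routing that fails closed. This is an added example, not configuration from the thread or from the OpenWrt project; the switch port number, the eth0 device name, the tunnel subnet, the endpoint and the keys are assumptions to adjust to the real router.

```text
# /etc/config/network (added example, not from the thread). Assumed:
# switch port 4 is the chosen jack, the switch hangs off eth0, the
# tunnel subnet is 10.7.0.0/24; keys and endpoint are placeholders.
# swconfig VLAN 7 = CPU port (tagged) plus the one jack.
config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '0t 4'
# The 192.168.7.x network from the thread, living on that VLAN.
config interface 'VpnLan'
	option proto 'static'
	option device 'eth0.7'
	option ipaddr '192.168.7.1'
	option netmask '255.255.255.0'
# Second WireGuard interface, separate from the existing server,
# acting as client to the other site. Its routes go to table 100.
config interface 'wgpeer'
	option proto 'wireguard'
	option private_key 'LOCAL_PRIVATE_KEY_PLACEHOLDER'
	option ip4table '100'
	list addresses '10.7.0.2/24'
config wireguard_wgpeer
	option public_key 'REMOTE_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'remote-site.example'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
# Policy routing: traffic arriving on VpnLan uses table 100 only. With
# the tunnel down that table has no default route, so packets are
# dropped instead of leaking out via the WAN (fail closed).
config rule
	option in 'VpnLan'
	option src '192.168.7.0/24'
	option lookup '100'

# /etc/config/firewall (input/forward left at zone defaults)
config zone
	option name 'vpnlan'
	list network 'VpnLan'
config zone
	option name 'wgpeer'
	list network 'wgpeer'
	option input 'REJECT'
	option masq '1'
# The only forwarding allowed from the jack is into the tunnel;
# there is deliberately no forwarding entry towards 'wan'.
config forwarding
	option src 'vpnlan'
	option dest 'wgpeer'
```

On swconfig targets, `swconfig dev switch0 show` reports the link state of each switch port, which is one way to find out which port number a cabled jack corresponds to before choosing the VLAN port above.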

I made a system backup and then created an empty interface with the subnet 192.168.7.x. The new interface is called VpnLan.

Also, is there an easy way to get the RJ-45 jack number without digging through wires? The only wired machine into the router is the one I am typing on right now. So I have the MAC and IP but not the jack #. If it's a pain, I can dig through all that stuff if necessary.

When I try to set up the router as a WireGuard peer, it says to use the VPN interface, but there is already a VPN server interface. I tried adding a VpnPeer address, but it looks like it's trying to set up another server.