How to redirect all switch clients to WireGuard?

Hello everyone.
My OpenWrt router is configured as a switch.

Screens with setting:

The router is configured as a WireGuard client.
At the moment, the router has access to the Internet with or without WireGuard. OpenWrt clients, like OpenWrt itself, get an IP address from the main router, which is fine for me. I would like that when the WireGuard interface is turned on, all Wi-Fi OpenWrt clients work through WireGuard, and the clients connected via the wire remain as they are. Please help me achieve this, I myself am not strong in networks and to be honest, there is simply no time :sweat:

P.S. The WireGuard server uses Unbound (DNS server).

Despite this probably beeing highly complicated to implement, I see a problem with the OpenWrt only beeing the access point and a switch. Also you want to just route the WiFi clients and the clients get their IP via DHCP which isn't your OpenWrt device.

On top of that the wireguard tunnel isn't enabled all the time?

1 Like

It is necessary to have the OpenWrt as gateway for the clients. Then you can control if they will use the WG or the ISP. This means you'll turn of dhcp server on ISP router and enable it on OpenWrt.

1 Like

WireGuard tunnel can be enabled permanently.
I have attached a diagram, it illustrates what I need.

The main thing for me is that from any device on my local network, I can access any other device on the same network.
It is not necessary for the main router to provide addresses, but it is desirable. If this makes the task easier, then all the devices of the router can have addresses like 192.168.2. *.

I do not understand how the distribution of IP addresses will work if DHCP is enabled on both routers.

I tried what you wrote. On the devices where I registered the route, the VPN really worked.

But I still don't understand how to automate this, how to make it work only on Wi-Fi, and why DHCP should be enabled on both routers.

EDIT: I can get the same result even if DHCP is disabled on the router OpenWrt. Maybe I misunderstood you?

Most likely. I told you to disable the DHCP server on the main router. Only OpenWrt will run dhcp server.


I disabled DHCP on the main router and enabled DHCP on the OpenWrt router. Now correct me if I'm wrong:

  1. Regardless of the router or connection method, the IP address is issued by OpenWrt.
  2. Regardless of the router or connection method, the gateway will be, and client devices look into the WireGuard tunnel.

This is not the effect I want. Above, I answered the ASFP user, and attached a picture with what I need.


I'm looking into it

1 Like

Do the WiFi devices have to be able to access devices on the wired lan?

1 Like

It's not different from what I told you already. Everything is bridged so lan and wifi are in the same broadcast domain and every device will get settings from OpenWrt DHCP server.


If you want to route the wifi clients separately from the wired ones, you'll need to unbridge the wifi from the ethernet. They are currently bridged together as br_lan, the default OpenWrt config.

Once you have these separated, you'll be able to create a new firewall zone and place the wifi in it. Then you can set up zone forwardings to route this through the wireguard tunnel.

I don't see how this can work with everything getting ip addresses from the main router. That requires everything to be on the same broadcast domain, which runs counter to having separate routing. I would set up a dhcp server on the wifi interface to look after the wifi clients.


I would also say this is the only possible solution. If the WiFi clients don't need access on LAN devices you can just route the whole traffic through the wireguard tunnel.