Secondary (virtual) ip address as a vpn gateway


My actual gateway ip address is I added a new ip address to br-lan interface as secondary ip address as you can see below.

Also I created a WireGuard VPN interface, I associated two interfaces in a new routing table, I created firewall rules.

As you can see main routing table below.

VPN's routing table below.

ip rule list below.

It doesn't prefer VPN's routing table when I set my computer's gateway IP address to But It works well when I add my computer's ip address to rule list like ip rule add from lookup cfwg.

How can I use this setup fluently (without adding client's ip address to the rule list). I was considering to add fwmark to secondary ip address then use it in ip rule list but I could not find any source for this.


  • Because the SRC IP of any traffic is the originator transmitting host...not its gateway. Just fix your rules accordingly.
  • Use the subnet then.

Both gateway ip addresses ( and use same interface br-lan as you can see on top of the image. I tried to create another bridge interface br-lan2 and I assigned secondary ip address but it is not getting up. It is failing.

There are some options in MAC VLAN device type but I don't have an idea how they are works.

Install the kmod-macvlan kernel module and create an interface.

config device
        option name 'veth'
        option type 'macvlan'
        option ifname 'br-lan'

config interface 'virt'
        option ifname 'veth'
        option proto 'static'
        option netmask ''
        option ipaddr ''

Attach the virt interface to the lan zone.

Here is an example of the ip rule/route configuration.

config rule
        option in 'virt'
        option lookup '100'

config route
        option target ''
        option interface 'wg0'
        option table '100'
root@OpenWrt:~# ip ru li ta 100
1:      from all iif veth lookup 100

root@OpenWrt:~# ip ro li ta 100
default dev wg0 proto static scope link
1 Like

@pavelgl thank you so much! It works like a charm.

I just added ip rule manually to test because I'm not sure where I should write rule configuration

config rule
        option in 'virt'
        option lookup '100'

(/etc/config/firewall or /etc/config/network) because the doc page ( [OpenWrt Wiki] Routing rules) doesn't have any information.

I did not add default routing rule because wireguard interface adds it automatically when it is up.

1 Like

In /etc/config/network

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.