Setup VLAN between 1 VPN router and 1 Wifi router

Hi everybody,

I’m new to OpenWrt and need help to setup VLAN tagging between 2 OpenWrt devices. I know there are several posts already. I watched and read many tutorials about it, but I still don’t understand how to do it. I would like to route the VPN trafic from the Raspberry Pi 4 to my Wifi router. Currently I use a Raspberry Pi 4 as Wifi hotspot to connect directly to my VPN provider. But the Wifi coverage is not good. So my plan is to still use the RPi4 for the VPN because it’s a more powerful device, but redirect the VPN trafic to my Wifi router. Regarding there is only 1 ethernet port on the RPi4, I need to use VLAN tagging. I have a ETH-USB dongle, but the RPi4 build I use is closed, and I can’t install any package. I just have a 100 Mbits internet connexion, so no problem to have only 1 ethernet cable and VLAN tagging.

Here the setup:
Raspberry Pi 4: OpenWrt SNAPSHOT r3250-77e153ac6 It’s a custom build special for VPN (Shadowsocks). The build seems closed to modification and the setup is only through Luci.
Wifi Router D-Link DIR-882 A1: OpenWrt 21.02-SNAPSHOT r16172-2aba3e9784
ISP modem < — > Wifi Router < — > Raspberry Pi 4
So the Wifi Router got internet from the ISP modem, and the RPi4 is connected to 1 of the ethernet port of the Wifi router.

Current Wifi router etc/config/network file (it was the default, I touched nothing):

config device                                  
        option name 'br-lan'                   
        option type 'bridge'                   
        list ports 'lan1'                      
        list ports 'lan2'                      
        list ports 'lan3'                      
        list ports 'lan4'                      
config interface 'lan'                         
        option device 'br-lan'                 
        option proto 'static'
        option netmask ''
        option ip6assign '60' 
        option ipaddr ''   
config interface 'wan'                
        option device 'wan'           
        option proto 'dhcp'           
config interface 'wan6'               
        option device 'wan'           
        option proto 'dhcpv6'

Current RPi4 setup:

Could you tell me what do I need to modify in the interfaces to make my setup working please? I tried to make some VLAN tag on both devices, but I finished to restore my setup because it was a mess.

Thanks in advance for your help,

First thing to do is create an "admin" network on the Pi and connect the built-in wifi to it as an AP. Now you can always log into the Pi with Wifi even if Ethernet connectivity is broken. This network would have a different IP range than any other networks and a DHCP server. It is used only for local administration, so it doesn't even need a firewall zone as long as the default default firewall policy is to accept input.

Once that is working you want two VLANs in and out of the Pi, one is your LAN which offers a direct link to the Internet for the VPN client to reach the VPN server, and the other is a VPN user network. You can probably bridge the VPN users to tun0 with no protocol on the Pi, and let the other router NAT them from wifi into the tunnel. Or (and this probably makes more sense in the long run) create a vpnuser network on the Pi which NATs into tun0, and the export that on a VLAN to the other router, which will be a "dumb AP" to take connections from wireless users and dumbly bridge them to the VPN via the Pi.

Using LuCI to create a new VLAN on the Pi Ethernet port is done by pulling down the list in physical settings and typing eth0.X at the bottom, where X is the number of the VLAN tag. There should be no networks connected to plain eth0 after you start using VLANs.

If you're connecting the Pi to LAN port 4 (for example) on the other router, which uses DSA switching, VLANs will be designated as lan4.X, and again you don't want a plain lan4 anywhere.

Thanks for your reply.
I tried to follow your recommendations, but I didn't succeed. I think I'm too beginner for this and I don't know which options to choose.
I tried to create:
RPi4: LAN_VLAN interface, eth0.4. WAN_VLAN interface eth0.3
Wifi Router: LAN_VLAN interface, lan1.3. WAN_VLAN interface lan1.4, and choose WAN_VLAN in wireless connection. I think the names of the physical ethernet are lanX, so I use that name.

But I had many problems:

  • Seems there was no connection on the RPi4 on the 2 VLAN
  • I feel I miss 1 vlan?
  • I had no idea if I had to choose static IP or DHCP, same for the firewall-zone, if need to use "bridge", etc
  • For the VPN I have no idea how to do this. Currently I know that my wifi hotspot on the RPi4 has the VPN, but I don't think I have created any VPN interface.. The build is custom for VPN so maybe it's automatic?

I checked many websites to understand more the interfaces and vlan setup on OpenWRT, but for beginners like me it's not very understandable.

If you have more insight for me it would be very nice!

Hi again,
I continue to work on this and to do more research. I think for the RPi4, I almost finish the setup:
Interface WAN_LAN, ETH0.10, DHCP, Firewall like WAN rules
Interface LAN_VLAN, ETH0.20, static IP, bridge interfaces ETH0.10 + ETH0.20, firewall like LAN rules.

I have 2 questions:

  • On the RPi4, for the Interface LAN_VLAN, do I need to bridge interfaces ETH0.10 + ETH0.20? It's only like this like I see some packets transmission, and it's only TX, there is no RX.
  • I don't understand how to do the link between the RPi4 and the dump AP. On the dump AP (wifi router):
    --Do I have to modify the br-lan and replace the lan4 by lan4.10 + lan4.20?
    --Do I create a new LAN_VLAN with bridge interface lan4.10 + lan4.20, static IP?
    --Do I need to create a WAN_VLAN interface?
    --Go to Wireless, edit wlan0 + wlan1 and replace the network by LAN_VLAN? I'm afraid to try and to lose the access to the router by wifi, so maybe I can start only with wlan0?

Thanks in advance.

On the Pi, one of the Ethernet port's VLANs will be attached to your existing lan network and one will be a new network for VPN users. This network should be a bridge though with only one eth interface in it, it could potentially work as not a bridge.

Note that you are not going to bridge eth0.10 and eth0.20 together as that would defeat the whole point of having them separate VLANs.

The same thing applies on the other router at the other end of the cable. In the lan bridge, change lan4 to lan4.10 so that the LAN (direct to Internet) packets go tagged to the Pi. Make a new bridge that links lan4.20 to a new wifi AP for the VPN users.

It's conventional to use lowercase for interface names. The kernel is case-sensitive.

Sorry for late reply, after I did the setup, I lost the accesses of the Wifi Router and the RPi4… And then the SD card of the RPi didn’t work. Now it’s ok, I reinstalled OpenWRT on both. Let’s try again to setup the VLAN tagging!

I don’t understand why I lost the access of the RPi4, the hotspot was working before and I let it. But I guess I did something wrong.

I didn’t setup any VPN interface because right now there is nothing, but the hotspot has the VPN.

For the Wifi router, I guess on of the problems was the switch port number. According to the documentation on OpenWRT website for my router:

Numbers 0-3 are Ports 1-4 as labeled on the unit, number 4 is the Internet (WAN) on the unit. Don't be fooled: Port 1 on the unit is number 3 when configuring VLANs. vlan0 = eth0.0, vlan1 = eth0.1 and so on.

Port Switch port
Internet (WAN) 4
LAN 1 3
LAN 2 2
LAN 3 1
LAN 4 0

I will try the setup below, is there any problem?

Raspberry Pi:

  • Admin wifi access --> just setup a wireless access in wlan0, access point mode, network lan (it’s my current setup to have access to the RPi as hotspot with VPN)
  • lan interface: static ip,, bridge interfaces checked, interface Wireless Network on lan, firewall lan rules
  • No more wan interface
  • wan_vlan interface: eth0.10, DHCP, Firewall like wan rules
  • lan_vlan interface: eth0.20, static IP,, firewall like lan rules.

Wifi router:

  • Modifying br-lan device, to change lan4 by lan4.10 (it’s what I did before)
  • (Question: do I have to create a device lan4.10 first in device section, or I can just edit the lan4 by lan4.10?)
  • Current lan interface: I don’t touch, I let like default: static ip, device br-lan, firewall lan rules
  • There are 2 wan interfaces, wan and wan6, I don’t touch and let like this
  • Create a lan_vlan interface: static ip, lan4.20 device, firewall lan rules, BUT I don’t see any option to bridge it?
  • (Question: I saw one bridge option, but it’s in device section, there, I can create a new device, for example lan4.20, and choose the type device for “bridge device”. Do I have to do this?)
  • In Wireless section, I modify wlan0 and wlan1 by switching the network “lan” by “lan_vlan”.

Sorry if I’m not clear, I’m still learning. I spent a lot of time to check the options of the router. There are so many that I feel lost.

I put some screenshots of the “device” section because I didn’t see it last time, and I wonder if I should created the vlan interfaces here first.

Thanks in advance!