I have a setup where all configured Wireguard clients end up with an IP in a specific subnet.
I have multiple subnets running and for each subnet I use a specific VLAN ID.
Subnet 1: VLAN 1
Subnet 2: VLAN 2
Subnet 3: VLAN 3 <- IP Range for Wireguard clients
The Wireguard interface does not give me any option to choose a VLAN ID.
I cannot even choose a device (which would be the normal way after creating a VLAN (802.1q) device).
How can I set up openwrt so that all Wireguard clients end up with a VLAN ID?
As a workaround I use the ACK function of my managed switch to set the VLAN ID.
The thing is, the wireguard only exists on the CPU and hence just gets "routed". The routing will add the VLAN. So make another interface with the required VLAN. E.g. put both of them in the same firewall zone, then it will get tagged.
Not quite true. If you set up an interface using a VLAN device you will end up with communication using the desired VLAN.
It is the same concept I use for all my other subnets where I route over bridged-lan.10, bridged-lan.20, and so on.
I want to achieve that the networks are truly separated. With the Wireguard subnet running untagged and the main subnet running untagged, or maybe 2 wireguard subnets running untagged, it is possible for clients to connect to clients in the other subnet directly and circumvent the firewall as a whole. With VLANs in place and active this is impossible.
A Wireguard interface is not tagged nor untagged because it does not handle Ethernet frames, it just handles IP/UDP packets. A VLAN ID is inserted into an Ethernet frame.
I suppose you now have this sorted out, but my earlier statements are correct in that wireguard, as a non-ethernet based interface (it is a tunnel), does not have the concept of 802.1q tagging for VLANs.
What you may be looking to do is to route between the WG interface and one or more other networks. Routing is the method here, not bridging or tagging.
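An added example of the routed design the replies describe, not taken from any post in this thread: the WireGuard interface gets its own firewall zone and is routed to a VLAN interface, so the separation the question asks for is enforced by zone policy rather than by a tag. Assumed names and addresses: VLAN 10 on the device br-lan.10 with 10.0.1.0/24, the tunnel wg0 serving clients from 10.0.3.0/24, and placeholder keys.

```uci
# /etc/config/network (example only; names, addresses and keys are assumed)

# 802.1q VLAN 10 on top of the LAN bridge: this one can be tagged
config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'

config interface 'vlan10'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'

# WireGuard is a layer-3 tunnel: no device option, no VLAN ID, only routes
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_SERVER_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.0.3.1/24'

# one /32 per client; route_allowed_ips installs the route to that client
config wireguard_wg0
	option public_key 'PLACEHOLDER_CLIENT_PUBLIC_KEY'
	list allowed_ips '10.0.3.2/32'
	option route_allowed_ips '1'

# /etc/config/firewall

# forward REJECT also covers traffic between two clients that hairpins through wg0
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vlan10'
	list network 'vlan10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# the only path between the two subnets: WireGuard clients may reach VLAN 10, not the reverse
config forwarding
	option src 'wg'
	option dest 'vlan10'
```

Traffic that needs to cross the two subnets has to be forwarded by the router, so the zone forwarding entries are the whole policy; a second WireGuard subnet would be a second interface in its own zone with no forwarding between them.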