WireGuard gateway inside a VLAN

Hi everyone!

I'm trying to build a WireGuard gateway inside a VLAN (no WireGuard on the OpenWrt box). The idea is that all clients in VLAN id 125 ( use my WireGuard node ( to reach the internet.


  • The WireGuard node is in the same VLAN (not sure it's a good idea?). It is not directly connected to the router, but goes through a switch (layer 3 capable). So in case that's not possible, or not good practice, I can set up another network/IP for the WireGuard node and deal with a new route on the router, I guess?
  • The WireGuard node has only one Ethernet port, eth0.

Here are some samples from the configurations and cli:

router - /etc/config/network

# vpn
config bridge-vlan
        option device 'br-lan'
        option vlan '125'
        list ports 'eth2:t' # mesh network
        list ports 'eth3:t' # main switch

config interface 'vpn'
        option device 'br-lan.125'
        option proto 'static'
        option netmask ''
        option ipaddr ''
        option gateway '' # is this a good idea/practice?
        option delegate '0'
        option ipv6 '0'

router - /etc/config/dhcp:

# vpn
config host
        option ip ''
        option mac 'xxxx'
        option name 'vpn-board'

config dhcp 'vpn'
        option interface 'vpn'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

root@edgerouterx:/etc/config# ip route
default via dev br-lan.125 proto static
default via dev eth0 proto static src metric 10
dev eth0 proto static scope link metric 10
dev br-lan.100 proto kernel scope link src
dev br-lan.125 proto kernel scope link src

Some debugging help would be welcome :slight_smile:

EDIT: in case someone has been through a similar set-up, I struggle with WireGuard keeping SSH access reachable from my 'management' VLAN (id 100 under I did something like this:


[Interface]
PrivateKey = xxx
Address = yyy.yyy.yyy.yyy/32
DNS = zzz.zzz.zzz.zzz

PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = ip rule add not from table main
# Clients enter on eth0 and leave through the tunnel, so forwarding must be
# allowed from eth0 to wg0 (plus replies back), and the NAT has to sit on wg0,
# the only path to the internet, not on eth0 (the LAN side).
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = ip rule del not from table main
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward

[Peer]
PublicKey = ppp
AllowedIPs =
Endpoint = ii.ii.ii.ii:ll

Note: VLAN 100 ( can forward on (this lets my "management" VLAN keep SSH access to the VPN gateway)

@trendy could you guide me? I've seen a lot of your posts helping people with routing.
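The set-up described in the post (a single-NIC WireGuard gateway living inside the client VLAN, with a separate management VLAN that must keep SSH access once the tunnel is up) can be written down as one generated wg-quick config. The script below is an added example, not the poster's configuration and not part of the OpenWrt or WireGuard projects. It assumes addresses the post leaves out: VPN VLAN 125 is 192.0.2.0/24 with the router at 192.0.2.1, the management VLAN 100 is 198.51.100.0/24 and is reached through that router, the gateway's only NIC is eth0, the tunnel is wg0 with AllowedIPs 0.0.0.0/0, and the provider endpoint, keys and tunnel addresses are placeholders. Two points it makes that the posted config does not: the NAT and forwarding are on the tunnel side (clients come in on eth0 and go out through wg0), and the management subnet gets an explicit route via the router plus a high-priority rule so the gateway's SSH replies never get pulled into the tunnel. Every PostDown line is derived mechanically from its PostUp line and emitted in reverse order, so the two lists cannot drift apart.

```shell
#!/bin/sh
# Added example (not from the original post): generate a wg-quick config for a
# single-NIC WireGuard gateway inside the client VLAN, keeping the management
# VLAN out of the tunnel so SSH to the gateway keeps working.
#
# Assumed addressing (the post elides its real values):
#   VPN VLAN 125   : 192.0.2.0/24, router 192.0.2.1, this gateway 192.0.2.10
#   management 100 : 198.51.100.0/24, reachable via the router
#   tunnel         : wg0, AllowedIPs 0.0.0.0/0 (wg-quick default Table)
#   LAN NIC        : eth0, the gateway's only port
set -eu

LAN_IF=${LAN_IF:-eth0}
WG_IF=${WG_IF:-wg0}
VPN_NET=${VPN_NET:-192.0.2.0/24}
ROUTER_IP=${ROUTER_IP:-192.0.2.1}
MGMT_NET=${MGMT_NET:-198.51.100.0/24}

# Commands run when the tunnel comes up, in order, each in its "add" form.
# The matching teardown command is derived from it by down_cmd.
up_cmds() {
  cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
ip route add $MGMT_NET via $ROUTER_IP dev $LAN_IF
ip rule add to $MGMT_NET lookup main priority 100
iptables -A FORWARD -i $LAN_IF -o $WG_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WG_IF -s $VPN_NET -j MASQUERADE
EOF
}

# Invert one "up" command: ip ... add -> del, iptables -A -> -D.
# Forwarding is left enabled on teardown, so sysctl lines produce nothing.
down_cmd() {
  case "$1" in
    sysctl*)          return 0 ;;
    "ip route add "*) printf '%s\n' "$1" | sed 's/^ip route add /ip route del /' ;;
    "ip rule add "*)  printf '%s\n' "$1" | sed 's/^ip rule add /ip rule del /' ;;
    iptables*)        printf '%s\n' "$1" | sed 's/ -A / -D /' ;;
    *) echo "no inverse known for: $1" >&2; return 1 ;;
  esac
}

# Teardown in reverse order of setup (the sed one-liner reverses lines).
down_cmds() {
  up_cmds | sed -n '1!G;h;$p' | while IFS= read -r c; do down_cmd "$c"; done
}

# Full wg-quick config: keys, endpoint and tunnel addresses are placeholders.
wg_conf() {
  cat <<EOF
[Interface]
PrivateKey = <gateway private key>
Address = 10.66.66.2/32
DNS = 10.66.66.1
EOF
  up_cmds   | sed 's/^/PostUp = /'
  down_cmds | sed 's/^/PostDown = /'
  cat <<EOF

[Peer]
PublicKey = <provider public key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25
EOF
}

# Stand-alone use: ./gen-wg.sh print > /etc/wireguard/wg0.conf
if [ "${1:-}" = "print" ]; then
  wg_conf
fi
```

With the default `Table` setting, wg-quick installs a `lookup main suppress_prefixlength 0` rule ahead of its own `not fwmark 51820 lookup 51820` rule, so the /24 management route added to the main table already wins over the tunnel's default route; the explicit `ip rule ... priority 100` is there so the exception survives if `Table = off` or other policy rules are added later. The clients' own return path still depends on the router sending VLAN 125 traffic to the gateway, which is the `option gateway` question in the post.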