WireGuard via a second device?

I have an ASUS RT-ACRH17 that I'm working on setting up with OpenWrt for a friend's house. It's plenty capable for what they need in terms of WiFi, and according to this earlier topic, it should suffice for their current internet speed, but it's probably not capable of handling WireGuard for a privacy VPN at that speed.

I've already abandoned the idea of doing SQM (that can wait until my friend decides to splurge on a newer router) but I'd like to make use of a GL.iNet MT2500 that I have sitting here unused to deal with the VPN problem. It would also be running OpenWrt.

My question is this: Is it possible to do this with the MT2500 "to the side" rather than as a second router that would need to be "in between" the main router and the device(s) using the VPN/WG? So the MT2500 could be connected to one LAN port of the main router, and then traffic to VPN for another device connected to the main router could be routed through the MT2500?

I would swear that I've seen this mentioned as a way to use a dedicated VPN device, but when I Google it, all I seem to find are results using the two devices in series.

If the answer is "no", thank you, that saves me a lot of time and frustration.

If the answer is "yes", could you give me the very broad strokes of how I would need to set up the MT2500 (the VPN/WG device)? I think I could figure out the main router side, or at least get close enough to ask specific questions later.

Yes. Main router will need to forward the UDP port you plan to run on to the MT2500 which you will configure to use WG if the expectation is for devices on the WAN to come into the VPN. In the past, I had a RPi running WG in just such a setup.

1 Like

Thank you!

That's what I assumed on the main router side. I'll also need to set up routing for local devices to point at the MT2500 for WG.

The setup of the MT2500 itself seems less straightforward to me...

Is the wg tunnel going to be used as an incoming vpn (i.e. remote access to the user’s network/road warrior), or is it to connect outbound to a remote endpoint like a commercial vpn service?

1 Like

The latter, commercial VPN.

Off to the side is harder in this case.

Does the user want all traffic through the tunnel, or just the traffic from certain devices? If the latter, it can be setup as a different network/ssid and it is easy.

1 Like

Just certain devices.

What I'm unsure of (to start) is if there's anything "unusual" required for the setup of the MT2500. For example, now all of the ingress and egress traffic (both tunneled and not) is over one physical port (presumably). I don't know how that should look in terms of interfaces on the MT2500.

Ah, I assumed you wanted access to the LAN from remote locations. I have not used my RPi as you are describing (commercial VPN).

Ah, fair enough. Seems like it should still work, though.

As long as the devices that need the VPN can exist on an entirely separate network from the rest of the (non-VPN'd) hosts, it's really quite simple.

  • Start with the MT2500 in a default state.
  • Connect the wan of the MT2500 to the lan of the main network
    • if the main network uses the subnet, you'll need to change the lan address of the MT2500 -- maybe to
  • Configure your WG connection to the commercial VPN, including sending all traffic through the tunnel (allowed IPs =
  • Setup a unique SSID for this network on the MT2500.
  • Devices that connect to the MT2500's wifi and/or lan ports will be tunneled via the VPN.
  • Devices on the VPN'd network will not be able to talk to devices on the main network and vice versa.

Maybe I'm misunderstanding, but isn't that more of a "in between" configuration? As in, clients to be VPN'd are connected directly to the MT2500 rather than connected to the main router and routed "through" the MT2500?

That is correct....

Connecting through the main router and routing through to the MT2500 and out via the VPN is more complicated. It can be done, but it's not trivial.

That is what I would prefer to do. The MT2500 doesn't have WiFi and only has two ethernet ports, so trying to configure it "in between" really limits my options based on the physical layout of the space.

I don't mind non-trivial as long as I can learn from it. If someone can start me out with an overview of what needs to happen, I'll puzzle away at it.

Are both routers running openwrt? Is it official openwrt or the vendor supplied firmware?

Both will be proper OpenWrt. 23.05.2 is installed on the main router already but I might start fresh; I haven't started on the MT2500 yet. It's fully supported and easy to install though (sysupgrade from factory web UI). The plan is to end up with both on 23.05.3 when that is released (hopefully not too far away).

Maybe a different strategy would be easier and more sensible…

What about configuring the mt2500 as your primary (wired-only) router and the RT-ACRH17 as dumb-AP and -in a second step- using its ports as managed switch? Once you've achieved that state, configure the VPN on the mt2500 and pass that through over a VLAN (trunk-) to some ports of the RT-ACRH17.


Hmm... that might just work.

I'd still love to know how to go about the other way, if anyone feels like sketching out the broad strokes at some point, but I'll move forward with your idea and see how I make out.

With this new approach, I should be able to consider using SQM again, right? The MT2500 uses the same CPU as the MT3000 with double the RAM, minus WiFi, so it should easily handle cake at 300 Mbps...


There's only one way to find out :wink:

MT3000 handles cake at 300 Mbps one way just fine. So should MT2500. If you throw Wireguard at it as well, max throughput will be definitely lower. Max real world Wireguard performance is somewhere above 300 Mbps: A Wireguard comparison DB. I’m guessing maybe 150-200 Mbps cake + Wireguard could be possible. fq_codel is less demanding, so could be considered instead of cake.

1 Like