Set Up a Separate Wi-Fi Network for WireGuard on OpenWrt
18.04.2025
Objective
With the WireGuard client package, an OpenWrt router can route traffic through a secure VPN tunnel. However,
it’s not always desirable to route traffic from all devices through the VPN. A more flexible approach is to
create a dedicated Wi-Fi network (SSID) that routes traffic via WireGuard, while keeping the existing SSIDs
connected directly to the ISP.
Prerequisites
- A working WireGuard VPN server
- An OpenWrt router with WireGuard client package installed
- Access to the LuCI web interface
- Assumes the default interfaces are used: lan (LAN) and wan (WAN)
Set Up the WireGuard Interface
- Go to Network → Interfaces and click Add new interface…
- Name it wanVPN and select WireGuard VPN as protocol
- Under General Settings, enter:
  - Our WireGuard client’s public and private key
  - Client IP address (e.g. 10.0.0.2)
  - Check No Host Routes
- Under Firewall Settings, create a new firewall zone named wanVPN
- In the Peers section, click Add peer and enter:
  - Description (any text we prefer)
  - Server’s public key, IP / host, and port
  - 0.0.0.0/0 under Allowed IPs, and check Route Allowed IPs
Set Up the LAN Bridge
- Navigate to Network → Interfaces → Devices
- Edit the existing bridge (br-lan by default). Make sure at least one port is left unattached (e.g. keep only lan1 on it), so it can be used by the new bridge
- Create a new bridge:
  - Click Add device configuration…
  - Name it br-lanVPN
  - Select Bridge device
  - Attach an unattached port (e.g. lan2)
💡 Alternatively, we can use VLANs instead of separate physical ports.
Create the VPN Wi-Fi Network
- Go to Network → Wireless
- Click Add next to our desired radio interface
- Under Interface Configuration → General Setup, click Network → -- custom --, and name it lanVPN
- Configure SSID, password, encryption etc.
- Ensure this new network is the only one assigned to lanVPN
Configure the lanVPN Interface
- Go to Network → Interfaces, click Edit next to lanVPN
- Change protocol to Static address
- Set the device to br-lanVPN
- Assign IP (e.g. 192.168.2.1) and set the appropriate netmask
- Under Firewall Settings, assign a new zone named lanVPN
- Under DHCP Server, click Set up DHCP Server
Firewall Zone Configuration
- Go to Network → Firewall
- Ensure the following zone forwarding rules are set:

  Zone → Forwardings    Input    Output   Forward  Masquerading
  lan → wan             accept   accept   accept   off
  lanVPN → wanVPN       accept   accept   accept   off
  wan                   reject   accept   reject   on
  wanVPN                reject   accept   reject   on
⚠️ At this point the setup is almost complete: we have set up an SSID, a bridge device, a LAN interface, a WAN
interface, and their respective firewall zones, but it won’t work yet. By default, traffic from all LAN
interfaces (in this tutorial, both lan and lanVPN) is still routed to wan. We still need to configure custom
routing rules so that only lanVPN traffic is sent through the VPN.
Set Up Policy-Based Routing
- Go to Network → Routing
- Under IPv4 Rules, click Add:
  - Incoming interface: lanVPN
  - Outgoing interface: unspecified
  - Table: 10 (or any unused number)
- Then, under Static IPv4 Routes, click Add:
  - Interface: wanVPN
  - Target: 0.0.0.0/0
  - Gateway: WireGuard’s client IP address (e.g. 10.0.0.2)
  - Table: 10 (same as the rule above)
Final step: Restart our router to apply all settings.
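For readers who prefer the shell over LuCI, the following added example (not part of the original post) is the UCI equivalent of the bridge, lanVPN interface, firewall zone and policy-based routing steps above. It assumes the wanVPN WireGuard interface has already been created, that lan2 is the spare port, and that the SSID and DHCP server are set up in LuCI as described; the names, addresses and table number follow the walkthrough.

```shell
#!/bin/sh
# Added example: UCI batch for the lanVPN/wanVPN split (constructed to
# match the LuCI steps; assumes wanVPN already exists and lan2 is free).
# Run with DRY_RUN=1 to print the batch instead of applying it.

vpn_uci_batch() {
  cat <<'EOF'
add network device
set network.@device[-1].name='br-lanVPN'
set network.@device[-1].type='bridge'
add_list network.@device[-1].ports='lan2'
set network.lanVPN=interface
set network.lanVPN.proto='static'
set network.lanVPN.device='br-lanVPN'
set network.lanVPN.ipaddr='192.168.2.1'
set network.lanVPN.netmask='255.255.255.0'
add network rule
set network.@rule[-1].in='lanVPN'
set network.@rule[-1].lookup='10'
add network route
set network.@route[-1].interface='wanVPN'
set network.@route[-1].target='0.0.0.0/0'
set network.@route[-1].gateway='10.0.0.2'
set network.@route[-1].table='10'
add firewall zone
set firewall.@zone[-1].name='lanVPN'
add_list firewall.@zone[-1].network='lanVPN'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='ACCEPT'
add firewall zone
set firewall.@zone[-1].name='wanVPN'
add_list firewall.@zone[-1].network='wanVPN'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
add firewall forwarding
set firewall.@forwarding[-1].src='lanVPN'
set firewall.@forwarding[-1].dest='wanVPN'
EOF
}

apply_vpn_config() {
  # Without uci on this host (or with DRY_RUN=1) only print the batch.
  if [ "${DRY_RUN:-0}" = "1" ] || ! command -v uci >/dev/null 2>&1; then
    vpn_uci_batch; return 0
  fi
  vpn_uci_batch | uci batch && uci commit && reload_config
}
```

Only lanVPN traffic is matched by the rule into table 10, whose sole default route points at wanVPN, so lan clients keep using the ISP path.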