Annotated configuration sample for a multi-VLAN OpenWrt setup with dual WireGuard instances and Policy Based Routing. Adapt subnet ranges, interface names, and VPN credentials to your environment.
Defines VLAN interfaces on your physical switch port. Adjust VLAN IDs and subnets to match your plan.

    # /etc/config/network — VLAN interfaces
    config interface 'vlan10'
        option ifname 'eth0.10'
        option proto 'static'
        option ipaddr '[192.168.10.1]'
        option netmask '255.255.255.0'

    config interface 'vlan40'
        option ifname 'eth0.40'
        option proto 'static'
        option ipaddr '[192.168.40.1]'
        option netmask '255.255.255.0'

Tunnel for routing internet-bound traffic through your VPN provider.

    config interface 'wg0'
        option proto 'wireguard'
        option private_key '[YOUR_PRIVATE_KEY]'
        option listen_port '51820'
        list addresses '[10.x.x.x/32]'

    config wireguard_wg0
        option public_key '[VPN_SERVER_PUBLIC_KEY]'
        option endpoint_host '[vpn.server.host]'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'

Tunnel for remote devices connecting back to your home network.

    config interface 'wg_home'
        option proto 'wireguard'
        option private_key '[HOME_PRIVATE_KEY]'
        option listen_port '51821'
        list addresses '[10.66.67.1/24]'

    # Add one peer block per remote device
    config wireguard_wg_home
        option public_key '[PEER_PUBLIC_KEY]'
        list allowed_ips '[10.66.67.x/32]'
        option description '[device-name]'

Ensures each VLAN's traffic uses the correct interface. Without this, a VLAN's traffic may leak out over the wrong route.

    # Add via UCI — one policy per VLAN that should route via VPN
    uci add pbr policy
    uci set pbr.@policy[-1].name='vlan10_via_vpn'
    uci set pbr.@policy[-1].src_addr='[192.168.10.0/24]'
    uci set pbr.@policy[-1].interface='wg0'

    uci add pbr policy
    uci set pbr.@policy[-1].name='vlan40_via_vpn'
    uci set pbr.@policy[-1].src_addr='[192.168.40.0/24]'
    uci set pbr.@policy[-1].interface='wg0'

    uci commit pbr
    service pbr restart
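
A coverage check for the policies above, as an added example that is not part of the original page: it reads `uci show pbr` output and lists every VLAN subnet that has no enabled policy pointing at the tunnel interface. The function names and the sample output are constructed for illustration, and treating `enabled='0'` as "not covered" assumes pbr's per-policy enable option.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original page).
# On the router: uci show pbr | uncovered_subnets wg0 192.168.10.0/24 192.168.40.0/24

# Print each subnet ($2..) that has no enabled pbr policy routing it via interface $1.
uncovered_subnets() {
    want_if="$1"; shift
    awk -v want_if="$want_if" -v subnets="$*" -v q="'" '
        # Option lines look like: pbr.@policy[0].src_addr=<quoted value>
        /^pbr\.@policy\[[0-9]+\]\./ {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(q, "", val)                      # strip the quotes uci adds
            idx = key; sub(/^pbr\.@policy\[/, "", idx); sub(/\].*/, "", idx)
            opt = key; sub(/^.*\]\./, "", opt)
            if (opt == "src_addr")  src[idx] = val
            if (opt == "interface") ifc[idx] = val
            if (opt == "enabled")   ena[idx] = val
        }
        END {
            for (i in src) {
                # A policy only counts if it targets the tunnel and is not disabled.
                if (ifc[i] != want_if || ena[i] == "0") continue
                n = split(src[i], a, " ")         # src_addr may list several sources
                for (j = 1; j <= n; j++) covered[a[j]] = 1
            }
            n = split(subnets, s, " ")
            for (j = 1; j <= n; j++)
                if (!(s[j] in covered)) print s[j]
        }
    '
}

# Constructed sample of `uci show pbr` output: the vlan40 policy exists but is disabled.
sample_uci_show() {
    cat <<'EOF'
pbr.config=pbr
pbr.config.enabled='1'
pbr.@policy[0]=policy
pbr.@policy[0].name='vlan10_via_vpn'
pbr.@policy[0].src_addr='192.168.10.0/24'
pbr.@policy[0].interface='wg0'
pbr.@policy[1]=policy
pbr.@policy[1].name='vlan40_via_vpn'
pbr.@policy[1].src_addr='192.168.40.0/24'
pbr.@policy[1].interface='wg0'
pbr.@policy[1].enabled='0'
EOF
}
```

Empty output means every listed subnet is matched by an enabled policy; any subnet printed is one whose traffic is not pinned to the tunnel by pbr.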