This tutorial will cover how to configure an OpenWRT router to have 2 separate networks, one that uses your ISP gateway (for example, "MyWIFI"), and another one that has its traffic routed through a wireguard VPN (like, "MyWIFI_VPN").
I'll be using Mullvad VPN for this example (they're not sponsoring me in any way); you can use any WireGuard VPN provider or your own WG server.
Mullvad has a nice tutorial on how to route all your traffic through a VPN on a wireless router, but that guide teaches you how to route ALL of your LAN traffic through it. This may be undesirable because, for example, some streaming services blacklist VPN providers' IP addresses, making your family members unable to enjoy their favourite TV shows in Netf***.
2 Wireless networks
This guide assumes that you already have:
Install WireGuard in your router
Open your OpenWRT router's terminal, update your package list and install the necessary packages with the following commands
# Update your package list
opkg update
# We'll be configuring many options from the LuCI interface
opkg install wireguard luci-proto-wireguard
Generate your public/private WireGuard keys
Run the following command; it will generate two files, "privatekey" and "publickey":
wg genkey | tee privatekey | wg pubkey > publickey
# tip: you can use the commands "cat privatekey"
# and "cat publickey" to output the private and public keys on the terminal
Get the Wireguard interface IP address to use. (MULLVAD ONLY)
This step is for Mullvad only, and it will differ depending on your VPN provider. If you're using your own WireGuard VPN server, use the peer IP that you configured for the OpenWRT client in the WG server's config file.
Run this command in any terminal.
# This is your mullvad account number, generated randomly
account_num=YOUR_MULLVAD_ACCOUNT_NUM
# This is the key you have generated in the previous step
pubkey=YOUR_PUBLIC_WIREGUARD_KEY
curl https://api.mullvad.net/wg/ -d account=$account_num --data-urlencode pubkey=$pubkey
Copy and save the generated internal IP to use when connecting to the mullvad servers.
This LAN interface is going to have all of its traffic routed via WireGuard. In this example the secondary LAN interface consists only of a secondary Wi-Fi network on the 2.4 GHz radio, but feel free to experiment with other Wi-Fi bands and Ethernet ports.
Click on the "Edit" button of the lan_vpn interface
General settings:
DHCP Server -> Advanced Settings:
Now we're going to create the secondary WiFi network
This interface is going to connect to your WG server as a client, allowing you in the next steps to route the desired vpn-protected traffic into it.
Edit the WireGuard interface with the following settings
General Settings Tab:
Peers Tab:
"WGZONE" Firewall zone
"lan_vpn" Firewall zone
We're almost done! We have successfully set up
So you might think that we're ready, but there is still a problem. If you connect now to your wifi_vpn wireless network, you probably won't have internet access. Why? Because packets are going to try to exit from your WAN interface (and your firewall is probably going to block them). This is because we unchecked the option in the WireGuard interface to create default routes.
To fix this, we are going to create a new route that only affects the lan_vpn interface. This route sends all traffic (0.0.0.0/0) through the interface WGINTERFACE.
Enter your router's ssh console as root
Open the file /etc/config/network with nano or vim
nano /etc/config/network
Add the following lines at the end of the file
The first entry is a rule: it tells the router to look up table '1742' when a packet comes in from 'lan_vpn'.
The second entry is a route in table '1742' that tells the router to send that traffic through WGINTERFACE.
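The two /etc/config/network entries this section describes, written out as an added example (this is not the original post's own snippet), together with a small check of the live kernel state so you can confirm netifd actually installed them after the restart. It assumes the names used in this guide: table 1742, the lan_vpn interface and a WireGuard interface called WGINTERFACE; the `br-lan_vpn` device name in the constructed sample output is also an assumption, so adjust both to your setup.

```shell
#!/bin/sh
# Added example (not from the original tutorial): policy-routing stanzas
# for /etc/config/network plus a check against the live kernel state.
# The names below are the ones used in this guide; they are assumptions
# for your router, so set WG_IF to the name of your WireGuard interface.
VPN_TABLE=1742        # routing table consulted only for lan_vpn traffic
VPN_LAN_IF=lan_vpn    # logical interface whose clients must go via the VPN
WG_IF=WGINTERFACE     # the WireGuard client interface

# Print the UCI stanzas to append to /etc/config/network.
# The rule sends packets arriving on lan_vpn to table 1742; the route makes
# table 1742 send everything (0.0.0.0/0) out of the WireGuard interface.
vpn_route_stanzas() {
  cat <<EOF
config rule 'vpn_lan_rule'
	option in '${VPN_LAN_IF}'
	option lookup '${VPN_TABLE}'
	option priority '100'

config route 'vpn_default_route'
	option interface '${WG_IF}'
	option target '0.0.0.0/0'
	option table '${VPN_TABLE}'
EOF
}

# Check that both entries are present in the kernel.
# $1: output of `ip rule show`; $2: output of `ip route show table $VPN_TABLE`.
# Returns 0 when both exist, 1 if the rule is missing, 2 if the route is.
check_policy_routing() {
  printf '%s\n' "$1" | grep -qE "iif .*lookup ${VPN_TABLE}( |$)" || return 1
  printf '%s\n' "$2" | grep -qE "^default .*dev ${WG_IF}( |$)" || return 2
  return 0
}

# Usage on the router: run this script after `service network restart`.
# Off the router (no `ip` binary) the check is simply skipped.
if command -v ip >/dev/null 2>&1; then
  if check_policy_routing "$(ip rule show 2>/dev/null)" \
                          "$(ip route show table "$VPN_TABLE" 2>/dev/null)"; then
    echo "policy routing for $VPN_LAN_IF via $WG_IF is active"
  else
    echo "policy routing not active; append these stanzas to /etc/config/network, then run: service network restart"
    vpn_route_stanzas
  fi
fi
```

The check deliberately looks at what the kernel reports rather than at the config file: a typo in the interface name leaves the file looking right while `ip rule show` shows no `lookup 1742` entry, which is exactly the "no internet on wifi_vpn" symptom described above.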
Restart the network service
service network restart
And voila! You should now have two wireless networks. One that uses the VPN, and one that does not!
If using Mullvad you should check here
You can also use traceroute (or tracert on Windows).
Route test:
Traffic goes from the router directly into the WireGuard gateway, then it exits from the remote VPN server's WAN gateway.