WireGuard with VLAN Bridge

WireGuard with VLAN Bridge

WireGuard in RouterOS is a Layer-3 (IP) tunnel only — it carries IP packets, not raw Ethernet frames. This means a WireGuard interface cannot be added directly as a bridge VLAN port to extend a VLAN at Layer 2.

There are two correct approaches depending on what you need:

Goal	Approach
VPN clients access resources in a specific VLAN subnet	Routed L3 access — route WireGuard subnet into VLAN SVI
Extend a VLAN across two sites so devices appear on the same L2 segment	EoIP over WireGuard — WireGuard provides encryption, EoIP provides L2

---

Prerequisites

• RouterOS 7.x on all routers (WireGuard requires RouterOS 7.0+)
• A VLAN-aware bridge already configured on the router, or willingness to create one
• For L2 extension: EoIP support (available in all RouterOS 7.x builds)

---

Use Case A — Routed L3 Access to a VLAN over WireGuard

This is the standard pattern for giving WireGuard road warrior clients or remote sites access to a specific VLAN. The WireGuard subnet is routed into the VLAN through the router’s bridge SVI (Switch Virtual Interface).

Network Layout

Component	Value
VLAN ID	10
VLAN subnet	192.168.10.0/24
Router VLAN SVI	192.168.10.1/24
WireGuard interface	wg0
WireGuard tunnel subnet	10.10.10.0/24
WireGuard listen port	51820

Step 1 — Create the VLAN-aware bridge

If you do not already have a VLAN-aware bridge, create one:

/interface/bridge
add name=br1 vlan-filtering=yes

Add your LAN port(s) to the bridge:

/interface/bridge/port
add bridge=br1 interface=ether2

Add the VLAN to the bridge and tag it on the uplink port. The bridge CPU port (br1) must be tagged so the router can participate in the VLAN:

/interface/bridge/vlan
add bridge=br1 vlan-ids=10 tagged=br1,ether2

Step 2 — Create the VLAN SVI and assign an IP

/interface/vlan
add name=vlan10 interface=br1 vlan-id=10

/ip/address
add address=192.168.10.1/24 interface=vlan10

Step 3 — Create the WireGuard interface

/interface/wireguard
add name=wg0 listen-port=51820 mtu=1420

Print the generated public key — you will need it for the remote peer:

/interface/wireguard/print

Step 4 — Add WireGuard peer(s)

For each client or remote router, add a peer entry. The allowed-address declares which source IPs are permitted through this peer:

/interface/wireguard/peers
add interface=wg0 \
    public-key="<CLIENT_PUBLIC_KEY>" \
    allowed-address=10.10.10.2/32 \
    comment="Road warrior client"

Assign the WireGuard tunnel interface an IP address:

/ip/address
add address=10.10.10.1/24 interface=wg0

Step 5 — Open the firewall for WireGuard

Allow inbound WireGuard handshakes on the WAN interface:

/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=51820 \
    in-interface-list=WAN comment="Allow WireGuard"

Step 6 — Allow forwarding between WireGuard and the VLAN

Permit traffic to pass between the WireGuard subnet and the VLAN subnet in the forward chain:

/ip/firewall/filter
add chain=forward action=accept \
    src-address=10.10.10.0/24 dst-address=192.168.10.0/24 \
    comment="WireGuard to VLAN 10"
add chain=forward action=accept \
    src-address=192.168.10.0/24 dst-address=10.10.10.0/24 \
    comment="VLAN 10 to WireGuard"

Place these rules before any drop rules in the forward chain.

Step 7 — Configure the client

On the client (Linux, Windows, iOS, Android, or another RouterOS device), the peer config points at this router and includes an AllowedIPs entry for the VLAN subnet:

WireGuard client config (standard format):

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.10.10.2/32

[Peer]
PublicKey = <ROUTER_PUBLIC_KEY>
Endpoint = <ROUTER_WAN_IP>:51820
AllowedIPs = 10.10.10.0/24, 192.168.10.0/24
PersistentKeepalive = 25

The AllowedIPs = 192.168.10.0/24 entry tells the client to route VLAN 10 traffic through the tunnel. No additional route is needed on the router — routing follows from the allowed-address on the peer entry.

---

Use Case B — L2 VLAN Extension over WireGuard (EoIP)

To make devices on two separate sites appear on the same Layer-2 VLAN (same broadcast domain, same subnet), you need an L2 tunnel on top of WireGuard. The supported approach is:

1. WireGuard — provides the encrypted IP underlay between sites
2. EoIP — provides an Ethernet-over-IP tunnel running through WireGuard
3. Bridge — bridges the EoIP tunnel with the local VLAN

When to use this: Two office sites that need to share a server subnet at L2, or a VLAN that must span a WAN link without splitting the subnet.

Network Layout

	Site A	Site B
WireGuard tunnel IP	10.0.0.1/30	10.0.0.2/30
VLAN ID to extend	20	20
VLAN subnet	192.168.20.0/24 (shared)	192.168.20.0/24 (shared)
EoIP tunnel ID	1	1

Step 1 — Build the WireGuard underlay

Follow Use Case A Steps 1–5 on both routers, using the site IPs from the table above. Assign:

Site A:

/interface/wireguard
add name=wg-siteb listen-port=51820 mtu=1420

/ip/address
add address=10.0.0.1/30 interface=wg-siteb

/interface/wireguard/peers
add interface=wg-siteb \
    public-key="<SITE_B_PUBLIC_KEY>" \
    endpoint-address=<SITE_B_WAN_IP> \
    endpoint-port=51820 \
    allowed-address=10.0.0.2/32 \
    persistent-keepalive=25s

Site B:

/interface/wireguard
add name=wg-sitea listen-port=51820 mtu=1420

/ip/address
add address=10.0.0.2/30 interface=wg-sitea

/interface/wireguard/peers
add interface=wg-sitea \
    public-key="<SITE_A_PUBLIC_KEY>" \
    endpoint-address=<SITE_A_WAN_IP> \
    endpoint-port=51820 \
    allowed-address=10.0.0.1/32 \
    persistent-keepalive=25s

Verify the WireGuard tunnel is up before proceeding:

/ping 10.0.0.2   # from Site A
/ping 10.0.0.1   # from Site B

Step 2 — Create the EoIP tunnel over WireGuard

The EoIP tunnel runs through the WireGuard tunnel — use the WireGuard tunnel IPs as the EoIP endpoints.

Site A:

/interface/eoip
add name=eoip-vlan20 tunnel-id=1 \
    remote-address=10.0.0.2 \
    mtu=1480

Site B:

/interface/eoip
add name=eoip-vlan20 tunnel-id=1 \
    remote-address=10.0.0.1 \
    mtu=1480

MTU note: WireGuard overhead is ~60 bytes. With a typical 1500-byte outer path, set WireGuard MTU to 1420 and EoIP MTU to 1480 (EoIP adds ~8 bytes of header, riding inside WireGuard).

Step 3 — Add the EoIP tunnel to the VLAN bridge

On each site, add eoip-vlan20 to the bridge as an untagged member of VLAN 20. This makes the tunnel act as a bridge port carrying VLAN 20 traffic.

Both sites:

/interface/bridge/port
add bridge=br1 interface=eoip-vlan20 pvid=20

/interface/bridge/vlan
set [find vlan-ids=20] untagged=eoip-vlan20

If VLAN 20 does not yet exist on the bridge, create it first:

/interface/bridge/vlan
add bridge=br1 vlan-ids=20 tagged=br1 untagged=ether3,eoip-vlan20

Devices on VLAN 20 at Site A and Site B are now on the same L2 segment, connected over encrypted WireGuard.

---

Verification

Use Case A — Routed access

Check WireGuard peer handshake:

/interface/wireguard/peers/print detail

A working tunnel shows a recent last-handshake and non-zero rx/tx counters.

Check the VLAN SVI is up and has an IP:

/interface/vlan/print
/ip/address/print where interface=vlan10

Ping a VLAN device from the router:

/ping 192.168.10.50

Confirm a WireGuard client can reach the VLAN:

# From WireGuard client
ping 192.168.10.1

Use Case B — L2 extension

Check the EoIP tunnel state:

/interface/eoip/print detail

The interface should show running. If not running, check that the WireGuard underlay is up first.

Check bridge VLAN membership:

/interface/bridge/vlan/print

Verify eoip-vlan20 appears as an untagged port on VLAN 20.

Ping across the tunnel from the router:

/ping 192.168.20.x   # a device on the remote site's VLAN 20

---

Troubleshooting

WireGuard tunnel does not establish

• Wrong public key: Print keys with /interface/wireguard/print on both routers and verify character-for-character.
• Firewall blocking: Check /ip/firewall/filter/print — the UDP accept rule must appear before any drop rule.
• Both sites behind CGNAT: Direct WireGuard is not possible if neither has a public IP. Use a VPS as a relay.

VLAN clients cannot reach WireGuard clients (Use Case A)

• Check /ip/firewall/filter/print where chain=forward — ensure forward rules exist and are ordered before any drop.
• Check that the VLAN SVI is in an R (running) state: /interface/vlan/print.
• Verify allowed-address on the peer matches the client’s tunnel IP.

EoIP tunnel shows not running (Use Case B)

• The EoIP remote-address must be reachable — confirm WireGuard underlay is up with /ping 10.0.0.2 before creating EoIP.
• The tunnel-id must match on both sides. Check with /interface/eoip/print.

Traffic loops or excessive broadcast on the extended VLAN

Adding a bridge over a WAN link joins two separate L2 domains. Spanning Tree Protocol (STP) is strongly recommended to prevent loops:

/interface/bridge
set br1 protocol-mode=rstp

Also ensure the EoIP port does not create a loop with any other inter-site links.

MTU / fragmentation issues

If large packets fail but small packets succeed, check the MTU chain:

/interface/wireguard/print detail  # should show mtu=1420
/interface/eoip/print detail       # should show mtu=1480

Also confirm the bridge MTU is large enough:

/interface/bridge/print detail

---

See Also

• WireGuard — full WireGuard reference for RouterOS
• EoIP — EoIP tunnel reference and configuration
• VXLAN — alternative L2 overlay with multicast and EVPN support
• Site-to-Site WireGuard VPN: Home to Cottage — site-to-site WireGuard without VLAN bridging