Hello,
To make this work I'd recommend installing OpenWRT package called "vpn-policy-routing". With this package you can easily create rules and assign specific interfaces as the default gateway for desired LAN subnets (VLANS) while keeping your primary WAN connection as the default gateway for other subnets, not within the range of VPN policy routing rules.
Note: I'd highly recommend having local access to the router before performing any further configuration.
To start things off, please log in to the router via CLI (SSH) [wiki article covering this procedure] and issue the following commands:
opkg update
opkg install vpn-policy-routing
Note: the "opkg update" command may throw some errors at the end of its output; it's completely fine to ignore them.
Once VPN policy routing is installed, proceed with creating VLANs, then create VPN tunnels and assign their peers. When creating VPN tunnels and peers, make sure to set specific fields to the following values:
In the "General Setup"
Listen port: any value between 1024–65535, must be unique for each individual tunnel configuration
IP addresses: IPv4 address of the tunnel on the Teltonika router side. Each tunnel must be in its own subnet so that no conflicts occur.
In the "Advanced Setup"
Metric: must be higher than the metric of the default gateway (WAN) interface. For example, 50.
MTU: default is 1420; adjust if necessary, depending on the other end of the tunnel, so that this value matches on both ends (peers).
Proceed to the peer configuration, in the "General Setup"
Public key: peer (other end) public key
Allowed IPs: 0.0.0.0/0
Peer configuration, "Advanced Setup"
Description: custom description about this peer
Preshared key: configure only if required/setup on the other end, otherwise leave empty
Endpoint host: public IPv4 address of the peer
Endpoint port: port which the peer is listening on
Persistent keep alive: recommended to set to 30 to make sure the tunnel stays online even when no client is using it.
Configure the second WG tunnel identically, except with different IPs, listening port and public key.
Once done, proceed back to the CLI (SSH) and run the following commands:
Note: make sure to replace WG interface names and subnet IPs in case they differ on your end.
Note: you can check how WG interfaces are named by issuing command "wg" (without quotation marks) in the CLI (SSH).
uci set vpn-policy-routing.config.enabled='1'
while uci -q delete vpn-policy-routing.@policy[0]; do :; done
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].dest_addr="10.20.30.0/24 172.20.30.0/24"
uci set vpn-policy-routing.@policy[-1].interface="ignore"
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].src_addr="10.20.30.0/24"
uci set vpn-policy-routing.@policy[-1].interface="WireGuard interface name #1"
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].src_addr="172.20.30.0/24"
uci set vpn-policy-routing.@policy[-1].interface="WireGuard interface name #2"
uci commit
/etc/init.d/vpn-policy-routing restart
Once done, the default gateway for other LAN subnets will still be the default WAN connection; however, for subnet 10.20.30.0/24 the default gateway will be WireGuard interface #1, and for subnet 172.20.30.0/24 the default gateway will be WireGuard interface #2. I've tested this on my end and everything seemed to be in order. Let me know if this works for you.
Best regards,
Tomas.
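The three-policy pattern in the reply above (one "ignore" policy listing every VPN-routed subnet so traffic between the VLANs stays local, then one policy per subnet steering it into its WireGuard interface) generalizes to any number of tunnels. The script below is an added example, not part of Tomas's post or of the vpn-policy-routing package: it takes "subnet=interface" pairs, rejects malformed subnets or missing interface names before anything reaches uci, and prints the same command sequence for review. The interface names wg0/wg1 are placeholders; use the names shown by the "wg" command.

```shell
#!/bin/sh
# Added example: emit the vpn-policy-routing uci commands for N tunnels.
# Nothing here touches the router; the output is meant to be reviewed and
# then pasted into the SSH session, exactly as the commands in the post.

# Accept only a plain IPv4 CIDR such as 10.20.30.0/24; return 1 otherwise.
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; pfx=${1#*/}
    [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Usage: gen_vpr_policies "10.20.30.0/24=wg0" "172.20.30.0/24=wg1"
# Prints the uci commands to stdout; returns 1 on a malformed argument.
gen_vpr_policies() {
    all=""
    for pair in "$@"; do
        subnet=${pair%%=*}; iface=${pair#*=}
        is_cidr "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
        [ -n "$iface" ] && [ "$iface" != "$pair" ] || { echo "missing interface for $subnet" >&2; return 1; }
        all="${all:+$all }$subnet"   # space-separated list for the ignore policy
    done
    echo "uci set vpn-policy-routing.config.enabled='1'"
    echo "while uci -q delete vpn-policy-routing.@policy[0]; do :; done"
    # Inter-VLAN traffic between the VPN subnets must not enter a tunnel.
    echo "uci add vpn-policy-routing policy"
    echo "uci set vpn-policy-routing.@policy[-1].dest_addr=\"$all\""
    echo "uci set vpn-policy-routing.@policy[-1].interface=\"ignore\""
    # One policy per subnet: its default gateway becomes the named WG interface.
    for pair in "$@"; do
        subnet=${pair%%=*}; iface=${pair#*=}
        echo "uci add vpn-policy-routing policy"
        echo "uci set vpn-policy-routing.@policy[-1].src_addr=\"$subnet\""
        echo "uci set vpn-policy-routing.@policy[-1].interface=\"$iface\""
    done
    echo "uci commit"
    echo "/etc/init.d/vpn-policy-routing restart"
}
```

Subnets not listed keep the WAN default gateway, since no policy matches them.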