
I have a Raspberry Pi 4 Model B running OpenWrt with two additional USB Ethernet adapters. I have the onboard Ethernet port currently connected to the WAN. WireGuard is installed but not properly configured. I also have an HP ProCurve 2824 switch and would like to create two VLANs on it.

What I want to achieve:

(1) I want the first USB Ethernet adapter to support a VLAN (VLAN1) on the switch that is only accessible via the WireGuard VPN server running on the Raspberry Pi. I would like to run my own DNS server on this VLAN and would also like it to be able to pull code from GitHub.

(2) Secondly, I have a second USB adapter for my Pi for which I would like to establish a second VLAN on my switch.

I would like this VLAN (VLAN2) to make use of my static WAN IP address. My cheap ISP router currently accepts traffic to the sole IP address I have for several subdomains, one meant for my Nextcloud server and another for my test machine (e.g. nextcloud.mydomain.com and test.mydomain.com). I would like to configure the Pi to route traffic for Nextcloud to one port on my VLAN2 and traffic for test to another port on VLAN2. These will not sit behind the VPN but should be publicly accessible. Is a VLAN indeed needed for this part, or can I simply give the machines static IP addresses and plug them into the switch? (I am not sure how this will work; will the switch simply act as a hub if I do not create a VLAN?)

Updated with the following on 27/1/23:

I have eth0 (the br-lan) as a dedicated connection to my cheap ISP-provided Huawei router, as I am not sure how you expect me to get internet traffic into the picture.

Are you proposing that I plug the ISP-provided Huawei router directly into a switch port and somehow tag it to provide internet access across both VLANs? If so, how does my router control this?

I currently have this in /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd56:08f3:f438::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option gateway '192.168.100.1'
        list dns '1.1.1.1'
        list ipaddr '192.168.100.253/24'

config device
        option name 'eth0'

config device
        option name 'phy0-sta0'

config device
        option name 'eth1'
        option acceptlocal '1'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '10'
        option name 'eth1.10'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '20'
        option name 'eth1.20'
        option ipv6 '0'

config interface 'laan'
        option proto 'static'
        option device 'eth1.10'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1.20'

I believe the VLANs on the switch are working, as OpenWrt shows traffic for eth1.10 and eth1.20 when a device is plugged into the switch for either of those VLANs and stops when it is removed.

I am just not sure exactly what I have and whether I'm going in the right direction.

1 Answer


The whole point of VLANs is to not bother to install additional adapters. Don't do it; throw away those USB NICs. Configure a single trunk link which has all the VLANs tagged. The switch essentially will work as the "port multiplier" for your router. This widely used topology is sometimes called router on a stick.

On the switch side, when you configure it, you dedicate a port where the Raspberry Pi will be connected, create VLANs and assign all of them as tagged on that port, while assigning them as required (untagged or no access) on the other ports. (Only one VLAN can be untagged on a port, which becomes the "default VLAN" for that port.) For instance, you'll likely need to dedicate one port for the WAN, where the WAN VLAN will be set to untagged, and that VLAN will be set to tagged on the RPi port and to no access on all other ports of the switch.

On the Raspberry Pi side this is achieved by creating VLAN subinterfaces, and then the Linux kernel will do the necessary tagging for you. Then, you configure all IP addresses and the like on those VLAN subinterfaces.

In OpenWrt, this is pretty straightforward (the following could be part of /etc/config/network):

config interface 'lan'
        option ifname 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'wan'
        option ifname 'eth0.20'
        option proto 'dhcp'
        option delegate '0'

In this example, eth0 is the physical interface name as seen in the ip link command; LAN uses 802.1Q VLAN ID 10 and eth0.10 is the name of the subinterface where the untagged traffic for that VLAN will appear; WAN uses 802.1Q VLAN ID 20 and eth0.20 is the name of the subinterface through which access to that VLAN will be performed. It is eth0.10 and eth0.20 that will have IP addresses, as shown in this example.

Then you may proceed with WireGuard (in the same file):

config interface 'wg0'
        option proto 'wireguard'
        option private_key '...'
        option listen_port '51820'
        list addresses '192.168.9.7/24'

config wireguard_wg0
        option public_key '...'
        option endpoint_host '...'
        option endpoint_port '51820'
        list allowed_ips '192.168.9.1/32'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

config wireguard_wg0
        option public_key '...'
        list allowed_ips '192.168.9.9/32'
        option persistent_keepalive '25'

config wireguard_wg0
        option public_key '...'
        list allowed_ips '192.168.9.3/32'
        option persistent_keepalive '25'

Notice you don't specify interface names other than the WireGuard interface to which this configuration belongs, because you don't need to. It doesn't bind to an interface, it binds to IP addresses and uses interfaces as directed by the system routing tables.

By the way, if you install OpenWrt on a "conventional" router (like the TP-Link I have), it will configure this exactly in the way I just described; internally it has a CPU with a single Ethernet interface (as the Raspberry Pi has) which in this case has the name eth0 and which is internally connected to a switch chip port 0. My switch chip sets port 1 to be WAN (so VLAN 20 is tagged on 0 and untagged on 1, and no access on others), and ports 2, 3, 4, 5 as LAN (so VLAN 10 is tagged on 0 and untagged on 2, 3, 4, 5 and no access on 1). You essentially replicate this setup with one small difference: your computer-to-switch connection will be explicit (a cable) and the switch is managed not from the computer, but as an individual independent device.

  • Do you perhaps mean eth1 for me, since device eth0 is also the bridge device br-lan for the onboard Ethernet port whose interface is called 'lan' by default? (I have given this a static IP address 192.168.100.254 and it is connected to my ISP-provided router). Would it be possible to achieve the subinterface VLANs using the LuCI web interface? I'd hate to go down a rabbit hole of troubleshooting a manually edited network file, but with LuCI I cannot assign the 'option ifname' to be the same name as the subinterface VLAN, e.g. eth1.10 (mine has eth1). However my option device is listed as eth1.10. Commented Jan 25, 2023 at 1:41
  • I mean whatever single Ethernet interface your system has, the onboard Ethernet. You don't need any USB adapters. "lan" is the name of the bridge (it is "br-lan" in the system actually). I don't know if it is possible to configure ifname using LuCI; actually I believe mine did appear after some LuCI configuration. However, it is much, much easier to explain by just showing a config file. Commented Jan 25, 2023 at 3:52
  • I have pasted my effort based on Nikita's suggestion but would appreciate some guidance to confirm I'm doing this right and will ultimately be able to provide an IP address of a machine on one of my VLANs to my cheap Huawei router and have my Raspberry Pi router ensure traffic reaches that IP address. Commented Jan 26, 2023 at 22:37
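As an added example that is not part of the question, the answer or OpenWrt itself: a small Python checker run over the two /etc/config/network fragments posted above (the asker's 'device'-based one and the answer's pre-21.02 'ifname' one, both embedded as constructed samples). It reports the things that are easy to get wrong when moving a Pi to router-on-a-stick: duplicate or out-of-range VLAN ids, interfaces with no device, dotted names that rely on netifd deriving the VLAN from the name (as the answer's config does), and two interfaces that would each install a default route (the asker's 'lan' with a static gateway plus 'wan' on DHCP). The parser handles only the UCI constructs used on this page.

```python
"""Sanity-check the VLAN layout of an OpenWrt /etc/config/network.
Added example for this thread, not code from the question, the answer or OpenWrt;
it parses only the UCI constructs used on this page, not the full UCI syntax."""
import shlex
from collections import defaultdict

# Constructed sample: the VLAN-relevant parts of the asker's posted config.
ASKER_CONFIG = """
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option gateway '192.168.100.1'
        list ipaddr '192.168.100.253/24'
config device
        option type '8021q'
        option ifname 'eth1'
        option vid '10'
        option name 'eth1.10'
config device
        option type '8021q'
        option ifname 'eth1'
        option vid '20'
        option name 'eth1.20'
config interface 'laan'
        option proto 'static'
        option device 'eth1.10'
        option ipaddr '192.168.7.1'
config interface 'wan'
        option proto 'dhcp'
        option device 'eth1.20'
"""

# Constructed sample: the answer's router-on-a-stick layout (pre-21.02 'ifname').
ANSWER_CONFIG = """
config interface 'lan'
        option ifname 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.7.1'
config interface 'wan'
        option ifname 'eth0.20'
        option proto 'dhcp'
"""

def parse_uci(text):
    """Return UCI sections as dicts: type, name, options (str->str), lists (str->[str])."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)    # handles quoting and '#' comments
        if not parts:
            continue
        if parts[0] == 'config' and len(parts) >= 2:
            cur = {'type': parts[1], 'name': parts[2] if len(parts) > 2 else None,
                   'options': {}, 'lists': defaultdict(list)}
            sections.append(cur)
        elif cur is not None and len(parts) == 3 and parts[0] == 'option':
            cur['options'][parts[1]] = parts[2]
        elif cur is not None and len(parts) == 3 and parts[0] == 'list':
            cur['lists'][parts[1]].append(parts[2])
    return sections

def check_vlans(sections):
    """Return human-readable findings about 8021q devices and default routes."""
    findings, declared = [], {}            # declared: 8021q device name -> (parent, vid)
    for s in sections:
        o = s['options']
        if s['type'] != 'device' or o.get('type') != '8021q':
            continue
        name, parent, vid = o.get('name'), o.get('ifname'), o.get('vid')
        if not (name and parent and vid):
            findings.append(f"8021q device {name!r}: needs 'name', 'ifname' and 'vid'")
            continue
        if not vid.isdigit() or not 1 <= int(vid) <= 4094:
            findings.append(f"device {name}: VLAN id {vid!r} is outside 1-4094")
        dup = [n for n, pv in declared.items() if pv == (parent, vid)]
        if dup:
            findings.append(f"device {name}: VLAN {vid} on {parent} is already {dup[0]}")
        declared[name] = (parent, vid)

    default_routes = []                    # (interface, metric) pairs that install one
    for s in sections:
        if s['type'] != 'interface':
            continue
        o, name = s['options'], s['name']
        dev = o.get('device') or o.get('ifname')        # 'ifname' is the pre-21.02 spelling
        if o.get('proto') in ('static', 'dhcp') and not dev:
            findings.append(f"interface {name}: proto {o['proto']} but no device")
        elif dev and '.' in dev and dev not in declared:
            # no device section: netifd derives the VLAN from the dotted name itself
            findings.append(f"note: interface {name} relies on implicit VLAN device {dev}")
        if (o.get('proto') == 'static' and 'gateway' in o) or \
           (o.get('proto') == 'dhcp' and o.get('defaultroute') != '0'):
            default_routes.append((name, o.get('metric')))
    metrics = [m for _, m in default_routes]
    if len(default_routes) > 1 and len(set(metrics)) < len(metrics):
        names = ', '.join(n for n, _ in default_routes)
        findings.append(f"default route: {names} all install one; set 'option metric' "
                        "or 'option defaultroute 0' on the ones that should not")
    return findings

if __name__ == '__main__':
    for label, cfg in (('asker', ASKER_CONFIG), ('answer', ANSWER_CONFIG)):
        print(label, *check_vlans(parse_uci(cfg)), sep='\n  ')
```

Run as-is it prints the findings for both fragments: the asker's config gets the default-route warning (a static gateway on 'lan' towards the Huawei router plus DHCP on 'wan'), the answer's config only the two informational notes about eth0.10 and eth0.20 having no device section. To check a live box, replace the sample string with the contents of /etc/config/network.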

