Tutorial By MikroRadius Team

WireGuard with VLAN Tagging on MikroTik: Segment VPN Users Like a Pro

Need to place remote WireGuard VPN users into specific VLANs (Guest, Staff, IoT)? This guide shows how to combine WireGuard with bridge VLAN filtering, per-peer firewall policy and RADIUS attributes, giving you granular control over which VLAN each VPN user's traffic may enter.

WireGuard gives you a fast, secure VPN tunnel. But what if you need to treat remote users differently? Maybe contractors should only reach the guest network, while employees get full LAN access. WireGuard identifies each peer by its public key and pins it to a fixed tunnel address, and MikroTik routes that address into the VLANs on your bridge, so you can segment VPN traffic with the same VLAN design you use for physical ports. Where users are authenticated through RADIUS (such as MikroRadius), the server can hand the router the VLAN or address pool to use. This guide walks you through the complete setup.

Why WireGuard + VLAN Tagging?

  • Security – Isolate VPN users into different VLANs (Guest, IoT, Corporate).
  • Centralised control – Use RADIUS to assign VLANs without touching the router.
  • Scalability – Add new users or change their VLAN from the RADIUS server.
  • Clean network design – VPN traffic follows the same VLAN rules as your local LAN.

How It Works (Simplified)

WireGuard is a Layer 3 interface: it carries IP packets with no Ethernet header, so it can neither be a bridge port nor carry an 802.1Q tag itself. What the router does have is the peer's tunnel address. Each peer is pinned to a /32 allowed-address, and WireGuard discards any decrypted packet whose source lies outside that range, so the tunnel address is an identity bound to the peer's key. The router routes between the tunnel subnet and the VLAN interfaces on the bridge; firewall rules keyed on the tunnel address decide which VLAN each user may reach, and the bridge adds the 802.1Q tag only when it forwards the packet out to the LAN. Where RADIUS is involved (802.1X logins, or PPP-based tunnels such as L2TP/IPsec), the server can return the VLAN or address-pool attributes that feed the same rules.

Prerequisites

  • MikroTik router with RouterOS v7.1+ (WireGuard and bridge VLAN filtering).
  • WireGuard remote access already configured, with one peer (key pair) per user (see our WireGuard remote access guide).
  • A RADIUS server (MikroRadius recommended) for dynamic VLAN assignment (optional but powerful).
  • Existing VLANs defined on your router (e.g., VLAN10=Staff, VLAN20=Guest).

Topology Example

  • WireGuard tunnel network: 10.10.10.0/24 (router IP 10.10.10.1).
  • VLAN 10 (Staff): 192.168.10.0/24
  • VLAN 20 (Guest): 192.168.20.0/24
  • Goal: User "alice" (staff) gets VLAN 10, user "bob" (guest) gets VLAN 20.

Step 1: Prepare Your Bridge for VLAN Filtering

VLAN tagging happens on a bridge. Put your LAN ports in the bridge, but not the WireGuard interface: WireGuard is a Layer 3 interface with no Ethernet frames, so it cannot be bridged. It stays outside the bridge and is routed.

/interface bridge add name=bridge-main
/interface bridge port add bridge=bridge-main interface=ether2
/interface bridge port add bridge=bridge-main interface=ether3

Important: leave vlan-filtering off until the bridge VLAN table is populated (Step 6). Enabling it first, especially on the port you manage the router through, can cut off your own access.

Step 2: Address the WireGuard Interface (It Stays Routed)

The tunnel address belongs on the WireGuard interface itself, not on a VLAN interface. There is no need for a separate "VPN VLAN": the bridge never sees WireGuard frames, only packets the router has already routed out of the tunnel.

/ip address add address=10.10.10.1/24 interface=wg-remote

Every peer will be pinned to one /32 inside 10.10.10.0/24 (Step 5); that address, not a VLAN tag, is what identifies the user to the firewall.

Step 3: Create VLAN Interfaces for Each Network Segment

/interface vlan add name=vlan10-staff interface=bridge-main vlan-id=10
/interface vlan add name=vlan20-guest interface=bridge-main vlan-id=20
/ip address add address=192.168.10.1/24 interface=vlan10-staff
/ip address add address=192.168.20.1/24 interface=vlan20-guest

Step 4: Configure RADIUS for Dynamic VLAN Assignment

On your MikroRadius server, add RADIUS attributes to each user. The standard VLAN assignment attributes (RFC 2868) are:

  • Tunnel-Type = 13 (VLAN)
  • Tunnel-Medium-Type = 6 (IEEE-802)
  • Tunnel-Private-Group-ID = 10 (or 20, the VLAN ID)

In MikroRadius, when creating or editing a user, add these custom attributes. For user "alice", set Tunnel-Private-Group-ID = 10. For "bob", set it to 20.

Caveat: RouterOS applies these Tunnel-* attributes to logins it terminates at Layer 2, such as 802.1X, where there is a bridge port to retag. WireGuard is not a RADIUS-authenticated service in RouterOS and there is no RADIUS service=wireguard; the ppp service below covers PPP-based tunnels (L2TP, PPTP, SSTP, OVPN, PPPoE). For a PPP user the practical equivalent is address based: return Framed-IP-Address or Framed-Pool so the user lands in a per-VLAN pool that your firewall rules already match. Check the RADIUS attribute reference for your RouterOS version before relying on either.

On the MikroTik router, enable RADIUS for the PPP services:

/radius add address=YOUR_RADIUS_IP secret=shared_secret service=ppp
/ppp aaa set use-radius=yes
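To see what those three attributes look like on the wire, and what a NAS checks before trusting the reply, here is an added example (not MikroRadius or RouterOS code). It encodes the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triplet, wraps it in an Access-Accept with a valid Response Authenticator (RFC 2865), and decodes the VLAN ID back out, including the tag rules that let several tunnel triplets coexist. The request authenticator, user name and shared secret in the demo are constructed values.

```python
"""RADIUS VLAN-assignment attributes on the wire.

Added example (not MikroRadius or RouterOS code): build the RFC 2868
Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triplet, wrap
it in an Access-Accept with a valid Response Authenticator (RFC 2865 s3),
and decode the VLAN ID back out the way a NAS would.
"""
import hashlib
import hmac
import struct

USER_NAME = 1                   # RFC 2865 attribute type
TUNNEL_TYPE = 64                # RFC 2868 attribute types
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13           # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6           # Tunnel-Medium-Type value "IEEE-802"
ACCESS_ACCEPT = 2               # RADIUS packet code


def attr(type_code: int, value: bytes) -> bytes:
    """One AVP: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def tagged_int(type_code: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer (RFC 2868 s3.1-3.2): one tag byte, then a 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return attr(type_code, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(type_code: int, text: str, tag: int = 0) -> bytes:
    """Tagged string (RFC 2868 s3.6): one tag byte, then the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return attr(type_code, bytes([tag]) + text.encode("ascii"))


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes a NAS expects for a VLAN assignment."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def access_accept(identifier: int, request_auth: bytes, secret: bytes,
                  attrs: bytes) -> bytes:
    """Access-Accept; Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does before trusting a reply: recompute the authenticator
    from the request it sent and the shared secret, constant-time compare."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attrs(attrs: bytes) -> list:
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("bad attribute length")
        out.append((t, attrs[i + 2:i + length]))
        i += length
    return out


def vlan_from_accept(packet: bytes):
    """VLAN ID assigned by an Access-Accept, or None when the triplet is
    absent or inconsistent (non-VLAN Tunnel-Type, wrong medium, tag mismatch)."""
    groups = {}
    for t, v in parse_attrs(packet[20:]):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and v:
            # RFC 2868: a first byte above 0x1F is data, not a tag.
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = body
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and group.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            return int(group[TUNNEL_PRIVATE_GROUP_ID])
    return None


if __name__ == "__main__":
    request_auth = bytes(range(16))   # constructed; a real NAS sends 16 random bytes
    reply = access_accept(7, request_auth, b"shared_secret",
                          attr(USER_NAME, b"alice") + vlan_attributes(10))
    print(reply.hex())
    print("valid:", verify_response(reply, request_auth, b"shared_secret"),
          "vlan:", vlan_from_accept(reply))
```

The decoder deliberately returns None when Tunnel-Type is anything other than VLAN or the medium is not IEEE-802, which is the same reason a router ignores a Tunnel-Private-Group-ID that arrives without its two companions: the VLAN ID alone is not a complete assignment.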

Step 5: Pin Each WireGuard Peer to a Fixed Tunnel Address

WireGuard has no username/password step: a peer is authenticated by its static key pair, and RouterOS does not pass WireGuard peers through PPP or RADIUS (there is no service=wireguard in /ppp secret and no mode=ppp on a peer). The per-user handle you get instead is the peer's allowed-address. Give every user their own peer with a single /32. WireGuard enforces this on decryption (cryptokey routing), so alice cannot send packets from bob's address whatever she puts in her client config.

/interface wireguard add name=wg-remote listen-port=51820
/interface wireguard peers add interface=wg-remote public-key="ALICE_PUBLIC_KEY" allowed-address=10.10.10.2/32 comment=alice
/interface wireguard peers add interface=wg-remote public-key="BOB_PUBLIC_KEY" allowed-address=10.10.10.3/32 comment=bob

Never use allowed-address=0.0.0.0/0 on a remote-access peer: it lets that peer source packets from any address, including another user's, and the address-based segmentation in Step 7 collapses.

On the client, Address must match the peer's /32 (10.10.10.2/32 for alice) and AllowedIPs lists the networks the client sends through the tunnel (192.168.10.0/24 for a split tunnel, 0.0.0.0/0 for a full tunnel).

If you need RADIUS-managed accounts (password logins, central enable/disable), terminate those users on a PPP-based tunnel such as L2TP/IPsec instead. A PPP profile hands out the address, /ppp aaa (Step 4) passes the login to RADIUS, and a Framed-Pool or Framed-IP-Address in the reply selects the per-VLAN pool your firewall matches on.

/ip pool add name=vpn-staff-pool ranges=10.10.11.2-10.10.11.254
/ip pool add name=vpn-guest-pool ranges=10.10.12.2-10.10.12.254
/ppp profile add name=vpn-profile local-address=10.10.11.1 remote-address=vpn-guest-pool
/interface l2tp-server server set enabled=yes default-profile=vpn-profile use-ipsec=yes ipsec-secret=CHANGE_ME

Step 6: Bridge VLAN Table – Allow VLANs on the Bridge

Ensure your bridge forwards the VLANs you created. The bridge itself must be a tagged member of each VLAN so the vlan10-staff and vlan20-guest interfaces (and with them the router's own addresses and the routed WireGuard traffic) can reach that VLAN; ether2 is the tagged trunk to the switch here. For an access port, add it as untagged and set its pvid under /interface bridge port. Enable VLAN filtering only once the table is complete.

/interface bridge vlan add bridge=bridge-main vlan-ids=10 tagged=bridge-main,ether2
/interface bridge vlan add bridge=bridge-main vlan-ids=20 tagged=bridge-main,ether2
/interface bridge set bridge-main vlan-filtering=yes

Step 7: Firewall Rules to Enforce VLAN Segmentation

Traffic from WireGuard users arrives on wg-remote already decrypted; the forward chain is where you decide which VLAN each tunnel address may enter. Put the users' /32 addresses into address lists named after the VLAN so the rules stay the same as users come and go, accept established/related first, and finish with a drop so anything not explicitly allowed is blocked. The policy rests on the /32 allowed-address from Step 5, not on a VLAN tag.

/ip firewall address-list add list=vpn-staff address=10.10.10.2 comment=alice
/ip firewall address-list add list=vpn-guest address=10.10.10.3 comment=bob
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=wg-remote src-address-list=vpn-staff out-interface=vlan10-staff action=accept
/ip firewall filter add chain=forward in-interface=wg-remote src-address-list=vpn-guest out-interface=vlan20-guest action=accept
/ip firewall filter add chain=forward in-interface=wg-remote out-interface=wan action=accept
/ip firewall filter add chain=forward in-interface=wg-remote action=drop
/ip firewall filter add chain=forward in-interface=vlan20-guest out-interface=vlan10-staff action=drop

Step 8: Testing the Setup

  1. Connect a WireGuard client with Alice's key pair and Address 10.10.10.2/32.
  2. On the router, confirm the handshake and counters: /interface wireguard peers print detail shows last-handshake, rx and tx per peer.
  3. Confirm the address-list rule is matching: /ip firewall filter print stats and watch the packet counter on the vpn-staff accept rule climb.
  4. From Alice's client, ping a device on VLAN 10 – it should succeed. Try a host on VLAN 20 – it should be blocked by the final wg-remote drop rule.
  5. Repeat with Bob's key: VLAN 20 reachable, VLAN 10 blocked.

Troubleshooting WireGuard + VLAN Tagging

  • Client connects but lands in the wrong VLAN: check that the peer's allowed-address is the /32 you expected (/interface wireguard peers print) and that the same address sits in the right list (/ip firewall address-list print). The counters in /ip firewall filter print stats show which rule the traffic is actually hitting.
  • RADIUS reply carries no VLAN: verify the attributes are being sent. Enable /system logging add topics=radius,debug and read /log print, and check counters with /radius monitor 0. For PPP users make sure /ppp aaa has use-radius=yes; remember that WireGuard peers never consult RADIUS.
  • VLAN tagging not working on WireGuard interface: WireGuard is Layer 3. It cannot be bridged or tagged; the tag is added only when the router forwards the packet out of vlan10-staff or vlan20-guest onto the bridge.
  • No internet for VPN client: the client's traffic leaves the router with a 10.10.10.x source, so masquerade that subnet too: /ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface=wan action=masquerade, alongside the same rule for 192.168.10.0/24 and 192.168.20.0/24. Also make sure the client's AllowedIPs includes 0.0.0.0/0 if it expects a full tunnel.
  • RADIUS authentication fails: verify the shared secret and that the router's source address matches the NAS entry on the server. In /radius monitor 0, timeouts mean no valid answer arrived (server unreachable, wrong port, or a shared-secret mismatch that makes the server drop the request); rejects mean the server answered and refused the credentials.

Real‑World Deployment Example

Scenario: A company has remote employees (VLAN 10) and external contractors (VLAN 20). The MikroTik router runs WireGuard on port 51820 with one peer per person; employees' /32 addresses go into the vpn-staff list, contractors' into vpn-guest, and the forward chain lets each list into only its own VLAN, so contractors cannot reach the internal file servers on VLAN 10. Contractors who must log in with a password rather than a pre-provisioned key come in over L2TP/IPsec; MikroRadius holds those accounts and returns the pool (Framed-Pool=vpn-guest-pool) that lands them under the same guest policy.

Alternative: Static VLAN Mapping Without RADIUS

If you don't have RADIUS, the WireGuard part of this setup needs nothing beyond what Steps 5 and 7 already do: each user gets a fixed /32 allowed-address in their peer entry, and an address list maps that address to a VLAN policy. Adding a user is two lines; moving a user between VLANs is one address-list change. RADIUS adds central account management for the PPP-based users, not a different mechanism for WireGuard. Note that a mangle set-priority rule does not place traffic in a VLAN: it only writes a CoS value and has no effect on which VLAN interface the packet is routed to.

/interface wireguard peers add interface=wg-remote public-key="CAROL_PUBLIC_KEY" allowed-address=10.10.10.4/32 comment=carol
/ip firewall address-list add list=vpn-staff address=10.10.10.4 comment=carol
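Because the whole scheme (Steps 5 and 7, and the static mapping above) rests on every peer holding exactly one /32 that appears in exactly one vpn-* list, it is worth checking that invariant against the live configuration. The following is an added example, not RouterOS, MikroRadius or this guide's own code. It parses the "/interface wireguard peers" and "/ip firewall address-list" sections of an export and flags the mistakes that silently widen access: a broad allowed-address (0.0.0.0/0, or a LAN prefix that lets the peer source packets as LAN hosts), one address pinned to two peers, an address in no list (the user just hits the drop rule) and an address in several lists (the user gets all of their access). The sample export is constructed, with placeholder keys; it assumes one add per line (real exports wrap long lines with a trailing backslash, so join those first) and that policy lists are named vpn-*. It also handles IPv6 peers, treating a /128 as a host like a /32.

```python
"""Audit the WireGuard-to-VLAN mapping in a RouterOS export.

Added example (not RouterOS, MikroRadius or this guide's own code): parses
the "/interface wireguard peers" and "/ip firewall address-list" sections
of an export and reports peers whose allowed-address or address-list
membership would undermine address-based segmentation. Assumes one "add"
per line and that VPN policy lists are named vpn-*.
"""
import ipaddress
import re
from collections import defaultdict

PEER_SECTION = "/interface wireguard peers"
LIST_SECTION = "/ip firewall address-list"
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Constructed sample export; keys and comments are placeholders.
SAMPLE_EXPORT = """\
/interface wireguard peers
add interface=wg-remote public-key="ALICE_PUBLIC_KEY" allowed-address=10.10.10.2/32 comment=alice
add interface=wg-remote public-key="BOB_PUBLIC_KEY" allowed-address=10.10.10.3/32 comment=bob
add interface=wg-remote public-key="CAROL_PUBLIC_KEY" allowed-address=10.10.10.4/32,192.168.10.0/24 comment=carol
add interface=wg-remote public-key="DAVE_PUBLIC_KEY" allowed-address=0.0.0.0/0 comment=dave
add interface=wg-remote public-key="ERIN_PUBLIC_KEY" allowed-address=10.10.10.5/32 comment=erin
add interface=wg-remote public-key="FRANK_PUBLIC_KEY" allowed-address=10.10.10.2/32 comment=frank
/ip firewall address-list
add list=vpn-staff address=10.10.10.2 comment=alice
add list=vpn-guest address=10.10.10.3 comment=bob
add list=vpn-staff address=10.10.10.5 comment=erin
add list=vpn-guest address=10.10.10.5 comment=erin-typo
"""


def parse_export(text):
    """Return (peers, list_entries) as lists of key/value dicts."""
    peers, entries, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            if section == PEER_SECTION:
                peers.append(kv)
            elif section == LIST_SECTION:
                entries.append(kv)
    return peers, entries


def audit(text):
    """Return (peer, finding) pairs.
    broad-allowed-address  a prefix wider than one host: the peer may source
                           packets from any address in it (0.0.0.0/0 = anyone)
    duplicate-address      one host address pinned to more than one peer
    no-address-list        host address in no vpn-* list: falls to the drop rule
    multiple-lists         host address in several vpn-* lists: gets all their access
    """
    peers, entries = parse_export(text)
    membership = defaultdict(set)       # host address -> vpn-* lists containing it
    for e in entries:
        if e.get("list", "").startswith("vpn-") and "address" in e:
            membership[e["address"]].add(e["list"])
    owners = defaultdict(list)          # host address -> peers pinned to it
    findings = []
    for p in peers:
        name = p.get("comment") or p.get("public-key", "?")
        for prefix in filter(None, p.get("allowed-address", "").split(",")):
            net = ipaddress.ip_network(prefix, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append((name, "broad-allowed-address"))
                continue
            host = str(net.network_address)
            owners[host].append(name)
            lists = membership.get(host, set())
            if not lists:
                findings.append((name, "no-address-list"))
            elif len(lists) > 1:
                findings.append((name, "multiple-lists"))
    for host, names in owners.items():
        if len(names) > 1:
            findings.extend((n, "duplicate-address") for n in names)
    return findings


if __name__ == "__main__":
    for peer, finding in audit(SAMPLE_EXPORT):
        print(f"{peer}: {finding}")
```

Run it against the output of /export (after joining wrapped lines) whenever peers or lists change; a clean configuration returns an empty list, and any broad-allowed-address finding should be treated as a policy bypass rather than a tidiness issue.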

Conclusion

Combining WireGuard with VLAN filtering, per-peer address policy and RADIUS gives you enterprise‑grade remote access segmentation. Each remote user's traffic is confined to the right VLAN as soon as their peer or RADIUS account is created, much as if they were plugged into a switch port in that VLAN. This setup is ideal for MSPs, large organisations, and anyone using MikroRadius for centralised authentication.

Next steps: explore dynamic VLAN assignment with MAC authentication, or VLAN‑aware CAPsMAN for wireless. For deeper RADIUS integration, use MikroRadius's built‑in VLAN attribute editor.
