You want to run your OpenVPN server in bridged mode because you aren't supporting a lot of users. You're trading the slower performance of an Ethernet bridge for its ease of administration. You've made sure your VPN clients do not have conflicting addresses with your LAN.
First, make sure you have the bridge-utils package installed. Then, fetch the example bridge-start script. If your distribution does not include it, you'll find it in the OpenVPN source tarball, or online at OpenVPN.net (http://openvpn.net/bridge.html#linuxscript). Edit the first section to name your own bridge interface and TAP interface(s), and to set your physical interface's own IP address, netmask, and broadcast address:

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.10"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
Next, copy it to /usr/sbin/openvpn, along with bridge-stop, which needs no changes.
Now, change two lines in your server configuration, which we'll call /etc/openvpn/server-bridge.conf. Change

dev tun

to

dev tap0

then comment out your server and push lines, and replace them with this:

server-bridge 192.168.1.10 255.255.255.0 192.168.1.128 192.168.1.254

This configures server-bridge with your own gateway, netmask, client IP-range-start, and client IP-range-end.

VPN clients also need dev tun changed to dev tap0.
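Because bridged clients sit directly on the LAN, the pool in that server-bridge line has to lie inside the LAN subnet and stay clear of the gateway and of any addresses the LAN's own DHCP server hands out. The script below is an added example, not part of the original recipe or the OpenVPN distribution; it checks those conditions for the line above against an assumed LAN DHCP range of 192.168.1.100-192.168.1.127.

```shell
#!/bin/sh
# Added example (not from the original recipe): sanity-check the address
# plan of a server-bridge line before running bridge-start. It verifies
# that the client pool lies inside the bridge subnet, that start <= end,
# and that the pool contains neither the gateway nor the LAN DHCP range.

# Convert a dotted-quad IPv4 address to a 32-bit integer (POSIX sh only).
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_bridge_pool GATEWAY NETMASK POOL_START POOL_END [DHCP_START DHCP_END]
# Prints the first problem found and returns 1; returns 0 if the plan is sane.
check_bridge_pool() {
    gw=$(ip2int "$1");    mask=$(ip2int "$2")
    start=$(ip2int "$3"); end=$(ip2int "$4")
    net=$(( gw & mask ))
    # Both ends of the pool must share the gateway's network number.
    if [ $(( start & mask )) -ne "$net" ] || [ $(( end & mask )) -ne "$net" ]; then
        echo "pool $3-$4 is outside the subnet of $1/$2"; return 1
    fi
    if [ "$start" -gt "$end" ]; then
        echo "pool start $3 comes after pool end $4"; return 1
    fi
    # The server's own address must never be handed to a client.
    if [ "$gw" -ge "$start" ] && [ "$gw" -le "$end" ]; then
        echo "gateway $1 falls inside the client pool"; return 1
    fi
    # Optional: the LAN DHCP range and the VPN pool must not overlap.
    if [ $# -ge 6 ]; then
        dstart=$(ip2int "$5"); dend=$(ip2int "$6")
        if [ "$start" -le "$dend" ] && [ "$end" -ge "$dstart" ]; then
            echo "pool $3-$4 overlaps LAN DHCP range $5-$6"; return 1
        fi
    fi
    echo "ok: pool $3-$4 lies inside $1/$2 and clashes with nothing"
    return 0
}

# The recipe's server-bridge values, checked against an assumed LAN DHCP
# range of 192.168.1.100-192.168.1.127 (constructed for this example).
check_bridge_pool 192.168.1.10 255.255.255.0 192.168.1.128 192.168.1.254 \
    192.168.1.100 192.168.1.127
```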
To test it manually, run these commands:
# bridge-start
# openvpn /etc/openvpn/server-bridge.conf
Test your connectivity. You should see Samba shares and everything. When you're finished testing, hit Ctrl-C to stop OpenVPN, then run the bridge-stop script to tear down the bridge.
To make everything start and stop automatically, add these lines to server-bridge.conf:
up /usr/sbin/openvpn/bridge-start
down /usr/sbin/openvpn/bridge-stop
If you have an iptables firewall, use these rules to move VPN traffic across the bridge:
$ipt -A INPUT -i tap0 -j ACCEPT
$ipt -A INPUT -i br0 -j ACCEPT
$ipt -A FORWARD -i br0 -j ACCEPT
Ethernet bridging is simpler than routing in some ways, but you pay a performance penalty because broadcast traffic crosses your bridge from both sides. It works fine for smaller networks, and saves a bit of routing hassle.
man 8 openvpn
OpenVPN How-to: http://openvpn.net/howto.html