Ethernet bridgingessentially involves combining an ethernet interface with one or more virtual TAP interfaces and bridging them together under the umbrella of a single bridge interface. Ethernet bridges represent the software analog to a physical ethernet switch. The ethernet bridge can be thought of as a kind of software switch which can be used to connect multiple ethernet interfaces (either physical or virtual) on a single machine while sharing a single IP subnet.
By bridging a physical ethernet NIC with an OpenVPN-driven TAP interface at two separate locations, it is possible to logically merge both ethernet networks, as if they were a single ethernet subnet.
Bridging Setup
This example will guide you in configuring an OpenVPN server-side ethernet bridge. Multiple clients will be able to connect to the bridge, and each client's TAP interface will be assigned an IP address that is part of the server's LAN.
There are two methods for handling client IP address allocation:
- Let OpenVPN manage its own client IP address pool using theserver-bridgedirective, or
- configure the DHCP server on the LAN to also grant IP address leases to VPN clients.
In this example, we will use the first method where the OpenVPN server manages its own IP address pool on the LAN subnet, separate from the pool used by the DHCP server (if one exists). Both methods are described more fully in thisFAQ item.
For our example, we will use these bridge settings:
| Setting | bridge-startparameter | Value |
| Ethernet Interface | eth | eth0 |
| Local IP Address | ip | 192.168.8.4 |
| Local Netmask | eth_netmask | 255.255.255.0 |
| Local Broadcast Address | eth_broadcast | 192.168.8.255 |
| VPN client address pool | 192.168.8.128 to 192.168.8.254 | |
| Virtual Bridge Interface | br | br0 |
| Virtual TAP Interface | tap | tap0 |
The first step is to follow theHOWTOup to the "Starting up the VPN and testing for initial connectivity" section. Next, proceed below according to whether you are setting up the bridge on Linux or Windows.
Bridge Server on Linux
First, make sure you have thebridge-utilspackage installed.
Edit thebridge-startscript below. Set thebr,tap,eth,eth_ip,eth_netmask, andeth_broadcastparameters according to the physical ethernet interface you would like to bridge. Make sure to use an interface which is private and which is connected to a LAN which is protected from the internet by a firewall. You can use the Linuxifconfigcommand to get the necessary information about your network interfaces to fill in thebridge-startparameters.
Now run thebridge-startscript. It will create a persistenttap0interface and bridge it with the active ethernet interface.
Next, we will edit theOpenVPN server configuration fileto enable a bridging configuration.
Comment out the line which saysdev tunand replace it instead with:
dev tap0
Comment out the line that begins withserverand replace it with:
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
iptables -A INPUT -i tap0 -j ACCEPTiptables -A INPUT -i br0 -j ACCEPTiptables -A FORWARD -i br0 -j ACCEPT
The OpenVPN bridge can now be started and stopped using this sequence::
- runbridge-start
- run openvpn
- stop openvpn
- runbridge-stop
At this point, the bridging-specific aspects of the configuration are complete, and you cancontinue where you left off in the HOWTO.
Bridge Server on Windows XP
This configuration requires Windows XP or higher on the bridge side. To my knowledge, Windows 2000 does not support bridging, however a Windows 2000 machine can be a client on a bridged network, where the other end of the OpenVPN connection where the bridging is occurring is a Linux or Windows XP machine.
When OpenVPN is installed on Windows, it automatically creates a single TAP-Win32 adapter which will be assigned a name like "Local Area Connection 2". Go to the Network Connections control panel and rename it to "tap-bridge".
Next selecttap-bridgeand your ethernet adapter with the mouse, right click, and selectBridge Connections. This will create a newbridge adaptericon in the control panel.
Set the TCP/IP properties on the bridge adapter to an IP of 192.168.8.4 and a subnet mask of 255.255.255.0.
Next, edit theOpenVPN server configuration fileto enable a bridging configuration.
Comment out the line which saysdev tunand replace it instead with:
dev tapdev-node tap-bridge
Comment out the line that begins withserverand replace it with:
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
At this point, the bridging-specific aspects of the configuration are complete, and you cancontinue where you left off in the HOWTO.
Bridge Client configuration
Use thesample OpenVPN client configurationas a starting point. Comment out the line which saysdev tunand replace it instead with:
dev tap
Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that theproto(udp or tcp) directives are consistent. Also make sure thatcomp-lzoandfragment, if used, are present in both client and server config files.
Ethernet Bridging Notes
When using an ethernet bridging configuration, the first step is to construct the ethernet bridge -- a kind of virtual network interface which is a container for other ethernet interfaces, either real as in physical NICs or virtual as in TAP interfaces. The ethernet bridge interface must be set up before OpenVPN is actually started.
There is no portable method for generating an ethernet bridge interface -- each OS has its own method (see below for examples).
Once the bridge interface has been created, and appropriate ethernet interfaces have been added to it, OpenVPN may be started.
- A bridge interface is a kind of virtual network interface which is formed by combining one or more ethernet interfaces, each of which may be a physical NIC or a virtual TAP interface used for VPN tunneling.
- When you set up an ethernet bridge, you should manually set the IP address and subnet of the bridge interface and not use anifconfigdirective in the OpenVPN config. This is because unlike a TUN/TAP interface, OpenVPN cannot programmatically set the IP address and netmask of a bridge interface.
- The OpenVPN config should specify the TAP interface component of the bridge interface in itsdevdirective, not the name of the bridge interface itself.
- On Windows, use thedev-nodedirective to name the TAP-Win32 adapter which was added to the bridge (thedev-nodename refers to the adapter name as shown in the Network Connections panel).
- On Linux/BSD/Unix, for thedev tapdirective, use the explicit TUN/TAP unit number which you added to the bridge such asdev tap0.
- If you are running OpenVPN in point-to-point mode, omit anifconfigdirective, and if you are using client/server mode, use theserver-bridgedirective on the server.
- When bridging, you must manually set the TCP/IP settings on the bridge interface. For example on Linux, this can be done with anifconfigcommand while on Windows XP it can be done by setting the TCP/IP properties of the bridge interface in the Network Connections panel (the Network Connections panel on Windows XP and higher allows for point-and-click bridging).
- Make sure to only bridge TAP interfaces with private ethernet interfaces which are protected behind a firewall. Never bridge a TAP interface with the same ethernet interface you use to connect to the internet, as that would create a potential security hole.
- The addresses used forlocalandremoteshould not be part of the bridged subnet -- otherwise you will end up with a routing loop.
- An important point to understand with Ethernet bridging is that each network interface which is added to the bridge will lose its individual identity in terms of specific settings such as IP address and netmask. Only the TCP/IP settings of the bridge interface itself will be relevent.
- A common mistake that people make when manually configuring an Ethernet bridge is that they add their primary ethernet adapter to the bridge before they have set the IP and netmask of the bridge interface. The result is that the primary ethernet interface "loses" its settings, but the equivalent bridge interface settings have not yet been defined, so the net effect is a loss of connectivity on the ethernet interface.
- In most cases, it is possible to set up a usable bridge configuration with the ethernet-bridge itself only configured on the server side, not the client side. If this is done, the client machines will becomemulti-homedwhen they connect to the server, i.e. they will still have their regular ethernet interface, but upon connection to the OpenVPN server, they will now have a new TAP interface which is bridged with the server's ethernet interface (and possibly all of the TAP interfaces of other connecting clients as well if theclient-to-clientdirective is used on the server).
Notes -- Ethernet Bridging on Windows
TheWindows Notespage has additional information on ethernet bridging.
Notes -- Ethernet Bridging on Linux, Setup Scripts
These scripts will handle bridge setup and shutdown on Linux. They are available in thesample-scriptssubdirectory of the OpenVPN tarball.
sample-scripts/bridge-start
#!/bin/bash################################## Set up Ethernet bridge on Linux# Requires: bridge-utils################################## Define Bridge Interfacebr="br0"# Define list of TAP interfaces to be bridged,# for example tap="tap0 tap1 tap2".tap="tap0"# Define physical ethernet interface to be bridged# with TAP interface(s) above.eth="eth0"eth_ip="192.168.8.4"eth_netmask="255.255.255.0"eth_broadcast="192.168.8.255"for t in $tap; do openvpn --mktun --dev $tdonebrctl addbr $brbrctl addif $br $ethfor t in $tap; do brctl addif $br $tdonefor t in $tap; do ifconfig $t 0.0.0.0 promisc updoneifconfig $eth 0.0.0.0 promisc upifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
sample-scripts/bridge-stop
#!/bin/bash##################################### Tear Down Ethernet bridge on Linux##################################### Define Bridge Interfacebr="br0"# Define list of TAP interfaces to be bridged togethertap="tap0"ifconfig $br downbrctl delbr $brfor t in $tap; do openvpn --rmtun --dev $tdone
