Bridging Overview
See FAQ for an overview
of Routing vs. Ethernet Bridging.
Ethernet bridging essentially involves combining an ethernet
interface with one or more virtual TAP interfaces and bridging
them together under the umbrella of a single bridge interface.
Ethernet bridges represent the software analog to a physical
ethernet switch.
The ethernet bridge can be thought of as a kind of software switch
which can be used to connect multiple ethernet interfaces (either physical
or virtual) on a single
machine while sharing a single IP subnet.
By bridging a physical ethernet NIC with an OpenVPN-driven
TAP interface at two separate locations, it is possible to logically
merge both ethernet networks, as if they were a single ethernet subnet.
Bridging Setup
This example will guide you in configuring an OpenVPN server-side
ethernet bridge. Multiple clients will be able to connect to the bridge,
and each client's TAP interface will be assigned an IP address that is
part of the server's LAN.
There are two methods for handling client IP address allocation:
- Let OpenVPN manage its own client IP address pool using the server-bridge directive, or
- configure the DHCP server on the LAN to also grant IP address leases to VPN clients.
In this example, we will use the first method where the OpenVPN server manages
its own IP address pool on the LAN subnet, separate from the pool used by the DHCP
server (if one exists). Both methods are described more fully in this
FAQ item.
For our example, we will use these bridge settings:
| Setting | bridge-start parameter | Value |
|---|---|---|
| Ethernet Interface | eth | eth0 |
| Local IP Address | eth_ip | 192.168.8.4 |
| Local Netmask | eth_netmask | 255.255.255.0 |
| Local Broadcast Address | eth_broadcast | 192.168.8.255 |
| VPN client address pool | | 192.168.8.128 to 192.168.8.254 |
| Virtual Bridge Interface | br | br0 |
| Virtual TAP Interface | tap | tap0 |
The first step is to follow the
HOWTO up to the "Starting up
the VPN and testing for initial connectivity" section.
Next, proceed below according to whether
you are setting up the bridge on Linux or Windows.
Bridge Server on Linux
First, make sure you have the bridge-utils package installed.
Edit the bridge-start script below. Set the
br, tap, eth, eth_ip, eth_netmask, and eth_broadcast
parameters according to the physical ethernet interface you would
like to bridge. Make sure to use an interface which is private and which is
connected to a LAN which is protected from the internet by a firewall.
You can use the Linux ifconfig command to get the necessary information
about your network interfaces to fill in the bridge-start parameters.
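The warning above (bridge only a private, firewalled LAN interface, never the one that reaches the internet) can be checked before bridge-start is run. The following is an added example, not part of the OpenVPN page or its sample scripts: it parses the text of `ip route show` (a constructed sample is embedded; on a real host you would pass the command's actual output), refuses an interface that carries the default route, checks that the eth_ip/eth_netmask values match what is actually configured on that interface, and checks that the subnet is an RFC 1918 range. The interface names and addresses in the sample are assumptions made for the example.

```python
import ipaddress

# Constructed sample of `ip route show` output for the example; it is not
# captured from a real host. eth0 is the private LAN (the page's
# 192.168.8.0/24), eth1 holds the default route to the internet.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth1 proto static
192.168.8.0/24 dev eth0 proto kernel scope link src 192.168.8.4
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.10
"""

# RFC 1918 private ranges; the bridged LAN should live in one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(route_text):
    """Split `ip route show` text into (default_route_devs, link_routes).

    link_routes maps an interface name to a list of (network, src) pairs
    taken from its directly connected routes; src may be None.
    """
    default_devs = set()
    link_routes = {}
    for line in route_text.splitlines():
        parts = line.split()
        if "dev" not in parts:
            continue
        dev = parts[parts.index("dev") + 1]
        if parts[0] == "default":
            default_devs.add(dev)
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # not a prefix route (e.g. "unreachable ..."); ignore it
        src = parts[parts.index("src") + 1] if "src" in parts else None
        link_routes.setdefault(dev, []).append((net, src))
    return default_devs, link_routes


def check_bridge_candidate(eth, eth_ip, eth_netmask, route_text):
    """Return a list of reasons not to bridge `eth` with these bridge-start
    parameters; an empty list means the values look safe and consistent."""
    problems = []
    default_devs, link_routes = parse_routes(route_text)
    if eth in default_devs:
        problems.append(f"{eth} carries the default route: it faces the internet, do not bridge it")
    routes = link_routes.get(eth, [])
    if not routes:
        problems.append(f"{eth} has no connected route; is it up and configured?")
        return problems
    wanted = ipaddress.ip_network(f"{eth_ip}/{eth_netmask}", strict=False)
    if not any(net == wanted for net, _ in routes):
        problems.append(f"{eth} is not on {wanted}; eth_ip/eth_netmask do not match the host")
    if not any(src == eth_ip for _, src in routes):
        problems.append(f"{eth_ip} is not the address currently configured on {eth}")
    if not any(wanted.subnet_of(private) for private in RFC1918):
        problems.append(f"{wanted} is not an RFC 1918 private range")
    return problems


if __name__ == "__main__":
    # On a real host, pass the live output instead of SAMPLE_ROUTES, e.g.
    # subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout
    # (requires `import subprocess`).
    for iface, ip in (("eth0", "192.168.8.4"), ("eth1", "203.0.113.10")):
        print(iface, check_bridge_candidate(iface, ip, "255.255.255.0", SAMPLE_ROUTES) or "ok")
```

Run it with the parameters you intend to put into bridge-start; anything it reports is a reason to stop and re-check the interface choice before the bridge is created, because once eth is added to the bridge it loses its own settings.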
Now run the bridge-start script. It will create a persistent tap0
interface and bridge it with the active ethernet interface.
Next, we will edit the
OpenVPN server configuration file
to enable a bridging configuration.
Comment out the line which says dev tun and replace it instead
with:
dev tap0
Comment out the line that begins with server and replace it with:
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
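A sanity check for the server-bridge line, added here as an example and not part of the OpenVPN page or project: it parses the directive, confirms that both pool endpoints lie in the subnet given by the netmask and are neither the network, broadcast nor gateway address, and optionally confirms that the pool does not overlap the LAN DHCP server's lease range, which is the separation the setup above relies on. The DHCP range passed in the demo is a value constructed for the example.

```python
import ipaddress


def validate_server_bridge(directive, dhcp_range=None):
    """Check a 'server-bridge GATEWAY NETMASK POOL_START POOL_END' line.

    Returns a list of human-readable problems; an empty list means the
    directive is internally consistent. dhcp_range, if given, is a
    (first, last) pair of address strings describing the LAN DHCP server's
    lease range, which the OpenVPN client pool must not overlap.
    """
    parts = directive.split()
    if len(parts) != 5 or parts[0] != "server-bridge":
        return ["expected: server-bridge <gateway> <netmask> <pool-start> <pool-end>"]
    try:
        gateway = ipaddress.ip_address(parts[1])
        # The gateway/netmask pair defines the bridged LAN subnet.
        lan = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        pool_start = ipaddress.ip_address(parts[3])
        pool_end = ipaddress.ip_address(parts[4])
    except ValueError as exc:
        return [f"unparseable address: {exc}"]

    problems = []
    if pool_start > pool_end:
        problems.append(f"pool start {pool_start} is after pool end {pool_end}")
    for label, addr in (("pool start", pool_start), ("pool end", pool_end)):
        if addr not in lan:
            problems.append(f"{label} {addr} lies outside the bridged subnet {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {lan}")
    if pool_start <= gateway <= pool_end:
        problems.append(f"gateway {gateway} falls inside the client pool")
    if dhcp_range is not None:
        dhcp_first = ipaddress.ip_address(dhcp_range[0])
        dhcp_last = ipaddress.ip_address(dhcp_range[1])
        # Two inclusive ranges overlap when the later start is not past the earlier end.
        if max(pool_start, dhcp_first) <= min(pool_end, dhcp_last):
            problems.append(
                f"client pool {pool_start}-{pool_end} overlaps DHCP range "
                f"{dhcp_first}-{dhcp_last}"
            )
    return problems


if __name__ == "__main__":
    page_line = "server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254"
    # Constructed DHCP lease range for the demo; read yours from the DHCP server config.
    print(validate_server_bridge(page_line, dhcp_range=("192.168.8.100", "192.168.8.127")) or "ok")
    print(validate_server_bridge(page_line, dhcp_range=("192.168.8.100", "192.168.8.200")))
    print(validate_server_bridge("server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.255"))
```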
Now set up the Linux firewall to permit packets to flow freely
over the newly created tap0 and br0 interfaces:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
The OpenVPN bridge can now be started and stopped using this sequence:
- run bridge-start
- run openvpn
- stop openvpn
- run bridge-stop
At this point, the bridging-specific aspects of the configuration are complete,
and you can continue where you left off in the HOWTO.
Bridge Server on Windows XP
This configuration requires Windows XP or higher on
the bridge side. To my knowledge, Windows 2000 does not
support bridging; however, a Windows 2000 machine can be
a client on a bridged network where the other end of
the OpenVPN connection, where the bridging is occurring,
is a Linux or Windows XP machine.
When OpenVPN is installed
on Windows, it automatically creates a single TAP-Win32 adapter
which will be assigned a name like "Local Area Connection 2".
Go to the Network Connections control panel and rename it
to "tap-bridge".
Next select tap-bridge and your ethernet adapter with the mouse,
right click, and select Bridge Connections. This will
create a new bridge adapter icon in the control panel.
Set the TCP/IP properties on the bridge adapter to an IP
of 192.168.8.4 and a subnet mask of 255.255.255.0.
Next, edit the
OpenVPN server configuration file
to enable a bridging configuration.
Comment out the line which says dev tun and replace it instead
with:
dev tap
dev-node tap-bridge
Comment out the line that begins with server and replace it with:
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
If you are running XP SP2, go to the firewall control panel, and
disable firewall filtering on the bridge and TAP adapters.
At this point, the bridging-specific aspects of the configuration are complete,
and you can continue where you left off in the HOWTO.
Bridge Client configuration
Use the sample OpenVPN client configuration
as a starting point. Comment out the line which says dev tun and replace it instead
with:
dev tap
Finally, ensure that the client configuration file is consistent with
the directives used in the server configuration. The major thing to check
for is that the proto (udp or tcp)
directives are consistent. Also make sure that comp-lzo
and fragment, if used, are present
in both client and server config files.
Ethernet Bridging Notes
When using an ethernet bridging configuration, the first
step is to construct the ethernet bridge -- a
kind of virtual network interface which is a container for
other ethernet interfaces, either real as in physical NICs or virtual
as in TAP interfaces. The ethernet bridge interface must be set up
before OpenVPN is actually started.
There is no portable method for generating an ethernet bridge
interface -- each OS has its own method (see below for examples).
Once the bridge interface has been created, and appropriate ethernet
interfaces have been added to it, OpenVPN may be started.
- A bridge interface is a kind of virtual network
interface which is formed by combining one or
more ethernet interfaces, each of which may be a physical NIC or
a virtual TAP interface used for VPN tunneling.
- When you set up an ethernet bridge, you should
manually set the IP address and subnet of the bridge
interface and not use an ifconfig directive
in the OpenVPN config. This is because unlike
a TUN/TAP interface, OpenVPN
cannot programmatically set the
IP address and netmask of a bridge interface.
- The OpenVPN config should specify the TAP interface component
of the bridge interface in its dev directive, not the
name of the bridge interface itself.
- On Windows, use the dev-node directive to name
the TAP-Win32 adapter which was added to the bridge (the
dev-node name refers to the adapter name as shown
in the Network Connections panel).
- On Linux/BSD/Unix, for the dev tap directive,
use the explicit TUN/TAP unit number which you added to the bridge
such as dev tap0.
- If you are running OpenVPN in point-to-point mode,
omit an ifconfig directive, and if you are using
client/server mode, use the server-bridge directive
on the server.
- When bridging, you must manually set the
TCP/IP settings on the bridge interface. For example on
Linux, this can be done with an ifconfig command
while on Windows XP it can be done by setting the TCP/IP properties
of the bridge interface in the Network Connections panel
(the Network Connections panel on Windows XP and higher allows
for point-and-click bridging).
- Make sure to only bridge TAP interfaces with
private ethernet interfaces which are protected behind a firewall.
Never bridge a TAP
interface with the same ethernet interface you
use to connect to the internet, as that would create
a potential security hole.
- The addresses used for local and remote
should not be part of the bridged subnet -- otherwise you will end
up with a routing loop.
- An important point to understand with Ethernet bridging
is that each network interface which is added to the bridge will
lose its individual identity in terms of specific settings
such as IP address and netmask. Only the TCP/IP settings
of the bridge interface itself will be relevant.
- A common mistake that people make when manually configuring
an Ethernet bridge is that they add their primary ethernet
adapter to the bridge before they have set the IP and netmask
of the bridge interface. The result is that the primary ethernet
interface "loses" its settings, but the equivalent bridge interface
settings have not yet been defined, so the net effect is a loss
of connectivity on the ethernet interface.
- In most cases, it is possible to set up a usable bridge configuration
with the ethernet-bridge itself only configured on the server side, not
the client side. If this is done, the client machines will become
multi-homed when they connect to the server, i.e. they will still
have their regular ethernet interface, but upon connection to the OpenVPN
server, they will now have a new TAP interface which is bridged
with the server's ethernet interface (and possibly all of the
TAP interfaces of other connecting clients as well if the
client-to-client directive is used on the server).
Notes -- Ethernet Bridging on Windows
Check out this HOWTO by Adam Pavelec.
The Windows Notes page has additional
information on ethernet bridging.
Notes -- Ethernet Bridging on Linux, Setup Scripts
These scripts will handle bridge setup and shutdown
on Linux. They
are available in the sample-scripts subdirectory of
the OpenVPN tarball.
sample-scripts/bridge-start
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.8.4"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.8.255"
# Create the persistent TAP device(s) OpenVPN will attach to.
for t in $tap; do
    openvpn --mktun --dev $t
done
# Create the bridge and add the physical interface and the TAP device(s).
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
# Bring the member interfaces up with no address of their own;
# only the bridge interface carries the LAN address.
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
# Assign the LAN settings to the bridge itself.
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
sample-scripts/bridge-stop
#!/bin/bash
####################################
# Tear Down Ethernet bridge on Linux
####################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
# Take the bridge down and delete it, then remove the TAP device(s).
ifconfig $br down
brctl delbr $br
for t in $tap; do
    openvpn --rmtun --dev $t
done
Copyright © 2002-2006 by OpenVPN Solutions LLC
<info@openvpn.net>.
OpenVPN is a trademark of OpenVPN Solutions LLC.