
Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients

  • Subject: Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients
  • From: Pasada Khumprakob <khumprp@xxxxxxxxxxx>
  • Date: Thu, 30 Aug 2007 17:28:58 -0400
  • Importance: Normal

Well, let's see.... Here's the setup (note the IPs are changed for security). These 201 range IPs are actual real routable internet IP addresses, not a LAN subnet. The server is connected to the LAN with IP assigned to it, and that is accessible from the internet, and that is the machine's normal address as well. The gateway is The firewall on the LAN is allowing in/out access to this server, so when the client connects it will connect to on port 9999.
I have - 245 allocated for everything VPN. The client IP will be, the TAP0 on the server will be If the clients are connecting to TAP0, should I bridge TAP0 with the ETH0 OpenVPN connection IP?

> Date: Thu, 30 Aug 2007 13:56:00 -0700
> From: dmiller@xxxxxxxxx
> To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] Bridging Setup on Linux w/ Windows Clients
> Pasada Khumprakob wrote:
> > Hi Daniel -
> >
> > Thank you very much for helping me. I am actually using CentOS, but
> > should be able to figure out the bridging information from what you
> > gave me. Let me run this by you so I'm sure I got this right.... My
> > server should have 1 ETH0 physical NIC that has my
> > 'public' IP address, and two virtual TAP addresses?
> Nope. The number of "physical" NICs is irrelevant. It's quite
> possible to have a server with a single physical NIC, but have multiple
> logical NICs with different addresses on it.
> I'm going to assume you have a LAN, that this server is connected to.
> That LAN should be using a private address space, such as 192.168.x.x.
> If you DON'T have a LAN, and just have the one server connected directly
> to the Internet, you need to create one.
> If you have one NIC, configure it as:
> auto eth0
> iface eth0 inet static
> address
> netmask
> broadcast
> network
> auto eth0:0
> iface eth0:0 inet static
> address
> netmask
> broadcast
> network
> gateway <whatever your gateway IP is, is it>
> After you've done that, your system should still have full internet
> function (no VPN yet). Have to get this far before you continue. Then
> re-do it for a bridging config:
> auto br0
> iface br0 inet static
> address
> etc. etc. - with all the pre-up/post-down stuff
> auto br0:0
> iface br0:0 inet static
> address
> etc. etc. - no pre-up/post-down stuff needed here.
> Then in the openvpn server config, specify in the local
> directive.
> >
> > So, and please bear with me, I am new to this.... Can you please
> > explain further how the TAP devices are used? Specifically, when they
> > should be created, what connects to them, and what they are bridged
> > with? I think I'm over-complicating this...
> This is the critical concept in bridging VPNs. You create a (virtual)
> point of connection for the external clients - a TAP device. Then you
> join that connection to your INTERNAL connection - so it appears to the
> external clients that they are on the same physical network as your
> LAN. That's the bridge. The openvpn client speaks with the openvpn
> server, and each openvpn instance passes along information to/from the
> TAP or TUN devices. From a networking config point of view, the TAP
> device on the client speaks with the TAP device on the server. Behind
> the scenes, openvpn talks across the Internet (typically) using the
> external NICs of the client and server - then magically translates that
> info to the TAPs.
> BTW - unless asked to communicate off-list, try to keep your question
> on-list. That way everyone can listen/learn - and archive search -
> these golden nuggets of misinformation <g>.
> --
> Daniel
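
The bridging sequence described in the quoted reply (create a TAP device, join it to the LAN-facing interface, move the address onto the bridge), as an added example that is not part of the original thread. It uses iproute2 commands rather than the Debian interfaces file so it also applies to CentOS; the interface names and 192.168.8.x addresses are constructed sample values, not the poster's.

```shell
#!/bin/sh
# Added example: the bridge bring-up as iproute2 commands (any distribution).
# All names and addresses are constructed sample values; override via env.
BR=${BR:-br0}                    # bridge that takes over the LAN address
TAP=${TAP:-tap0}                 # attachment point for the VPN clients
ETH=${ETH:-eth0}                 # LAN-facing NIC
LAN_ADDR=${LAN_ADDR:-192.168.8.4/24}
GATEWAY=${GATEWAY:-192.168.8.1}

# Print the commands in the order they must run.
bridge_plan() {
    # Persistent TAP device; the server config then uses "dev tap0".
    echo "ip tuntap add dev $TAP mode tap"
    # Bridge the TAP with the LAN NIC.
    echo "ip link add name $BR type bridge"
    echo "ip link set dev $ETH master $BR"
    echo "ip link set dev $TAP master $BR"
    # Members carry no address; flushing also drops the default route.
    echo "ip addr flush dev $ETH"
    echo "ip link set dev $ETH up"
    echo "ip link set dev $TAP up"
    # The LAN address and default route now live on the bridge.
    echo "ip addr add $LAN_ADDR brd + dev $BR"
    echo "ip link set dev $BR up"
    echo "ip route add default via $GATEWAY dev $BR"
}

# Dry run by default; APPLY=1 (as root, from the console, not over SSH
# through $ETH) executes each command and stops at the first failure.
bridge_up() {
    bridge_plan | while read -r cmd; do
        echo "+ $cmd"
        [ "${APPLY:-0}" = 1 ] || continue
        $cmd || exit 1
    done
}

bridge_up
```

Run as-is it only prints the plan; the OpenVPN server's `local` directive then points at the address that ended up on the bridge.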