Ethernet Bridging
Ethernet bridging combines an ethernet interface with one or more virtual TAP interfaces under a single bridge interface. An ethernet bridge is the software analog of a physical ethernet switch: it connects multiple ethernet interfaces (physical or virtual) on a single machine so that they all share one IP subnet.
By bridging a physical ethernet NIC with an OpenVPN-driven TAP interface at two separate locations, it is possible to logically merge both ethernet networks, as if they were a single ethernet subnet.
Bridging Setup
This example will guide you in configuring an OpenVPN server-side ethernet bridge. Multiple clients will be able to connect to the bridge, and each client's TAP interface will be assigned an IP address that is part of the server's LAN.
There are two methods for handling client IP address allocation:
- Let OpenVPN manage its own client IP address pool using the server-bridge directive, or
- configure the DHCP server on the LAN to also grant IP address leases to VPN clients.
In this example, we will use the first method where the OpenVPN server manages its own IP address pool on the LAN subnet, separate from the pool used by the DHCP server (if one exists). Both methods are described more fully in this FAQ item.
For our example, we will use these bridge settings:
Setting                  | bridge-start parameter        | Value
Ethernet Interface       | eth                           | eth0
Local IP Address         | eth_ip                        | 192.168.8.4
Local Netmask            | eth_netmask                   | 255.255.255.0
Local Broadcast Address  | eth_broadcast                 | 192.168.8.255
VPN client address pool  | (none; set by server-bridge)  | 192.168.8.128 to 192.168.8.254
Virtual Bridge Interface | br                            | br0
Virtual TAP Interface    | tap                           | tap0
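As an added example (not part of the OpenVPN documentation or its sample scripts), the following bash functions check a candidate client pool against the LAN settings in the table above before it goes into a server-bridge directive: the pool must lie inside the subnet, must exclude the network and broadcast addresses and the server's own address, and must not overlap the LAN DHCP range, since the page's first method keeps the two pools separate. The DHCP range 192.168.8.100 to 192.168.8.127 used in the sample call is an assumed value chosen for illustration; substitute the range your DHCP server actually hands out.

```shell
#!/bin/bash
# Added example: validate an OpenVPN server-bridge client pool against the
# LAN it will be bridged into. Not an OpenVPN script; the DHCP range below
# is an assumed value for the LAN's DHCP server.

# dotted quad -> 32-bit integer (bash arithmetic is 64-bit, so no overflow)
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_pool ETH_IP NETMASK POOL_START POOL_END [DHCP_START DHCP_END]
# Prints "ok" and returns 0, or prints a one-line reason and returns 1.
check_pool() {
    local ip mask start end dstart dend net bcast
    ip=$(ip2int "$1");    mask=$(ip2int "$2")
    start=$(ip2int "$3"); end=$(ip2int "$4")
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ 0xFFFFFFFF) ))

    if [ "$start" -gt "$end" ]; then
        echo "pool start $3 is after pool end $4"; return 1
    fi
    # the pool must sit strictly inside the LAN: no network or broadcast address
    if [ "$start" -le "$net" ] || [ "$end" -ge "$bcast" ]; then
        echo "pool $3-$4 is not inside $1/$2 (network or broadcast address included)"; return 1
    fi
    # the bridge's own address must never be handed to a client
    if [ "$ip" -ge "$start" ] && [ "$ip" -le "$end" ]; then
        echo "server address $1 falls inside the client pool"; return 1
    fi
    # optional: OpenVPN's pool and the LAN DHCP pool must not overlap
    if [ $# -ge 6 ]; then
        dstart=$(ip2int "$5"); dend=$(ip2int "$6")
        if [ "$start" -le "$dend" ] && [ "$end" -ge "$dstart" ]; then
            echo "pool $3-$4 overlaps the LAN DHCP range $5-$6"; return 1
        fi
    fi
    echo ok
}

# Print the server-bridge directive only for a pool that passes the checks.
server_bridge_directive() {
    local verdict
    verdict=$(check_pool "$@") || { echo "$verdict" >&2; return 1; }
    echo "server-bridge $1 $2 $3 $4"
}

# Constructed sample run: the table's values plus the assumed DHCP range.
server_bridge_directive 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254 \
    192.168.8.100 192.168.8.127
```

The sample run prints the exact server-bridge line used later on this page; change the pool to overlap the DHCP range, or to end at .255, and the function refuses and explains why instead.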
The first step is to follow the HOWTO up to the "Starting up the VPN and testing for initial connectivity" section. Next, proceed below according to whether you are setting up the bridge on Linux or Windows.
Bridge Server on Linux
First, make sure you have the bridge-utils package installed.
Edit the bridge-start script below. Set the br, tap, eth, eth_ip, eth_netmask, and eth_broadcast parameters according to the physical ethernet interface you would like to bridge. Make sure to use an interface which is private and which is connected to a LAN that is protected from the internet by a firewall. You can use the Linux ifconfig command (or ip addr) to get the information about your network interfaces needed to fill in the bridge-start parameters.
Now run the bridge-start script. It will create a persistent tap0 interface and bridge it with the ethernet interface named in eth. Because the script removes the IP address from that physical interface and moves it to br0, run it from the console rather than over an SSH session arriving on that interface.
Next, we will edit the OpenVPN server configuration file to enable a bridging configuration.
Comment out the line which says dev tun and replace it instead with:
dev tap0
Comment out the line that begins with server and replace it with:
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
The four arguments are the bridge's own address (used as the clients' gateway), the LAN netmask, and the first and last address of the pool OpenVPN will hand to clients.
Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
Note that frames switched between tap0 and eth0 inside the bridge are forwarded at layer 2 and only traverse the iptables FORWARD chain when the br_netfilter module is loaded (net.bridge.bridge-nf-call-iptables=1); otherwise filtering between bridge members is done with ebtables or the nftables bridge family. These rules accept everything; once connectivity is confirmed, tighten them to what the VPN clients actually need.
The OpenVPN bridge can now be started and stopped using this sequence:
At this point, the bridging-specific aspects of the configuration are complete, and you can continue where you left off in the HOWTO.
Bridge Server on Windows XP
This configuration requires Windows XP or higher on the bridge side. To my knowledge, Windows 2000 does not support bridging; however, a Windows 2000 machine can be a client on a bridged network where the other end of the OpenVPN connection, where the bridging is occurring, is a Linux or Windows XP machine.
When OpenVPN is installed on Windows, it automatically creates a single TAP-Win32 adapter, which will be assigned a name like "Local Area Connection 2". Go to the Network Connections control panel and rename it to "tap-bridge".
Next, select tap-bridge and your ethernet adapter with the mouse, right-click, and select Bridge Connections. This will create a new bridge adapter icon in the control panel. Set the TCP/IP properties on the bridge adapter to an IP of 192.168.8.4 and a subnet mask of 255.255.255.0.
Next, edit the OpenVPN server configuration file to enable a bridging configuration. Comment out the line which says dev tun and replace it instead with:
dev tap
dev-node tap-bridge
Comment out the line that begins with server and replace it with:
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
If you are running XP SP2, go to the Windows Firewall control panel and disable firewall filtering on the bridge and TAP adapters. Be aware that this leaves the bridge host open to all traffic from the LAN and from VPN clients alike, and that bridging makes every connected client a full member of the LAN's layer-2 segment, so control who can join with strong client authentication (the certificates from the HOWTO) rather than relying on the host firewall.
At this point, the bridging-specific aspects of the configuration are complete, and you can continue where you left off in the HOWTO.
Bridge Client Configuration
Use the sample OpenVPN client configuration as a starting point. Comment out the line which says dev tun and replace it instead with:
dev tap
Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files.
Ethernet Bridging Notes
When using an ethernet bridging configuration, the first step is to construct the ethernet bridge: a kind of virtual network interface which acts as a container for other ethernet interfaces, either real (physical NICs) or virtual (TAP interfaces). The ethernet bridge interface must be set up before OpenVPN is actually started.
There is no portable method for generating an ethernet bridge interface -- each OS has its own method (see below for examples). Once the bridge interface has been created, and appropriate ethernet interfaces have been added to it, OpenVPN may be started.
Notes -- Ethernet Bridging on Windows
The Windows Notes page has additional information on ethernet bridging.
Notes -- Ethernet Bridging on Linux, Setup Scripts
These scripts will handle bridge setup and shutdown on Linux. They are available in the sample-scripts subdirectory of the OpenVPN tarball.
sample-scripts/bridge-start
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.8.4"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.8.255"
# Create persistent TAP interface(s) for OpenVPN to use
for t in $tap; do
    openvpn --mktun --dev $t
done
# Create the bridge and add the physical and TAP interfaces to it
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
# Bridge members carry no address of their own; the LAN address moves to the bridge
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
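The same bridge construction expressed with iproute2, as an added example rather than OpenVPN's own script: brctl (bridge-utils) and ifconfig (net-tools) are no longer shipped by many current distributions, while ip link and ip tuntap are. It assumes the table's settings; eth_addr carries the prefix length (/24 is the CIDR form of 255.255.255.0) because ip(8) takes addresses that way, and DRY_RUN is a variable introduced here so the generated commands can be reviewed without root before they are run for real.

```shell
#!/bin/bash
# Added example: bridge-start/bridge-stop with iproute2 instead of
# brctl and ifconfig. Not an OpenVPN script. Usage (as root):
#   ./bridge.sh start | stop        DRY_RUN=1 ./bridge.sh start  (print only)

br="br0"
tap="tap0"                      # space-separated list, e.g. "tap0 tap1"
eth="eth0"
eth_addr="192.168.8.4/24"       # 192.168.8.4 with netmask 255.255.255.0
eth_broadcast="192.168.8.255"

# Execute the command, or just print it when DRY_RUN=1 (assumed helper).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

bridge_start() {
    local t
    # typo guard: refuse to bridge an interface that does not exist
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -d "/sys/class/net/$eth" ]; then
        echo "bridge_start: no such interface: $eth" >&2
        return 1
    fi
    # persistent TAP interface(s); equivalent to 'openvpn --mktun --dev tapN'
    for t in $tap; do
        run ip tuntap add dev "$t" mode tap
    done
    run ip link add name "$br" type bridge
    # members carry no address of their own and run promiscuous
    for t in $tap; do
        run ip addr flush dev "$t"
        run ip link set "$t" master "$br"
        run ip link set "$t" promisc on up
    done
    run ip addr flush dev "$eth"
    run ip link set "$eth" master "$br"
    run ip link set "$eth" promisc on up
    # the LAN address moves to the bridge itself
    run ip addr add "$eth_addr" broadcast "$eth_broadcast" dev "$br"
    run ip link set "$br" up
}

bridge_stop() {
    local t
    run ip link set "$br" down
    run ip link del "$br"
    for t in $tap; do
        run ip tuntap del dev "$t" mode tap
    done
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        start) bridge_start ;;
        stop)  bridge_stop ;;
        *) echo "usage: $0 start|stop" >&2; exit 1 ;;
    esac
fi
```

Flushing the address from eth0 drops any SSH session arriving on it and deletes the routes through it, exactly as the ifconfig eth0 0.0.0.0 step in bridge-start does, so run it from the console and re-add the default route via br0 afterwards (the gateway address is site-specific and not part of the table).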
sample-scripts/bridge-stop
#!/bin/bash
####################################
# Tear Down Ethernet bridge on Linux
####################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
# Bring the bridge down and delete it, then remove the TAP interface(s)
ifconfig $br down
brctl delbr $br
for t in $tap; do
    openvpn --rmtun --dev $t
done