Configuring OpenVPN Access Server for a Privately Bridged Network

Introduction

Although OpenVPN Access Server is mainly geared towards users who want to link their corporate networks and clients together, it can also be configured to connect your clients to a private ("silent") network. This setup is useful when your clients have specific application broadcast/discovery requirements (e.g. multiplayer LAN games or cluster-based applications/systems), or if you want an easy way to allow full bidirectional connectivity between all of these clients. Because this private network is created internally inside the Access Server instance itself, the setup still works in environments where broadcast/discovery traffic is usually prohibited (e.g. Amazon AWS, VPS providers other than those based on OpenVZ, colocation and other datacenter locations). Keep in mind that "full bidirectional connectivity" means every connected client can reach every other client at layer 2, so only grant this profile to users who are meant to see each other's machines.

Prerequisites

In order for you to configure OpenVPN Access Server to use private bridging, all of these requirements must be met:

  • Your Access Server software is running on a platform that supports Ethernet Bridging. (As such, Access Server hosted on platforms such as OpenVZ will not work.)
  • Your OpenVPN client supports the TAP Ethernet Bridging functionality.
  • Your server must be in Layer 2 Ethernet Bridging Mode (under VPN Mode -> Layer 2 (ethernet bridging)).
  • Your server must not be running in Multi-Daemon mode (under Server Network Settings -> Protocol): select a single protocol. The UDP protocol is strongly preferred over the TCP protocol in VPN setups.
  • The Internet tunneling option in VPN settings should be turned off (under VPN Settings -> Should client Internet traffic be routed through the VPN?).
  • The bridge-utils package is installed on the OpenVPN Access Server instance and an empty bridge is created at system startup (e.g. brctl addbr br0). This is not required if you are using the latest version of our ESXi/AMI appliances.
  • Sufficient concurrent licenses for your client connections. Each client connected in this manner requires one license unit per concurrent connection.
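The following script is an added example, not part of the OpenVPN Access Server documentation or appliance images. It creates the empty "silent" bridge that the prerequisites call for, brings it up, optionally gives the server itself an address on it, and verifies the result. It is meant to be run as root at boot (for example from a systemd oneshot unit, which is not shown). The bridge name pr0 and the address 192.168.1.2/24 used in the usage comment are assumptions chosen to match the examples later in this article.

```shell
#!/bin/sh
# Added example (not from the OpenVPN Access Server docs): create the empty
# private bridge required for "silent" bridging and verify it exists.
# Run as root at system startup. Bridge name and address are assumptions.

# bridge_exists NAME -> exit 0 if NAME is a Linux bridge device.
# A bridge device exposes /sys/class/net/NAME/bridge; a plain NIC does not.
bridge_exists() {
    [ -d "/sys/class/net/$1/bridge" ]
}

# create_private_bridge NAME [ADDR/PREFIX]
# Creates an empty bridge with no physical ports (so broadcast traffic stays
# inside the VPN), brings it up, and optionally gives the server an address
# on it. Idempotent: safe to re-run at every boot.
create_private_bridge() {
    name=$1; addr=$2
    if ! bridge_exists "$name"; then
        if command -v brctl >/dev/null 2>&1; then
            brctl addbr "$name"             # bridge-utils, as the prerequisites list
        else
            ip link add "$name" type bridge  # iproute2 equivalent on newer systems
        fi
    fi
    ip link set "$name" up
    # Optional server address on the bridge. Keep it OUTSIDE the range you
    # later hand to clients with ifconfig-pool (see the note on pool ranges).
    if [ -n "$addr" ] && ! ip -o addr show dev "$name" | grep -qF " $addr "; then
        ip addr add "$addr" dev "$name"
    fi
    bridge_exists "$name"
}

# Only act when a bridge name is given on the command line, so that the file
# can be sourced for its functions without side effects. Usage (assumed names):
#   sh create_bridge.sh pr0 192.168.1.2/24
if [ $# -gt 0 ]; then
    create_private_bridge "$@"
fi
```

Because the bridge has no physical port attached, nothing that the VPN clients broadcast can leak onto the host's real network; the check at the end of create_private_bridge fails (non-zero exit) if the device was not created, which is the case on OpenVZ containers that lack bridge support.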

Configuration

In order to connect your VPN clients to the private network, your server must be configured in Layer 2 (ethernet bridging) mode and placed in the "silent" bridge that you created previously. If you are using our ESXi/AMI appliances, a "pr0" interface should already have been created for you to use in this setup.


To join the private bridge, log in to the Web Admin UI, click VPN Mode on the left navigation panel and then specify the bridge name you created earlier. For our appliance users, enter pr0 for Bridge Name under the "Join pre-existing bridge (optional)" section. Save the settings on this page.

Afterwards, go to the Advanced VPN section of the Web Admin UI.

Under Additional OpenVPN Config Directives (Advanced), in the Server Config Directives box, enter a line using the following syntax:

ifconfig-pool <start IP address> <end IP address> <subnet mask>

Where start IP address is the first IP address you would like to assign to your connected clients, end IP address is the last IP address in the pool for your connected clients, and subnet mask is the mask you are assigning to this network.

For example, if you want a private network with the following characteristics:

Reserved VPN IP Range: 192.168.1.1 - 192.168.1.254
Subnet Mask: 255.255.255.0

You would enter the following in that text box:

ifconfig-pool 192.168.1.1 192.168.1.254 255.255.255.0

Note: If you plan to have Windows clients on your VPN network, the first usable IP address of the subnet is reserved for the virtual DHCP server that configures the TAP adapter on your Windows VPN clients. In that case, do not hand out the first usable IP address of the subnet; start the pool at the second address (e.g. 192.168.1.2). If you also plan to assign your VPN server an IP address on this network, you may do so on the active bridge interface, but make sure that this IP does not fall inside the range you are assigning to your clients. For example, if you assign 192.168.1.2 to bridge pr0, make sure your ifconfig-pool starts at the third IP address (e.g. ifconfig-pool 192.168.1.3 192.168.1.254 255.255.255.0). An overlap between the bridge address and the pool produces duplicate-IP conflicts on the bridge.


Afterwards, click Save Settings and Update Running Server to apply your changes.
On the client side, download and install the Connect client. When it connects, the TAP interface is configured on the client machine and an IP address from the pool is assigned to the client.
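The script below is an added example, not code from the OpenVPN Access Server documentation. It turns the pool rules from the note above into a check you can run before pasting the directive into the Server Config Directives box: suggest_pool derives an ifconfig-pool line from the bridge address and netmask (starting right after the bridge address and ending at the last host address), and check_pool rejects a pool that is reversed, leaves the subnet, includes the network or broadcast address, starts on the first usable address reserved for the Windows virtual DHCP server, or contains the bridge address. The addresses in the usage lines are the constructed ones from this article.

```shell
#!/bin/sh
# Added example (not from the OpenVPN Access Server docs): validate an
# ifconfig-pool line against the rules in the note on pool ranges.
# POSIX sh only; uses multiplication/division instead of bit shifts so it
# also runs under dash. Sample addresses are constructed.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# int2ip INT -> A.B.C.D
int2ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# suggest_pool BRIDGE_IP NETMASK
# Prints an ifconfig-pool line that starts one address after the bridge
# address and ends at the last host address of the subnet. For a contiguous
# netmask, 2^32 - mask is the subnet size, and the host part of an address
# is the remainder modulo that size.
suggest_pool() {
    bridge=$(ip2int "$1"); mask=$(ip2int "$2")
    size=$(( 4294967296 - mask ))
    network=$(( bridge - bridge % size ))
    broadcast=$(( network + size - 1 ))
    echo "ifconfig-pool $(int2ip $(( bridge + 1 ))) $(int2ip $(( broadcast - 1 ))) $2"
}

# check_pool START END NETMASK [BRIDGE_IP]
# Exit 0 if the pool is usable, 1 otherwise (reason on stderr).
check_pool() {
    start=$(ip2int "$1"); end=$(ip2int "$2"); mask=$(ip2int "$3")
    size=$(( 4294967296 - mask ))
    network=$(( start - start % size ))
    broadcast=$(( network + size - 1 ))
    if [ "$start" -gt "$end" ]; then
        echo "pool start $1 is after pool end $2" >&2; return 1
    fi
    if [ "$start" -lt $(( network + 1 )) ] || [ "$end" -gt $(( broadcast - 1 )) ]; then
        echo "pool $1-$2 leaves the subnet or includes the network/broadcast address" >&2; return 1
    fi
    if [ "$start" -eq $(( network + 1 )) ]; then
        echo "first usable address $1 is reserved for the Windows virtual DHCP server" >&2; return 1
    fi
    if [ -n "$4" ]; then
        bridge=$(ip2int "$4")
        if [ "$bridge" -ge "$start" ] && [ "$bridge" -le "$end" ]; then
            echo "bridge address $4 falls inside the pool" >&2; return 1
        fi
    fi
    return 0
}

# Usage with the article's constructed addresses: bridge pr0 at 192.168.1.2/24.
suggest_pool 192.168.1.2 255.255.255.0
check_pool 192.168.1.1 192.168.1.254 255.255.255.0 192.168.1.2 && echo "accepted" || echo "rejected (expected)"
check_pool 192.168.1.3 192.168.1.254 255.255.255.0 192.168.1.2 && echo "accepted" || echo "rejected"
```

Run it before applying Update Running Server: the suggested line for a bridge at 192.168.1.2 is the same `ifconfig-pool 192.168.1.3 192.168.1.254 255.255.255.0` given in the note, and the first check_pool call is rejected precisely because it starts on the reserved first usable address and contains the bridge address.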