Bridging OpenVPN Connections to Local Networks

The examples in most other OpenVPN recipes are routed using tun interfaces which operate at layer 3 and are generally the best practice. OpenVPN also offers the option of using tap interfaces, which operate at layer 2 and support bridging clients directly onto the LAN or other internal network. This can make the remote clients appear to be on the local LAN.

See also

See Device Mode for information on differences between tun and tap interfaces.

OpenVPN Server Settings

Most of the settings for a bridged remote access VPN are the same as for a traditional remote access VPN (OpenVPN Remote Access Configuration Example). The differences are noted here.

Device Mode

tap

A bridged connection requires a Device Mode of tap.

Tunnel Network

Empty

Remove values from the IPv4 Tunnel Network and IPv6 Tunnel Network boxes so they are empty. A tap bridge does not need a tunnel network because OpenVPN does not use the address assignment techniques it uses in tun mode; bridged clients instead obtain addresses from the network they are bridged onto.

Bridge DHCP

When selected, OpenVPN passes DHCP through to the bridged interface configured later. In the most common scenario, this is LAN. With this method, connecting clients receive IP addresses from the same DHCP pool used by directly wired LAN clients.

Bridge Interface

LAN

Warning

This setting does not create the bridge, it only indicates to OpenVPN which interface will be a member of the bridge.

This controls which existing IP address and subnet mask OpenVPN will use for the bridge. Setting this to none will cause the Server Bridge DHCP settings below to be ignored.

Server Bridge DHCP Start/End

When using tap mode as a multi-point server, a DHCP range may optionally be configured to use on the interface to which this tap instance is bridged.

If these settings are left blank, OpenVPN will pass DHCP through to the bridge interface and it will ignore the interface setting above. Entering a range instead allows administrators to set aside a range of IP addresses for use only by OpenVPN clients, so they are contained within a portion of the internal network rather than consuming IP addresses from the existing DHCP pool. Enter the Server Bridge DHCP Start and Server Bridge DHCP End IP address values as needed.
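To show how these settings map to OpenVPN directives, here is an added example of the equivalent standalone OpenVPN server configuration (not from the pfSense documentation, and not the configuration pfSense generates); it assumes a constructed LAN of 192.168.1.0/24 with the bridge interface at 192.168.1.1.

```conf
# Bridged (tap) server: operates at layer 2, so there is no "server"
# directive and no tunnel network to define.
dev tap

# Option A: Bridge DHCP enabled with a Server Bridge DHCP Start/End range.
# Arguments: <bridge interface IP> <netmask> <pool start> <pool end>.
# OpenVPN itself assigns clients addresses from 192.168.1.200-192.168.1.250
# (constructed range), keeping VPN clients out of the LAN's regular DHCP pool.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250

# Option B: Start/End left blank. Given with no arguments, server-bridge
# runs in DHCP-proxy mode: clients obtain a lease from the LAN's DHCP
# server through the bridge, and the interface address/netmask are unused.
# Only one of the two forms may be active; Option B is commented out here.
#server-bridge
```

A connecting client must also use `dev tap`; a `dev tun` client cannot join a tap server.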

Creating the Bridge

Once the OpenVPN tap server has been created, the OpenVPN interface must be assigned and bridged to the internal interface.

Assign OpenVPN interface

The VPN interface must be assigned before it can become a bridge member. The procedure for assigning an OpenVPN interface is covered in Assigning OpenVPN Interfaces.

Create Bridge

Once the VPN interface has been assigned, create the bridge as follows:

  • Navigate to Interfaces > Assignments, Bridges tab

  • Click Add to create a bridge

  • Ctrl-click both the VPN interface and the interface to which it will be bridged (e.g. LAN)

  • Click Save

See also

More information on bridging can be found in Bridging.

Connect with Clients

Clients connecting to the VPN must also be set to use tap mode. Once that has been set, connect with a client such as one exported using the OpenVPN Client Export package. The clients will receive an IP address inside the internal subnet as if they were on the LAN.

Note

Bridged OpenVPN clients also receive broadcast and multicast traffic which can greatly increase the amount of traffic passing over the VPN.