Netgate is offering COVID-19 aid for pfSense software users, learn more.
Bridged OpenVPN Connections¶
The OpenVPN configurations discussed to this point have all been routed, using tun interfaces. This is the preferable method, but OpenVPN also offers the option of using tap interfaces and bridging clients directly onto the LAN or other internal network. This can make the remote clients appear to be on the local LAN.
OpenVPN Server Settings¶
Most of the settings for a bridged remote access VPN are the same as above for a traditional remote access VPN. Only the differences will be noted here.
- Device Mode
To create a bridged connection, this must be set to tap.
- Tunnel Network
Remove values from the IPv4 Tunnel Network and IPv6 Tunnel Network boxes so they are empty. The way a tap bridge OpenVPN functions it does not need a tunnel network as OpenVPN doesn’t use the same address assignment that it does for tun mode.
- Bridge DHCP
When selected, DHCP will be passed through to the bridged interface configured later. In the most common scenario, this is LAN. Using this method connecting clients would receive IP addresses from the same DHCP pool used by directly wired LAN clients.
- Bridge Interface
This setting does not create the bridge, it only indicates to OpenVPN which interface will be used for the bridge. In most cases, this is LAN. This controls which existing IP address and subnet mask are used by OpenVPN for the bridge. Setting this to none will cause the Server Bridge DHCP settings below to be ignored.
- Server Bridge DHCP Start/End
When using tap mode as a multi-point server, a DHCP range may be configured to use on the interface to which this tap instance is bridged. If these settings are left blank, DHCP will be passed through to the bridge interface, and the interface setting above will be ignored. This allows a range of IP addresses to be set aside for use only by OpenVPN clients so they may be contained within a portion of the internal network rather than consuming IP addresses from the existing DHCP pool. Enter the Server Bridge DHCP Start and Server Bridge DHCP End IP address values as needed.
Creating the Bridge¶
Once the OpenVPN tap server has been created, the OpenVPN interface must be assigned and bridged to the internal interface.
Assign OpenVPN interface¶
In order to include the VPN interface in a bridge, it must be assigned. The procedure for assigning an interface is covered earlier in this chapter, in Assigning OpenVPN Interfaces.
Once the VPN interface has been assigned, create the bridge as follows:
Navigate to Interfaces > (assign), Bridges tab
Click Add to create a bridge
Ctrl-click both the VPN interface and the interface to which it will be bridged (e.g. LAN )
More information on bridging can be found in Bridging.
Connect with Clients¶
Clients connecting to the VPN must also be set to use tap mode. Once that has been set, connect with a client such as one exported using the OpenVPN Client Export package. The clients will receive an IP address inside the internal subnet as if they were on the LAN. They will also receive broadcast and multicast traffic.