OpenVPN bridging

So I have found several posts for this but none actually have an answer. I have an OpenVPN server setup at a remote location that issues DHCP. I want to make it so when I connect my GL device to the VPN server all the devices will be issued IPs from the VPN server… Not from the GL device. Essentially I just want the GL to bridge the OpenVPN tunnel not route/NAT it.

Someone out there must know something of use?

Server side:

  • Step 1: Add the following lines to /etc/openvpn/ovpn/server.ovpn.
dev tap
server-bridge 192.168.13.1 255.255.255.0 192.168.13.2 192.168.13.100

Note that 192.168.13.1 is the gateway of br-lan, 192.168.13.2 is IP address pool start, 192.168.13.100 is IP address pool end, it has to non-conflict with LAN’s DHCP IP address pool(it is start with 100 by default).

  • Step 2: Edit network uci configuration file /etc/config/network.
config interface 'lan'
	option type 'bridge'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR750-446'
	option ipaddr '192.168.13.1'
	option ifname 'eth1.1 tap0'
	option proto 'static'
  • Step 3: Start OpenVPN Server on admin web page.

Client side:

  • Step 1: Change client.ovpn.
dev tap
  • Step 2: Edit network configuration file /etc/config/network.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 tap0'
	option proto 'dhcp'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR750S-f5a'
	# option ipaddr '192.168.8.1'
  • Step 3: Edit dhcp configuration file /etc/config/dhcp .
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	option dhcpv6 'server'
	option ra 'server'
	option ignore '1'

config interface 'ovpn'
	option ifname 'none'
	option proto 'none'
  • Step 4: Restart dnsmasq.
/etc/init.d/dnsmasq restart
  • Step 5: Upload client.ovpn, and start it.

Ohh wow… Lil more than I expected… First I assume that I can SSH into these? Second the br-lan ip of x.x.13.2 is where that device is actually getting its net from not the device itself. Eg the server side devices actual gateway.

Yup, you have to ssh to the router, I will make it simple if I have spare time.

br-lan and tap are bridge, all device is assigned IP address from server’s LAN.

Ok, I will try to figure out how to edit these files now!!!

Thank you very much!!!

So I have been playing with it but it keeps giving me an unknown error. if I edit the GUI version it resets all the stuff. The config files look like they need other settings too.

This is what my default settings look like:

/etc/openvpn/ovpn/server.ovpn

client-to-client
persist-key
persist-tun
auth SHA1
cipher BF-CBC
comp-lzo adaptive
dev tun-SERVER
dev-type tun
group nogroup
keepalive 10 120
mode server
mute 5
port 250
proto udp
push “persist-key”
push “persist-tun”
push “redirect-gateway def1”
route-gateway dhcp
server 10.1.10.0 255.255.255.0
topology subnet
duplicate-cn
user nobody
verb 3

/etc/config/network

config interface ‘loopback’
option ifname ‘lo’
option proto ‘static’
option ipaddr ‘127.0.0.1’
option netmask ‘255.0.0.0’

config globals ‘globals’
option ula_prefix ‘fdb7:c716:10cd::/48’

config interface ‘lan’
option type ‘bridge’
option ifname ‘eth0.1’
option proto ‘static’
option netmask ‘255.255.255.0’
option ip6assign ‘60’
option hostname ‘GL-MT300N-V2-0cf’
option ipaddr ‘192.168.8.1’

config interface ‘wan’
option ifname ‘eth0.2’
option proto ‘dhcp’
option hostname ‘GL-MT300N-V2-0cf’
option metric ‘10’

config device ‘wan_dev’
option name ‘eth0.2’
option macaddr ‘e4:95:6e:46:30:cf’

config interface ‘wan6’
option ifname ‘eth0.2’
option proto ‘dhcpv6’

config switch
option name ‘switch0’
option reset ‘1’
option enable_vlan ‘1’

config switch_vlan
option device ‘switch0’
option vlan ‘1’
option ports ‘1 6t’

config switch_vlan
option device ‘switch0’
option vlan ‘2’
option ports ‘0 6t’

config interface ‘tap0’
option type ‘bridge’
option proto ‘static’
option ifname ‘eth0.1’

/etc/config/dhcp

config dnsmasq
option domainneeded ‘1’
option boguspriv ‘1’
option filterwin2k ‘0’
option localise_queries ‘1’
option rebind_protection ‘1’
option rebind_localhost ‘1’
option local ‘/lan/’
option domain ‘lan’
option expandhosts ‘1’
option nonegcache ‘0’
option authoritative ‘1’
option readethers ‘1’
option leasefile ‘/tmp/dhcp.leases’
option resolvfile ‘/tmp/resolv.conf.auto’
option nonwildcard ‘1’
option localservice ‘1’

config dhcp ‘lan’
option interface ‘lan’
option start ‘100’
option limit ‘150’
option leasetime ‘12h’
option force ‘1’
option dhcpv6 ‘server’
option ra ‘server’

config dhcp ‘wan’
option interface ‘wan’
option ignore ‘1’

config odhcpd ‘odhcpd’
option maindhcp ‘0’
option leasefile ‘/tmp/hosts/odhcpd’
option leasetrigger ‘/usr/sbin/odhcpd-update’
option loglevel ‘4’

config domain ‘localhost’
option name ‘console.gl-inet.com
option ip ‘192.168.8.1’

You might not read my guide with careful.

It doesn’t need this one.

OpenVPN Server configuration file:

client-to-client
persist-key
persist-tun
auth SHA1 
cipher BF-CBC
comp-lzo adaptive
; dev tun-SERVER
; dev-type tap
dev tap
server-bridge 192.168.13.1 255.255.255.0 192.168.13.2 192.168.13.100
group nogroup
keepalive 10 120
mode server
mute 5
port 1194
proto udp
push "persist-key"
push "persist-tun"
; push "redirect-gateway def1"
; push "route 0.0.0.0 0.0.0.0"
route-gateway dhcp
; server 10.8.0.0 255.255.255.0
topology subnet
duplicate-cn
user nobody
verb 3
status /var/log/openvpn-status.log

OpenVPN Server network configuration file:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd22:3a5a:e558::/48'

config interface 'lan'
	option type 'bridge'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR750-446'
	option ipaddr '192.168.13.1'
	option ifname 'eth1.1 tap0'
	option proto 'static'

config interface 'wan'
	option hostname 'GL-AR750-446'
	option metric '10'
	option proto 'dhcp'
	option ifname 'eth0'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 0t'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

OpenVPN Client configuration file:

client
dev tap
proto udp
remote 192.168.17.22 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth SHA1 
cipher BF-CBC
comp-lzo adaptive
nice 0
mute 5
verb 3

OpenVPN Client network configuration file:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6a:afef:bb70::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 tap0'
	option proto 'dhcp'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR750S-f5a'
	# option ipaddr '192.168.8.1'

config interface 'guest'
	option type 'bridge'
	option ifname 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR750S-f5a'
	option ipaddr '192.168.10.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option hostname 'GL-AR750S-f5a'
	option metric '10'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'ovpn'
	option ifname 'none'
	option proto 'none'

GL-INET staff, it would be fantastic if you could add this kind of support to the GUI, it would make your product so powerful!

2 Likes

OK. I will put in the dev schedule. Actually not too many request of this feature.

I am also very interested in this feature.

sounds great as a feature
Qustions:

  1. does this also transfer broadcast packets through vpn by default. if so how does one disable or enable that functionality.

  2. is ar750 server physically connected to lan on one of the two lan ports and not on the physical wan port?

also incase anybody is trying to follow setup please note the server is an ar750 which has eth0.1 for lan and eth1 for wan
and client machine is ar750s with eth0.1 for lan and eth0.2 for wan

hi @alzhao
this would actually be a brilliant feature because it would mean that when i am away and traveling with my various “gadgets” (phone, watch, laptop, streamer etc) they will all get the same IP addresses as if i was home and all security policies i set at home would be effective.
this would also mean almost zero configuration on my travel router.

quite honestly - it might even make sense to sell a specially priced bundle of 2 devices (like 750 or 750s) for people that want to be away while working “at home” in a cheap and simple way.

another idea is possible make this configuration available to be done from goodcloud or the app…

1 Like

If you check our site2site solution it is for this purpose exactly.

https://www.gl-inet.com/solutions/site-to-site/

But it is not using bridge. It is using routing. When using bridging, it may bring other issues as well. I do not want to go through the details but it is very complicated.

Does site to site work if carrier grade NAT is in place at at least one end ?

As long as you have one public IP which can work as main node, S2S works.

Just to check, on my working node that i have remote access to that currently runs openvpn and therefore i use the openvpn android client to gain access and then run tools that work via the vpn connection.

If I was to setup S2S with 2 brume devices can you just clarify how this would work in terms of replacing my current working setup? Ie I’d remove my current openvpn box and add the new brume. Then if I wanted to access that working node via an android phone how would I do that?

What protocol is this / what client is needed ?

I am attempting to get a setup like this working to my home Mikrotik. I can get the VPN connected but can’t route any traffic through the tunnel. What information can I provide to asssist in troubleshooting this, as I’d like to get it working? The tunnel does connect and I’m able to pull a DHCP address to the VPN from the DHCP server on the MKT. However I can’t pass any traffic when I setup the config like kyson-lok suggested in Jan of 2012. If I do NOT add the tap0 interface to the LAN bridge I am able to ping the Slate and the local IP on the MKT without issue, but the clients connected to wifi don’t get a DHCP addreses. I know traffic is working as I’m able to reach the web admin interface of the slate on the private IP address assigned. I’m able to provide any diagnostic information that is required to asssist in troublehsooting this.

our Site2Site is running on Wireguard.

We are making Openvpn bridge to work in the stock firmware now. It is really difficult to set up manually.

2 Likes