I have a few (perhaps slightly different) questions, but they are related to each other, so I preferred to ask them in one question.
I have been trying to allow my OpenVPN clients (OpenVPN is set up in bridge mode) to connect to Docker containers.
As is well known, Docker containers are all connected to each other via a bridge (the `docker0` bridge or whatever).
I always used to use my own bridge (`br0`) on my home server, where I set Docker up to use that bridge (`br0`), and I bridge the OpenVPN interface (`tap0`) onto that bridge, together with my physical interface (`eth0`), which is connected via LAN to my home router.
That always worked for me, and all OpenVPN clients were always able to access every Docker container bridged on `br0` (both OpenVPN clients and Docker containers have IPs in my LAN range).
A couple of days ago I rented a VPS, where my physical interface is directly connected to the internet (it has a unique public IP).
I did the same as before (setting Docker up to use my `br0` for all containers) and I bridged the OpenVPN `tap0` onto `br0`.
The problem I faced is that my OpenVPN client was NOT able to ping or access any of the Docker containers (the containers were able to ping and access the other Docker containers, but NOT the OpenVPN client), and the clients were NOT able to ping each other either.
Does that have anything to do with the fact that I have no physical interface bridged? If so, I was wondering why I should bridge an interface of my server (connected to some router via LAN, perhaps) in addition to the OpenVPN TAP interface to get a functional OpenVPN in bridge mode?
And that problem raised another related question in my mind: as long as the clients are part of the `tap0` interface anyway, why can't they simply access each other without, for some reason, going out of the TAP interface? What role is played by my physical interface?
If my problem really is that there is no physical interface bridged, how can I get OpenVPN to be fully functional in bridge mode without that physical interface (or at least, is there any solution, given that my physical interface is connected directly to the internet without any LAN)?
I hope that someone can help me get that OpenVPN to work.
ADDED:
After watching some videos I still have this question: if I had two TAP interfaces, each of them mapped to one VirtualBox system (`tap0` -> `vb0`, `tap1` -> `vb1`), and both `tap0` and `tap1` are connected to a bridge `br0` (which is not connected to any physical interface), so that only `tap0` and `tap1` are bridged together, will `vb0` and `vb1` be able to ping each other? (I am not interested in any kind of external connections now.) According to @shodanshok's answer, NO they won't, right? Until now I have not been able to understand exactly why they can't; could you please explain that point in more detail?
An OpenVPN `tap` interface operates at layer 2 of the ISO/OSI model, and so it needs a layer 2 (read: bridge/switch) connection to the main, real interface. I strongly suggest that you reconfigure your OpenVPN connection to use `tun` interfaces which, by operating at a higher level (layer 3) of the stack, do not need a bridged connection to the main interface (rather, they route packets as specified in the routing table). Have a look at the "server-bridge" section of the openvpn man page for more information.
OK, after a lot of experiments, now I can answer my question and share my experience:

Do I need a bridge (e.g. `br0` on Linux) to be able to run OpenVPN in bridge mode?
No! I always thought the opposite, but right now I can confirm that, as soon as you configure your OpenVPN correctly, you can connect all your OpenVPN clients directly, and they will be in their own isolated network, i.e. the `tap0` interface is not part of any bridge. Accordingly, there is no need either for any physical interface bridged with `tap0`; only `tap0` with a correctly configured OpenVPN will do the job!

Why didn't it work for me initially? (Now it works!)
The problem was actually on the client side! I was always used to the OpenVPN clients all being in my LAN IP range, therefore no additional firewall settings were necessary, but now the IP range is different (the network is a new isolated network), therefore the Windows firewall of all clients was simply dropping all pings from other clients. When I disabled it (or allowed my OpenVPN IP pool range) to connect, everything worked perfectly!

What about Docker? Were you able to bridge the containers with `tap0` and connect to the containers from your OpenVPN clients?
Yes! I just used a very simple configuration (netmask and IP range were the same), netmask `/24`, and everything was very basic, just to make sure that everything works, and everything really worked!
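As an added example (not the poster's own configuration, nor anything quoted from the answers), here is what "a correctly configured OpenVPN" for a TAP server that is not enslaved to any Linux bridge looks like, together with a small shell check for the directives that matter. It uses the `server` helper rather than `server-bridge` (which expects `tap0` to be bridged with an interface that already owns the gateway address) and adds `client-to-client`, which makes OpenVPN switch frames between clients internally instead of handing them to the kernel's `tap0`. The 10.8.0.0/24 pool, the port and the file names are assumptions chosen for illustration.

```shell
# Added example, not from the question or the answers: an OpenVPN TAP server
# that runs WITHOUT a Linux bridge. Pool 10.8.0.0/24, port 1194 and the file
# names are assumptions; replace them with your own values.

write_tap_server_conf() {
    # $1 is the config path to write; certificate/key names are placeholders.
    cat > "$1" <<'EOF'
port 1194
proto udp
# Layer 2 device, but tap0 is NOT enslaved to any bridge.
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# 'server' (not 'server-bridge') creates the isolated 10.8.0.0/24 network:
# it configures 10.8.0.1 on tap0 and hands out 10.8.0.2-10.8.0.254 to clients.
server 10.8.0.0 255.255.255.0
# OpenVPN switches frames between clients itself; without this they would be
# written to the kernel's tap0, which has no bridge to forward them through.
client-to-client
keepalive 10 120
persist-key
persist-tun
EOF
}

# Print "ok" and return 0 when the config can serve TAP clients without a
# bridge; otherwise print the first problem found and return 1.
check_tap_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*dev[[:space:]]+tap' "$conf" \
        || { echo "not a tap config"; return 1; }
    if grep -Eq '^[[:space:]]*server-bridge' "$conf"; then
        echo "server-bridge: expects tap0 enslaved to a bridge that owns the gateway address"
        return 1
    fi
    grep -Eq '^[[:space:]]*server[[:space:]]' "$conf" \
        || { echo "no 'server' directive: no address pool for clients"; return 1; }
    grep -Eq '^[[:space:]]*client-to-client' "$conf" \
        || { echo "no client-to-client: inter-client frames would go to tap0 with no bridge to forward them"; return 1; }
    echo "ok"
}

# Usage (as root on the VPS):
#   write_tap_server_conf /etc/openvpn/server/tap.conf
#   check_tap_conf /etc/openvpn/server/tap.conf    # expect "ok"
```

On the Windows clients the new 10.8.0.0/24 range is not a "private" network the firewall already trusts, so a rule such as `netsh advfirewall firewall add rule name="Allow ping from VPN" dir=in action=allow protocol=icmpv4:8,any remoteip=10.8.0.0/24` (run in an elevated prompt) lets the other clients' pings through without disabling the firewall entirely.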