The goal: I want to be able to stream to my Chromecast over a VPN when I’m away from my home network.
The problem: the Chromecast relies on the multicast protocol SSDP (Simple Service Discovery Protocol) to work, and this protocol is usually not routed over a VPN connection.
The solution: the only “easy” way to reach my goal is to use OpenVPN with a TAP interface and assign a segment of the network to the VPN users.
I have a spare Raspberry Pi so I have installed PiVPN on it.
PiVPN is a very cool script to easily set up a working OpenVPN server on a Raspberry Pi with the TUN interface.
So, first I’ll follow the PiVPN wizard to set up a working OpenVPN server with the TUN interface.
To set up the TAP interface on the OpenVPN server I had to modify the default PiVPN configuration.
Here are my network settings (you have to adapt all the configurations to your own network setup):
IP address of Raspberry Pi: 192.168.33.36
Netmask: 255.255.255.0
Broadcast address: 192.168.33.255
Router's IP address: 192.168.33.1
First create a file /etc/openvpn/openvpn-bridge like this:
#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.33.36"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.33.255"
eth_gateway="192.168.33.1"

case "$1" in
start)
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done

    sleep 10
    ifconfig $eth 0.0.0.0 promisc up
    sleep 5
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    sleep 2
    route add default gw $eth_gateway
    ;;
stop)
    ifconfig $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    route add default gw $eth_gateway
    ;;
*)
    echo "Usage: openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0
Then make it executable
chmod 744 /etc/openvpn/openvpn-bridge
Then edit the following file to add the script just created.
vim /lib/systemd/system/openvpn@.service
Insert the following two lines after the line “WorkingDirectory=/etc/openvpn”
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop
This is the file after the modifications
[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

[Install]
WantedBy=multi-user.target
Also make sure the package bridge-utils is installed
apt install bridge-utils
Finally, modify the file /etc/openvpn/server.conf to use TAP instead of TUN
...
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
...
Now reboot your Raspberry Pi, and make sure to also modify your client configuration for a TAP device…
...
client
dev tap
proto udp
...
Now you should have a working OpenVPN server with a TAP interface.
Before trying to get a working setup with TAP interface, start with a working TUN setup (PiVPN is a great tool to reach this point).
To get my configuration working I found some help from this thread.
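The server.conf change above stops at dev tap0; the commenters below report that the routed server line also has to be replaced by server-bridge, otherwise clients keep getting 10.8.0.* addresses. As an added example (not the author's or PiVPN's code), this script lints a server.conf for that case; the function names and the pool range in the sample are constructed.

```shell
#!/bin/sh
# Dotted-quad IPv4 -> integer; runs in a subshell so the IFS change does not leak.
ip2int() (
    IFS=.
    set -- $1
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
)

# check_bridge_conf FILE: prints one finding per line; returns 0 only if there are none.
check_bridge_conf() {
    rc=0
    # Active directives only: drop '#' and ';' comments, then blank lines.
    active=$(sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$1")
    dev=$(printf '%s\n' "$active" | awk '$1 == "dev" { print $2 }')
    routed=$(printf '%s\n' "$active" | awk '$1 == "server" { print $2 }')
    bridge=$(printf '%s\n' "$active" | awk '$1 == "server-bridge" { print $2, $3, $4, $5 }')
    case $dev in
        tap*) ;;
        *) echo "dev is '$dev': bridging needs a tap device"; rc=1 ;;
    esac
    if [ -n "$routed" ]; then
        echo "routed 'server $routed' line is still active"; rc=1
    fi
    set -- $bridge          # gateway netmask pool-start pool-end
    if [ $# -ne 4 ]; then
        echo "server-bridge gateway/netmask/pool is missing or incomplete"
        return 1
    fi
    gw=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3"); hi=$(ip2int "$4")
    net=$(( gw & mask ))
    if [ $(( lo & mask )) -ne "$net" ] || [ $(( hi & mask )) -ne "$net" ] || [ "$lo" -gt "$hi" ]; then
        echo "pool $3-$4 is not a valid range inside the subnet of $1/$2"; rc=1
    fi
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "pool $3-$4 contains the bridge address $1"; rc=1
    fi
    return $rc
}

# Constructed sample: the article's addresses, with a made-up client pool.
demo() {
    f=$(mktemp)
    printf '%s\n' 'port 1194' 'proto udp' 'dev tap0' \
        'server-bridge 192.168.33.36 255.255.255.0 192.168.33.200 192.168.33.210' > "$f"
    check_bridge_conf "$f" && echo "server.conf OK for bridging"
    rm -f "$f"
}
demo
```

The check only reads the config file; whether the pool overlaps the router's own DHCP range still has to be verified on the router.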
9 Comments
toni · April 19, 2018 at 10:01
Hi huntz! Great article – It helped me a lot because I’m trying to do the exact same thing. There’s one thing I’m curious about. Here on OpenVPN’s page: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript, they say that you have to comment out the line that begins with ‘server’ and replace it with: ‘server-bridge…’. In your posted scripts you are not changing that. My point is that when I connect to the server following your article, I’m not able to ping my bridged network (which in my case is a different one – and by different I mean if having the rpi in 192.168.33.1, I’m bridging 10.212.168.1 network with tap0). Do you think that this might be the problem?
Bernd · May 17, 2021 at 19:19
Thanks for noticing that missing piece! That’s a basic puzzle part missing in the still not corrected article. For future people finding this article during the search for a VPN bridging solution, **do not forget the “server-bridge …” directive in the server config file**, as stated in https://github.com/pivpn/pivpn/issues/45#issuecomment-301655724
James · May 14, 2018 at 20:30
THANKS for this. Is there a way to set the bridge as Static IP? I get the following over and over on my router:
May 10 05:47:45 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:47:45 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
May 10 05:48:50 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:48:50 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
May 10 05:49:55 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:49:55 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
May 10 05:50:59 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:50:59 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
May 10 05:52:03 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:52:03 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
doman18 · October 26, 2018 at 13:08
I didn’t use PiVPN. For TUN I always did it manually (on Debian). Also I did the bridge setup successfully. So I tried to do it the same way on Raspbian. My problem is that I can connect from LAN, but I can’t from WAN. Redirections on my router seem to be OK. On Debian (server and gateway) all works fine, but in Raspbian something must be wrong. I tried to set it up 2 times, I changed the router to a different one, and checked if the port is open with some online tools. I’ve seen that ppl with similar problems switched from UDP to TCP and it helped. Maybe I should give PiVPN a try.
Jefferson Huang · April 20, 2019 at 08:12
I just want to thank you for this guide. I followed it and got tap working after I figured out the step your guide was missing. The step is:
In server.config, comment out the server line and type in:
server-bridge ip_of_device subnet_of_device start_of_ip_pool end_of_ip_pool
lodal · May 14, 2020 at 19:10
I tried it, it does not work.
i can connect to vpn but ip always starts with 10.8.0.*
my rpi ip 192.168.1.23 (reserved by router)
subnet 255.255.255.0
router 192.168.1.1
broadcast 255.255.255.0
tested for months and default pivpn tun works fine
i added the server-bridge with 192.168.1.23 255.255.255.0 192.168.1.200 192.168.1.210
Onur Bilginer · August 25, 2020 at 10:56
Hi Guys, I am trying to establish bridge with pi but it doesn’t work unfortunately. Anyone can help?
Regards
Scott · January 25, 2022 at 19:29
There are a few more steps required to make this work in 2022! Here’s a post that covers the specifics: https://technologydragonslayer.com/2022/01/16/installing-an-openvpn-tap-server-on-a-raspberry-pi-using-pivpn/
T · July 5, 2022 at 21:32
Indeed Scott! Thank you very much for the link!