The goal: I want to be able to stream to my Chromecast over a VPN when I’m away from my home network.

The problem: the Chromecast uses the multicast protocol SSDP (Simple Service Discovery Protocol) to work, and this protocol is (usually) not routed over a VPN connection.

The solution: to reach my goal, the only “easy” solution is to use OpenVPN with a TAP interface and assign a segment of the network to the VPN users.
I have a spare Raspberry Pi, so I installed PiVPN on it.
PiVPN is a very cool script to easily set up a working OpenVPN server on a Raspberry Pi with the TUN interface.

So, first I’ll follow the PiVPN wizard to set up a working OpenVPN server with the TUN interface.

To set up the TAP interface on the OpenVPN server I had to modify the default PiVPN configuration.

Here are my network settings (you have to adapt all the configurations to your own network setup):

IP address of Raspberry Pi: 192.168.33.36
Netmask: 255.255.255.0
Broadcast address: 192.168.33.255
Router's IP address: 192.168.33.1

First create a file /etc/openvpn/openvpn-bridge like this:

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.33.36"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.33.255"
eth_gateway="192.168.33.1"

case "$1" in
    start)
        # Create the persistent TAP device(s)
        for t in $tap; do
            openvpn --mktun --dev "$t"
        done

        # Create the bridge and attach the physical interface and the TAP device(s)
        brctl addbr "$br"
        brctl addif "$br" "$eth"

        for t in $tap; do
            brctl addif "$br" "$t"
        done

        for t in $tap; do
            ifconfig "$t" 0.0.0.0 promisc up
        done

        sleep 10

        ifconfig "$eth" 0.0.0.0 promisc up

        sleep 5

        # The bridge takes over the IP address that eth0 had
        ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"

        sleep 2

        route add default gw "$eth_gateway"
        ;;
    stop)
        # Tear down the bridge and remove the TAP device(s)
        ifconfig "$br" down
        brctl delbr "$br"

        for t in $tap; do
            openvpn --rmtun --dev "$t"
        done

        # Give the IP address and default route back to eth0
        ifconfig "$eth" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"

        route add default gw "$eth_gateway"
        ;;
    *)
        echo "Usage: openvpn-bridge {start|stop}"
        exit 1
        ;;
esac
exit 0

Then make it executable:

chmod 744 /etc/openvpn/openvpn-bridge

Then edit the following file to add the script just created:

vim /lib/systemd/system/openvpn@.service

Insert the following two lines after the line “WorkingDirectory=/etc/openvpn”:

ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

This is the file after the modifications:

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

[Install]
WantedBy=multi-user.target

Also make sure that the package bridge-utils is installed:

apt install bridge-utils

Finally, modify the file /etc/openvpn/server.conf to use TAP instead of TUN:

...
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
...

Now reboot your Raspberry Pi, and make sure to also modify your client configuration for a TAP device:

...
client
dev tap
proto udp
...

Now you should have a working OpenVPN server with a TAP interface.

Before trying to get a working setup with TAP interface, start with a working TUN setup (PiVPN is a great tool to reach this point).

To get my configuration working I found some help from this thread.

