The goal: I want to be able to stream to my Chromecast when I’m outside from my home network via VPN.

The problem: the Chromecast use the multicast protocol SSDP (Simple Service Discovery Protocol) to work and this protocol is not routed (usually) by a VPN connection.

The solution: to reach my goal, the only “easy” solution is to use OpenVPN with a TAP interface and assign a segment of the network to the VPN users.
I have a spare Raspberry Pi so I have installed PiVPN on it.
PiVPN is a very cool script to easily setup a working OpenVPN server on Raspberry Pi with the TUN interface.

So, at first I’ll follow the PiVPN wizard to setup a working OpenVPN server with TUN interface.

To setup the TAP interface on the OpenVPN server I had to modify the default PiVPN configuration.

Here my network settings (you have to adapt all the configurations based on your network setup):

IP address of Raspberry Pi: 192.168.33.36
Netmask: 255.255.255.0
Broadcast address: 192.168.33.255
Router's IP address: 192.168.33.1

First create a file /etc/openvpn/openvpn-bridge like this:

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.33.36"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.33.255"
eth_gateway="192.168.33.1"

case "$1" in
start)
for t in $tap; do
openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
brctl addif $br $t
done

for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done

sleep 10

ifconfig $eth 0.0.0.0 promisc up

sleep 5

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

sleep 2

route add default gw $eth_gateway
;;
stop)
ifconfig $br down
brctl delbr $br

for t in $tap; do
openvpn --rmtun --dev $t
done

ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast

route add default gw $eth_gateway
;;
*)
echo "Usage: openvpn-bridge {start|stop}"
exit 1
;;
esac
exit 0

Then make it executable

chmod 744 /etc/openvpn/openvpn-bridge

Then edit this following file, to add the script just created.

vim /lib/systemd/system/openvpn@.service

Insert the following two lines after the line “WorkingDirectory=/etc/openvpn”

ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

This is the file after the modifications

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

[Install]
WantedBy=multi-user.target

Be also sure to have installed the package bridge-utils

apt install bridge-utils

Finally modify the file /etc/openvpn/server.conf with TAP instead TUN

...
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
...

Now, reboot your Raspberry Pi, make sure also to modify your client configuration for a TAP device…

...
client
dev tap
proto udp
...

Now you should have a working OpenVPN server with TAN interface.

Before trying to get a working setup with TAP interface, start with a working TUN setup (PiVPN is a great tool to reach this point).

To get my configuration working I found some help from this thread.


9 Comments

toni · April 19, 2018 at 10:01

Hi huntz! Great article – It helped me a lot because I’m trying to do the exact same thing. There’s one thing I’m curious about. Here on the Openvpn’s page: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript ,they say that you have to comment out the line that begins with ‘server’ and replace it with: ‘server-bridge…’. In your posted scripts you are not changing that. My point is that when I connect to the server following your article, I’m not able to ping my bridged network (which in my case is different one – and by different I mean if having the rpi in 192.168.33.1, I’m bridging 10.212.168.1 network with tap0 ). Do you think that this might be the problem.

    Bernd · May 17, 2021 at 19:19

    Thanks for noticing that missing piece! That’s a basic puzzle part missing in the still not corrected article. For future people finding this article during the search for a VPN bridging solution, **do not forget the “server-bridge …” directive in the server config file**, as stated in https://github.com/pivpn/pivpn/issues/45#issuecomment-301655724

James · May 14, 2018 at 20:30

THANKS for this. Is there a way to set the bridge as Static IP? I get the following over and over on my router:
May 10 05:47:45 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:47:45 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
May 10 05:48:50 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:48:50 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
May 10 05:49:55 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:49:55 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
May 10 05:50:59 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:50:59 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC
May 10 05:52:03 dnsmasq-dhcp[704]: DHCPDISCOVER(br0) Pi MAC
May 10 05:52:03 dnsmasq-dhcp[704]: DHCPOFFER(br0) 10.10.10.71 Pi MAC

doman18 · October 26, 2018 at 13:08

I didnt use PiVPN. For TUN i always did it manually (on debian). Also i did bridge setup succesfully. So i tried to do it the same way on raspbian. My problem is that i can connect from LAN, but i cant from WAN. Redirections on my router seem to be ok, On Debian (server and gateway) all works fine, but in raspbian something must be wrong. I tried to setup 2 times, i changed router to different one, checked if port is open by some online tools.Ive seen that ppl with similar problems switched from UDP to TCP and it helped. Maybe i should give a try with PiVPN.

Jefferson Huang · April 20, 2019 at 08:12

I just want to thank you for this guide. I followed it and got tap working after I figured out the step your guide was missing. The step is:

In server.config, comment out the server line and type in:
server-bridge ip_of)device subnet_of_device start_of_ip_pool end_of_ip_pool

lodal · May 14, 2020 at 19:10

i tried it down not work.
i can connect to vpn but ip always starts with 10.8.0.*
my rpi ip 192.168.1.23 (reserved by router)
subnet 255.255.255.0
router 192.168.1.1
broadcast 255.255.255.0
tested for months and default pivpn tun works fine
i added the server-bridge with 192.168.1.23 255.255.255.0 192.168.1.200 192.168.1.210

Onur Bilginer · August 25, 2020 at 10:56

Hi Guys, I am trying to establish bridge with pi but it doesn’t work unfortunately. Anyone can help?
Regards

Scott · January 25, 2022 at 19:29

There are a few more steps required to make this work in 2022! Here’s a post that covers the specifics: https://technologydragonslayer.com/2022/01/16/installing-an-openvpn-tap-server-on-a-raspberry-pi-using-pivpn/

T · July 5, 2022 at 21:32

Indeed Scott! Thank you very much for the link!

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *