
Version 2 (modified by Davide Brini, 14 years ago)


Bridging in OpenVPN

OpenVPN allows two different modes of operation: routed mode and bridged mode. This article is about the latter.

Bridged mode means that the VPN tunnel encapsulates full Ethernet frames (up to 1514 bytes: a 14-byte Ethernet header plus a 1500-byte payload), rather than IP packets (up to 1500 bytes). In itself this would just add some overhead to the VPN traffic; but in practice, together with some special configuration in the OS (described later), it allows the VPN and its users to be connected to a real, physical Ethernet network at the data-link level, effectively turning the whole system (Ethernet network + VPN) into a single broadcast domain.

Do you need bridging?

This question comes up regularly when somebody asks for advice on configuring a bridged VPN. Bridged mode has a higher traffic overhead: because it works at layer 2, every broadcast on the LAN is also sent into the VPN, and, as already mentioned, each data packet can be up to 1514 bytes. It also has a security cost: every VPN client becomes a full member of the LAN's layer 2 domain, so anything a LAN host can do at that level (sniff broadcasts, spoof ARP, answer DHCP requests) a VPN client can do too. Normally bridged mode is needed only in two cases:

  • You really need a layer 2 domain, because you use protocols that rely on broadcasts or multicasts (e.g. NetBIOS, LAN games)
  • You need to transport non-IP traffic (e.g. IPX, AppleTalk)

If you don't have any of those requirements, you can almost certainly use routed mode. Otherwise, read on.

Bridge setup

For this example, we will assume the following scenario:

(add image here)

We want VPN clients to connect and behave as if they were physically on the Ethernet network, including using IP addresses from the 192.168.111.0/24 range, just like the stations on the LAN.
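The bridge setup for this scenario on a Linux gateway, as an added example that is not part of the wiki page or of OpenVPN's own scripts. It uses iproute2 and the real OpenVPN options --mktun/--dev and server-bridge; everything else is an assumption made for the example: eth0 is the LAN NIC, tap0 the OpenVPN tap device, br0 the bridge, 192.168.111.1/24 the gateway's own address (the page only gives the /24), 192.168.111.254 the LAN's default router, and 192.168.111.200-220 the address pool handed to VPN clients.

```shell
#!/bin/sh
# Added example, not from the OpenVPN wiki: build the bridge for the scenario
# above on a Linux gateway with iproute2, and emit the matching bridged-mode
# server config. Assumed names and addresses: eth0 = LAN NIC, tap0 = OpenVPN
# tap device, br0 = bridge, 192.168.111.1/24 = gateway address,
# 192.168.111.254 = LAN default router, 192.168.111.200-220 = client pool.

# Print, without executing, the command sequence that makes ETH and TAP ports
# of bridge BR and moves the gateway's IP address from ETH onto the bridge.
# Printing first lets the sequence be reviewed; "| sh -e" applies it.
bridge_commands() {
    br=$1; eth=$2; tap=$3; addr=$4; gw=$5
    cat <<EOF
openvpn --mktun --dev $tap
ip link set $tap promisc on
ip link add name $br type bridge
ip link set $eth master $br
ip link set $tap master $br
ip addr flush dev $eth
ip addr add $addr dev $br
ip link set $eth up
ip link set $tap up
ip link set $br up
ip route replace default via $gw dev $br
EOF
}

# Print the server.conf lines specific to bridged mode: a tap device and a
# server-bridge directive. Its arguments are the gateway IP, the netmask and
# the pool of client addresses; the pool must lie outside the LAN's DHCP scope
# so that a VPN client and a LAN host never end up with the same address.
server_bridge_config() {
    tap=$1; gw_ip=$2; mask=$3; pool_start=$4; pool_end=$5
    cat <<EOF
dev $tap
server-bridge $gw_ip $mask $pool_start $pool_end
# ca, cert, key, dh, proto, port ... exactly as for a routed server
EOF
}

# Usage: sh bridge-start.sh            -> print the plan and the config lines
#        sudo sh bridge-start.sh apply -> execute the plan (do this from the
#        console: eth0 loses its address for a moment during the switch)
if [ "${1:-}" = apply ]; then
    bridge_commands br0 eth0 tap0 192.168.111.1/24 192.168.111.254 | sh -e
else
    bridge_commands br0 eth0 tap0 192.168.111.1/24 192.168.111.254
    printf '\n# server.conf fragment:\n'
    server_bridge_config tap0 192.168.111.1 255.255.255.0 192.168.111.200 192.168.111.220
fi
```

The `ip addr flush` step also removes the routes that pointed at eth0, which is why the default route is re-added on br0 as the last step. If you prefer that VPN clients take their addresses from the LAN's existing DHCP server instead of a pool, a bare `server-bridge` directive with no arguments puts OpenVPN in DHCP-proxy mode for exactly that purpose.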

The first step to achieve this goal is to create a special interface on the VPN gateway. This interface (also known as a bridge) is what connects, or bridges, together the "real" layer 2 domain (i.e. the LAN) and the layer 2 VPN. Basically a bridge like this can be thought of as a mini Ethernet switch internal to the OS,