jump to navigation

OpenVPN Bridge Public IP LAN February 23, 2010

Posted by hasnain110 in Uncategorized.


Last week I spent alot of time to implement bridge mode configuration on openvpn and my company required me to configuire the OpenVPN in TAP mode. Well I spent alot of time reading it and it took me almost a week to implement a one hour job. So I’m just sharing it here so that you guys dont need to spend the same amount of time 🙂 Hope it will be usefull.

Before I start I would like to mention the scenario to help you understand the requirements.


My office is in Cairo and the OpenVPN server is located in USA and the core objective is that some of the Cairo office PCs should be able to use USA Public IP ( Cairo office laptop should get USA Public IP and should be able to communicate with USA office other resources behind the VPN Server as local LAN) ==> I will not be explaining about the usage of VPN as im assuming that people reading this will already have the idea of it

Site A = Cairo

Local LAN =

My laptop IP =

Site B = USA

Local LAN = 196.202.104.X ( at USA we have a pool of 14 internet IPs )

VPN Server IP =

IPs to be leased from VPN to Sita A  =

Note: All the above IP’s are just example they do not belone to USA in real

Configuration on Site B VPN Server

Step 1: First Install OpenVPN server if you dont have it already installed please run this command.

yum install openvpn

Step 2: once the VPN is install you need to install the bridge utillities to enable the server work in bridge mode. To                            install please run this command.

yum install bridge-utils

Step 3:  Install the webmin for the configuration of Firewall if you are not too good in playing with ip-tables this will help

yum install webmin

Step 4: Once the all of the above required softwares are installed please create a file name bridge-openvpn

a. vi bridge-openvpn

b. please paste this script inside the file and save it and dont forget to change the parameters in RED with your configuration of course 🙂



# Set up Ethernet bridge on Linux
# Requires: bridge-utils

# Define Bridge Interface

# Define list of TAP interfaces to be bridged,
# for example tap=”tap0 tap1 tap2″.

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.


case “$1” in
for t in $tap; do
openvpn –mktun –dev $t

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
brctl addif $br $t

for t in $tap; do
ifconfig $t promisc up

ifconfig $eth promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $gw
ifconfig $br down
brctl delbr $br

for t in $tap; do
openvpn –rmtun –dev $t
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $gw
echo “usage openvpn-bridge {start|stop}”

exit 1
exit 0


Step 5: we will start the the bridge script

./bridge-openvpn start

Step 6: Once the bridge is start you should see and interface br0 by doing ifconfig command

br0       Link encap:Ethernet  HWaddr 00:40:05:39:D1:BC

inet addr:X.X.X.X  Bcast:X.X.X.255  Mask:

inet6 addr: fe80::240:5ff:fe39:d1bc/64 Scope:Link


RX packets:906246 errors:0 dropped:0 overruns:0 frame:0

TX packets:157958 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:501272593 (478.0 MiB)  TX bytes:17342157 (16.5 MiB)

Step 7: Now goto /etc/openvpn and your server.conf should look like this

port 1195

proto udp

dev tap0

ca keys/server/ca.crt

cert keys/server/server.crt

key keys/server/server.key

dh keys/server/dh1024.pem


crl-verify keys/server/crl.pem

cipher none

user nobody

group adm

status servers/changeme/logs/openvpn-status.log

log-append servers/changeme/logs/openvpn.log

verb 2

mute 20

max-clients 100

keepalive 10 120




push “dhcp-option DNS”

management 20518


this is a working file you can change the parameters as per your requirements

Step 8: Your client.ovpn should look like this


proto udp

dev tap

ca ca.crt

dh dh1024.pem

cert client.crt

key client.key

remote 1195

cipher none

verb 2

mute 20

keepalive 10 120




resolv-retry infinite




Note: You can change any parameter that you see is required or un-necessary. I made it in dirty manner

Step 9: Once the above files are saved and closed you should now start the openvpn on the server

Service openvpn start

Once started if you do the ifconfig on the machine you should see this interface

tap0      Link encap:Ethernet  HWaddr E2:85:38:12:79:BB

inet6 addr: fe80::e085:38ff:fe12:79bb/64 Scope:Link


RX packets:15211 errors:0 dropped:0 overruns:0 frame:0

TX packets:1305266 errors:0 dropped:4532 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:2142903 (2.0 MiB)  TX bytes:374471424 (357.1 MiB)

Step 10: Now as we installed above Webmin in step 3 we will actually use it here now. For those who are not familier with webmin please read it . please do the following steps

a)      Access webmin on your browser https://ip of the vpn server:10000

b)      Enter the username root and the root password

c)       Click on WEBMIN è WEBMIN CONFIGURATIon è Webmin Modules

d)      Select the option Third party module from and click SELECT

e)      From the list of software select Turtle Firewall and the click on INSTALL MODULE

f)        Once installed goto NETWORKING è TURTLEFIREWALL

Here are some screen shots of how my firewall rules look like. You can make your own


NAT, Masquerading and Redirection

Firewall Rules

I know these rules are pretty dump but this is just to give you an Idea as for my task security was not any concern. But do change the rules for your deal

Now after making all these rules please start the TURTLEFIREWALL service and your are done. Note you can start or stop the same service from console as well. Service name is turtlefirewall

Step 11:  Now here comes the Site A configuration ( Site where we will be using the Public IP’s from the USA) In my working scenario the network was very plan. There was one DSL connected to a switch and all rest of the PC and laptop connected to the same switch. My laptop having three interface

  1. Physical NIC
  2. Wireless NIC è Disabled
  3. Virtual TAP Adaptor installed by OpenVPN

In this step before I connect the VPN on my laptop I will have to perform a small exercise to prepare a BRIDGE connection between my working INTERFACE and Virtual Interface

Note: Before you make bridge make sure that your working interface is not set the Obtain IP Automatically otherwise internet will stop working

Step 12: Once Bridge is done you should see this

Step 13: Now before you connect its recommended to enable IP Forwarding on your windows do google to see howto do it and then connect your openvpn client on your laptop/pc and you should get one of the public ip defined in server’s server.conf

Step 13:  Last step is once the vpn is connected on your laptop/PC and you are able to go to internet put the other available USA public  IP on other system which need the public IP but remmebmer the GATEWAY of that machine should be the GATEWAY IP address of the SERVER located in USA

I hope this document is pretty details still if you face any problem add me over msn daredevilz1@hotmail.com

If you like this post please take a sec and do comment



1. Lora Ireland - March 6, 2010

Thanks for this post, answers a bunch of questions I was having.

2. Joshua T - May 5, 2010

When I start the Client always I get this message COuld you please provide a good configuration that avoids that kind of message????

Tue May 4 23:02:11 2010 WARNING: –remote address [] conflicts with –ifconfig subnet [,] — local and remote addresses cannot be inside of the –ifconfig subnet. (silence this warning with –ifconfig-nowarn)

3. Jani Ali - July 5, 2010


thanks for the post can you help me in the below secinario of mine little same like you ,

I have a VPS in USA installed vpn on it and then I clonected with one client in china , my client vps is using all traffic from usa IP of vps

what I want is to connect my ip phone and some other devices at client side so all of their traffic should route from USA vps .

Please help me in this

hasnain110 - July 6, 2010

Hello, Your question is still not clear to me , please explain me the exact scenario, between by VPS do you mean virtual private server or VoipSwitch ?

4. Jani Ali - July 6, 2010

I have on Virtual Private Server in USA with 2 public IP address as you know some of the countries don’t allow VOIP but if we make this VPS as VPN server and use devices like IP phone in client side
how we can do that so all the client side traffic go from USA public ip address hope you got it now

hasnain110 - July 6, 2010

I would not recommend you to put the VPN server on the same VPS server. the recommended scenario is to put the VPN server separate from the VoIP switch.

Secondly if you get another server for the VPN then you must get addional public IP’s on that server so that you can further distribute them to the originating locations.

Last but not the least I have already given the server and client side configuration on the blog to get it done. Let me know if you require further information.

Jani Ali - July 6, 2010

Dear ,

I need to configuration for client and server side both ,

as I am only able to connect with one client I want I should connect one client and then all the LAN of client side on the same subnet
please help

hasnain110 - July 8, 2010

Well …sorry but im too occupied these days..I already mentioned the complete configuration already . if you want me to deploy i can deploy the vpn for you but of-course it will charge you some money

Jani Ali - July 30, 2010

Dear Please let me know how much you will charge
I have a VPN and I can give you access to that so you can configure on that .

here is the configuration you need to do – default gateway – inside Clnt tunnel IP – netmask – additional 4 Usable IPs – broadcast IP

above are the client side requirments please let me know the amount and how should I pay ?

5. Janiali - July 24, 2010

Dear Please let me know how much you will charge
I have a VPN and I can give you access to that so you can configure on that .

here is the configuration you need to do – default gateway – inside Clnt tunnel IP – netmask – additional 4 Usable IPs – broadcast IP

above are the client side requirments please let me know the amount and how should I pay ?

hasnain110 - July 31, 2010


Please add me on msn daredevilz1@hotmail.com

I need to know exactly your requirement first before I tell you the charges

6. Adul Ghani - November 13, 2010

I want to use openvpn with public ips at client end, below is the complete details with my conf files

LAN1 AS Local are connect: PRIMARY IP (IT IS A PUBLIC IP)


port 11940
proto udp
mssfix 1400
dev tap

ca ca.crt
cert server1.crt
key server1.key
dh dh1024.pem

ifconfig-pool-persist ipp.txt
push “redirect-gateway def1”
keepalive 10 120
cipher BF-CBC
max-clients 2
status openvpn-status.log
verb 4
#+++++++++END SERVER1.OVPN

When I Starts Ovpn then below tap connection was created
Local Area Connection 1: with IP ( It is also publically accessible

Now at client end on windows xp
I was created client1.ovpn on windows xp pc

dev tap
proto udp
remote 11940
route vpn_gateway 3
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher BF-CBC
verb 4
#++++++++++End client1.ovpn

Now I starts openvpn and sucussefully connected with the windows 2003 server in USA
now on my xp pc a tap connection was created with below details

Local area connection 1: with IP ( actually it was public ip but publically it is not
accessible (The main problme for me)

now both systems are successfully conected and data can also travel via vpn

Now i can access my server remotely via two IPs

1st is:
2nd is:

but my client having openvpn ip is only accessible from server not publically, why?
I don’t know, I was trying again and again but there is not any success. Can you help me is there any other settings in

Windows server to use public ips at client end.

I was also configure it in bridge mode as below

port 11941
proto udp
dev tap
ca ca.crt
cert server1.crt
key server1.key
dh dh1024.pem
push “route”

ifconfig-pool-persist ipp.txt
keepalive 10 120
status openvpn-status.log

verb 3

But at the every thing is OK just publically access problem is still there.

Please help, I am waiting for your kind reply.

7. Prasann Acharya - December 2, 2010

nice job man..

thanks for this

8. Ahmad - June 21, 2012

this is awsome brother, if this works for me I’ll give u a prize !

9. Trisha - June 7, 2013

I think this is among the most important info for me.
And i am glad reading your article. But want to remark on few general things, The
web site style is ideal, the articles is really excellent :
D. Good job, cheers

10. how to buy youtube views - July 22, 2013

I think this is among the most important information for
me. And i am glad reading your article. But wanna remark on some general things, The site style is ideal, the articles is really nice : D.

Good job, cheers

11. Raskin - November 2, 2013

WARNING: –remote address [] conflicts with –ifconfig subnet [,] — local and remote addresses cannot be inside of the –ifconfig subnet. (silence this warning with –ifconfig-nowarn) Getting this error while connecting and also cannot ping gateway or outside though openvpn assigns ip to client laptop and default route is being configured to top to bottom as per your suggessions.
Can you please help.

12. resqme - January 30, 2014

I do agree with all the concepts you’ve offered in your
post. They are really convincing and will certainly work.
Nonetheless, the posts are very quick for novices.

Could you please prolong them a bit from subsequent time?
Thanks for the post.

13. Areeb - August 3, 2017

Do you have information on how to make this work with a Linux client as opposed to the Windows example?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: