diff --git a/nova/cloudpipe/bootscript.template b/nova/cloudpipe/bootscript.template
index 94dea3f8721..0fe38b79b82 100755
--- a/nova/cloudpipe/bootscript.template
+++ b/nova/cloudpipe/bootscript.template
@@ -24,6 +24,10 @@ export VPN_IP=`ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2
 export BROADCAST=`ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f3 | awk '{print $$1}'`
 export DHCP_MASK=`ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f4 | awk '{print $$1}'`
 export GATEWAY=`netstat -r | grep default | cut -d' ' -f10`
+# Need a higher valued MAC address than eth0, to prevent the TAP MAC address
+# from becoming the bridge MAC address. Since Essex eth0 MAC starts with
+# FA:16:3E, we'll thus generate a MAC starting with FA:17:3E to be higher than eth0.
+export RANDOM_TAP_MAC=`openssl rand -hex 8 | sed 's/\(..\)/\1:/g' | cut -b-8 | awk '{print "FA:17:3E:"$$1}'`
 
 DHCP_LOWER=`echo $$BROADCAST | awk -F. '{print $$1"."$$2"."$$3"." $$4 - ${num_vpn} }'`
 DHCP_UPPER=`echo $$BROADCAST | awk -F. '{print $$1"."$$2"."$$3"." $$4 - 1 }'`
@@ -47,5 +51,6 @@ sed -i -e s/max-clients\ 1/max-clients\ 10/g server.conf
 echo "push \"route ${dmz_net} ${dmz_mask} $$GATEWAY\"" >> server.conf
 echo "duplicate-cn" >> server.conf
 echo "crl-verify /etc/openvpn/crl.pem" >> server.conf
+echo "lladdr $$RANDOM_TAP_MAC" >> server.conf
 
 /etc/init.d/openvpn start