Option to setup in Bridge Mode

[bitcoinissue]

Hello,

First, this script is incredible. So simple, straight forward, and works right out of the box. Thank you so much!

I had a question though, I've been attempting to get OpenVPN running in bridge mode, so when I connect to the VPN I can see the bonjour information of all the machines on my LAN. I have a bunch of network shares, a SAN, and a bunch of machines, all Mac based, that would be nice to see populated on a finder level when other people VPN into our network.

I've been kind of following these guides, attempting to make them work. I've gotten pretty far, able to get the bridge up and running, but sometimes the Raspberry Pi locks up completely when I start the OpenVPN service, or I get Handshake errors and no internet connectivity. I can't seem to get through the last few feet of actually making it work

https://www.aaflalo.me/2015/01/openvpn-with-tls-in-bridged-mode/
http://www.wedebugyou.com/2013/01/how-to-use-bonjour-over-vpn/
http://www.server-world.info/en/note?os=CentOS_6&p=openvpn

Would it be possible to add this functionality into your script? It seems relatively straight forward, but I just can't seem to make it work with any of the other guides out there.

Thanks again, this project is amazing. So simple and works so well!

[bitcoinissue]

Just wanted to leave a reply with how I finally got the bridged OpenVPN server to work on the RPI

I followed this guide almost exactly : http://www.emaculation.com/doku.php/bridged_openvpn_server_setup

Only additional things I did was enable IPV4 Packet Fowarding in /etc/sysctl.conf
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

And added the following lines to my OpenVPN server conf
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

And it works!!

[chrisjenx]

A tap version would be awesome! Thanks for the great work!

[3cHeLoN]

@bitcoinissue could you post your server.conf file and systemctl scripts? I have a hard time figuring out which settings I should use from the link you provided and which settings in the old server.conf are essential for the way pivpn sets up openvpn.

[JurassicTommy]

I would love to see this implemented in the installer! Sure you can do it manually, but it feels so hacky and dirty.

[fyellin]

I'm going to echo @3cHeLoN's request. @bitcoinissue, please post your config files and scripts. I'd dearly love tap mode.

[fyellin]

I'm able to run OpenVPN on my tomato router, and it automatically creates the configuration files.

For the server's configuration file, the difference is:

tun:
server 255.255.255.0
dev tun21
push "route 255.255.255.0"
tap:
server-bridge 255.255.255.0
dev tap22

If for example, your device was 192.168.100.100, then
tun-address = 192.170.0.0
network-address = 192.168.100.0
this-ip-address = 192.168.100.100
dhcp-start, dhcp-end = 192.168.100.240 192.168.100.250 (or some range in your net)

The only difference between the client ovpn is "dev tap" vs "dev tun".

I'm not sure what network configuration need to be done, though.

[glonch]

Greetings all...

I really would like to set this up, but having a hard time following along (understand the high level concepts of VPN but bridging settings are throwing me for a loop). Is there a step by step rundown for PiVPN out there?

(Casting my vote for this to be added as a setup script feature too)

[0-kaladin]

It shouldn't be too difficult to add this to the install script. Just need time more than anything else. I'd guess a month or two. Depending on if I prioritize over the unattended install feature.

[glonch]

Totally understand! Excellent job!

[Sungray]

@bitcoinissue I've been trying to make this work all day, and I have, kinda.

The only issue is that when the pi starts, the eth0 interface gets the server IP, and the br0 gets another IP address apparently from dhcp, and nothing works. I also noticed br0 gets a different mac address than eth0.

Then if I stop and start the openvpn service, everything is suddenly looking good and everything works. br0 gets the IP address, eth0 doesn't have one, I can access the internet from the pi and open the vpn connexion. I guess this is an issue with the script not being able to remove the ip address from eth and attribute it to br at startup, but no idea why, especially since it works afterwards...

Any idea ?

[0-kaladin]

I have a need for this now. So in my free time (if such a thing truly exists) expect this done in short order.

[mjnks]

Will bridged mode as part of the install script be available soon? I have limited networking experience and would like to setup my VPN to allow access to my entire home network remotely. I attempted to get it working myself, but no luck.

[nemxwasp]

Agreed! Another vote for bridged mode! The pivpn installer is awesome and incredibly simple but I need to be able to operate in bridged mode. I tried a few of the guides I found to operate in bridged mode but am having no luck. I tried the emaculation guide provided by bitcoinissue but installed pivpn first then jumped to the section in the guide where it sets up bridged mode (not the whole guide). I trashed all network connectivity and had to reinstall my pi os lol! I am debating trying the entire emaculation guide but I love the simplicity of pivpn like being able to add and revoke clients but mostly how easy it is to install (In my quest for bridged mode I have reset my pi and reinstalled pivpn at least 12 times this week lol) Like others I need to be on my home subnet to access shares, printers, etc.. as well as use wake on lan broadcast to turn on my machines since I don't leave them on all the time. Thanks in advance!

[d0nlab]

+1 for bridged mode
Having access to all services on my network through VPN would be helpful

[scottd83]

Edited/removed my original comment: I misread that you guys were talking about using the tap rather then tun making my comment irrelevant!

[f-ben]

Ist there any news on this one?

[matej86]

I need the TAP mode too. Also a web based GUI would be a very nice feature so the server could be configurable from every device on the network

[mmarbut]

ok I got it up and running

I started by running pivpn setup then I ran through the tutorial here and made some changes to the script and the conf files.
http://www.emaculation.com/doku.php/bridged_openvpn_server_setup

This guide will use the following example private IP address numbering (adjust this to your numbering):

IP address for RP : 192.168.1. 3
Netmask: 255.255.255.0
Broadcast address: 192.168.1.255
Router's IP address: 192.168.1.1

We'll use the text editor “nano” to create a script called “openvpn-bridge” that performs the Ethernet bridging. Enter

nano /etc/openvpn/openvpn-bridge
Copy and paste the following script into that (empty) file.

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.3"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
eth_gateway="192.168.1.1"

case "$1" in
start)
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done

    sleep 10

    ifconfig $eth 0.0.0.0 promisc up

    sleep 5

    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    sleep 2

    route add default gw $eth_gateway
    ;;
stop)
    ifconfig $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    route add default gw $eth_gateway
    ;;
*)
    echo "Usage:  openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0

I made the script executable by entering

chmod 744 /etc/openvpn/openvpn-bridge

then I edited the server configuration file.

port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
duplicate-cn
remote-cert-tls client
server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

then i edited the openpn service

nano /lib/systemd/system/openvpn@.service

Copy these two lines:

ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

Paste the two lines at the bottom of the [Service] section so that its last three lines look like

WorkingDirectory=/etc/openvpn
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

I confirmed that /etc/sysctl.conf had net.ipv4.ip_forward = 1

and then rebooted

I edited the OVPN file I created following your tutorial so that dev was set to tap

dev tap

and tested everything

[afcdmc]

I also need to have the bridge option to have the option to use all my Bonjour services remotely!! I tried for a whole day to makes this work!! but couldn't connect at all!!! It Would be GREAT to have this option incorporated in the install script!! This is a Great Script but whit the option to be on the same network range remotely as my local network it would be a Lifesaver for me!!!
Keep up the great Work!! Hope to se an update or a tutorial on how to do it manually step by step using pipvpn as the starting point!!

[shusain93]

I'd actually recommend anyone who does this makes a tun-tap server. Duplicate your PIVPN config and rename your original to something like tun-server.conf and your new one to tap-server.conf. Set your tap server to a different port and configure it that way. Mobile devices don't support TAP so you need TUN.

[911pcdoc]

I also would like to see the tap / bridge option in the installer

[redfast00]

@0-kaladin: how about two OpenVPN config files that will each start a server on a different port, one with tun, one with tap? Or alternatively, prompt the user at the end of the script if they want to setup another server config?

[tim-west]

@0-kaladin: Great work on the script. It makes the whole process so easy! I'm excited to see you are working on this feature and I was just wondering how it was coming along and whether you had an idea of when it would be complete?

[tuf07378]

@mmarbut I followed your steps to do the same and got local access working but it appears that internet traffic is not being passed through as I can't access anything external when connected to the VPN. Did you have to configure anything else to establish internet access?

[mmarbut]

is your Pi able to get out to the internet? it sounds like ether an issue with DNS or firewall. did you do this push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
is your gateway correct?

if you are using windows try this in command prompt: ipconfig /all | findstr /R "DNS\ Servers"
also you can NSLOOKUP and type in the web address it might show you were you are getting hung up.
finally you are connecting from outside the network where the RP resides right?

[ayr-ton]

There's someone already working on a fork with this feature?

[redfast00]

There's nobody working on this, do you want to take a stab at it?

[ayr-ton]

@redfast00 Yep, I would like. I will see what I can do given my free time (:

[lars-sorensen]

I would really like this!

[amandamana]

I'm also looking forward to trying this when it supports tap.

[AlbioB]

Thanks @mmarbut I confirm it's working following your steps.

[911pcdoc]

any updates on tap / bridge mode?

[pokono]

+1

[tmladek]

+1

[JamesTX10]

Would love to see this built into the installer. Need a bridged TAP and a TUN server so I can get bridged support from my PC and TUN access from Android.

[ayr-ton]

So do you folks think is a good idea to spin up two different daemons? One for TAP and one for TUN? And ask about the ports and the possibility of running one or another or both during the installation?

[rgulden]

Hello! Just wondering, is creating a script to allow this still something in the works? Or does anyone have a good tutorial on how to enter bridge mode? Thanks!

[AlbioB]

@rgulden you can follow @mmarbut tutorial which works flawlessy!

[rgulden]

@AlbioB I tried to follow it with no success. Does it work with the newest versions of PIVPN, also, if you have successfully accomplished yourself, would you mind sharing your step by step? Thanks!

[tmladek]

@rgulden I can also attest to @mmarbut's tutorial, worked with the latest version of pivpn. My step by step would be identical to @mmarbut's.

Maybe try troubleshooting the issues you're having?

[rgulden]

@tmladek Hey thanks for the response! Maybe my issue is im using it on a Ubuntu VM instead of a PI. The interface is ens160 instead of eth0, but i did edit that in the script. Also, did you completely copy and paste his sample server.conf or did you just add the things he added? Thanks!

[ayr-ton]

Just for giving visibility, I have stopped working on the tap/tun feature. If someone wants to adopt this, feel free. o/

[larrybahr]

@rgulden did you ever get your issue resolved? I am using an Ubuntu VM as well and am getting the following error on a client when connecting to the server: "Sat Jul 07 12:07:37 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 07 12:07:37 2018 TLS Error: TLS handshake failed
"

Everything worked when it was using TUN, but after following @mmarbut steps the server will not accept clients. openvpn is running on the server with no errors as far as I can tell.

[rzolau]

Just curious if any progress has been made on this issue. Pivpn definitely deserves support for bridged mode. Awesome software btw!

[JamesTX10]

This broke for me yesterday after having been working for months. I was running two servers TUN and TAP. I wiped and started over. TUN working. Made the listed changes and added the TAP server config. Rebooted and could not connect to either server. Disabled the TUN server, rebooted and then I could connect to the TAP server fine but had no internet. Rebooted the Pi again and then could not connect to the TAP server at all.

[AlbioB]

@JamesTX10 Did you update something?

[JamesTX10]

Unattended updates were enabled during the initial setup so it is possible that something was updated. I rebuilt it again and it seems to be working fine now. Would really love to have the TAP Bridge option in the installer.

[xbxolivesupport]

How do I put my router in bridge mode? If you have an idea please share with me.

If you are using Belkin router and you face a problem with your router visit here

belkin router setup
I also solved my router issue with this site.

[AngiesBloke]

I've used PiVPN for a couple of years with mobile devices, I'm delighted with it. In the last few weeks I have tried a dozen times to build the bridge (TAP) configuration, on 'Raspbian Stretch Lite (2018-06-27)' starting from a working PiVPN (TUN). I have used Rasp Pi Model B, Rasp Pi 2 Model B and Rasp Pi 3 Model B. Poor results with all. In case there might be a significant difference between Raspbian releases I have also tried Raspbian Jessie Lite (2017-04-10) and had the same results.

After completing the TAP build (as per examples here and elsewhere) I manage to connect from a Windows 10 machine but not to be able to see any other LAN devices, nor with any access the Internet. Then after restarting the OpenVPN service or rebooting the Rasp Pi I am no longer able to reconnect at all, no longer able to reach the Rasp Pi with SSH. That leads to a whole new rebuild each time, then the same sort of outcome again.

There are many guides out there, I have tried plenty, but always with the same (or very similar) results. Sometimes I have been able to connect a few times, but generally the whole TAP configuration is pretty unstable for me.

There just doesn't seem to be a build that works easily or consistently. Is that the general opinion?

A scripted installer for TAP would be fantastic. The TUN script is very straightforward and works first time, every time.

[larrybahr]

@AngiesBloke I have had the same experience. I'm able to connect but no Internet or LAN access. Having this automated would be awesome

[ddorato]

@mmarbut How do I set up the config to only route traffic to the specific host rather then all the traffic (aka Split Tunnel)

[FelixSeidel]

@rgulden did you ever get your issue resolved? I am using an Ubuntu VM as well and am getting the following error on a client when connecting to the server: "Sat Jul 07 12:07:37 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 07 12:07:37 2018 TLS Error: TLS handshake failed
"

Everything worked when it was using TUN, but after following @mmarbut steps the server will not accept clients. openvpn is running on the server with no errors as far as I can tell.

Unfortunately I get exactly the same error ... has anyone already found a solution for this?