Option to setup in Bridge Mode #45

Open · bitcoinissue opened this issue Jun 8, 2016 · 70 comments

Comments

@bitcoinissue commented Jun 8, 2016

Hello,

First, this script is incredible. So simple, straightforward, and works right out of the box. Thank you so much!

I had a question though. I've been attempting to get OpenVPN running in bridge mode, so that when I connect to the VPN I can see the Bonjour information of all the machines on my LAN. I have a bunch of network shares, a SAN, and a bunch of machines, all Mac based, that would be nice to see populated at the Finder level when other people VPN into our network.

I've been kind of following these guides, attempting to make them work. I've gotten pretty far, able to get the bridge up and running, but sometimes the Raspberry Pi locks up completely when I start the OpenVPN service, or I get handshake errors and no internet connectivity. I can't seem to get through the last few feet of actually making it work.

https://www.aaflalo.me/2015/01/openvpn-with-tls-in-bridged-mode/
http://www.wedebugyou.com/2013/01/how-to-use-bonjour-over-vpn/
http://www.server-world.info/en/note?os=CentOS_6&p=openvpn

Would it be possible to add this functionality into your script? It seems relatively straightforward, but I just can't seem to make it work with any of the other guides out there.

Thanks again, this project is amazing. So simple and works so well!

@bitcoinissue (Author) commented Jul 27, 2016

Just wanted to leave a reply with how I finally got the bridged OpenVPN server to work on the RPi.

I followed this guide almost exactly: http://www.emaculation.com/doku.php/bridged_openvpn_server_setup

The only additional thing I did was enable IPv4 packet forwarding in /etc/sysctl.conf
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

and add the following lines to my OpenVPN server conf:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

And it works!!

@chrisjenx commented Aug 2, 2016

A tap version would be awesome! Thanks for the great work!

@3cHeLoN commented Sep 25, 2016

@bitcoinissue could you post your server.conf file and systemctl scripts? I have a hard time figuring out which settings I should use from the link you provided and which settings in the old server.conf are essential for the way pivpn sets up openvpn.

@redfast00 redfast00 mentioned this issue Oct 9, 2016
@PylsaPylsa commented Oct 23, 2016

I would love to see this implemented in the installer! Sure you can do it manually, but it feels so hacky and dirty.

@fyellin commented Dec 14, 2016

I'm going to echo @3cHeLoN's request. @bitcoinissue, please post your config files and scripts. I'd dearly love tap mode.

@0-kaladin 0-kaladin self-assigned this Dec 15, 2016
@fyellin commented Dec 15, 2016

I'm able to run OpenVPN on my Tomato router, and it automatically creates the configuration files.

For the server's configuration file, the difference is:

tun:
server <tun-address> 255.255.255.0
dev tun21
push "route <network-address> 255.255.255.0"

tap:
server-bridge <this-ip-address> 255.255.255.0 <dhcp-start> <dhcp-end>
dev tap22

If, for example, your device was 192.168.100.100, then
tun-address = 192.170.0.0
network-address = 192.168.100.0
this-ip-address = 192.168.100.100
dhcp-start, dhcp-end = 192.168.100.240 192.168.100.250 (or some range in your net)

The only difference between the client ovpn files is "dev tap" vs "dev tun".

I'm not sure what network configuration needs to be done, though.

@glonch commented Dec 27, 2016

Greetings all...

I really would like to set this up, but I'm having a hard time following along (I understand the high-level concepts of VPN, but bridging settings are throwing me for a loop). Is there a step-by-step rundown for PiVPN out there?

(Casting my vote for this to be added as a setup script feature too)

@0-kaladin (Member) commented Dec 27, 2016

It shouldn't be too difficult to add this to the install script. Just need time more than anything else. I'd guess a month or two, depending on whether I prioritize it over the unattended install feature.

@glonch commented Dec 27, 2016

Totally understand! Excellent job!

@Sungray commented Jan 11, 2017

@bitcoinissue I've been trying to make this work all day, and I have, kinda.

The only issue is that when the Pi starts, the eth0 interface gets the server IP, and br0 gets another IP address, apparently from DHCP, and nothing works. I also noticed br0 gets a different MAC address than eth0.

Then if I stop and start the openvpn service, everything is suddenly looking good and everything works: br0 gets the IP address, eth0 doesn't have one, I can access the internet from the Pi and open the VPN connection. I guess this is an issue with the script not being able to remove the IP address from eth0 and assign it to br0 at startup, but no idea why, especially since it works afterwards...

Any idea?

@0-kaladin (Member) commented Feb 8, 2017

I have a need for this now. So in my free time (if such a thing truly exists) expect this done in short order.

@mjnks commented Feb 26, 2017

Will bridged mode as part of the install script be available soon? I have limited networking experience and would like to setup my VPN to allow access to my entire home network remotely. I attempted to get it working myself, but no luck.

@nemxwasp commented Mar 13, 2017

Agreed! Another vote for bridged mode! The pivpn installer is awesome and incredibly simple but I need to be able to operate in bridged mode. I tried a few of the guides I found to operate in bridged mode but am having no luck. I tried the emaculation guide provided by bitcoinissue but installed pivpn first then jumped to the section in the guide where it sets up bridged mode (not the whole guide). I trashed all network connectivity and had to reinstall my pi os lol! I am debating trying the entire emaculation guide but I love the simplicity of pivpn like being able to add and revoke clients but mostly how easy it is to install (In my quest for bridged mode I have reset my pi and reinstalled pivpn at least 12 times this week lol) Like others I need to be on my home subnet to access shares, printers, etc.. as well as use wake on lan broadcast to turn on my machines since I don't leave them on all the time. Thanks in advance!

@d0nlab commented Mar 14, 2017

+1 for bridged mode
Having access to all services on my network through VPN would be helpful

@scottd83 commented Mar 21, 2017

Edited/removed my original comment: I misread that you guys were talking about using tap rather than tun, making my comment irrelevant!

@f-ben commented Apr 5, 2017

Is there any news on this one?

@matej86 commented Apr 6, 2017

I need the TAP mode too. Also a web based GUI would be a very nice feature so the server could be configurable from every device on the network

@mmarbut commented May 16, 2017

OK, I got it up and running.

I started by running the PiVPN setup, then I ran through the tutorial here and made some changes to the script and the conf files.
http://www.emaculation.com/doku.php/bridged_openvpn_server_setup

This guide will use the following example private IP address numbering (adjust this to your numbering):

IP address for RPi: 192.168.1.3
Netmask: 255.255.255.0
Broadcast address: 192.168.1.255
Router's IP address: 192.168.1.1

We'll use the text editor "nano" to create a script called "openvpn-bridge" that performs the Ethernet bridging. Enter

nano /etc/openvpn/openvpn-bridge

Copy and paste the following script into that (empty) file.

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.3"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
eth_gateway="192.168.1.1"

case "$1" in
start)
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done

    sleep 10

    ifconfig $eth 0.0.0.0 promisc up

    sleep 5

    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    sleep 2

    route add default gw $eth_gateway
    ;;
stop)
    ifconfig $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    route add default gw $eth_gateway
    ;;
*)
    echo "Usage:  openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0

I made the script executable by entering

chmod 744 /etc/openvpn/openvpn-bridge

then I edited the server configuration file.

port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
duplicate-cn
remote-cert-tls client
server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

Then I edited the OpenVPN service:

nano /lib/systemd/system/openvpn@.service

Copy these two lines:

ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

Paste the two lines at the bottom of the [Service] section so that its last three lines look like

WorkingDirectory=/etc/openvpn
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

I confirmed that /etc/sysctl.conf had net.ipv4.ip_forward = 1

and then rebooted.

I edited the OVPN file I created following your tutorial so that dev was set to tap:

dev tap

and tested everything.

@afcdmc commented May 28, 2017

I also need the bridge option, to be able to use all my Bonjour services remotely!! I tried for a whole day to make this work!! but couldn't connect at all!!! It would be GREAT to have this option incorporated in the install script!! This is a great script, but with the option to be on the same network range remotely as my local network it would be a lifesaver for me!!!
Keep up the great work!! Hope to see an update or a tutorial on how to do it manually step by step using PiVPN as the starting point!!

@ezhes commented May 30, 2017

I'd actually recommend anyone who does this makes a tun-tap server. Duplicate your PIVPN config and rename your original to something like tun-server.conf and your new one to tap-server.conf. Set your tap server to a different port and configure it that way. Mobile devices don't support TAP so you need TUN.

@911pcdoc commented Jun 1, 2017

I also would like to see the tap / bridge option in the installer

@redfast00 (Contributor) commented Jun 1, 2017

@0-kaladin: how about two OpenVPN config files that will each start a server on a different port, one with tun, one with tap? Or alternatively, prompt the user at the end of the script if they want to set up another server config?

@tim-west commented Jun 23, 2017

@0-kaladin: Great work on the script. It makes the whole process so easy! I'm excited to see you are working on this feature and I was just wondering how it was coming along and whether you had an idea of when it would be complete?

@tuf07378 commented Jun 23, 2017

@mmarbut I followed your steps to do the same and got local access working but it appears that internet traffic is not being passed through as I can't access anything external when connected to the VPN. Did you have to configure anything else to establish internet access?

@mmarbut commented Jun 24, 2017

Is your Pi able to get out to the internet? It sounds like either an issue with DNS or firewall. Did you do this:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
Is your gateway correct?

If you are using Windows, try this in a command prompt: ipconfig /all | findstr /R "DNS\ Servers"
Also you can run NSLOOKUP and type in the web address; it might show you where you are getting hung up.
Finally, you are connecting from outside the network where the RPi resides, right?

@rgulden commented Jun 12, 2018

@AlbioB I tried to follow it with no success. Does it work with the newest versions of PIVPN, also, if you have successfully accomplished yourself, would you mind sharing your step by step? Thanks!

@tmladek commented Jun 13, 2018

@rgulden I can also attest to @mmarbut's tutorial, worked with the latest version of pivpn. My step by step would be identical to @mmarbut's.

Maybe try troubleshooting the issues you're having?

@rgulden commented Jun 14, 2018

@tmladek Hey, thanks for the response! Maybe my issue is I'm using it on an Ubuntu VM instead of a Pi. The interface is ens160 instead of eth0, but I did edit that in the script. Also, did you completely copy and paste his sample server.conf or did you just add the things he added? Thanks!

@ayr-ton commented Jun 26, 2018

Just for giving visibility, I have stopped working on the tap/tun feature. If someone wants to adopt this, feel free. o/

@larrybahr commented Jul 7, 2018

@rgulden did you ever get your issue resolved? I am using an Ubuntu VM as well and am getting the following error on a client when connecting to the server:

Sat Jul 07 12:07:37 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 07 12:07:37 2018 TLS Error: TLS handshake failed

Everything worked when it was using TUN, but after following @mmarbut's steps the server will not accept clients. openvpn is running on the server with no errors as far as I can tell.

@rzolau commented Aug 3, 2018

Just curious if any progress has been made on this issue. Pivpn definitely deserves support for bridged mode. Awesome software btw!

@JamesTX10 commented Aug 8, 2018

This broke for me yesterday after having been working for months. I was running two servers TUN and TAP. I wiped and started over. TUN working. Made the listed changes and added the TAP server config. Rebooted and could not connect to either server. Disabled the TUN server, rebooted and then I could connect to the TAP server fine but had no internet. Rebooted the Pi again and then could not connect to the TAP server at all.

@AlbioB commented Aug 8, 2018

@JamesTX10 Did you update something?

@JamesTX10 commented Aug 8, 2018

Unattended updates were enabled during the initial setup so it is possible that something was updated. I rebuilt it again and it seems to be working fine now. Would really love to have the TAP Bridge option in the installer.

@xbxolivesupport commented Aug 28, 2018

How do I put my router in bridge mode? If you have an idea, please share with me.

If you are using a Belkin router and you face a problem with your router, visit here:

belkin router setup
I also solved my router issue with this site.

@AngiesBloke commented Sep 6, 2018

I've used PiVPN for a couple of years with mobile devices; I'm delighted with it. In the last few weeks I have tried a dozen times to build the bridge (TAP) configuration, on 'Raspbian Stretch Lite (2018-06-27)', starting from a working PiVPN (TUN). I have used Rasp Pi Model B, Rasp Pi 2 Model B and Rasp Pi 3 Model B. Poor results with all. In case there might be a significant difference between Raspbian releases, I have also tried Raspbian Jessie Lite (2017-04-10) and had the same results.

After completing the TAP build (as per examples here and elsewhere) I manage to connect from a Windows 10 machine, but am not able to see any other LAN devices, nor have any access to the Internet. Then after restarting the OpenVPN service or rebooting the Rasp Pi I am no longer able to reconnect at all, and no longer able to reach the Rasp Pi with SSH. That leads to a whole new rebuild each time, then the same sort of outcome again.

There are many guides out there, I have tried plenty, but always with the same (or very similar) results. Sometimes I have been able to connect a few times, but generally the whole TAP configuration is pretty unstable for me.

There just doesn't seem to be a build that works easily or consistently. Is that the general opinion?

A scripted installer for TAP would be fantastic. The TUN script is very straightforward and works first time, every time.

@larrybahr commented Sep 7, 2018

@AngiesBloke I have had the same experience. I'm able to connect but no Internet or LAN access. Having this automated would be awesome

@ddorato commented Sep 11, 2018

@mmarbut How do I set up the config to only route traffic to the specific host rather than all the traffic (aka split tunnel)?

@FelixSeidel commented Nov 20, 2018

> @rgulden did you ever get your issue resolved? I am using an Ubuntu VM as well and am getting the following error on a client when connecting to the server:
> Sat Jul 07 12:07:37 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Sat Jul 07 12:07:37 2018 TLS Error: TLS handshake failed
>
> Everything worked when it was using TUN, but after following @mmarbut's steps the server will not accept clients. openvpn is running on the server with no errors as far as I can tell.

Unfortunately I get exactly the same error ... has anyone already found a solution for this?

@Soporific1 commented Feb 1, 2019

Not sure if this will help anyone but if you are trying to connect two identical networks i.e., 192.168.1.0/24 (local) and 192.168.1.0/24 (remote) you are going to run into trouble setting up a bridge-TAP. It is possible to do, but from my experience it was more trouble than it is worth.

Try changing either the local or remote network to anything else and it should come together fairly easily and all the odd windows network services will start working properly, etc.

@AngiesBloke commented Jun 10, 2019

I decided to give bridging (TAP) another shot; glad to say it's now working for me. I'm beginning to think that the RPi I was using for Pi-Hole, TUN and TAP servers was just not up to all three tasks at once. Either that, or I had some bad config set up to make them all work together. I separated the 3 applications onto 3 individual RPis and rebuilt the TAP server from scratch.

Sadly I've not much time for a deep dive into the do's and don'ts, but I can confirm a working TAP server on an RPi 3 Model B+, a 32 GB SDHC card (SanDisk Ultra, Class 10) and Raspbian Stretch Lite (2019-04-08). This quad-core RPi may have been overkill, so my next job was to build the same thing on a lesser model, an RPi Model B. All works perfectly. Here are my tips.

I used the build posted above by @mmarbut (16 May 2017), starting with PiVPN from http://www.pivpn.io/. I tailored the server config for my own network. Ensure you use the server ID generated by your base PiVPN build when you tailor /etc/openvpn/server.conf; this nugget is not explicitly stated in the original post from @mmarbut. Otherwise, big thanks to him (or her) for that guide.

The base PiVPN install generated server and client configs which did not include compression. I added the line comp-lzo to each config.

I updated the RPi's routing table, as explained at: https://www.comparitech.com/blog/vpn-privacy/raspberry-pi-vpn/

As Pi-Hole is in use on my network I set the DNS for the TAP VPN server to the LAN IP address of Pi-Hole, not a public DNS or my router's (ISP's) DNS.

I set port forwarding on my router to translate a couple of random ports to port 1194 on each of my RPi VPN servers. I set these in the VPN client configs accordingly. That way TAP incoming hits my TAP VPN server, TUN incoming hits my TUN VPN server.

My Windows 10 laptop can access all my home network resources (web GUIs and SMB/CIFS shares) from outside my network, and also break out onto the Internet. A simple 'What's my IP' proves it's working.

And of course, you're wasting your time if you try to access your home network from your home network. The LAN IP ranges simply must not be the same.

Your mileage may vary.
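Two address-plan collisions come up repeatedly in this thread: Soporific1 and AngiesBloke both point out that the client's own LAN must not use the same range as the bridged LAN, and the server-bridge pool (fyellin's "some range in your net", mmarbut's 192.168.1.51-61) must not overlap whatever the router's DHCP server hands out on that same segment. The Python below is an added example, not PiVPN project code, that checks a planned layout for both problems before anything is built. The bridged LAN and pool mirror mmarbut's config; the client LANs and the router DHCP scope are constructed values.

```python
"""Address-plan checks for a bridged (TAP) OpenVPN setup.

Added example for this thread, not PiVPN project code.  The bridged LAN and
the server-bridge pool mirror mmarbut's config (192.168.1.0/24, pool
192.168.1.51-192.168.1.61); the client-side LANs and the router DHCP scope
are constructed values.
"""
import ipaddress


def lans_collide(client_lan, remote_lan):
    """True when the client's own LAN overlaps the bridged LAN.

    The client then already has a directly connected route for those
    addresses, so traffic for the remote LAN never enters the tunnel.
    """
    return ipaddress.ip_network(client_lan).overlaps(ipaddress.ip_network(remote_lan))


def pool_conflicts(pool_start, pool_end, dhcp_start, dhcp_end):
    """True when the server-bridge pool overlaps the router's DHCP scope.

    OpenVPN and the router each allocate from their own range without
    consulting the other, so an overlap yields duplicate IPs on the segment.
    """
    p0, p1 = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    d0, d1 = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    return p0 <= d1 and d0 <= p1


def pick_unused_24(used_lans):
    """First 192.168.x.0/24 that overlaps none of the given networks (or None)."""
    used = [ipaddress.ip_network(n) for n in used_lans]
    for cand in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=24):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


def audit_plan(plan):
    """Return human-readable problems for a plan dict (empty list means OK)."""
    problems = []
    if lans_collide(plan["client_lan"], plan["remote_lan"]):
        problems.append(
            "client LAN %s overlaps the bridged LAN %s; renumber one of them (e.g. %s)"
            % (plan["client_lan"], plan["remote_lan"],
               pick_unused_24([plan["client_lan"], plan["remote_lan"]])))
    if pool_conflicts(*plan["pool"], *plan["dhcp_scope"]):
        problems.append("server-bridge pool %s-%s overlaps the router DHCP scope %s-%s"
                        % (*plan["pool"], *plan["dhcp_scope"]))
    return problems


# Constructed plans: the first is the "same subnet at both ends" trap from the
# thread plus a pool inside the router's scope, the second a corrected layout.
BAD_PLAN = {
    "client_lan": "192.168.1.0/24",
    "remote_lan": "192.168.1.0/24",
    "pool": ("192.168.1.51", "192.168.1.61"),
    "dhcp_scope": ("192.168.1.50", "192.168.1.150"),
}
GOOD_PLAN = {
    "client_lan": "192.168.7.0/24",
    "remote_lan": "192.168.1.0/24",
    "pool": ("192.168.1.51", "192.168.1.61"),
    "dhcp_scope": ("192.168.1.100", "192.168.1.200"),
}

if __name__ == "__main__":
    for name, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(name, audit_plan(plan) or "OK")
```

Run it as a script to see both plans audited; the client LAN is whatever the remote user's home or hotel network uses, which is why a less common third octet on the bridged side saves the most trouble.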

@AngiesBloke commented Jun 10, 2019

> @rgulden did you ever get your issue resolved? I am using an Ubuntu VM as well and am getting the following error on a client when connecting to the server:
> Sat Jul 07 12:07:37 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Sat Jul 07 12:07:37 2018 TLS Error: TLS handshake failed
>
> Everything worked when it was using TUN, but after following @mmarbut's steps the server will not accept clients. openvpn is running on the server with no errors as far as I can tell.
>
> Unfortunately I get exactly the same error ... has anyone already found a solution for this?

Check your router port forwarding. I've had the same error and found an error in my router config.

@pokono commented Jul 21, 2019

> I've used PiVPN for a couple of years with mobile devices; I'm delighted with it. In the last few weeks I have tried a dozen times to build the bridge (TAP) configuration, on 'Raspbian Stretch Lite (2018-06-27)', starting from a working PiVPN (TUN). I have used Rasp Pi Model B, Rasp Pi 2 Model B and Rasp Pi 3 Model B. Poor results with all. In case there might be a significant difference between Raspbian releases, I have also tried Raspbian Jessie Lite (2017-04-10) and had the same results.
>
> After completing the TAP build (as per examples here and elsewhere) I manage to connect from a Windows 10 machine, but am not able to see any other LAN devices, nor have any access to the Internet. Then after restarting the OpenVPN service or rebooting the Rasp Pi I am no longer able to reconnect at all, and no longer able to reach the Rasp Pi with SSH. That leads to a whole new rebuild each time, then the same sort of outcome again.
>
> There are many guides out there, I have tried plenty, but always with the same (or very similar) results. Sometimes I have been able to connect a few times, but generally the whole TAP configuration is pretty unstable for me.
>
> There just doesn't seem to be a build that works easily or consistently. Is that the general opinion?
>
> A scripted installer for TAP would be fantastic. The TUN script is very straightforward and works first time, every time.

I spent most of yesterday debugging this. As far as I can tell the issue is with the script that sets up the 'br0' bridge. It starts conflicting and it cuts SSH access because of the IP conflict. The bridge is supposed to run on the same IP as the main eth0 interface, but on the newer OS (I'm running Buster) it gets its own IP and it starts conflicting. Any idea where to start digging?

@AngiesBloke commented Jul 21, 2019

> > I've used PiVPN for a couple of years with mobile devices; I'm delighted with it. In the last few weeks I have tried a dozen times to build the bridge (TAP) configuration, on 'Raspbian Stretch Lite (2018-06-27)', starting from a working PiVPN (TUN). I have used Rasp Pi Model B, Rasp Pi 2 Model B and Rasp Pi 3 Model B. Poor results with all. In case there might be a significant difference between Raspbian releases, I have also tried Raspbian Jessie Lite (2017-04-10) and had the same results.
> > After completing the TAP build (as per examples here and elsewhere) I manage to connect from a Windows 10 machine, but am not able to see any other LAN devices, nor have any access to the Internet. Then after restarting the OpenVPN service or rebooting the Rasp Pi I am no longer able to reconnect at all, and no longer able to reach the Rasp Pi with SSH. That leads to a whole new rebuild each time, then the same sort of outcome again.
> > There are many guides out there, I have tried plenty, but always with the same (or very similar) results. Sometimes I have been able to connect a few times, but generally the whole TAP configuration is pretty unstable for me.
> > There just doesn't seem to be a build that works easily or consistently. Is that the general opinion?
> > A scripted installer for TAP would be fantastic. The TUN script is very straightforward and works first time, every time.
>
> I spent most of yesterday debugging this. As far as I can tell the issue is with the script that sets up the 'br0' bridge. It starts conflicting and it cuts SSH access because of the IP conflict. The bridge is supposed to run on the same IP as the main eth0 interface, but on the newer OS (I'm running Buster) it gets its own IP and it starts conflicting. Any idea where to start digging?

@AngiesBloke commented Jul 21, 2019

See my later post, dated 10 June 2019. All working fine for me now. No changes to the bridging script were needed.

@northian commented Aug 19, 2019

Alright, I got the PiVPN bridge working, but not with the bridge script listed above. I kept on trying but never got it working. So I patched together a new way of doing things via multiple tutorials, and the one listed above as well. Be warned: I've been learning this as I go, so this guide comes from about 3 weeks of messing around on the internet and searching for guides.

This was done on Raspbian Stretch Lite (2019-04-08); it should work on the newest Raspbian Buster, but I cannot confirm that it works there.

I started out with the standard PiVPN install.
curl -L https://install.pivpn.io | bash
I then edited the server config.
sudo nano /etc/openvpn/server.conf
This is my current server config; change it how you see fit. I copied over some stuff from our Windows OpenVPN server and for reasons unknown to me it worked, so I'm not going to question it.

dev tap0
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_TLD7eUSSOSjSclDz.crt
key /etc/openvpn/easy-rsa/pki/private/server_TLD7eUSSOSjSclDz.key
dh none
topology subnet
local 192.168.1.141
server-bridge
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
comp-lzo
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

Make sure, if you have a dh file, to put its location in the dh line of the config.

I then installed bridge-utils to help bridge this new connection.
sudo apt-get install bridge-utils

I followed this up by editing the /etc/network/interfaces
sudo nano /etc/network/interfaces
I made a static IP for the bridge connection. This is my file now.

# interfaces(5) file used by ifup(8) and ifdown(8)

# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo br0
iface lo inet loopback

# Set up interfaces manually, avoiding conflicts with, e.g., network manager
iface eth0 inet manual

iface tap0 inet manual

# Bridge setup
iface br0 inet static
    bridge_ports eth0 tap0
    address 192.168.1.141
    broadcast 192.168.1.255
    netmask 255.255.255.0
    gateway 192.168.1.1

After that there was only one more thing I had to do to get the bridge up and running. The connection will work until a reboot is done. The tap0 interface will stop working after a reboot; it will start again if you restart the openvpn service. But that gets annoying to do every time, so I made a script.
Make the script directory first with this command
sudo mkdir /etc/scripts

Then I created the file.
sudo nano /etc/scripts/ovpnstartup.sh
Then I put this into the script.
#!/bin/sh
sudo systemctl restart openvpn
sudo chmod +x /etc/scripts/ovpnstartup.sh   # rc.local must be able to execute the file

I then added the script to the rc.local file.
sudo nano /etc/rc.local
/etc/scripts/ovpnstartup.sh

You can go ahead and reboot now and the tap0 interface should always be running after reboot.

After you create a regular PiVPN profile make sure to edit the
dev tun
to
dev tap
I added comp-lzo to my server config so if you copied and pasted from mine make sure to add comp-lzo as well to your ovpn profile.

This should work, if it doesn't then I can check my configs and whatnot.
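mmarbut's config (16 May 2017) and northian's config above use `server-bridge` in its two forms: with an explicit gateway, netmask and pool, and with no parameters at all (OpenVPN's DHCP-proxy mode, where the LAN's DHCP server hands out the client addresses). Both are hand-edited copies of the PiVPN baseline, which is where hardening directives tend to get lost. The Python below is an added example, not PiVPN project code: it parses a server.conf and flags the bridge-specific mistakes (tun device, pool outside the bridged subnet, pool containing the server's own address, malformed `server-bridge`) and the hardening directives the PiVPN baseline provides. The sample configs inside are trimmed copies of the two posts plus one constructed broken config.

```python
"""Sanity checks for an OpenVPN server.conf written for TAP/bridge mode.

Added example for this thread, not PiVPN project code.  MMARBUT_CONF and
NORTHIAN_CONF are trimmed copies of the configs posted above; BROKEN_CONF is
constructed to show what the checks catch.
"""
import ipaddress
import shlex


def parse_conf(text):
    """Yield (directive, args) pairs; lines starting with '#' or ';' are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "dhcp-option DNS ..." as one argument
        yield parts[0], parts[1:]


def check_bridge_conf(text):
    """Return a list of (level, message) findings; level is 'ERROR' or 'WARN'."""
    entries = list(parse_conf(text))

    def args_of(name):
        return [a for d, a in entries if d == name]

    out = []
    dev = args_of("dev")
    if not dev or not dev[0] or not dev[0][0].startswith("tap"):
        out.append(("ERROR", "bridging needs 'dev tapN', found: %s"
                    % (" ".join(dev[0]) if dev else "nothing")))
    if args_of("server"):
        out.append(("ERROR", "'server' is the tun helper; a bridge uses 'server-bridge'"))

    sb = args_of("server-bridge")
    if not sb:
        out.append(("ERROR", "no 'server-bridge' directive"))
    elif sb[0] == []:
        # DHCP-proxy mode: the LAN's own DHCP server assigns client addresses
        out.append(("WARN", "'server-bridge' without parameters is DHCP-proxy mode: "
                            "clients must be able to run DHCP on their TAP adapter"))
    elif sb[0] == ["nogw"]:
        out.append(("WARN", "'server-bridge nogw': no route-gateway is pushed to clients"))
    elif len(sb[0]) == 4:
        gw, mask, start, end = sb[0]
        net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
        gw_ip = ipaddress.ip_address(gw)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            out.append(("ERROR", f"pool start {lo} is after pool end {hi}"))
        for label, ip in (("pool start", lo), ("pool end", hi)):
            if ip not in net:
                out.append(("ERROR", f"{label} {ip} lies outside the bridged subnet {net}"))
        if lo <= gw_ip <= hi:
            out.append(("ERROR", f"pool {lo}-{hi} contains the server address {gw_ip}"))
    else:
        out.append(("ERROR", "'server-bridge' takes 0, 1 ('nogw') or 4 arguments"))

    # Hardening the PiVPN baseline provides; a hand-edited config should keep it
    if not args_of("tls-auth") and not args_of("tls-crypt"):
        out.append(("WARN", "no tls-auth/tls-crypt: control channel accepts packets from anyone"))
    if not args_of("tls-version-min"):
        out.append(("WARN", "no tls-version-min: old TLS versions allowed"))
    if ["client"] not in args_of("remote-cert-tls"):
        out.append(("WARN", "no 'remote-cert-tls client': a server certificate is accepted as a client"))
    if not (args_of("user") and args_of("group")):
        out.append(("WARN", "daemon keeps root: add 'user nobody' and 'group nogroup'"))
    if args_of("comp-lzo") or args_of("compress"):
        out.append(("WARN", "compression enabled; OpenVPN deprecates it, keep it only if clients need it"))
    if args_of("duplicate-cn"):
        out.append(("WARN", "duplicate-cn: a shared certificate cannot be revoked for one device"))
    return out


def errors(findings):
    """Only the ERROR-level messages."""
    return [msg for level, msg in findings if level == "ERROR"]


MMARBUT_CONF = """\
dev tap0
duplicate-cn
remote-cert-tls client
server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
user nobody
group nogroup
comp-lzo
"""

NORTHIAN_CONF = """\
dev tap0
server-bridge
push "redirect-gateway def1"
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
user nobody
group nogroup
comp-lzo
#duplicate-cn
"""

# Constructed: tun device, pool on the wrong subnet, no hardening at all
BROKEN_CONF = """\
dev tun
server-bridge 192.168.1.3 255.255.255.0 192.168.2.51 192.168.2.61
"""

if __name__ == "__main__":
    for name, conf in (("mmarbut", MMARBUT_CONF), ("northian", NORTHIAN_CONF), ("broken", BROKEN_CONF)):
        print(name)
        for level, msg in check_bridge_conf(conf):
            print(f"  {level}: {msg}")
```

Point it at a real file with `check_bridge_conf(open("/etc/openvpn/server.conf").read())` before restarting the service; on both posted configs it reports only warnings (compression, and for mmarbut's config the shared-certificate `duplicate-cn`), while the constructed config fails on the device type and the pool range.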

@ThierryBegin commented Sep 11, 2019

I tried both scripts and none of them seem to work today. I'm able to connect but get assigned an IP 169.254.x.x each time... with Viscosity.
Using the OpenVPN client I get this error:
unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing

Any ideas?

@welljsjs commented Oct 23, 2019

This issue/feature request was created in June 2016.

Afaiaa, nothing has changed since.

Are there any plans? Will this feature be supported soon without having to modify the OpenVPN configuration files directly?

@0-kaladin @redfast00 (sorry to wake you up, but can we get a clear statement from you pls?)

@redfast00 (Contributor) commented Oct 23, 2019

Sorry to be blunt, but I explicitly said in the readme I am no longer supporting this software due to lack of time. I do however see that someone removed this notice, so it's not your fault you didn't read it.

@welljsjs commented Oct 24, 2019

This is sad to hear, however, thanks for the response.

@4s3ti (Member) commented Oct 24, 2019

@welljsjs, @redfast00 is not maintaining the project anymore and @0-kaladin has vanished; I have tried to reach him many times without success, so that makes me the only one driving this project.

To be completely honest with you ...

I am not at all prioritizing this, in favor of a lot of other tasks and bugs that come up.
I'd rather see PiVPN supporting WireGuard, which is way simpler and more modern, than spend time developing support for bridged mode. Maybe bridged mode can come with WireGuard? I don't have a clue, as I still have to dig a bit more into that ... @orazioedoardo, do you have any clue if bridged mode is possible and easier to implement with WireGuard?

This is a somewhat complex task for a couple of specific use cases, and it requires time to develop, test and maintain, and I don't have the time to do it myself.

The reason why this is still open is exactly because this is an open-source project and everyone is welcome to contribute to it, so ... do you wanna roll up your sleeves? Feel free to do it. I won't discard the PR if it comes; I'll test it, review it and merge it if it's OK.

@redfast00, hope all is well with you! I did remove it because I am actively maintaining it and sailing the boat, just. It's not his fault it's not there anymore, but it doesn't make sense to have it there either when the project is actually being actively maintained, with bug fixes and new features getting out frequently. But you know how people work ... 90% don't even read the issue template right in front of their eyes, so I don't really trust that most of them read the readme either ... @welljsjs should have investigated the status of the project and who is driving it before tagging you.

Kind regards,
4s3ti

@orazioedoardo (Member) commented Oct 24, 2019

@4s3ti Bridge mode is not available by design on WireGuard.

@welljsjs commented Oct 24, 2019

> The reason why this is still open is exactly because this is an opensource project and everyone is welcome to contribute to it so

Sure, I'm aware of that; that's why I was asking for a clear statement, because this issue seemed a little abandoned.

> should have investigated the status of the project and who is driving it before tagging you.

Might be. I just read the comments on this issue and found that redfast00 was (once) involved in the discussion. As he is still a member of the repo, I simply expected him to be the right person to talk to. Admittedly, I didn't have a look at the latest commits to see who's still contributing. However, I feel like we shouldn't start talking about this in this issue. I appreciate your reply though, @4s3ti.

> do you wanna roll up your sleeves? feel free to do it

I would if I could. Though at the time being, I don't really have enough knowledge about bridging. However, I'm happy to contribute if I manage to get it to work.
