Posts: 1
Joined: Tue May 21, 2019 11:53 pm

Question: VPN LAN Switch- How to Bridge Tun0 and eth1 [External adapter]

Wed May 22, 2019 12:22 am

Hello All,

I have a RPi3 running an openvpn client via the Rpi3 ethernet(eth0) port and notice Tun0 being created in interface as connections are established. I was successful in routing vpn traffic to a Wifi hotspot i created.

However now I would like to know how to route the VPN traffic to a external Ethernet(eth1) I attached. So,

Internet Gateway --> RPi3's eth0 iface -->OpenVPN (tun0) --> Rpi3's externel ethernet adapter eth1.

Gateway is
eth0 (static)

I am trying to re-purpose a few old devices for streaming and monitor and if I directly run OpenVPN there, I experience performance issues. Previously I used the RPi3 as VPN gateway and that worked. Now i would like to learn more to see if I could use the RPI3 to encrypt and route the encrypted traffic to eth1. I have read topics on Bridge-utils, iptables, route and later a little on layers tun and eth are of different layer and cannot be bridged.

I felt it was something to do with IPtables and I tried the following.

Code: Select all

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
But still unsuccessful. Any advice will be much appreciated. Thank you

Posts: 2981
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Question: VPN LAN Switch- How to Bridge Tun0 and eth1 [External adapter]

Wed May 22, 2019 11:32 am

To reply to the question in your title:
- You can't bridge a tun device, it is not designed for that. You can bridge a tap device. You can route either device types.
- OpenVPN cannot use tun at one tunnel end and tap at the other. The device type used at both ends must be consistent.

In general:
Routing differentially on a single network (e.g. according to the interface, aka linux policy-based routing, is complicated even before Ovpn enters the dance. If you want a routed tunnel, use 2 different networks, eth0 attached to one and eth1 attached to the other.

If you setup a bridged tunnel, what you do is extend the reach of one network over the tunnel.
Imagine a 2-floor building, with one concentrating switch at each floor and every machine on that floor connected to it. A router and DHCP server is at the 1st floor, 1st floor machines are happily served via their switch. Machines on the 2nd floor are useless.
Now connect the 2 switches together with an ethernet cable, and the 2nd floor machines also get served an IP address and the Internet, by going through both switches.
In a bridged tunnel, the bridge devices (br0) within the machines at each tunnel end (running openvpn) are the switches. The encrypted tunnel is the long ethernet cable between them (tap0 on both sides, usually)

If in fact each floor was running its own network independently before the interconnection, you need to merge the 2 networks (shutdown DHCP/router on one floor) or split the hosts in 2 groups (1st floor + some hosts 2nd floor, 2nd floor independent) or 3 groups (1st floor independent, 2nd floor independent, global). To do this you would basically add dedicated switches and connect machines as needed.
To split hosts in the case of a bridged tunnel, you would use an anonymous bridge, i.e. a bridge device br0 without IP address. The host that runs an anonymous bridge is part of its own network, say via eth0, and is oblivious to the traffic going through br0 (thanks to the tunnel daemon); Machines reaching into br0, say via eth1, are completely unaware of the host, they only see their own network (with some hosts seemingly slow to respond: those on the other side of the tunnel).
Such media-independent networks can happen to use the same IP network. Machines don't get confused as they see a single network at a time, but roaming users might...

"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

Return to “Networking and servers”