OpenVPN Bridge

From ArchWiki
Jump to: navigation, search

This page describes how to create a network bridge on Arch Linux and host an OpenVPN server using a IP layer-2 based Ethernet bridge (TAP) rather than a IP layer-3 based IP tunnel (TUN). The general OpenVPN page describes setting up PAM authentication or OpenSSL security certificates in more detail.


The OpenVPN documentation pages give a full overview of server-side and client-side options that OpenVPN supports. It is easier to set up OpenVPN in tunneling mode and control routing the traffic and it is generally advised to do so if it serves your purpose. However, some applications, such as Windows file sharing or Samba, rely on network broadcasts at the Ethernet level and benefit from believing they are physically located on the same subnet, and software bridging serves this purpose.


The first thing you want to do is install OpenVPN, the Linux bridging utilities and netcfg.

pacman -S openvpn bridge-utils netcfg


Earlier versions of guides for OpenVPN provided by the OpenVPN team or various Linux packagers give example scripts for constructing a bridge when starting OpenVPN and destroying it when shutting OpenVPN down.

However, this is a somewhat deprecated approach, since OpenVPN as of 2.1.1 defaults to not allowing itself to call external scripts or programs unless explicitly enabled to, for security reasons.

Also, constructing the bridge is relatively slow compared to all other parts of the network initialization process. (In fact, so slow that dhcpcd will time out before the bridge is ready. See #Troubleshooting.) Also, when restarting OpenVPN after configuration changes, there is no reason to rebuild a working bridge, interrupting all your other network applications. So, setting up a static bridge configuration as follows is the recommended method.

To create an OpenVPN bridge for your server, you are going to have to use netcfg and create two network profiles - one for the tap interface and one for the bridge.

Go to /etc/network.d/. Then copy the tuntap example file to the directory.

cd /etc/network.d/
cp examples/tuntap openvpn_tap

Now edit openvpn_tap to create a tap interface. It may look like this.


Do not configure the IP address here, this is going to be done for the bridge interface!

To create the bridge profile, copy the example file:

cp examples/bridge openvpn_bridge

Now edit openvpn_bridge. It may look like this:


For more information, for example how to use DHCP instead, check the netcfg article.

Now set the NETWORKS array in /etc/conf.d/netcfg (order is important!):

NETWORKS=(openvpn_tap openvpn_bridge)

Then add net-profiles to your DAEMONS array (net-profiles must be before openvpn!):

DAEMONS=(... net-profiles openvpn ...)


Q: Why does starting the network [FAIL] ?

A:This is probably because you are using DHCP on the bridge and setting up the bridge takes longer than dhcpcd is willing to wait. You can fix this by setting the FWD_DELAY parameter in your bridge network profile (openvpn_bridge). Start with a value of 5 and decrease it until it works.

More Resources

OpenVPN | General page on configuring OpenVPN, including setting up authentication methods.

Any additions, clarifications, reorganizations, feedback etc. etc. are more than appreciated.