OpenVPN Bridge Mode

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
Trinity
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 29, 2020 11:19 pm

OpenVPN Bridge Mode

Post by Trinity » Wed Sep 15, 2021 1:47 am

Welcome,

I would like to create a bridge mode on the OpenVPN AS server to connect to it with mikrotik.

I have such data to complete in my Mikrotik client:
https://imgur.com/a/o1USfmx

I tried to enable the bridge mode on the server myself, but immediately lost connection with my machine. I read about it and found out that I need to create a bridge. Only every time I create a bridge, it fails. I would like some tips on how to configure it.

I want my OpenVPN AS server to serve as a server (bridge) and my mikrotik client to connect to this server.

I am using the version: openvpn-as-2.1.12-Ubuntu18.amd_64.deb

I tried according to these materials:
https://openvpn.net/vpn-server-resource ... ss-server/
https://www.slsmk.com/getting-started-w ... using-tap/
https://openvpn.net/community-resources ... ux-server/
https://openvpn.net/vpn-server-resource ... d-network/
and many others ...


Please help! I have been struggling with it for 2 weeks to no avail.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 288
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Bridge Mode

Post by openvpn_inc » Wed Sep 15, 2021 6:53 am

Hello Trinity,

Regarding mikrotik and OpenVPN Access Server, it is technically possible, but not recommended. The mikrotik implementation of OpenVPN is lacking some features. I would not recommend it. I would instead recommend to handle the VPN connection outside of the mikrotik router.

And using bridging, well, that's a feature in deprecation at the moment on Access Server. It's still in Access Server, hidden away, but it's not something we encourage to use. There are serious downsides to using Layer 2 bridging over a VPN. It is better to use the standard Layer 3 routing.

You're on a path that for the above two reasons is not advisable. But if you insist, then see this forum post regarding mikrotik, and this document regarding Layer 2 bridging mode in Access Server:
viewtopic.php?f=24&t=31939&p=98150
https://openvpn.net/vpn-server-resource ... 2-bridging

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Trinity
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 29, 2020 11:19 pm

Re: OpenVPN Bridge Mode

Post by Trinity » Wed Sep 15, 2021 5:40 pm

openvpn_inc wrote:
Wed Sep 15, 2021 6:53 am
Hello Trinity,

Regarding mikrotik and OpenVPN Access Server, it is technically possible, but not recommended. The mikrotik implementation of OpenVPN is lacking some features. I would not recommend it. I would instead recommend to handle the VPN connection outside of the mikrotik router.

And using bridging, well, that's a feature in deprecation at the moment on Access Server. It's still in Access Server, hidden away, but it's not something we encourage to use. There are serious downsides to using Layer 2 bridging over a VPN. It is better to use the standard Layer 3 routing.

You're on a path that for the above two reasons is not advisable. But if you insist, then see this forum post regarding mikrotik, and this document regarding Layer 2 bridging mode in Access Server:
viewtopic.php?f=24&t=31939&p=98150
https://openvpn.net/vpn-server-resource ... 2-bridging

Kind regards,
Johan
I want to bridge the OVH dedicated server to my machine in my server room.

I want to combine it with OpenVPN AS + Mikrotik (as a router to my ProxMox VMs).

As a result, I want to use OVH's IP addresses in my server room (proxmox server).

Can I do it on layer 3? Because I thought that only I can on layer 2.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 288
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Bridge Mode

Post by openvpn_inc » Wed Sep 15, 2021 6:47 pm

Hello Trinity,

You say you want to use OVH's IP addresses in your server room. You can achieve something like it with Layer 3. You can do port forwarding using the DMZ function in Access Server, to forward incoming traffic on VPN server-side IP addresses to specific VPN clients. Outgoing traffic from VPN clients going through the VPN server go through the primary IP of the VPN server. Maybe that's enough for you.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Trinity
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 29, 2020 11:19 pm

Re: OpenVPN Bridge Mode

Post by Trinity » Thu Sep 16, 2021 1:24 am

openvpn_inc wrote:
Wed Sep 15, 2021 6:47 pm
Hello Trinity,

You say you want to use OVH's IP addresses in your server room. You can achieve something like it with Layer 3. You can do port forwarding using the DMZ function in Access Server, to forward incoming traffic on VPN server-side IP addresses to specific VPN clients. Outgoing traffic from VPN clients going through the VPN server go through the primary IP of the VPN server. Maybe that's enough for you.

Kind regards,
Johan
I do this redirect already on my machines (iptables).

But I want to connect about 10 IP addresses from OVH to openvpn as server.. Then I redirect it somehow so that 1 IP address was for one VM (Proxmox). I don't want to install openvpn client on every VM. I want the address assignment to be in front of the VM. That's why I wanted to use mikrotik as a router for these VMs.

I am counting on further help.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 288
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Bridge Mode

Post by openvpn_inc » Thu Sep 16, 2021 2:24 pm

Hello Trinity,

I have some experience with OVH's network. I have doubts it can be made to work that way. The difficulty lies in OVH's mapping IP addresses to specific MAC addresses. And I doubt they appreciate or allow you running a system with promiscuous mode or MAC address spoofing. I believe though you can still have the IP addresses all on your OVH instance running the Access Server, and then port forward from each of those IP addresses to the individual OpenVPN clients.

If this is not sufficient I suggest you take a look at a solution such as ExtraIP, which wraps a public IPv4 subnet in a GRE tunnel and you can pick that up with a mikrotik router. I use this. It lets me have additional public IPv4 addresses on my home network, assignable directly to any of my systems here.

I'm afraid I cannot help you any further on this use case. Good luck.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply