# How can I properly boot with OpenVPN in a bridged setup?



## mariourk (Dec 5, 2012)

I have been running an OpenVPN server for some time now, on Linux. I want to move this to a new FreeBSD server. I have always used a bridged setup for OpenVPN, where the OpenVPN tap interface and the physical network interface are joined together in a bridge. The bridge is given all the proper network configuration, like an IP address.

I have OpenVPN up and running and I have worked out how to put it in a bridged setup. However, when I reboot the server, everything is a mess! I patched together a small script that I have to run after the reboot to make it all work. This is obviously not how I want to implement this.

Does someone know how I can configure FreeBSD to make this all work properly?

/etc/rc.conf:

```
hostname="openvpn.somedomain.com"

openvpn_enable="YES"
openvpn_if="tap"

cloned_interfaces="bridge0"
ifconfig_bridge0="addm msk0 addm tap0 up"
ifconfig_msk0="up"
ifconfig_tap0="up"
ifconfig_bridge0=" inet xxx.xxx.xxx.xxx netmask 255.255.255.0"
defaultrouter="xxx.xxx.xxx.xxx"

sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
```

Small script to make it work again:

```
ifconfig bridge0 addm msk0 addm tap0 up
ifconfig msk0 up
ifconfig tap0 up
ifconfig bridge0 inet 192.168.1.70 netmask 255.255.255.0
route add default 192.168.1.1
```


----------



## kpa (Dec 5, 2012)

Add tap0 to cloned_interfaces, that should create it automatically on boot. I recommend that you move your bridge creation to an openvpn up-script so it's only created when the openvpn service is started. There should also be a down-script that tears down the bridge when the openvpn service is shut down.


----------



## mamalos (Dec 5, 2012)

I think that if you just add your tap0 interface on your cloned_interfaces directive, you'll have no problem.

@kpa: sorry man, your answer arrived when I was already editing mine.


----------



## mariourk (Dec 5, 2012)

Unfortunately, adding tap0 to cloned_interfaces doesn't make any difference.

How exactly should I implement the creation of the bridge to the OpenVPN start script? I looked at /usr/local/etc/rc.d/openvpn and it doesn't make much sense to me. Those scripts are not really my cup of tea... :\


----------



## kpa (Dec 5, 2012)

In your openvpn.conf:


```
...
up up.sh
down down.sh
...
```


These scripts go to /usr/local/etc/openvpn

up.sh would be something like:


```
#!/bin/sh
# ${dev} is set by openvpn to the name of the tap interface (tap0 here)
ifconfig bridge0 create
ifconfig bridge0 addm msk0
ifconfig bridge0 addm ${dev}
ifconfig bridge0 up

# Possible firewall rules for pf/ipfw here
```

Not sure about the exact order and if you first have to bring up the bridge before adding members, but you should get the idea. Note the ${dev} variable; openvpn fills in tap0 there for you.

I personally gave up on this type of bridging. I don't have anything that relies on broadcasts, and having a different subnet on the VPN isn't that cumbersome after all. Also, IPv6 neighbour discovery breaks on this type of bridge.


----------



## mariourk (Dec 5, 2012)

That fixed the problem of booting properly. Unfortunately it doesn't work that well when stopping OpenVPN. But that is not really a problem, I don't intend to shut down OpenVPN manually. Well... maybe in case of an update. And if that happens, I can restart this server without causing too much trouble. So, for now I'm happy.

Thanks! :beergrin


----------



## kpa (Dec 5, 2012)

I left out the matching down.sh that should tear down the bridge in reverse order and also undo any other configuration the up.sh did.


----------
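The up.sh sketched in kpa's earlier reply and the down.sh mentioned in the last post can be written as one hook script, which is what the added example below does. It is not code from this thread or from the OpenVPN project. It relies on two things OpenVPN really does when it runs a hook: it exports `dev` (the tap interface name) and `script_type` (`up` or `down`) into the environment, and it refuses to run external scripts unless openvpn.conf contains `script-security 2`. The interface names, the address 192.168.1.70/24 and the gateway 192.168.1.1 are taken from the thread; the file name bridge-hook.sh, the `DRY_RUN` switch and the helper function names are this example's own assumptions. The down path deliberately removes only the tap member rather than reversing every step: in this setup the bridge carries the server's only address, so destroying it on `down` would cut the box off the network, which is the "doesn't work that well when stopping OpenVPN" symptom above.

```shell
#!/bin/sh
# bridge-hook.sh: one OpenVPN hook used for both "up" and "down".
# Added example for this thread, not code from the thread or from OpenVPN.
# openvpn.conf (assumed location /usr/local/etc/openvpn):
#   script-security 2
#   up   /usr/local/etc/openvpn/bridge-hook.sh
#   down /usr/local/etc/openvpn/bridge-hook.sh
# OpenVPN exports dev (e.g. tap0) and script_type ("up"/"down") to the hook.

BRIDGE="${BRIDGE:-bridge0}"               # names/addresses from the thread;
LAN_IF="${LAN_IF:-msk0}"                  # override via environment if needed
BRIDGE_ADDR="${BRIDGE_ADDR:-192.168.1.70}"
BRIDGE_MASK="${BRIDGE_MASK:-255.255.255.0}"
GATEWAY="${GATEWAY:-192.168.1.1}"
DRY_RUN="${DRY_RUN:-0}"                   # DRY_RUN=1: print commands, do not run

# Emit one command per line, in execution order, for bringing the bridge up.
# Bridge creation, member additions and the default route are guarded so the
# hook is safe to run on every OpenVPN (re)start, not only on the first boot.
bridge_up_cmds() {
    tap="$1"
    printf '%s\n' \
        "ifconfig $BRIDGE >/dev/null 2>&1 || ifconfig $BRIDGE create" \
        "ifconfig $LAN_IF up" \
        "ifconfig $tap up" \
        "ifconfig $BRIDGE | grep -q 'member: $LAN_IF ' || ifconfig $BRIDGE addm $LAN_IF" \
        "ifconfig $BRIDGE | grep -q 'member: $tap ' || ifconfig $BRIDGE addm $tap" \
        "ifconfig $BRIDGE inet $BRIDGE_ADDR netmask $BRIDGE_MASK up" \
        "route -n get default >/dev/null 2>&1 || route add default $GATEWAY"
}

# Emit the commands that undo only the tap-specific part of the up hook.
# The bridge, its address and the LAN member stay so the host remains
# reachable while OpenVPN is stopped (design choice of this example).
bridge_down_cmds() {
    tap="$1"
    printf '%s\n' \
        "ifconfig $BRIDGE deletem $tap" \
        "ifconfig $tap down"
}

# Run (or with DRY_RUN=1 print) each command line from stdin. The first
# failure aborts with a non-zero status, which OpenVPN treats as a failed
# hook, so a half-configured bridge is reported instead of silently ignored.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '+ %s\n' "$cmd"
        else
            sh -c "$cmd" || { echo "bridge-hook: failed: $cmd" >&2; return 1; }
        fi
    done
}

# Dispatch only when invoked by OpenVPN, which sets script_type and dev.
case "${script_type:-}" in
    up)   bridge_up_cmds "${dev:?dev not set by OpenVPN}"   | run_cmds ;;
    down) bridge_down_cmds "${dev:?dev not set by OpenVPN}" | run_cmds ;;
esac
```

Before wiring it into openvpn.conf, `script_type=up dev=tap0 DRY_RUN=1 sh bridge-hook.sh` prints the exact ifconfig and route commands the hook would run on that host, which is the easiest way to review them. The tap interface itself still comes from `cloned_interfaces="tap0"` in rc.conf; the hook only joins it to the bridge. kpa's remark about firewall rules applies unchanged: once tap0 is a bridge member, VPN clients sit on the same L2 segment as msk0, so pf/ipfw rules on the bridge or on tap0 are what limit what they can reach.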

