Creating AP for OpenVPN TAP Client Interface

Allow me to set the scene.

I have a home network which is handled by an Asus router, which is running an OpenVPN TAP server.

I am away from home, and I am currently attempting to set up OpenWRT on an RPi to connect to my TAP server at home. OpenWRT would then create an Access Point. Any device connecting to this access point would be sent through the OpenVPN TAP interface. Hence, connecting to the OpenWRT AP will be as if I'm connecting directly to my home network.

Here is where I'm currently at with this setup on the OpenWRT side.

I have an OpenVPN instance enabled and successfully connected to my home network. I have a network interface, OPENVPN_TAP0, connected to the tap0 device.

I have also created an AP. For this AP, I have set the Network field to the OPENVPN_TAP0 interface.

This does not work. (I haven't touched firewall rules). Devices that connect to the OpenWRT AP do not get a local IPv4 address, or IPv4 DNS servers. Devices connected to this network also cannot access the internet.

This is my first time attempting to set up OpenWRT, so I'm a little lost on this at the moment. Let me know if posting any logs/config files/LuCI screenshots would help. Any help or suggestions would be appreciated 🙂

bump

Any ideas would be appreciated.

If at all possible you should find a way to bridge the tap0 and wlanX interfaces. The method depends on the OpenWrt software version.

First make some tests using brctl

brctl addbr br-test
brctl addif br-test tap0
brctl addif br-test wlan0 #Replace wlan0 with the correct wlan interface
ifconfig br-test up
brctl show br-test

Yes you need to make a bridge:
In /etc/config/network (version 21):

config device
    option name 'br-vpntap'
    option type bridge
    list ports 'tap0'

# The interface name is the UCI section name, not an 'option name'
config interface 'vpntap'
    option device 'br-vpntap'
    option proto 'none'

Then use vpntap as the AP's network in /etc/config/wireless.

Why tap and not tun? Tun is much more efficient because it eliminates L2 “noise” such as broadcast and mdns traffic (this is because tun is an L3 process). You can route to your LAN and access almost all of the resources the same way.

Exceptions would be devices that rely on mdns or other L2 connections between the system you are using and what you are trying to connect/control (chromecast, appletv, sonos come to mind). Here, TAP will work best. But it comes at the expense of a potentially not insignificant amount of additional data flowing through the OpenVPN connection, which likely will make the connection slower overall and increase the consumed bandwidth on both sides of the connection.

This worked!

My mistake was not creating a dedicated interface for the AP, and attempting to set the AP's network directly to OPENVPN_TAP0, which didn't work.

So I created a dedicated interface for the AP.

I initially tried @pavelgl's suggestion to bridge the interfaces, which worked. This wasn't persistent after a reboot (only realised afterwards that this was intended to be a temporary bridge).

I then tried this solution, and it works as intended. It's persistent, and OpenWRT is now working exactly as intended.

Thanks everyone for the help 🙂
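
A check for the bridge membership discussed in this thread, as an added example that is not part of any post above: it reads sysfs to confirm that the tap device and the AP's wireless interface are both ports of the same bridge, for instance after a reboot. The function names and the SYSFS_NET override are assumptions; br-vpntap, tap0 and wlan0 are the names used in the thread.

```shell
#!/bin/sh
# Added example: verify that the VPN tap device and the AP's wireless
# interface are ports of the same Linux bridge, by reading sysfs.
# SYSFS_NET is overridable so the check can be run against a constructed
# directory tree (an assumption of this example, not an OpenWrt setting).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# is_bridge_port BRIDGE PORT -> exit 0 if PORT is enslaved to BRIDGE.
# The kernel exposes every port as an entry under <bridge>/brif/.
is_bridge_port() {
    [ -e "$SYSFS_NET/$1/brif/$2" ] || [ -L "$SYSFS_NET/$1/brif/$2" ]
}

# list_bridge_ports BRIDGE -> port names on one line, space separated.
list_bridge_ports() {
    ports=""
    for p in "$SYSFS_NET/$1/brif"/*; do
        [ -e "$p" ] || [ -L "$p" ] || continue   # empty brif: glob stays literal
        ports="${ports:+$ports }${p##*/}"
    done
    printf '%s\n' "$ports"
}

# check_tap_ap_bridge BRIDGE TAP WLAN
# Exit 0 only if both interfaces are ports of BRIDGE, 1 if a port is
# missing, 2 if BRIDGE does not exist. Prints one line per problem found.
check_tap_ap_bridge() {
    bridge=$1 tap=$2 wlan=$3 rc=0
    if [ ! -d "$SYSFS_NET/$bridge/brif" ]; then
        echo "FAIL: $bridge does not exist or is not a bridge"
        return 2
    fi
    for port in "$tap" "$wlan"; do
        if ! is_bridge_port "$bridge" "$port"; then
            echo "FAIL: $port is not a port of $bridge"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $bridge ports: $(list_bridge_ports "$bridge")"
    return "$rc"
}

# Usage on the router: check_tap_ap_bridge br-vpntap tap0 wlan0
```

A wireless interface that is missing from the bridge means AP clients never reach the DHCP server on the far side of the tunnel, which matches the "no IPv4 address" symptom in the first post.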
