OpenVPN Site-to-Site ethernet-bridge between linux routers DHCP conflicts

I have two routers - one running Tomato and the other OpenWRT (21.02.0-rc3). Both routers serve as the gateway to a local LAN/WLAN network and host an isolated VLAN network which are bridged by OpenVPN. The bridged network allows LAN video streaming from an Amazon Recast (server side) to a remote FireTV (Client side) so that I can watch OTA TV at the second location.

Location A
br-lan 192.168.0.1 (local)
br-lan2 192.168.2.1 (bridged), 255.255.255.0, 192.168.2.100 - 192.168.2.199
OpenVPN Server local 192.168.2.1, 255.255.255.0, 192.168.2.220 - 192.168.2.229

Location B
br-lan3 192.168.3.1 (local)
br-lan4 192.168.2.200 (bridged) 255.255.255.0, 192.168.2.230 - 192.168.2.254
OpenVPN Client TAP bridged with br-lan4

Now the only way I have been able to get this to work is by having the br-lan2 and br-lan4 use the same IP subdomains, which seems to lead to DHCP conflicts, inconsistently pulling internet traffic from location B to location A or location A to location B, which is quite frustrating. Really I just want a split VPN tunneling such that only local network resources are pulled through the tunnel and internet browsing goes out through each local gateway.

I think the solution is for br-lan2 and br-lan4 and Tap0 interface to have separate IP subdomains (ie br-lan4 192.168.4.1 and Tap0 10.8.0.1). But once I separate them, I can't get the devices on the server side and the devices on the client side to talk to each other. I thought this was what TAP was supposed to manage? My skill level is novice, and I have no formal network training.

Any hints or recommendations? I suspect there is a problem in my server OpenVPN configuration, but I may not have my interfaces set up right.

Server OpenVPN config

config openvpn 'ServerVPN'
        option keepalive '10 60'
        option fast_io '1'
        option status '/var/run/openvpn.status 5'
        option mute '20'
        option mode 'server'
        option port '1194'
        option dev_type 'tap'
        option persist_tun '1'
        option persist_key '1'
        option ifconfig_pool_persist '/etc/openvpn/ipp.txt 600'
        option client_to_client '1'
        option auth 'SHA256'
        option cipher 'AES-256-CBC'
        option tls_server '1'
        option tls_version_min '1.2'
        option key_direction '0'
        option tls_auth '/etc/openvpn/ta.key'
        option ca '/etc/openvpn/ca.crt'
        option dh '/etc/openvpn/dh.pem'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option server_bridge '192.168.2.1 255.255.255.0 192.168.2.220 192.168.2.229'
        option link_mtu '1585'
        option verb '3'
        option dev 'tap0'
        option enabled '1'
        list push 'dhcp-option DNS 192.168.2.1'
        option proto 'udp'
        option local '192.168.2.1'

Network (Note Tap0 does not have a unique interface, should it?)

config device
        option type 'bridge'
        option name 'br-lan2'
        option igmp_snooping '1'
        list ports 'lan4'
        list ports 'tap0'

config interface 'VPNServNet'
        option proto 'static'
        option device 'br-lan2'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ipaddr '192.168.2.1'

The client side is on Tomato and does not have an easily copied configuration, but does not have the "redirect internet" checked.

I think your br-lan2 and br-lan4 are not routing between each other because your subnet mask for both makes them think they are within the same network. Try changing your br-lan4 to a different network address, such as 192.168.4.0. The routers will recognize distinct networks and will do routing between them. I think the OpenWrt needs a tap device as well, configured as a physical device to an interface and on the lan side of your firewall. I have no experience with openvpn, but I did accomplish the same thing with zerotier one.


Thanks for responding. I'll have to give it a shot soon. At present the shared 192.168.2.0 IP address works in the sense the FireTV and Recast can communicate, it just intermittently has DHCP conflicts and pulls all internet traffic from the client to the server through the VPN. When I tried to separate br-lan4 to 192.168.168.4.1 it wouldn't allow communication between the Recast and FireTV, but I didn't have a separate TAP interface configured.

In your configuration did you additionally specify the network IP for the OpenVPN connection (10.8.0.1)? Do you recommend configuring the TAP device with a static IP on br-lan2 (i.e. 192.168.2.2)?

I think the tap device should have the openvpn ip (10.8.0.1) in the interface, then bridged to br-lan2. Sorry but I have no experience with openvpn. Just did something similar with zerotier one. I set up 2 other locations to be able to access my Plex server at home. Had to do it through VPN because all our ISPs use CGNAT.

Perhaps you should try the VPN in routed mode.
This should solve DHCP conflicts and you can access services in both LANs by IP.

Another option is to disable dynamic DHCP and use only static leases.
You can also filter DHCP traffic over the VPN to limit the service scope.
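A worked example of the routed-mode layout this reply suggests, added here and not taken from the thread: the OpenWrt server-side UCI config, the per-client ccd file and the network interface for the tunnel. The tunnel subnet 10.8.0.0/24 follows the 10.8.0.1 mentioned earlier in the thread, the Location B LAN 192.168.4.0/24 follows the first reply's suggestion, and the client certificate common name 'locationB' is assumed.

```uci
# /etc/config/openvpn (server, Location A) -- added example, not the thread's own config.
# Replaces the tap bridge with a routed tun tunnel: each site keeps its own subnet
# and its own DHCP server, so the two DHCP servers never see each other.
config openvpn 'ServerVPN'
        option enabled '1'
        option mode 'server'
        option dev_type 'tun'
        option dev 'tun0'
        option proto 'udp'
        option port '1194'
        option topology 'subnet'
        # tunnel addresses: the server takes 10.8.0.1, clients get 10.8.0.2 and up
        option server '10.8.0.0 255.255.255.0'
        # kernel route on the server for Location B's LAN (assumed 192.168.4.0/24)
        list route '192.168.4.0 255.255.255.0'
        # the client learns that Location A's LAN is reachable through the tunnel;
        # no 'redirect-gateway' is pushed, so each site's internet traffic stays local
        list push 'route 192.168.2.0 255.255.255.0'
        # per-client files that map a certificate CN to the LAN behind it (iroute below)
        option client_config_dir '/etc/openvpn/ccd'
        option keepalive '10 60'
        option persist_tun '1'
        option persist_key '1'
        option auth 'SHA256'
        option cipher 'AES-256-CBC'
        option tls_server '1'
        option tls_version_min '1.2'
        option key_direction '0'
        option tls_auth '/etc/openvpn/ta.key'
        option ca '/etc/openvpn/ca.crt'
        option dh '/etc/openvpn/dh.pem'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option verb '3'

# /etc/openvpn/ccd/locationB (plain OpenVPN syntax; file name = client cert CN, assumed).
# 'iroute' tells OpenVPN which client session owns 192.168.4.0/24, so the kernel
# route above is delivered into the right tunnel. The file contains one line:
#   iroute 192.168.4.0 255.255.255.0

# /etc/config/network (server): give tun0 an interface so it can be placed in a firewall zone
config interface 'vpn'
        option proto 'none'
        option device 'tun0'
```

The 'vpn' interface still needs a firewall zone that forwards to and from lan on both routers; without it the routes exist but packets are dropped. Routed mode does not carry broadcast or multicast discovery (mDNS/SSDP) between the two LANs, which is why the reply above says services are reached by IP.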