Specific LAN port over VPN to specific VLAN at another location

My final solution should look like something on this diagramm:

Left and right side are at remote location. Both sides have OpenWrt 18.06.5. On the left I have more powerful router and was able to install Softether server on it. On the right I have TP-Link with less RAM and my option was to have OpenVPN over there. VLAN1 on both sides will not see each other. They connect to the internet through local WAN. VLAN3 should be the same subnet with one main DHCP and machines should see each other like they are in the same physical network.

Left side appears to be working. I can connect to VLAN3 over VPN with my smartphone and my phone gets IP from DHCP in VLAN3. Also, I can see that my external IP is the same as others in VLAN3.

OpenWRT router on the right appears to be establishing a OpenVPN tunnel to the SoftEther at the left. I can see that in Softether management console that session is up and running. Logs appear to be also indicating succesful tunnel.

But, I am unable to bridge this VPN to specific ports on the router so that machines on the right at VLAN3 segment would get IP from the same DHCP as other VLAN3 members. I suspect that problem is somewhere on switch, firewall or interface settings on the right side router.Any advice would e really appreciated.

OpenVPNs "tap" mode must be used for this scenario since you want DHCP and other broadcasts to pass through the VPN. This must be configured on both ends.

In the client OpenWrt, first configure the switch. You need to add a VLAN, making it untagged on one of the Ethernet ports and tagged to the CPU. Remove the Ethernet port from the other existing VLANs.

Next set up a kernel bridge interface with protocol None (Unmanaged, because the server side will assign IPs) and add eth0.3 (or 1.3 depending on your hardware) to it. This bridge would also hold OpenVPN's tunnel.

So anything from the PC on the special port would go to eth0.3 then to your new network (named vlan3 for example) then to OpenVPN then over to the server.

Note that you don't have to use the same VLAN number on both sides. The packets going through the VPN tunnel are untagged.

1 Like

Thanks @mk24 for your reply! I have already set OpenVPN dev_type to "tap". My VPN interface physical setting is set to "tap0" as I found from some forums. I also have VLANs set up the way you described. Confusing part is interface configuration. I am not sure if I correctly understood "kernel bridge" part. Is that something different from regular bridge? Let me show you my configuration and maybe this will help to identify where the problem lies:

Physical settings for interface called vpn. You can see that I have bridged together eth0.3 which is untagged to routers 4th physical port and tap0 which should be VPN connection. Notice on interfaces that there are some data under TX, bot no data coming back (RX). It appeast that the connection is up, but no data is being moved. I tried to assign all Firewall zones to this VPN interface, but that did not help. Only that when I assigned lan zone to VPN interface, then internet stopped working for other clients that are sitting on LAN interface.
I paste here my networks configuration file from OpenWRD device. Maybe it helps to identify the problem.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fdbc:d3f1:2ed6::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'd4:6e:0e:d0:37:2c'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'd4:6e:0e:d0:37:2d'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 1'

config interface 'vpn'
        option proto 'none'
        option _orig_ifname 'tap0'
        option _orig_bridge 'false'
        option auto '1'
        option delegate '0'
        option type 'bridge'
        option ifname 'eth0.3 tap0'

A br-xxx interface is a software bridge in the kernel. You don't need a firewall zone here since it is a level 2 bridge.

When OpenVPN completes the link, it should create the tap0 interface. I don't see a tap0. Check the system log for problems with OpenVPN itself.