Bridging a vlan and OpenVPN tap on Debian

Solution 1:

"the most Debian-like means I've found" -- you need to look harder, possibly in the bridge-utils-interfaces(5) man page.

Bridging VLAN interfaces is trivial; you just put the VLAN interface in as a manual one (i.e. iface eth0.1 inet manual) and then add eth0.1 into the bridge_ports list.

A quick note on OpenVPN and its Ethernet mode -- don't.

Solution 2:

You can bring up your tuntap device together with the vlan interface and bridge afterwards:

  # The physical network port
  allow-hotplug eth0
  auto eth0
  iface eth0 inet manual

  # The interface used for the bridge
  auto vlan1
  iface vlan1 inet manual
        vlan_raw_device eth0
        pre-up ip tuntap add dev tap0 mode tap user openvpn-system-user
        pre-up ip link set tap0 up
        post-down ip link set tap0 down
        post-down ip tuntap del dev tap0 mode tap

  # The bridge interface
  auto br0
  iface br0 inet static
        pre-up ip link set vlan1 up
        pre-up ip link set tap0 up
        bridge_ports vlan1 tap0
        bridge_waitport 5
        bridge_waitmax 10
        bridge_fd 0
        bridge_stp off
        address 10.0.0.254
        netmask 255.255.255.0
        network 10.0.0.0
        broadcast 10.0.0.255
        gateway 10.0.0.1
        dns-nameservers 10.0.0.1
        dns-search openvpn.example.net
        post-down ip link set tap0 down
        post-down ip link set vlan1 down

You need to adjust the user you want the tap interface to be owned by and, of course, all IP settings and timings.

You need to have the vlan and bridge-utils package installed for your setup to work.

This setup is even possible on a bonded ethernet interface: I described it in the Debian network configuration for a bridged tap on a bonded interface with VLAN Pseudo-HOW-TO.
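A way to confirm the result after `ifup br0`, as an added example that is not part of either answer: the script reads the kernel's sysfs entries to check that tap0 and vlan1 are the only ports on br0 and that tap0 is owned by the intended unprivileged uid. The function names and the `SYSFS_NET` override are this example's own; the override exists only so the checks can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original answers): verify the br0 layout.
# SYSFS_NET may point at a constructed tree so the checks run offline.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# port_in_bridge BRIDGE PORT: succeeds if PORT is enslaved to BRIDGE.
port_in_bridge() { [ -e "$SYSFS_NET/$1/brif/$2" ]; }

# tap_owner_uid TAP: prints the uid the tap was created for (-1 if unset).
tap_owner_uid() { cat "$SYSFS_NET/$1/owner" 2>/dev/null; }

# check_bridge BRIDGE EXPECTED_UID TAP [PORT...]
# Returns 0 only if every listed port (and nothing else) is on BRIDGE
# and TAP is owned by EXPECTED_UID.
check_bridge() {
    bridge=$1 want_uid=$2 tap=$3
    shift 2                      # "$@" is now: TAP PORT...
    rc=0
    if [ ! -d "$SYSFS_NET/$bridge/bridge" ]; then
        echo "FAIL: $bridge is not a bridge device"; return 2
    fi
    for port in "$@"; do
        if port_in_bridge "$bridge" "$port"; then
            echo "ok:   $port is a port of $bridge"
        else
            echo "FAIL: $port is not a port of $bridge"; rc=1
        fi
    done
    # Every port shares one layer-2 segment with the VPN clients,
    # so a port that is not on the expected list is reported.
    for p in "$SYSFS_NET/$bridge/brif"/*; do
        [ -e "$p" ] || continue   # empty brif: glob stays literal
        case " $* " in
            *" ${p##*/} "*) ;;
            *) echo "FAIL: unexpected port ${p##*/} on $bridge"; rc=1 ;;
        esac
    done
    uid=$(tap_owner_uid "$tap") || uid=""
    if [ "$uid" = "$want_uid" ]; then
        echo "ok:   $tap owner uid is $uid"
    else
        echo "FAIL: $tap owner uid is '${uid:-unreadable}', expected $want_uid"; rc=1
    fi
    return $rc
}

# Example: sh check-bridge.sh br0 "$(id -u openvpn-system-user)" tap0 vlan1
if [ "$#" -ge 3 ]; then check_bridge "$@"; fi
```
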