
Currently on my Linux server I've enabled bridging so that I can use OpenVPN in bridged mode. Works great. eth0 is connected to the LAN; tun0 is the OpenVPN gateway; these are bridged to a new interface br0.

Same server is also functioning as a firewall/router (eth1 is the internet gateway) and hosting an httpd and several other daemons. Thus I had to reconfigure some of these to listen on br0 instead of eth0.

Thing is, I would like to dynamically tear down the bridge when not using OpenVPN and leave it the old way I had it, where eth0 is the gateway to the LAN.

Basically what I want to do is create a "symbolic link" to whatever is active at the given moment. Something like "lan0" which can "point to" either br0 or eth0.

I've heard about IP aliasing but it's a way to enable multiple IPs on a NIC, which isn't what I'm trying to do. Anyone point me in the right direction?

Or, is any performance penalty from leaving the bridge enabled even when not using it, if one exists, negligible enough that I shouldn't bother?

2 Answers


If you were concerned about performance, you wouldn't be bridging through a VPN: every broadcast packet that occurs on either side needs to be pushed through the link. If you are not careful, you can get a broadcast storm.

Your best bet: Just leave the bridge up all the time.

If you are concerned about performance, you should set this machine up as a router, and explicitly route traffic through your VPN, instead of bridging through it.

If you think you can't do this, because your "router" is exceptionally stupid and doesn't allow static routes, you can simply widen your subnet on "this side" of the network.

For example, if your network looks like this:

      networkA | vpnA <-----------> router | networkB <----------> vpnB
192.168.1.0/24                                 192.168.66.0/24      192.168.66.5

then "upgrade" networkB to a /23 and make it look like this:

(internet) -----> router | networkB <----------------> vpnB | tap0 <-----> vpnA
                          192.168.66.0/23      192.168.66.5   192.168.67.1

vpnB will "announce" 192.168.67.1 on the networkB side. This isn't optimal, as Ethernet broadcasts from networkB can still get to networkA, but at least the reverse won't be true.

geocar

If I'm not mistaken, won't the bridge behave properly with only one interface attached to it? I think it should act sort of like the 'symlink' you are describing, pointing to eth0 (when eth0 is the only interface on the bridge).

That way, you can just always have your services bound to br0, and add/remove interfaces from the bridge as necessary.

pkaeding
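Following the approach in the second answer (br0 stays up with eth0 as its only permanent member, services bind to br0, and the VPN interface is added or removed on demand), here is an added example of an OpenVPN `--up`/`--down` hook script; it is not from either answer. It assumes OpenVPN runs with a tap device (only a layer-2 tap interface can be bridged) and `--script-security 2`, that br0 already exists with eth0 attached, and that OpenVPN passes the interface name as `$1` and sets `script_type` to `up` or `down`, which is its documented behaviour.

```shell
#!/bin/sh
# OpenVPN --up / --down hook: attach the VPN tap device to br0 when the
# tunnel comes up, detach it when the tunnel goes down. Added example,
# not code from the original answers. Assumes br0 exists with eth0 as a
# member and that services already listen on br0.
# Set DRY_RUN=1 to print the ip commands instead of executing them.

BRIDGE="${BRIDGE:-br0}"

# Run a command, or print it when DRY_RUN=1 (used for testing offline).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add the VPN interface to the bridge. A tun (layer-3) device cannot be
# a bridge port, so refuse anything that is not a tap device.
bridge_attach() {
    dev="$1"
    case "$dev" in
        tap*) ;;
        *) echo "bridge_attach: $dev is not a tap device" >&2; return 1 ;;
    esac
    run ip link set "$dev" up
    run ip link set "$dev" master "$BRIDGE"
}

# Remove the VPN interface from the bridge; eth0 stays, so br0 keeps
# working as the LAN-side interface with a single port.
bridge_detach() {
    dev="$1"
    run ip link set "$dev" nomaster
    run ip link set "$dev" down
}

# OpenVPN exports script_type=up|down and passes the device name as $1.
case "${script_type:-}" in
    up)   bridge_attach "$1" ;;
    down) bridge_detach "$1" ;;
esac
```

Point OpenVPN at it with `up /path/to/bridge-hook.sh` and `down /path/to/bridge-hook.sh` in the server config (hypothetical path); with eth0 left on br0 permanently, nothing else on the server needs to change when the tunnel is down.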