Configure VPN Bridge with Raspberry Pi

Need to connect two Nintendo Switches in different locations for local multiplayer. A memo so that I don't forget how I did this.

  • OpenVPN network: 192.168.255.0/24

Software installation:

apt install hostapd dnsmasq openvpn net-tools bridge-utils wireless-tools

/etc/hostapd/hostapd.conf (creates the WLAN access point on the Raspberry Pi):

country_code=DE
interface=wlan0
bridge=br0
ssid=ConnectSwitchHere
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=somesecurepassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

systemctl unmask hostapd
systemctl enable hostapd

/etc/systemd/resolved.conf (for DNS on the Raspberry Pi):

[Resolve]
DNSStubListener=no
DNS=84.200.69.80 84.200.70.40

systemctl restart systemd-resolved

/etc/dnsmasq.conf (hands out addresses to the Nintendo Switch):

listen-address=127.0.0.1
port=53
domain-needed
bogus-priv
no-resolv
server=84.200.69.80
server=84.200.70.40

interface=br0
dhcp-range=192.168.255.51,192.168.255.100,255.255.255.0,24h
domain=wlan
dhcp-option=3,192.168.255.1
dhcp-option=6,84.200.69.80,84.200.70.40

systemctl restart systemd-resolved
systemctl enable dnsmasq
systemctl start dnsmasq

/etc/systemd/network/bridge-br0.netdev

[NetDev]
Name=br0
Kind=bridge

/etc/systemd/network/br0.network

[Match]
Name=br0

[Network]
Address=192.168.255.101

/etc/systemd/network/br0-member-tap0.network

[Match]
Name=tap0

[Link]
RequiredForOnline=no

[Network]
Bridge=br0
ConfigureWithoutCarrier=true
DHCP=v4
IPForward=ipv4
IPMasquerade=yes
KeepConfiguration=yes

[DHCP]
CriticalConnection=yes

systemctl restart systemd-networkd

The OpenVPN client config file is generated on the server with:

docker run -v /docker/openvpn/config:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full username nopass
docker run -v /docker/openvpn/config:/etc/openvpn --rm -it kylemanna/openvpn ovpn_getclient username > /docker/openvpn/username.conf
docker-compose stop openvpn ; docker-compose rm -f openvpn ; docker-compose up --remove-orphans -d

The OpenVPN client config needs "tun0" replaced with "tap0" (only a TAP interface can be attached to the bridge), then:

systemctl enable openvpn@username
systemctl start openvpn@username
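Before bringing the services up, a few sanity checks on the files above (an added example, not part of the original memo): the client profile must be in TAP mode, hostapd must attach wlan0 to br0 with WPA2/CCMP, and the dnsmasq pool must sit inside the OpenVPN /24 with br0's own address and the advertised gateway outside it. The files the script writes are constructed copies of this page's configs; vpn.example.invalid is a placeholder hostname.

```shell
#!/bin/sh
# Added sanity checks for the bridge/VPN configs on this page (not part of the memo).
# The checks only read files; write_samples creates constructed copies for a dry run.

# Dotted IPv4 address -> integer, so pools and addresses can be compared.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A tun profile cannot be added to br0 as a port: the client profile must say "dev tap".
check_ovpn_is_tap() {
    grep -Eq '^dev[[:space:]]+tap' "$1"
}

# hostapd must put wlan0 into br0 and protect the SSID with WPA2 using CCMP.
check_hostapd() {
    grep -q '^bridge=br0$' "$1" && grep -q '^wpa=2$' "$1" && grep -q '^rsn_pairwise=CCMP$' "$1"
}

# The dnsmasq pool must lie inside the OpenVPN /24, and br0's own address ($2) and the
# advertised gateway (dhcp-option 3) must stay outside the pool so leases never collide.
check_dhcp_pool() {
    # $1 dnsmasq.conf, $2 br0 address, $3 OpenVPN network address (a.b.c.0)
    range=$(sed -n 's/^[[:space:]]*dhcp-range=//p' "$1")
    lo=$(ip2int "${range%%,*}")
    rest=${range#*,}
    hi=$(ip2int "${rest%%,*}")
    gw=$(ip2int "$(sed -n 's/^[[:space:]]*dhcp-option=3,//p' "$1")")
    net=$(ip2int "$3")
    self=$(ip2int "$2")
    [ "$lo" -le "$hi" ] &&
    [ $(( lo & ~255 )) -eq "$net" ] && [ $(( hi & ~255 )) -eq "$net" ] &&
    [ $(( gw & ~255 )) -eq "$net" ] &&
    { [ "$self" -lt "$lo" ] || [ "$self" -gt "$hi" ]; } &&
    { [ "$gw" -lt "$lo" ] || [ "$gw" -gt "$hi" ]; }
}

# Constructed copies of the page's dnsmasq.conf, hostapd.conf and client profile under $1.
write_samples() {
    printf 'interface=br0\ndhcp-range=192.168.255.51,192.168.255.100,255.255.255.0,24h\n' > "$1/dnsmasq.conf"
    printf 'dhcp-option=3,192.168.255.1\ndhcp-option=6,84.200.69.80,84.200.70.40\n' >> "$1/dnsmasq.conf"
    printf 'interface=wlan0\nbridge=br0\nwpa=2\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP\n' > "$1/hostapd.conf"
    # As generated by ovpn_getclient (tun), then rewritten to tap as the memo says.
    printf 'client\ndev tun0\nremote vpn.example.invalid 1194\n' > "$1/username.conf.generated"
    sed 's/^dev tun0$/dev tap0/' "$1/username.conf.generated" > "$1/username.conf"
}
```

On the Pi, point the check functions at the real /etc paths instead of the samples.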

One limitation: the VPN server's public IP can't be reached through the bridged connection. This is by design.

iptables rule (optional, masquerades traffic leaving through tap0):

iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE