Install and Configure OpenVPN using a TAP interface

With this procedure we will configure an OpenVPN server using a TAP interface instead of TUN.

You will find this option useful when you want your LAN and VPN clients to be in the same broadcast domain.

We will use a scenario where: –> Is your network –> Is your Gateway and DNS server –> Is your OpenVPN Server

Let’s start.

1 – Install prerequisites.

In Debian you will not find the “easy-rsa” package, but don’t worry, we will take care of that later.

2 – Configure the bridge adapter.

This adapter will be the bridge between the physical interface and the tap interface, and it will pass traffic from one to the other.

First get the necessary scripts:

Edit the bridge-start script:

Configure your interfaces configuration file:

and configure it as follows:

Save and exit.

3 – Enable the routing function on the server.

Uncomment the line containing:


4 – Create the easy-rsa directory.

In Ubuntu run this command:

In Debian you have to create the directory and copy the files into it.

5 – Edit the variables.

Go into /etc/openvpn/easy-rsa/ and edit the vars file to your needs:

Change the key size from 1024 to 2048.

And comment out the line:

6 – Generate the server keys.

While inside /etc/openvpn/easy-rsa/ run the following commands:

Now enter the keys directory:

generate the server keys:

and copy the necessary files to the openvpn directory

7 – Configure the server configuration file.

First copy the example configuration file:

Extract it:

Edit it:

Add the following to the beginning of the file:


Change:

port 1194

To:

port 8294

I like to change the default port.


Change:

;proto tcp
proto udp

To:

proto tcp
;proto udp


Change:

;dev tap
dev tun

To:

dev tap0
;dev tun


Change:

dh dh1024.pem

To:

dh dh2048.pem









(This is the IP of your OpenVPN server and the DHCP Pool for the clients. They will get an address in the range


Change:

;push "dhcp-option DNS"
;push "dhcp-option DNS"

To:

push "dhcp-option DNS"

This is your DNS server IP address.

You can also push your domain with:

push "dhcp-option DOMAIN"






Change:

;user nobody
;group nogroup

To:

user nobody
group nogroup

Look for the line containing log-append and edit it to look like this:

log-append  /var/log/openvpn/openvpn.log

Save and exit
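The edits in this step can be checked mechanically. The shell function below is an added example, not part of the original guide: it reads a server configuration file and flags the settings this step changes (tap device, 2048-bit DH file, privilege drop to nobody/nogroup, log-append). The function name audit_openvpn_conf and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an OpenVPN server
# configuration against the settings applied in step 7.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_openvpn_conf() {
    conf=$1
    findings=$(awk '
        /^[ \t]*([#;]|$)/ { next }        # skip comments (# or ;) and blank lines
        { seen[$1] = $2 }                 # keep the last active value per directive
        END {
            if (seen["dev"] !~ /^tap/)
                print "dev: expected a tap device for bridging, found \"" seen["dev"] "\""
            if (!("dh" in seen))
                print "dh: no DH parameter file configured"
            else if (seen["dh"] ~ /dh1024/)
                print "dh: " seen["dh"] " is 1024-bit, switch to the 2048-bit file"
            if (seen["user"] != "nobody")
                print "user: privilege drop to nobody is not active"
            if (seen["group"] != "nogroup")
                print "group: privilege drop to nogroup is not active"
            if (!("log-append" in seen))
                print "log-append: no persistent log file configured"
        }' "$conf")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the stock settings this guide starts from, before editing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
port 1194
proto udp
;dev tap
dev tun
dh dh1024.pem
;user nobody
;group nogroup
EOF
audit_openvpn_conf "$sample" || echo "configuration still needs the step 7 edits"
rm -f "$sample"
```

Run it against /etc/openvpn/server.conf after editing; no output and exit status 0 means every checked setting is in place.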

Create the openvpn log folder:

9 – Create the client keys.

Change to the easy-rsa folder:

Load the variables defined in the vars file:

Generate the key and certificate:

Set the PEM pass phrase (this is the password required when the OpenVPN client tries to connect).

Accept all the other options until you get to “A challenge password”.

When asked for “A challenge password” just press Enter

When asked for “An optional company name” just press Enter

When asked for “Sign the certificate? [y/n]:” say “yes”

When asked for “1 out of 1 certificate requests certified, commit? [y/n]” say “yes”

The files will be created in the /etc/openvpn/easy-rsa/keys folder

10 – Restart the server.

Now restart the server and check your network interfaces:

Your output should look similar to this:


If you are installing OpenVPN as a virtual machine, read this.
