micolous.id.au

The result of a blogging accident

Bridged OpenVPN and DHCP

I’ve set up a VPN recently, a large bridged one. I had a little problem though: the DHCP server from the remote network was leaking through the bridge to mine, causing all sorts of trouble, as my network devices were trying to use the remote router as their gateway, and I had of course blocked Internet access over the VPN.

So, let’s take a hypothetical network:

* eth0: Internet connection (192.168.0.2)
* eth1: LAN connection
* tap0: VPN connection
* br0: Bridge between eth1 and tap0 (10.0.1.1)

Now, your local DHCP server is saying the subnet is 10.0.0.0/8, and it gives out IPs in the range 10.0.1.100 - 10.0.1.200. The remote end (10.0.2.1) gives out 10.0.2.100 - 10.0.2.200, and sets the routing accordingly. Because both ends sit on the same bridged segment, each side’s clients can see both servers’ offers. I found running the DHCP server on the bridge was a problem, particularly with the ISC DHCP server, as it uses raw sockets (which bypass the normal iptables filtering), making it quite hard to firewall out. The solution?

Set an IP for eth1 locally (and remotely) that is inside the 10.0.0.0/8 subnet, say 10.254.1.254, with the netmask 255.255.255.252 (a /30). Bind your DHCP server to eth1 (the INTERFACES setting in /etc/default/dhcp3-server). Then restart the DHCP servers, and voilà: each DHCP server only gives out addresses locally, since it no longer listens on the bridge that carries traffic to tap0. To your clients it will appear that 10.254.1.254 is giving out IP addresses.
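Here is the procedure above as a small shell script. It is an added example, not code from the original post: it assumes a Debian-style /etc/default/dhcp3-server with an INTERFACES= line, the interface names eth1/br0/tap0 and the 10.254.1.254/30 address used in the post. The first function rewrites the binding, the second checks that the server is not bound to a bridge or tap interface (which would put its leases back onto the VPN); the actual address assignment and restart are left as comments since they need root.

```shell
#!/bin/sh
# Added example (not from the original post): pin the ISC DHCP server to the
# physical LAN interface instead of the bridge, so DHCP offers never cross tap0.
# Assumes a Debian-style defaults file with an INTERFACES= line.

# Write (or replace) the INTERFACES line in a dhcp3-server defaults file.
# $1 = path to the defaults file, $2 = interface to bind (e.g. eth1)
dhcp_bind_iface() {
    file="$1"; iface="$2"
    [ -f "$file" ] || : > "$file"
    if grep -q '^INTERFACES=' "$file"; then
        # replace the existing line in place (portable: no sed -i)
        sed "s/^INTERFACES=.*/INTERFACES=\"$iface\"/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'INTERFACES="%s"\n' "$iface" >> "$file"
    fi
}

# Return 0 only if INTERFACES names at least one interface and none of them
# is a bridge (br*) or VPN tap (tap*). An empty INTERFACES makes dhcpd listen
# on every interface, including the bridge, so that is treated as a failure.
dhcp_check_binding() {
    file="$1"
    ifaces=$(sed -n 's/^INTERFACES="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$file")
    [ -n "$ifaces" ] || return 1
    for i in $ifaces; do
        case "$i" in
            br*|tap*) return 1 ;;
        esac
    done
    return 0
}

# On the real box (root required), the full procedure from the post would be:
#   ip addr add 10.254.1.254/30 dev eth1
#   dhcp_bind_iface /etc/default/dhcp3-server eth1
#   dhcp_check_binding /etc/default/dhcp3-server && /etc/init.d/dhcp3-server restart
```

Run the same three steps on the remote end with its own /30 address on its eth1, and both servers stop seeing each other's clients.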