Docker – Why do we need a LAN physical interface bridged with OpenVPN TAP interface to get functional OpenVPN in bridge mode

Tags: bridge, docker, ethernet, networking, openvpn

Here I have some (maybe slightly different) questions, but they are related to each other, so I preferred to ask them in one question.

I have been trying to allow my OpenVPN clients (OpenVPN is set up in bridge mode) to connect to Docker containers.
As is known, Docker containers are all connected with each other via a bridge (the docker0 bridge or whatever).

I always used to use my own bridge (br0) on my home server, where I set up Docker to use that bridge (br0), and I bridged the OpenVPN interface (tap0) and my physical interface (eth0), which is connected via LAN to my home router, on that bridge.
That always worked for me, and all OpenVPN clients were always able to access each Docker container bridged on br0 (both OpenVPN clients and Docker containers have IPs in my LAN range).

A couple of days ago I rented a VPS, where my physical interface is directly connected to the internet (it has a unique public IP).
I did the same as before (setting Docker up to use my br0 for all containers) and I bridged the OpenVPN tap0 on br0.

The problem I faced is that my OpenVPN client was NOT able to ping or access any of the Docker containers (the containers were able to ping and access other Docker containers, but NOT the OpenVPN client), and the clients were NOT able to ping each other either.

Does that have anything to do with the fact that I have no physical interface bridged? If yes, I was wondering why I should bridge a physical interface of my server (connected to some router via LAN, maybe) in addition to the OpenVPN TAP interface to get a functional OpenVPN in bridge mode?

And that problem raised another related question in my mind: as long as the clients are part of the tap0 interface anyway, why can't they simply access each other without going, for some reason, out of the TAP interface? What is the role played by my physical interface?

If my problem was really because there is no physical interface bridged, how can I get OpenVPN to be fully functional in bridge mode without that physical interface (or at least, is there any solution for that, given that my physical interface is connected directly to the internet without any LAN)?

I hope that someone can help me to get that OpenVPN to work.

ADDED:

After watching some videos I still have this question: if I had two TAP interfaces, each of them mapped to one VirtualBox system (tap0 -> vb0, tap1 -> vb1), and both tap0 and tap1 are connected to a bridge br0 (which is not connected to any physical interface), so that only tap0 and tap1 are bridged together, will vb0 and vb1 be able to ping each other? (I am not interested in any kind of external connections now.) According to @shodanshok's answer, NO they won't, right? Until now I have not been able to understand exactly why they can't; could you please explain that point in more detail?

Best Answer

The OpenVPN tap interface operates at layer 2 of the ISO/OSI model, and so it needs a layer 2 (read: bridge/switch) connection to the main, real interface.

I strongly suggest that you reconfigure your OpenVPN connection to use tun interfaces which, by operating at a higher level (level 3) of the stack, do not need a bridged connection to the main interface (rather, they route packets as specified in the routing table).

Have a look at the "server-bridge" section of the openvpn man page for more information.
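To make the routed (tun) alternative recommended above concrete, here is an added example; it is not part of the answer and not the asker's configuration. It assumes constructed values: a VPN subnet of 10.8.0.0/24 on tun0, Docker's default bridge subnet 172.17.0.0/16 on docker0, and a host whose only physical interface faces the internet, exactly the VPS situation in the question. No bridge and no physical interface are touched; the host simply routes between tun0 and docker0, and `client-to-client` lets VPN clients reach each other inside the OpenVPN process.

```shell
#!/bin/sh
# Added example (not from the question or the answer): routed OpenVPN layout
# that gives VPN clients access to Docker containers without bridging tap0
# to the physical interface. All addresses below are constructed assumptions.

VPN_IF=tun0
VPN_NET=10.8.0.0
VPN_MASK=255.255.255.0
VPN_CIDR=10.8.0.0/24
DOCKER_IF=docker0
DOCKER_NET=172.17.0.0
DOCKER_MASK=255.255.0.0

# Server-side OpenVPN directives for routed mode. "server" replaces the
# "server-bridge" directive used in bridge mode; the pushed route tells every
# client that the Docker subnet lives behind the tunnel; "client-to-client"
# makes clients reachable from each other (the ping problem in the question)
# without any layer-2 bridge.
tun_server_conf() {
    cat <<EOF
dev $VPN_IF
topology subnet
server $VPN_NET $VPN_MASK
push "route $DOCKER_NET $DOCKER_MASK"
client-to-client
keepalive 10 60
EOF
}

# Kernel side (needs root): the host must forward between tun0 and docker0.
# Docker manages the FORWARD chain itself and, on current releases, sets its
# policy to DROP, so traffic arriving from tun0 is rejected unless an explicit
# ACCEPT is inserted ahead of Docker's rules. Replies leaving docker0 are
# already accepted by Docker's own "-i docker0 ! -o docker0 -j ACCEPT" rule;
# the second rule below only makes the intent explicit and stateful.
apply_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -I FORWARD 1 -i "$VPN_IF" -o "$DOCKER_IF" -s "$VPN_CIDR" -j ACCEPT
    iptables -I FORWARD 1 -i "$DOCKER_IF" -o "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Run with "apply" to install the forwarding rules; with no argument it only
# prints the OpenVPN server configuration fragment.
if [ "${1:-}" = "apply" ]; then
    apply_forwarding
else
    tun_server_conf
fi
```

Containers need no extra route: their default gateway is the host's docker0 address, and the host already knows 10.8.0.0/24 via tun0 once OpenVPN is up, so replies come back through the tunnel. The `-s "$VPN_CIDR"` match keeps the opening limited to VPN clients rather than anything else that might arrive on the host.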
