====== OpenVPN Bridge to Another Country ======

Certain content is only available to IP addresses in another country. Set up a Virtual Access Point on your DD-WRT router and bridge it to an OpenVPN server in that country. The focus here is configuring the client bridge on your router. I am assuming you already have the server portion configured and working, with IP masquerading (NAT) configured.

1. Use easy-rsa scripts to generate a new client certificate on the OpenVPN server.

Edit the file 'vars' to set sane defaults, such as an expiry of 10 years rather than the default 1 year.

  root@openvpn:/etc/openvpn/easy-rsa# ./build-key nexus.mrzesty.net
  Generating a 1024 bit RSA private key
  .................++++++
  ...................++++++
  ...
  Certificate is to be certified until Mar 16 16:49:28 2020 GMT (3650 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated

2. Copy the resulting private key nexus.mrzesty.net.key, certificate nexus.mrzesty.net.crt and CA cert ca.crt from the keys/ directory to the client.

3. Create the new Virtual Interface on your local DD-WRT router. Go to and Add a new Virtual Interface wl0.1.

Configure WPA2 wireless security on the new Virtual Interface.

4. Create a new ethernet bridge on your router and assign the new Virtual Interface wl0.1 to the new bridge br1. Assign an IP of 192.168.x.2. 192.168.x.1 will be on the OpenVPN server, assigned to the tap0 interface there.

/etc/network/interfaces on Debian/Ubuntu:

  auto tap0
  iface tap0 inet static
      pre-up /usr/sbin/openvpn --mktun --dev tap0
      address 192.168.x.1
      netmask 255.255.255.0

5. Add an additional DHCP server on the Setup -> Networking page for the bridge br1.

6. Configure the DHCP server to hand out 192.168.x.1 as the gateway IP to clients.

-> DNSmasq

  dhcp-option=br1,3,192.168.3.1

7. Configure the OpenVPN client of the DD-WRT router. If you SSH to the router, the resulting configuration file should look like:

  root@DD-WRT:/tmp/openvpncl# cat openvpn.conf
  client
  dev tap
  proto udp
  remote 66.55.44.33 1194
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  tun-mtu 1500
  tun-mtu-extra 32
  mssfix 1450
  ca /tmp/openvpncl/ca.crt
  cert /tmp/openvpncl/client.crt
  ns-cert-type server
  key /tmp/openvpncl/client.key
  comp-lzo

8. Reboot the router and add the tap0 interface to the new bridge br1. I was not able to do this in the web interface, so I ran the following from the SSH shell instead:

  root@DD-WRT:~# brctl addif br1 tap0

You will want this command to run when the router reboots, so add it to the nvram variable rc_startup. I use 60 seconds so the OpenVPN tunnel has enough time to start.

  nvram set rc_startup="
  sleep 60
  ip link set tap0 up
  brctl addif br1 tap0
  "
  # write the setting to flash so it survives the reboot
  nvram commit

(You can also set the startup via the web interface on )

Verify the Current Bridging Table on the page is correct, so that tap0 is now bridged to your Virtual AP wl0.1.

  Current Bridging Table
  Bridge Name  STP enabled  Interfaces
  br0          no           vlan1 eth1
  br1          no           wl0.1 tap0
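
The wait in step 8 can also be driven by the tunnel device itself rather than a fixed delay. The script below is an added example, not part of the original procedure: it polls for tap0, brings it up, adds it to br1 only if it is not already a port, and confirms the result. It assumes the router exposes interfaces under /sys/class/net; the function names, the --run switch and the 120-second timeout are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): attach the OpenVPN tap device
# to the bridge once it exists, instead of relying on a fixed "sleep 60".
# Assumption: the router kernel exposes interfaces under /sys/class/net.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# wait_for_iface IFACE TIMEOUT
# Returns 0 as soon as IFACE exists, 1 if it is still missing after TIMEOUT seconds.
wait_for_iface() {
    waited=0
    while [ ! -e "$SYSFS_NET/$1" ]; do
        [ "$waited" -ge "$2" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# bridge_has_port BRIDGE IFACE
# True if IFACE is already a port of BRIDGE (the kernel lists ports under brif/).
bridge_has_port() {
    [ -e "$SYSFS_NET/$1/brif/$2" ]
}

# attach_tap BRIDGE IFACE TIMEOUT
# Return codes: 0 = bridged, 1 = tunnel device never appeared, 2 = bridging failed.
attach_tap() {
    wait_for_iface "$2" "$3" || return 1
    ip link set "$2" up
    if ! bridge_has_port "$1" "$2"; then
        brctl addif "$1" "$2" || return 2
    fi
    # Confirm the result, the same fact the Current Bridging Table shows.
    bridge_has_port "$1" "$2" || return 2
    return 0
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    attach_tap br1 tap0 120
fi
```

Called with --run from the startup commands, this takes the place of the sleep 60, ip link and brctl lines. A non-zero exit code tells you whether the tunnel never came up (1) or the bridge step failed (2).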