A `tun` interface cannot be bridged, because it doesn't emulate any link layer protocol. A `tap` interface emulates Ethernet, which can be bridged.

However, you only use `tap` and bridge when you are certain you need exactly that, because `tun` is better supported (it's the only one supported on Android devices, for example) and it is more efficient, because it doesn't need to encapsulate link layer headers, leaving more room for the useful data.

`tun` will have its own address (whichever you set up in the VPN server config file). But if VPN packets are routed out via `eth0`, they will be translated to some address you set on the `eth0`. Which one? Right now it is random; if you want to NAT your VPN users to address `10.0.0.5`, remove your `MASQUERADE` rule and add the following `SNAT` rule:

    iptables -t nat -A POSTROUTING -s <vpn-network> -o eth0 -j SNAT --to-source 10.0.0.5

`vpn-network` is something like `10.8.0.0/24` or whatever you set it to be in the server config.

Also, it seems you are confusing the bridge term with the bind term. If you want OpenVPN to only receive (encrypted) packets on `10.0.0.5` and to send them back using `10.0.0.5`, you need to bind it to this address. Add to the server configuration file:

    local 10.0.0.5

Or specify it on the command line: `--local 10.0.0.5`.
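As an added check that is not part of the answer above: a small Python script that parses the output of `iptables -t nat -S POSTROUTING` and reports whether the VPN network is really being SNATed to the intended address. It matters because `MASQUERADE` and `SNAT` are both terminating targets, so if the old `MASQUERADE` rule is left in place ahead of the new `SNAT` rule, the `SNAT` rule is never reached. The sample rule listing, the VPN network and the interface name are constructed for the example.

```python
import re

# Constructed sample of `iptables -t nat -S POSTROUTING` output: the SNAT rule was
# appended without first deleting the MASQUERADE rule (not captured from a real host).
SAMPLE_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.5
"""

def parse_postrouting(text):
    """Return (source, out_iface, target, to_source) tuples in chain order."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        src = re.search(r" -s (\S+)", line)
        oif = re.search(r" -o (\S+)", line)
        tgt = re.search(r" -j (\S+)", line)
        to = re.search(r" --to-source (\S+)", line)
        rules.append(tuple(m.group(1) if m else None for m in (src, oif, tgt, to)))
    return rules

def check_vpn_snat(text, vpn_network, out_iface, want_source):
    """List reasons VPN clients might not leave `out_iface` with `want_source`.

    POSTROUTING is walked top-down and the first matching MASQUERADE/SNAT rule
    decides the source address; rules below it are never consulted.
    """
    findings = []
    first = None  # (position, target, to_source) of the first matching NAT rule
    for pos, (src, oif, tgt, to) in enumerate(parse_postrouting(text), start=1):
        if src != vpn_network or oif != out_iface or tgt not in ("MASQUERADE", "SNAT"):
            continue
        if first is None:
            first = (pos, tgt, to)
        elif tgt == "SNAT" and to == want_source:
            findings.append(f"rule {pos} SNAT to {to} is shadowed by rule "
                            f"{first[0]} ({first[1]})")
    if first is None:
        findings.append(f"no MASQUERADE/SNAT rule for {vpn_network} out {out_iface}")
    elif first[1] == "MASQUERADE":
        findings.append(f"rule {first[0]} MASQUERADE still present: source address "
                        f"is picked from {out_iface}, not fixed to {want_source}")
    elif first[2] != want_source:
        findings.append(f"rule {first[0]} SNATs to {first[2]}, not {want_source}")
    return findings

if __name__ == "__main__":
    for finding in check_vpn_snat(SAMPLE_RULES, "10.8.0.0/24", "eth0", "10.0.0.5"):
        print(finding)
```

On a live host, feed it the real listing with `iptables -t nat -S POSTROUTING`; an empty result means the first matching rule is the SNAT to the address you want.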