I configured my OpenVPN to connect 2 network at layer 2. Since broadcast goes across the tunnel and the 2 network have their own dhcp server for their respective gateway. The dhcp packet should be filtered.

iptables -I zone_lan_forward -o br-lan -m physdev --physdev-out tap0 -p udp --dport 67:68 --sport 67:68 -j REJECT
iptables -I zone_lan_forward -i br-lan -m physdev --physdev-in tap0 -p udp --dport 67:68 --sport 67:68 -j REJECT

The system should be configured to enable bridge firewalling in /etc/sysctrl.config

net.bridge.bridge-nf-call-iptables=1

I configured the above setting on my custom OpenWRT 15.05 image and run into some issues.

sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key
xt_physdev: Unknown symbol br_netfilter_enable (err 0)
nf_conntrack: table full, dropping packet

I would like to avoid changing my kernel on my device, just adding kernel module.

Since I build my own image with only certain packages, the kernel doesn't have support for everything. On a clean build with the default configuration, the kernel only has CONFIG_BRIDGE=y. Support for bridge firewall is not enabled,CONFIG_BRIDGE_NETFILTER is not set.

The kernel configuration can be change to generate net/bridge/br_netfilter.ko module for the system which has it missing. OpenWRT doesn't have a package for that kernel module. It would need to be copied manually.

Add bridge firewalling support to iptables with iptables-mod-extra. The kmod-ipt-extra will have xt_physdev module because CONFIG_BRIDGE_NETFILTER is enabled in the kernel.

How does default OpenWRT image has the support for bridge firewalling in their images ?

OpenWRT enables all packages to be build which configure the kernel configuration with the required dependencies. When enabling ebtables package, the kernel configuration is overwritten with CONFIG_BRIDGE_NETFILTER=y.

build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/linux-3.18.36/.config.old:CONFIG_BRIDGE=y
build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/linux-3.18.36/.config.old:CONFIG_BRIDGE_NETFILTER=y
build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/linux-3.18.36/.config:CONFIG_BRIDGE_NETFILTER=y
build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/linux-3.18.36/.config:CONFIG_BRIDGE=y
build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/linux-3.18.36/.config.override:CONFIG_BRIDGE=m
build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/linux-3.18.36/.config.override:CONFIG_BRIDGE_NETFILTER=y
build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/linux-3.18.36/.config.target:CONFIG_BRIDGE=y
build_dir/target-mips_34kc_uClibc-0.9.33.2/linux-ar71xx_generic/linux-3.18.36/.config.target:CONFIG_BRIDGE_NETFILTER=m
build_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/linux-3.18.36/.config:CONFIG_BRIDGE_NETFILTER=m
build_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/linux-3.18.36/.config:CONFIG_BRIDGE=m

I guess I will be need to be more careful when using opkg --force-depends option in the future. Once I have generated my image, I should use the matching SDK so I don't cause some kernel panic on the system.