Layer2-VPN

  • OpenVPN Layer2 VPN (bridge mode multi-site)


OpenVPN Layer 2 Multi-Site (Bridge Mode). To remove the OpenVPN Layer 2 VPN configuration, reset to defaults from the web interface.
OpenVPN Layer 2 Multi-Site does NOT SUPPORT VRRP and site-to-site tunneling running together on the same router.
The OpenVPN Layer 2 Multi-Site tunnel interface tap100 does NOT SUPPORT multicast or dynamic routing (OSPF, RIP, BGP, IS-IS).
OpenVPN Layer 2 Multi-Site supports only a single tunnel between the same server (hub) and client (spoke) sites (a dual-tunnel design is NOT SUPPORTED by default).

In OpenVPN Multi-Site (Bridge Mode), all sites share one Layer 2 network: every router and computer uses a different IP address in the same subnet, as if they were next to each other.

Example: the hub or server site uses 192.168.1.1/24 on its br-lan interface, and the spoke or client site uses 192.168.1.2/24 on its br-lan interface.
Each additional spoke or client site takes the next address in the same network, e.g. 192.168.1.3/24 on its br-lan interface.
The OpenVPN server tunnel interface is tap100, on the default port 1194.

Server (Hub) router directly connected to the internet, with the SSH service enabled on the WAN side. (The VPN setup needs SSH so that client sites can download their configuration files.)
Server or Hub Router
Login → http://ip-address/cgi-bin/luci/ → Go to → System → Administration → SSH Access → Add instance → Interface WAN → Port 2233 → Save → Save & Apply
Login → http://ip-address/cgi-bin/luci/ → Go to → Network → Firewall → Firewall - Zone Settings → wan → CHANGE Input reject to accept → Save → Save & Apply
(Setting the wan zone Input policy to accept admits every service listening on the WAN side, not only SSH; a firewall traffic rule that accepts only TCP 2233 and UDP 1194 from wan is the narrower alternative.)


Alternatively, the Mini-Router (br-lan 192.168.1.1/24) sits behind a home internet router (192.168.1.254/24) that holds the public IP address
or a DDNS name. That home internet router must port-forward to 192.168.1.1/24: SSH (port 22 to 2233) and OpenVPN 1194, so the
OpenVPN tunnel interface is reachable from the internet.

Or

Alternatively, the Mini-Router is connected to a switch port that carries WAN and LAN as an 802.1Q trunk on the same LAN port, as below. Please refer to the 802.1Q item.

Computers at the Server (Hub) and Client (Spoke) sites are on the same network: at both the Server (Hub) and Client (Spoke) sites, all computers
are connected to a switch with the same VLAN ID on the same network.

Example:
10.0.0.17/24 on the br-lan of the hub router and 172.31.255.26/24 on its WAN to the internet (NAT port forwarding needed for SSH and OpenVPN)
10.0.0.100/24 on the br-lan of the spoke router and 172.31.255.226/24 on its WAN to the internet

OpenVPN Bridge Mode VPN keypairs: 1024 bit is recommended (the setup script's n answer; 2048 bit is also offered and is the stronger choice, at the cost of a much longer key generation on the router).


The Server (Hub) router's WAN is on the internet with the public IP address 1.2.3.4 (or replace it with a DDNS domain name).
A client (Spoke) router connected to the internet can then peer with 1.2.3.4 on SSH port 2233 and use the OpenVPN service.

Server (Hub) router: run the command set-bm-ovpn-server

root@VPN-Lite:~# set-bm-ovpn-server
ls: /etc/openvpn/bridgeclient.conf: No such file or directory
ls: /etc/openvpn/bridgeserver.conf: No such file or directory

#####################################################################
#### **** layer 2 VPN NOT Support VRRP protocol keepalived **** ####
#### **** keepalived auto disable and stop service **** ####
#####################################################################

##### Ctrl + C Stop and EXIT #####
#######################################################################################
##### Please Enter OpenVPN service udp port number: #####

Server OpenVPN site to muiltsite service udp port number: ( default 1194 udp )

1194


Choose a size in bits for your keypairs 2048=y or 1024=n (y/n)?
n

The bits for your keypairs is 1024 and take a long time for key gen !

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
Can't load /etc/openvpn/tmp/easyrsa/pki/.rnd into RNG
2012860036:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/etc/openvpn/tmp/easyrsa/pki/.rnd
Generating a RSA private key
..+++++
.+++++
writing new private key to '/etc/openvpn/tmp/easyrsa/pki/private/ca.key.XXXXlgBMEI'
-----
Generating a RSA private key
..............+++++
.......................+++++
writing new private key to '/etc/openvpn/tmp/easyrsa/pki/private/server.key.XXXXFiDBGI'
-----
Using configuration from /etc/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jul 6 04:53:42 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

--------- complete openvpn bridge mode server configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

Complete and Please run command : reboot


root@VPN-Lite:~#

Server (Hub) router: add a client (Spoke) remote site name by running the command set-bm-ovpn-client or set-bm-ovpn-nocheck-client

root@VPN-Lite:~# set-bm-ovpn-client
ls: /etc/openvpn/bridgeclient.conf: No such file or directory

The Internet connection public IP ADDRESS: 1.2.3.4

###################################################################
## Run set-bm-ovpn-server first for OpenVPN server enable ##

## Ctrl + C Stop wireguard multi site configuration ##
###################################################################
## Please enter The Internet public IP ADDRESS: or DDNS ##
1.2.3.4
1.2.3.4 is matching internet public ip address: 1.2.3.4

###################################################################
OpenVPN Bridge Mode router name list:
bridgeserver

###################################################################
Please enter other's router name:

user1

Generating a RSA private key
...+++++
...............+++++
writing new private key to '/etc/openvpn/tmp/easyrsa/pki/private/user1.key.XXXXDkNEco'
-----
Using configuration from /etc/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'user1'
Certificate is to be certified until Jul 6 04:55:06 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

--------- complete openvpn bridge mode server configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

root@VPN-Lite:~#


Client (Spoke) remote site router: run the command set-bm-ovpn-peer
The script connects to the hub over SSH and downloads the client certificate, key and configuration with scp, so it asks for the hub router's root password; compare the host key fingerprint it shows with the one obtained directly on the hub (dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key) before answering y to the trusted-hosts prompt.


root@Layer2-VPN-Spoke:~# set-bm-ovpn-peer
ls: /etc/openvpn/bridgeserver.conf: No such file or directory
ls: /etc/openvpn/bridgeclient.conf: No such file or directory

## Ctrl + C STOP and exit ##
###############################################################
###############################################################
OpenVPN BRIDGE Server the REAL IP Address OR DDNS domain name:
1.2.3.4

###############################################################
Do you need to change SSH default port 22 (y/n): (change=y)!
y

###############################################################
Please enter SSH port numebr here:

2233


###############################################################
Please enter openvpn bm client for scp download configure file
user1

Please enter OpenVPN BRIDGE Server Root passwd:

Host '1.2.3.4' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! 02:fa:a7:51:ee:d5:7c:f0:1a:ce:81:4a:13:b5:1f:71:15:d6:7b:da)
Do you want to continue connecting? (y/n) y
root@1.2.3.4's password: ###( NEED ENTER SERVER OR HUB ROUTER ROOT PASSWORD HERE )###
user6.crt 100% 3836 3.8KB/s 00:00
openvpn 100% 183 0.2KB/s 00:00
ca.crt 100% 830 0.8KB/s 00:00
server.pem 100% 636 0.6KB/s 00:00
bridge-server.info 100% 71 0.1KB/s 00:00
bridgeclient.conf 100% 266 0.3KB/s 00:00
user6.key 100% 1704 1.7KB/s 00:00

--------- complete openvpn bridge mode client configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

Complete and Please run command : reboot


root@Layer2-VPN-Spoke:~# 


root@Layer2-VPN-Spoke:~# show-bm-ovpn-tunnel

tap100 Link encap:Ethernet HWaddr BE:FD:EE:44:06:B4
inet addr:10.0.0.171 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1410 Metric:1
RX packets:2032 errors:0 dropped:0 overruns:0 frame:0
TX packets:939 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1033179 (1008.9 KiB) TX bytes:118936 (116.1 KiB)


#################################################################################

bridge name bridge id STP enabled interfaces
br-lan 7fff.ac15a23ca029 no eth0
tap100
brctl: invalid argument 'br-lan' to 'brctl'

root@Layer2-VPN-Spoke:~#


C:\>ipconfig

Windows IP Configuration


Mobile Broadband adapter Cellular:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : lan
IPv4 Address. . . . . . . . . . . : 10.0.0.182
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.100


C:\>
C:\>
C:\>ping 10.0.0.17

Pinging 10.0.0.17 with 32 bytes of data:
Reply from 10.0.0.17: bytes=32 time=17ms TTL=64
Reply from 10.0.0.17: bytes=32 time=8ms TTL=64
Reply from 10.0.0.17: bytes=32 time=18ms TTL=64
Reply from 10.0.0.17: bytes=32 time=12ms TTL=64

Ping statistics for 10.0.0.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 18ms, Average = 13ms

C:\>

###############################################################################################################################################################


In the second case, the server (hub) and client (spoke) are not reachable over the public internet, so the hub's WAN port IP address (172.31.255.26) is used directly instead of a public IP address or DDNS name, with the nocheck variant of the client command, which does not verify the address against the internet public IP.

Server (hub) router: add the client (spoke) remote site with the command set-bm-ovpn-nocheck-client


root@VPN-Lite:~# set-bm-ovpn-nocheck-client
ls: /etc/openvpn/bridgeclient.conf: No such file or directory

The WAN port connection IP ADDRESS:

###################################################################
## Run set-bm-ovpn-server first for OpenVPN server enable ##

## Ctrl + C Stop OpenVPN multi site configuration ##
###################################################################
## Please enter The Router WAN PORT IP ADDRESS: or DDNS ##
172.31.255.26

###################################################################
OpenVPN Bridge Mode router name list:
bridgeserver

###################################################################
Please enter other's router name:

user1

Generating a RSA private key
......+++++
............................+++++
writing new private key to '/etc/openvpn/tmp/easyrsa/pki/private/user1.key.XXXXiNECnO'
-----
Using configuration from /etc/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'user1'
Certificate is to be certified until Jul 6 06:17:07 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

--------- complete openvpn bridge mode server configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

root@VPN-Lite:~#

Client (spoke) remote site router: peer the VPN with the command set-bm-ovpn-peer

root@VPN-Spoke:~# set-bm-ovpn-peer
ls: /etc/openvpn/bridgeserver.conf: No such file or directory
ls: /etc/openvpn/bridgeclient.conf: No such file or directory

## Ctrl + C STOP and exit ##
###############################################################
###############################################################
OpenVPN BRIDGE Server the REAL IP Address OR DDNS domain name:
172.31.255.26

###############################################################
Do you need to change SSH default port 22 (y/n): (change=y)!
n

###############################################################
Please enter openvpn bm client for scp download configure file
user1

Please enter OpenVPN BRIDGE Server Root passwd:

Host '172.31.255.26' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! 74:4b:d7:d6:e5:02:92:84:ef:25:bc:29:18:42:9f:3d:d8:bc:4c:b5)
Do you want to continue connecting? (y/n) y
root@172.31.255.26's password: ###( NEED ENTER SERVER OR HUB ROUTER ROOT PASSWORD HERE )###
user1.key 100% 916 0.9KB/s 00:00
openvpn 100% 183 0.2KB/s 00:00
ca.crt 100% 830 0.8KB/s 00:00
server.pem 100% 636 0.6KB/s 00:00
bridge-server.info 100% 71 0.1KB/s 00:00
bridgeclient.conf 100% 266 0.3KB/s 00:00
user1.crt 100% 3085 3.0KB/s 00:00

--------- complete openvpn bridge mode client configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

Complete and Please run command : reboot


root@VPN-Spoke:~#


C:\Users\x>ipconfig

Windows IP Configuration


Mobile Broadband adapter Cellular:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : lan
IPv4 Address. . . . . . . . . . . : 10.0.0.182
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.100


C:\>ping 10.0.0.17

Pinging 10.0.0.17 with 32 bytes of data:
Reply from 10.0.0.17: bytes=32 time=7ms TTL=64
Reply from 10.0.0.17: bytes=32 time=4ms TTL=64
Reply from 10.0.0.17: bytes=32 time=4ms TTL=64
Reply from 10.0.0.17: bytes=32 time=9ms TTL=64

Ping statistics for 10.0.0.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 9ms, Average = 6ms

C:\>


Remove the default gateway from the remote Windows computer and connect it to the server (hub) network: because the sites are bridged at Layer 2, it still reaches 10.0.0.17 directly without a gateway.

C:\>ipconfig

Windows IP Configuration


Mobile Broadband adapter Cellular:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.222
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :


C:\>
C:\>ping 10.0.0.17

Pinging 10.0.0.17 with 32 bytes of data:
Reply from 10.0.0.17: bytes=32 time=15ms TTL=64
Reply from 10.0.0.17: bytes=32 time=6ms TTL=64
Reply from 10.0.0.17: bytes=32 time=13ms TTL=64
Reply from 10.0.0.17: bytes=32 time=7ms TTL=64

Ping statistics for 10.0.0.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 15ms, Average = 10ms

C:\>


OpenVPN Multi-Site (Bridge Mode) Summary:
1). Set up the server and client br-lan IP addresses with the default configuration (e.g., Server/Hub br-lan 192.168.1.1/24,
first client/spoke br-lan 192.168.1.2/24, second client/spoke br-lan 192.168.1.3/24: same network, a different IP for each router).
2). Server/Hub Mini-Router: enable SSH on the WAN side and change the port numbers
(e.g., enable SSH on port 2233 for a direct internet connection, or NAT port-forward the SSH and OpenVPN service ports).
3). Hub or Server: type the command set-bm-ovpn-server → set the OpenVPN port number (default 1194) and keypair size (1024 bit).
4). Hub or Server: add the remote router with the command set-bm-ovpn-nocheck-client → public IP address or DDNS domain name.
5). Hub or Server: configure the remote site name for the remote client site and reboot.
6). Client or Spoke: run set-bm-ovpn-peer.
7). Client or Spoke: enter the Hub or Server public IP address or DDNS domain name and SSH port number.
8). Client or Spoke: enter its own site name and the Hub or Server router's root password.
9). Client or Spoke and Hub or Server: ping each other's router br-lan interface, or run ifconfig tap100 and check that the RX bytes:974187 (951.3 KiB) TX bytes:9820789 (9.3 MiB) traffic counters are increasing.
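As an added example (not one of the router's own commands), a small POSIX shell script that automates the step 9 check: it parses the ifconfig and brctl output that show-bm-ovpn-tunnel prints, confirms tap100 is a member of br-lan, and confirms both RX and TX counters advance across a ping to the hub. The samples are constructed from the page's own listing; check_live is assumed to run on a spoke with BusyBox ifconfig/brctl available.

```shell
#!/bin/sh
# Added example, not one of the router's own scripts: automates the step 9
# health check of the tap100 bridge-mode tunnel. The parsers read the BusyBox
# ifconfig and brctl output that show-bm-ovpn-tunnel prints, so they run
# offline on the constructed samples below (values copied from the page).

# Print "RXBYTES TXBYTES" for one interface block of an ifconfig dump.
tap_counters() {   # $1 = ifconfig output, $2 = interface name (e.g. tap100)
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == ifc { inblock = 1; next }            # header line of our interface
        inblock && /Link encap/ { exit }           # next interface: stop
        inblock && /RX bytes:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^bytes:/) { sub(/^bytes:/, "", $i); if (rx == "") rx = $i; else tx = $i }
            print rx, tx; exit
        }'
}

# Print yes if interface $3 is a member of bridge $2 in "brctl show" output $1.
tap_in_bridge() {
    printf '%s\n' "$1" | awk -v br="$2" -v ifc="$3" '
        NR == 1 { next }                           # column header line
        NF >= 3 { inb = ($1 == br); start = 4 }    # row that starts a bridge
        NF < 3  { start = 1 }                      # continuation row: more members
        inb { for (i = start; i <= NF; i++) if ($i == ifc) found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Print yes only when both RX and TX grew between two "RX TX" samples:
# a tunnel that only sends, or only receives, is not carrying traffic both ways.
counters_advanced() {
    rx1=${1%% *}; tx1=${1##* }; rx2=${2%% *}; tx2=${2##* }
    if [ "$rx2" -gt "$rx1" ] && [ "$tx2" -gt "$tx1" ]; then echo yes; else echo no; fi
}

# Live check on a spoke router; $1 = hub br-lan address (10.0.0.17 in the page's example).
check_live() {
    command -v ifconfig >/dev/null 2>&1 && command -v brctl >/dev/null 2>&1 || return 2
    [ "$(tap_in_bridge "$(brctl show)" br-lan tap100)" = yes ] || { echo "tap100 is not in br-lan"; return 1; }
    before=$(tap_counters "$(ifconfig tap100)" tap100)
    ping -c 3 -q "$1" >/dev/null 2>&1          # push some traffic across the bridge
    after=$(tap_counters "$(ifconfig tap100)" tap100)
    [ "$(counters_advanced "$before" "$after")" = yes ]
}

# Constructed samples in the format show-bm-ovpn-tunnel prints.
SAMPLE_IFCONFIG='tap100    Link encap:Ethernet  HWaddr BE:FD:EE:44:06:B4
          inet addr:10.0.0.171  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1410  Metric:1
          RX bytes:1033179 (1008.9 KiB)  TX bytes:118936 (116.1 KiB)
eth0      Link encap:Ethernet  HWaddr AC:15:A2:3C:A0:29
          RX bytes:99 (99.0 B)  TX bytes:99 (99.0 B)'
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.ac15a23ca029       no              eth0
                                                        tap100'

echo "tap100 counters: $(tap_counters "$SAMPLE_IFCONFIG" tap100)"   # 1033179 118936
echo "tap100 in br-lan: $(tap_in_bridge "$SAMPLE_BRCTL" br-lan tap100)"  # yes
```

On a spoke, `check_live 10.0.0.17` returns 0 when tap100 is bridged and traffic moved both ways, 1 otherwise, and 2 when ifconfig or brctl is missing.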