LAN Tunnel Bridging HowTo
About
This document provides an example of how to set up a LAN to LAN tunnel bridge using OpenVPN with a pre-shared key (PSK). For simplicity, only basic configuration options are used.
Introduction
Company X has two sites A and B in different geographical locations, connected by a public network. They want to connect both sites to the same LAN and use a DHCP server on Site A to serve Site B.
           Site A                                 Site B
         .--------.                               .--------.
         |  DHCP  |                               |        |
         | Server |                               |  Host  |
         |   A1   |                               |   B1   |
         '----+---'                               '---+----'
              | IP:192.168.1.1                        | IP:DHCP(A1)
              |                                       |
              | vlan100                               | vlan100
         eth0 | IP:DHCP(A1)                      eth0 | IP:DHCP(A1)
         .----+---.                               .---+----.
         |        |                               |        |
         |  GW-A  |                               |  GW-B  |
         |        |                               |        |
         '----+---'                               '---+----'
        vlan2 |               .--.-.                  | vlan2
   Public IP: |             ( (    )__                | Public IP:
 198.19.20.21 '------------(_,  \  ) ,_)--------------' 198.19.20.22
                            '-'--`--'
                      Public Network/Internet
WeOS devices GW-A and GW-B both have their port eth1 connected to the WAN (Public network/Internet) and eth0 connected to the local network.
The example assumes that an OpenVPN key has been generated offline and imported into both GW-A and GW-B under the label psk1.
DHCP Server A1 and Host B1 are not configured in this example. The gateways GW-A and GW-B are assumed to be able to reach each other via public IPv4 addresses.
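As an added example, not part of this HowTo or of WeOS, the Python script below sanity-checks an OpenVPN static key file of the kind generated offline (for instance with openvpn --genkey) before it is imported under a label such as psk1. It assumes OpenVPN's own "Static key V1" text layout; both sample keys are constructed inside the block.

```python
import re
import secrets
from collections import Counter

# Markers and size of OpenVPN's "Static key V1" text format as written by
# "openvpn --genkey": 2048 bits = 256 bytes, as 16 lines of 32 hex digits.
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256


def parse_static_key(text: str) -> bytes:
    """Return the raw 256 key bytes, or raise ValueError naming the defect."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("#")]
    if not body or body[0] != BEGIN or body[-1] != END:
        raise ValueError("missing or damaged BEGIN/END markers")
    hexdata = "".join(body[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        raise ValueError("non-hex characters in key body")
    raw = bytes.fromhex(hexdata)
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw


def key_problems(raw: bytes) -> list:
    """Cheap hygiene checks that catch hand-typed, truncated or fill-pattern keys."""
    problems = []
    # OpenVPN uses the 256 bytes as four 64-byte slots: a cipher key and an
    # HMAC key for each direction. Identical slots mean the key was not random.
    slots = [raw[i:i + 64] for i in range(0, KEY_BYTES, 64)]
    if len(set(slots)) != 4:
        problems.append("repeated 64-byte key slot")
    # 256 random bytes cover roughly 160 distinct byte values; far fewer means
    # the "key" is a pattern (e.g. a placeholder that was never replaced).
    if len(Counter(raw)) < 128:
        problems.append("low byte diversity")
    return problems


def make_static_key(raw: bytes) -> str:
    """Render raw bytes in the Static key V1 layout (used here to build samples)."""
    hexdata = raw.hex()
    body = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN, *body, END, ""])


# Constructed samples: a fresh random key and a fill pattern that should be flagged.
GOOD_KEY = make_static_key(secrets.token_bytes(KEY_BYTES))
BAD_KEY = make_static_key(bytes([0xAB]) * KEY_BYTES)
```

Run the checks on the key file before importing it on either gateway; any problem reported by key_problems means the key should be regenerated rather than used.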
Server Configuration
In this setup GW-A is the OpenVPN server node. To configure the server side of the tunnel, enter the following commands in the CLI:
    example:/#> configure
    example:/config/#> tunnel ssl 0
    example:/config/tunnel/ssl-0/#> secret psk1
    example:/config/tunnel/ssl-0/#> server
    example:/config/tunnel/ssl-0/#> method psk
    example:/config/tunnel/ssl-0/#> type tap
    example:/config/tunnel/ssl-0/#> leave
    example:/#>
The OpenVPN server is now up and running, waiting for a connection. You can verify this with the following admin-exec commands:
    example:/#> show port ssl0
    example:/#> show tunnel ssl
Since the tunnel is a layer 2 (tap) tunnel, its endpoint ssl0 is treated as a virtual port. As such, port-type commands can be used to operate on it. The first command displays ssl0 as Enabled with Link UP, and with a MAC address assigned to it.
The second command displays the tunnel as DOWN, which is expected. This changes to UP once a connection with a client has been established.
Next, we bridge ssl0 with eth0 to include the tunnel in the broadcast domain of the local subnet. We also set the bridge interface vlan100 to request a local IP address via DHCP.
    example:/#> configure vlan 100
    example:/config/vlan-100/#> untagged eth0,ssl0
    example:/config/vlan-100/#> end
    example:/config/#> iface vlan100
    example:/config/iface-vlan100/#> inet dhcp
    example:/config/iface-vlan100/#> leave
    example:/#>
Verify that an IP address was assigned by running:
    example:/#> show iface vlan100
Note: this requires that a DHCP server is available on the subnet. It may take a couple of seconds for the IP address to be assigned.
Client Configuration
GW-B is the OpenVPN client. To configure the client side of the tunnel, enter the following commands in the CLI:
    example:/#> configure
    example:/config/#> tunnel ssl 0
    example:/config/tunnel/ssl-0/#> secret psk1
    example:/config/tunnel/ssl-0/#> no server
    example:/config/tunnel/ssl-0/#> peer 198.18.19.20
    example:/config/tunnel/ssl-0/#> method psk
    example:/config/tunnel/ssl-0/#> type tap
    example:/config/tunnel/ssl-0/#> leave
    example:/#>
The IP address for the peer is the public IP address of the server.
Again, verify the operational status:
    example:/#> show port ssl0
    example:/#> show tunnel ssl
The first command displays ssl0 as being Enabled with Link UP, and with a MAC address assigned to it.
The second command should now display the tunnel as UP. It may, however, take a few seconds for the configuration to be applied and for the tunnel to be established before it is displayed as UP.
Once the tunnel is UP, we bridge ssl0 with eth0 to include the tunnel in the broadcast domain of the local subnet, like we did for the server side. This effectively connects the two LAN segments (Site A and Site B) together.
Also set the bridge interface vlan100 to request a local IP address via DHCP, i.e., over the tunnel:
    example:/#> configure
    example:/config/#> vlan 100
    example:/config/vlan-100/#> untagged eth0,ssl0
    example:/config/vlan-100/#> end
    example:/config/#> iface vlan100
    example:/config/iface-vlan100/#> inet dhcp
    example:/config/iface-vlan100/#> leave
    example:/#>
Verify that an IP address was assigned by running:
    example:/#> show iface vlan100
It should be a DHCP-assigned IP address. It may take some time for the address to appear; keep in mind that all DHCP traffic has to pass across the tunnel, which means encrypting it, encapsulating it in UDP packets, routing those across the public network, and reversing the procedure at the other end.
Final Topology
The following figure illustrates the resulting topology, with an L2 tunnel connecting the two LANs via the virtual port ssl0 on each GW device.
           Site A                                 Site B
         .--------.                               .--------.
         |  DHCP  |                               |        |
         | Server |                               |  Host  |
         |   A1   |                               |   B1   |
         '----+---'                               '---+----'
              | IP:192.168.1.1                        | IP:DHCP(A1)
              |                                       |
              | vlan100                               | vlan100
              | IP:DHCP(A1)                           | IP:DHCP(A1)
         eth0 | Untagged:eth0,ssl0               eth0 | Untagged:eth0,ssl0
         .----+---.                               .---+----.
         |      `. |       OpenVPN L2 Tunnel       | .´      |
         |  GW-A `+===============================+´ GW-B  |
         |        |  ssl0                   ssl0  |        |
         '----+---'                               '---+----'
        vlan2 |               .--.-.                  | vlan2
   Public IP: |             ( (    )__                | Public IP:
 198.18.19.20 '------------(_,  \  ) ,_)--------------' 198.18.19.21
                            '-'--`--'
                      Public Network/Internet