LAN Tunnel Bridging HowTo

About

This document provides an example of how to set up a LAN to LAN tunnel bridge using OpenVPN with a pre-shared key (PSK). For simplicity, only basic configuration options are used.

Introduction

Company X has two sites, A and B, in different geographical locations, connected by a public network. They want to bridge both sites into the same LAN so that the DHCP server at Site A also serves the hosts at Site B.

          Site A                               Site B

        .--------.                           .--------.
        |  DHCP  |                           |        |
        | Server |                           |  Host  |
        |   A1   |                           |   B1   |
        '----+---'                           '---+----'
             | IP:192.168.1.1                    | IP:DHCP(A1)
             |                                   |
             |                                   |
             | vlan100                           | vlan100
        eth0 | IP:DHCP(A1)                  eth0 | IP:DHCP(A1)
        .----+---.                           .---+----.
        |        |                           |        |
        |  GW-A  |                           |  GW-B  |
        |        |                           |        |
        '----+---'                           '---+----'
      vlan2  |               .--.-.               | vlan2
  Public IP: |              ( (    )__            | Public IP:
198.18.19.20 '-------------(_,  \ ) ,_)-----------' 198.18.19.21
                             '-'--`--'
                     Public Network/Internet

WeOS devices GW-A and GW-B both have their port eth1 (the member port of vlan2, which carries the public IP address) connected to the WAN (public network/Internet) and eth0 connected to the local network.

The example assumes that an OpenVPN static key has been generated offline and imported into both GW-A and GW-B under the label psk1. Keep in mind what static-key (PSK) mode implies: the same key exists in plaintext on both devices, it has to be transferred between them over a channel you already trust, and it provides no forward secrecy, so if the key is ever disclosed, captured traffic from earlier sessions can be decrypted as well. Generate a fresh key per tunnel and do not reuse it elsewhere.

DHCP Server A1 and Host B1 are not configured in this example. The gateways GW-A and GW-B are assumed to be able to reach each other via their public IPv4 addresses, including through any firewall between them.

Server Configuration

In this setup GW-A is the OpenVPN server node. To configure the server side of the tunnel, enter the following commands in the CLI:

example:/#> configure
example:/config/#> tunnel ssl 0
example:/config/tunnel/ssl-0/#> secret psk1
example:/config/tunnel/ssl-0/#> server
example:/config/tunnel/ssl-0/#> method psk
example:/config/tunnel/ssl-0/#> type tap
example:/config/tunnel/ssl-0/#> leave
example:/#>

The OpenVPN server is now up and running, waiting for a connection. You can verify this with the following admin-exec commands:

example:/#> show port ssl0
example:/#> show tunnel ssl

Since the tunnel is a layer 2 (tap) tunnel, its endpoint ssl0 is treated as a virtual port. As such, port-type commands can be used to operate on it. The first command displays ssl0 as Enabled with Link UP, and with a MAC address assigned to it.

The second command displays the tunnel as DOWN, which is expected. This changes to UP once a connection with a client has been established.

Next, we bridge ssl0 with eth0 to include the tunnel in the broadcast domain of the local subnet. We also set the bridge interface vlan100 to request a local IP address via DHCP.

example:/#> configure vlan 100
example:/config/vlan-100/#> untagged eth0,ssl0
example:/config/vlan-100/#> end
example:/config/#> iface vlan100
example:/config/iface-vlan100/#> inet dhcp
example:/config/iface-vlan100/#> leave
example:/#>

Verify that an IP address was assigned by running:

example:/#> show iface vlan100

Note: this requires that a DHCP server is available on the subnet. It may take a couple of seconds for the IP address to be assigned.

Client Configuration

GW-B is the OpenVPN client. To configure the client side of the tunnel, enter the following commands in the CLI:

example:/#> configure
example:/config/#> tunnel ssl 0
example:/config/tunnel/ssl-0/#> secret psk1
example:/config/tunnel/ssl-0/#> no server
example:/config/tunnel/ssl-0/#> peer 198.18.19.20
example:/config/tunnel/ssl-0/#> method psk
example:/config/tunnel/ssl-0/#> type tap
example:/config/tunnel/ssl-0/#> leave
example:/#>

The IP address given as peer is the public IP address of the server, i.e., GW-A's vlan2 address 198.18.19.20 in this example.

Again, verify the operational status:

example:/#> show port ssl0
example:/#> show tunnel ssl

The first command displays ssl0 as being Enabled with Link UP, and with a MAC address assigned to it.

The second command should now display the tunnel as UP. It may, however, take a few seconds for the configuration to be applied and for the tunnel to be established before it is displayed as UP.

Once the tunnel is UP, we bridge ssl0 with eth0 to include the tunnel in the broadcast domain of the local subnet, like we did for the server side. This effectively connects the two LAN segments (Site A and Site B) together: the tunnel now behaves like a cable between the two switches, so ARP, DHCP and other broadcasts, and likewise any layer 2 misbehaviour originating at Site B, reach Site A's LAN unfiltered. Only bridge sites that you trust to the same degree.

Also set bridge interface vlan100 to request a local IP address via DHCP, i.e., over the tunnel:

example:/#> configure
example:/config/#> vlan 100
example:/config/vlan-100/#> untagged eth0,ssl0
example:/config/vlan-100/#> end
example:/config/#> iface vlan100
example:/config/iface-vlan100/#> inet dhcp
example:/config/iface-vlan100/#> leave
example:/#>

Verify that an IP address was assigned by running:

example:/#> show iface vlan100

It should be a DHCP-assigned IP address from A1's subnet. It may take some time for the IP address to appear; keep in mind that all DHCP traffic has to be passed across the tunnel, which means encrypting the traffic, encapsulating it in UDP packets, routing them across the public network, and doing the reverse at the other end.
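To make clear what the two WeOS tunnel configurations above amount to, here is the same server/client pair expressed as plain OpenVPN 2.x configuration files, together with a consistency check of the kind worth running before deploying a static-key pair. This is an added example, not WeOS code and not what WeOS generates internally. It assumes UDP port 1194 (OpenVPN's default), a key file named psk1.key, an explicit CBC cipher and HMAC (AEAD ciphers such as AES-256-GCM are not usable with OpenVPN's --secret mode), and that the host OS bridges tap0 with its LAN interface the way vlan100 does on the WeOS devices. The check_pair helper is mine.

```shell
#!/bin/sh
# Added example: plain OpenVPN equivalent of the GW-A (server) and
# GW-B (client) static-key tap tunnel, plus a pre-deployment check.
# Assumptions not stated in the HowTo: port 1194, key file psk1.key,
# cipher/HMAC choice, and OS-level bridging of tap0 with the LAN port.
set -eu

SERVER_PUBLIC_IP="198.18.19.20"   # GW-A's public address, as in the example
PORT="1194"                       # assumption: OpenVPN's default UDP port
KEY_FILE="psk1.key"               # assumption: the key imported as "psk1"

# Generate the static key once, offline, then copy it to both peers over a
# channel you already trust. Both peers hold the same plaintext key.
gen_static_key() {
    umask 077
    openvpn --genkey --secret "$1"
}

# Options both ends must agree on. Static-key mode cannot negotiate them,
# and AEAD ciphers are rejected with --secret, so use a CBC cipher plus an
# explicit HMAC.
common_opts() {
    cat <<EOF
dev tap
proto udp
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
EOF
}

# GW-A equivalent: it listens and has no "remote". Key direction 0 here and
# 1 on the client gives each traffic direction its own cipher and HMAC keys.
server_conf() {
    common_opts
    cat <<EOF
port $PORT
secret $KEY_FILE 0
EOF
}

# GW-B equivalent: "remote" is the server's public IP (the "peer" above).
client_conf() {
    common_opts
    cat <<EOF
remote $SERVER_PUBLIC_IP $PORT
nobind
secret $KEY_FILE 1
EOF
}

# Pre-deployment check: dev/proto/cipher/auth must match on both sides, the
# server must not dial out, the client must dial the right address, and the
# key directions must be complementary. Returns 0 when consistent, else 1.
check_pair() {
    s="$1"; c="$2"
    for opt in dev proto cipher auth; do
        sv=$(awk -v o="$opt" '$1==o {print $2}' "$s")
        cv=$(awk -v o="$opt" '$1==o {print $2}' "$c")
        [ -n "$sv" ] && [ "$sv" = "$cv" ] \
            || { echo "mismatch: $opt ($sv vs $cv)" >&2; return 1; }
    done
    grep -q '^remote ' "$s" && { echo "server must not have 'remote'" >&2; return 1; }
    grep -q "^remote $SERVER_PUBLIC_IP $PORT\$" "$c" \
        || { echo "client 'remote' does not point at the server" >&2; return 1; }
    grep -q '^secret .* 0$' "$s" && grep -q '^secret .* 1$' "$c" \
        || { echo "key directions must be 0 (server) and 1 (client)" >&2; return 1; }
    return 0
}

# Write gw-a.conf and gw-b.conf into the given directory.
write_configs() {
    dir="$1"
    server_conf > "$dir/gw-a.conf"
    client_conf > "$dir/gw-b.conf"
}
```

Usage: source the file (`. ./openvpn-static.sh`), run `gen_static_key psk1.key` on a trusted machine, `write_configs /etc/openvpn`, and `check_pair gw-a.conf gw-b.conf` before copying each file and the key to its gateway. The check is deliberately strict about the key direction parameter: with a single bidirectional key, the same keystream material is used in both directions, and a mismatch in cipher or auth between the two files fails silently on the wire as a tunnel that never comes UP.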

Final Topology

The following figure illustrates the resulting topology, with an L2 tunnel connecting the two LANs via the virtual port ssl0 on each GW device.

          Site A                               Site B

        .--------.                           .--------.
        |  DHCP  |                           |        |
        | Server |                           |  Host  |
        |   A1   |                           |   B1   |
        '----+---'                           '---+----'
             | IP:192.168.1.1                    | IP:DHCP(A1)
             |                                   |
             |                                   |
             | vlan100                           | vlan100
             | IP:DHCP(A1)                       | IP:DHCP(A1)
        eth0 | Untagged:eth0,ssl0           eth0 | Untagged:eth0,ssl0
        .----+---.                           .---+----.
        |     `. |     OpenVPN L2 Tunnel     | .´     |
        |  GW-A `+===========================+´ GW-B  |
        |        | ssl0                 ssl0 |        |
        '----+---'                           '---+----'
             |                                   |
       vlan2 |              .--.-.               | vlan2
  Public IP: |             ( (    )__            | Public IP:
198.18.19.20 '------------(_,  \ ) ,_)-----------' 198.18.19.21
                            '-'--`--'
                     Public Network/Internet