EdgeRouter - OpenVPN Layer 2 Tunnel
Overview
Readers will learn how to configure a Layer 2 OpenVPN tunnel between two EdgeRouters.
Tunneling Layer 2 Traffic using OpenVPN
OpenVPN will be used to tunnel L2 traffic between the sites: the OpenVPN interface on each router runs in site-to-site mode with a static (pre-shared) key and is bridged to the LAN port, so the LANs at both sites become one broadcast domain. See the OpenVPN Site-to-Site article for more information on setting up OpenVPN.
Follow the steps below to set up the OpenVPN Site-to-Site Layer 2 tunnel. The first set of steps is performed on the first EdgeRouter (WAN address 203.0.113.1 in this example), the second set on the second EdgeRouter (WAN address 192.0.2.1). Both routers must hold an identical copy of the static key, and anyone who obtains that key can decrypt or inject traffic on the tunnel, so handle it like a password.
1. Generate the 2048 bit shared secret on the first EdgeRouter.
generate vpn openvpn-key /config/auth/secret
2. Display the shared secret and copy the output to a text file. Move the key to the second router over a trusted channel such as SSH (see the related article) and delete the temporary text file once the tunnel is working.
sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----
3. Enter configuration mode.
configure
4. Add a firewall rule for the OpenVPN traffic to the local firewall policy (WAN_LOCAL governs traffic addressed to the router itself). As written the rule accepts UDP 1194 from any source; if the peer has a fixed public address, narrow the rule to that address with a source address match.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
5. Create the bridged (br0) interface.
set interfaces bridge br0
6. Assign an IP address to the br0 interface. This is the router's address on the bridged LAN; an address previously configured on eth1, if any, should be moved here, because a bridge member port should not carry its own IP address.
set interfaces bridge br0 address 192.168.1.1/24
7. Link the shared secret to the OpenVPN tunnel interface.
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
8. Define the local and remote tunnel endpoints: local-host is this router's own WAN address, on which OpenVPN listens, and remote-host is the peer's WAN address.
set interfaces openvpn vtun0 local-host 203.0.113.1
set interfaces openvpn vtun0 remote-host 192.0.2.1
9. Define the tunnel mode.
set interfaces openvpn vtun0 mode site-to-site
10. Add the tunnel interface (vtun0) and the LAN interface (eth1) to the bridge. With a bridge-group configured, EdgeOS runs the OpenVPN interface as a TAP (Layer 2) device, so every frame entering eth1, broadcasts included, is forwarded across the tunnel.
set interfaces openvpn vtun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
11. Commit the changes and save the configuration.
commit ; save
On the second EdgeRouter (the 192.0.2.1 side) the key generated on the first router is installed rather than generated again, so that both ends hold the same secret.
1. Copy the contents of the shared secret generated earlier to a new file in the /config/auth directory.
sudo cat > /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----
2. Press CTRL-D on an empty line to end the input and write the file.
3. Restrict the file permissions to the owner and set the owner to the root user. OpenVPN logs a warning when a key file is readable by group or others, and a readable key would let any local user decrypt the tunnel.
sudo chmod 600 /config/auth/secret
sudo chown root /config/auth/secret
4. Verify that the file is in the correct location and that it has the correct permissions.
ls -l /config/auth/
-rw------- 1 root vyattacf 636 Jan 1 13:00 secret
5. Enter configuration mode.
configure
6. Add a firewall rule for the OpenVPN traffic to the local firewall policy.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
7. Create the bridged (br0) interface.
set interfaces bridge br0
8. Assign an IP address to the br0 interface.
set interfaces bridge br0 address 192.168.1.2/24
9. Link the shared secret to the OpenVPN tunnel interface.
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
10. Create the tunnel interface and define the local and remote tunnel endpoints.
set interfaces openvpn vtun0 local-host 192.0.2.1
set interfaces openvpn vtun0 remote-host 203.0.113.1
11. Define the tunnel mode.
set interfaces openvpn vtun0 mode site-to-site
12. Add the tunnel interface (vtun0) and the LAN interface (eth1) to the bridge.
set interfaces openvpn vtun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
13. Commit the changes and save the configuration.
commit ; save
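The whole procedure for both routers in one place, as an added example that is not part of the original article. It keeps the article's placeholder values (first router 203.0.113.1, second router 192.0.2.1, bridged LAN 192.168.1.0/24 on eth1 at both sites, labelled ER-1 and ER-2 here) and adds two things a practitioner would want: the WAN_LOCAL rule is limited to the peer's public address with a source address match, and the key is compared by SHA-256 hash on both routers instead of by eye. The verification commands at the end (show interfaces openvpn vtun0 and a ping across the bridge) are assumed standard EdgeOS operational-mode commands and are not taken from the article.

```edgeos
# Added example, not from the original article. Values are the article's
# placeholders: ER-1 has WAN address 203.0.113.1, ER-2 has 192.0.2.1, and the
# bridged LAN is 192.168.1.0/24 on eth1 at both sites.

# ---------- ER-1, operational mode ----------
generate vpn openvpn-key /config/auth/secret
# Record the hash; it is compared on ER-2 after the key has been copied over.
sudo sha256sum /config/auth/secret

# ---------- ER-1, configuration mode ----------
configure
# Accept OpenVPN only from the peer's public address, not from the whole Internet.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 source address 192.0.2.1
# The router's LAN address lives on the bridge, not on the member port eth1.
set interfaces bridge br0 address 192.168.1.1/24
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun0 local-host 203.0.113.1
set interfaces openvpn vtun0 remote-host 192.0.2.1
# Bridging vtun0 makes it a Layer 2 (TAP) interface; eth1 joins the same bridge.
set interfaces openvpn vtun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
commit ; save ; exit

# ---------- ER-2, operational mode ----------
# Install the key copied from ER-1 (paste it, then press CTRL-D), lock it down,
# and confirm the hash matches the one recorded on ER-1.
sudo cat > /config/auth/secret
sudo chmod 600 /config/auth/secret
sudo chown root /config/auth/secret
sudo sha256sum /config/auth/secret

# ---------- ER-2, configuration mode (mirror image of ER-1) ----------
configure
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 source address 203.0.113.1
set interfaces bridge br0 address 192.168.1.2/24
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun0 local-host 192.0.2.1
set interfaces openvpn vtun0 remote-host 203.0.113.1
set interfaces openvpn vtun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
commit ; save ; exit

# ---------- Verify, from ER-1 in operational mode (assumed EdgeOS commands) ----------
show interfaces openvpn vtun0
# A reply from ER-2's bridge address shows that frames cross the tunnel at Layer 2,
# since 192.168.1.2 is reachable only through the bridged vtun0.
ping 192.168.1.2
```

The source address match only works when the peer's public address is fixed; for a peer on a dynamic address, leave it off and rely on the static key alone, accepting that the port is then reachable from anywhere. Comparing hashes rather than key text catches the common failure of a truncated or re-wrapped paste, which otherwise shows up only as a tunnel that never comes up.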
Related Articles
Intro to Networking - How to Establish a Connection Using SSH