EdgeRouter - OpenVPN Layer 2 Tunnel


Overview


Readers will learn how to configure a Layer 2 OpenVPN tunnel between two EdgeRouters.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
The tunnel is authenticated and encrypted with a single pre-shared static key. Anyone who obtains the key file can join the tunnel and decrypt its traffic (including previously captured traffic, since static-key mode has no forward secrecy), so keep the file readable by root only, move it between the routers only over SSH or another secure channel, and regenerate it on both routers if it is ever exposed.

Tunneling Layer 2 Traffic using OpenVPN



topology.png

OpenVPN in site-to-site mode, with its tunnel interface bridged to the LAN interface, will be used to tunnel Layer 2 traffic between the sites. The two LANs then form a single broadcast domain (192.168.1.0/24 in this example), so only one DHCP server should serve the bridged segment. See the OpenVPN Site-to-Site article for more information on setting up OpenVPN.


Follow the steps below to set up the OpenVPN Site-to-Site Layer 2 tunnel:

CLI: Access the Command Line Interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Generate the 2048-bit shared secret (an OpenVPN static key).

generate vpn openvpn-key /config/auth/secret

2. Display the shared secret and copy the output to a text file. This output is the tunnel's only credential: keep the copy only until it has been loaded onto ER-R, and move it there over SSH rather than through email or a chat tool.

sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

3. Enter configuration mode.

configure

4. Add a firewall rule to the local (WAN_LOCAL) firewall policy that accepts the incoming OpenVPN traffic (UDP port 1194). Because the remote endpoint is fixed, you can tighten this rule further by limiting its source address to ER-R's public address (192.0.2.1), so that no other host can reach the OpenVPN port.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

5. Create the bridged (br0) interface.

set interfaces bridge br0

6. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.1/24

7. Link the shared secret to the OpenVPN tunnel interface.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

8. Create the tunnel interface and define the local and remote tunnel endpoints (the public WAN addresses of ER-L and ER-R respectively).

set interfaces openvpn vtun0 local-host 203.0.113.1
set interfaces openvpn vtun0 remote-host 192.0.2.1

9. Define the tunnel mode.

set interfaces openvpn vtun0 mode site-to-site

10. Add the tunnel interface (vtun0) and the LAN interface (eth1) to the bridge. A bridge can only carry Ethernet frames, so vtun0 must be a TAP device rather than a TUN device: if the commit rejects the bridge-group for that reason, set the vtun0 device-type to tap on both routers. Once eth1 is a bridge member it must not carry an IP address of its own; the br0 address assigned above is the router's LAN address.

set interfaces openvpn vtun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

11. Commit the changes and save the configuration.

commit ; save

CLI: Access the Command Line Interface on ER-R.

1. Copy the contents of the shared secret generated earlier to a new file in the /config/auth directory. Paste it exactly as displayed on ER-L, including the comment header and the BEGIN and END lines.

sudo cat > /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----

2. Use CTRL-D to save the file.

3. Restrict the file permissions so that only the owner can read or write it, and set the owner to the root user.

sudo chmod 600 /config/auth/secret
sudo chown root /config/auth/secret

4. Verify that the file is in the correct location, that its permissions are -rw------- with root as the owner, and that its size matches the original on ER-L (636 bytes for a 2048-bit key in this format), which catches a truncated paste.

ls -l /config/auth/
-rw------- 1 root vyattacf 636 Jan 1 13:00 secret

5. Enter configuration mode.

configure

6. Add a firewall rule to the local (WAN_LOCAL) firewall policy that accepts the incoming OpenVPN traffic (UDP port 1194). Because the remote endpoint is fixed, you can tighten this rule further by limiting its source address to ER-L's public address (203.0.113.1), so that no other host can reach the OpenVPN port.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

7. Create the bridged (br0) interface.

set interfaces bridge br0

8. Assign an IP address to the br0 interface.

set interfaces bridge br0 address 192.168.1.2/24

9. Link the shared secret to the OpenVPN tunnel interface.

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

10. Create the tunnel interface and define the local and remote tunnel endpoints (the public WAN addresses of ER-R and ER-L respectively, mirroring the values configured on ER-L).

set interfaces openvpn vtun0 local-host 192.0.2.1
set interfaces openvpn vtun0 remote-host 203.0.113.1

11. Define the tunnel mode.

set interfaces openvpn vtun0 mode site-to-site

12. Add the tunnel interface (vtun0) and the LAN interface (eth1) to the bridge. As on ER-L, vtun0 must be a TAP device for the bridge-group to apply (set the vtun0 device-type to tap if the commit rejects it), and eth1 must not keep an IP address of its own once it is a bridge member.

set interfaces openvpn vtun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

13. Commit the changes and save the configuration.

commit ; save
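The following Python script is an added example, not part of the original article or of EdgeOS, that performs the checks behind steps 1 to 4 on ER-R offline: it parses the static key file layout that generate vpn openvpn-key produces, rejects a truncated or corrupted paste by requiring the hex block to decode to exactly 2048 bits, checks that the file is mode 0600 and owned by the expected user (root on the router), and derives a SHA-256 fingerprint that can be compared between ER-L and ER-R without reading the key itself out. The sample key built from the bytes 0x00 to 0xff is a constructed placeholder, not a usable secret, and the temporary-directory demonstration uses the current user as the expected owner so that it runs without root.

```python
"""Offline checks for an OpenVPN static key file (the /config/auth/secret file above)."""
import hashlib
import os
import re
import stat
import tempfile

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # a "2048 bit OpenVPN static key" is 256 bytes = 512 hex characters


def format_static_key(key: bytes) -> str:
    """Render raw key bytes in the layout openvpn --genkey writes: a comment
    header, then 16 lines of 32 hex characters between the BEGIN/END markers."""
    if len(key) != KEY_BYTES:
        raise ValueError("static key must be exactly 256 bytes")
    hexed = key.hex()
    body = "\n".join(hexed[i:i + 32] for i in range(0, len(hexed), 32))
    return f"#\n# 2048 bit OpenVPN static key\n#\n{BEGIN}\n{body}\n{END}\n"


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes from a static key file, or raise ValueError if the
    markers are missing, the body is not hex, or it does not decode to 2048 bits
    (the symptom of a truncated or corrupted paste)."""
    lines = [line.strip() for line in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("BEGIN/END markers missing")
    start, stop = lines.index(BEGIN), lines.index(END)
    if stop <= start:
        raise ValueError("END marker precedes BEGIN marker")
    hex_body = "".join(lines[start + 1:stop])
    if not re.fullmatch(r"[0-9a-fA-F]*", hex_body):
        raise ValueError("non-hex data inside the key block")
    key = bytes.fromhex(hex_body)
    if len(key) != KEY_BYTES:
        raise ValueError(f"key is {len(key) * 8} bits, expected {KEY_BYTES * 8}")
    return key


def key_fingerprint(key: bytes) -> str:
    """SHA-256 of the raw key bytes. Comparing this value on ER-L and ER-R shows
    whether both routers hold the same key without displaying the key itself."""
    return hashlib.sha256(key).hexdigest()


def check_key_file(path: str, expected_uid: int = 0) -> list:
    """Return the list of problems found with the key file at path (empty if OK):
    no group/other permission bits (i.e. -rw-------), owner must be expected_uid
    (root on the router), and the content must parse as a 2048-bit static key."""
    problems = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode is {stat.filemode(st.st_mode)}, want -rw-------")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid} is not {expected_uid}")
    with open(path, encoding="ascii") as fh:
        content = fh.read()
    try:
        parse_static_key(content)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed placeholder key (the bytes 0x00..0xff), NOT a usable secret; a real
# key comes from `generate vpn openvpn-key` on the router.
SAMPLE_KEY = bytes(range(256))
SAMPLE_KEY_TEXT = format_static_key(SAMPLE_KEY)


def check_sample_files() -> dict:
    """Write the sample key into a temporary directory three ways (correct, world
    readable, truncated paste) and return what check_key_file reports for each.
    The current user is used as the expected owner so this runs without root."""
    truncated_text = "\n".join(SAMPLE_KEY_TEXT.splitlines()[:-2] + [END]) + "\n"
    cases = {
        "good": (SAMPLE_KEY_TEXT, 0o600),
        "world_readable": (SAMPLE_KEY_TEXT, 0o644),
        "truncated": (truncated_text, 0o600),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (text, mode) in cases.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="ascii") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = check_key_file(path, expected_uid=os.stat(path).st_uid)
    return results


if __name__ == "__main__":
    print("fingerprint:", key_fingerprint(SAMPLE_KEY))
    for name, problems in check_sample_files().items():
        print(f"{name}: {problems or 'OK'}")
```

To use it against a real file, run check_key_file("/config/auth/secret") as root on each router and compare the printed fingerprints; a mismatch means the paste differs somewhere and the tunnel will not authenticate. The 636-byte size that the article's ls -l output shows is exactly what format_static_key produces for a 2048-bit key, so a different size on ER-R is the first sign of a truncated copy.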

Related Articles



Intro to Networking - How to Establish a Connection Using SSH

EdgeRouter - OpenVPN Site-to-Site

EdgeRouter - EoGRE Layer 2 Tunnel

