Layer 2 VPN (bridge?)

Hi all,

I was wondering if I could set up a layer 2 VPN between two GL-AR300M devices? So the same subnet is in both locations and broadcasts will work across the two sites.

By the way I already have a GL-AR300M connected to a Sophos XG Firewall (OpenVPN) and it’s great, but layer 3.

Cheers,
Steve

I don’t have a layer 2 solution now. Sorry for that.

All you need to do is configure your OpenVPN using tap instead of tun. You may need to do an extra bit of bridge configuration (adding the tap device to the local bridge), but that’s not a big deal. Google how the setup needs to be done, but it is definitely achievable.

I agree; it should be easy. But not for me! I have a pretty simple set up:

  • server is a Shibby router, set up for tap with 192.168.70.1/24 configured on its LAN (static key)
  • if the client is another Shibby router set up with tap and 192.168.70.201/24 on its LAN, I can ping from client lan to devices on the server lan
  • similar config with MT300N does not work

MT300N info:
root@GL-MT300N:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.e4956e42d981       no              eth0.1
                                                        wlan0
                                                        tap0

root@GL-MT300N:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.67.1    0.0.0.0         UG        0 0          0 eth0.2
192.168.67.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0.2
192.168.67.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0.2
192.168.70.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan

client.ovpn:

dev tap
proto udp
remote nnn 1194
verb 3
<secret>
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</secret>

daemon

MT300N Syslog:
Tue Nov 27 09:01:20 2018 kern.info kernel: [59926.530000] br-lan: port 3(tap0) entered forwarding state
Tue Nov 27 09:01:20 2018 kern.info kernel: [59926.540000] br-lan: port 3(tap0) entered forwarding state
Tue Nov 27 09:01:20 2018 daemon.notice netifd: Interface 'VPN_client' is enabled
Tue Nov 27 09:01:20 2018 daemon.notice netifd: Network device 'tap0' link is up
Tue Nov 27 09:01:20 2018 daemon.notice netifd: Interface 'VPN_client' has link connectivity
Tue Nov 27 09:01:20 2018 daemon.notice netifd: Interface 'VPN_client' is setting up now
Tue Nov 27 09:01:20 2018 daemon.notice netifd: Interface 'VPN_client' is now up
Tue Nov 27 09:01:21 2018 user.notice firewall: Reloading firewall due to ifup of VPN_client (tap0)
Tue Nov 27 09:01:22 2018 kern.info kernel: [59928.540000] br-lan: port 3(tap0) entered forwarding state

server syslog when Shibby client connects (works):
Nov 27 11:22:14 UV-shibby daemon.notice openvpn[20900]: Inactivity timeout (--ping-restart), restarting
Nov 27 11:22:14 UV-shibby daemon.notice openvpn[20900]: Closing TUN/TAP interface
Nov 27 11:22:14 UV-shibby daemon.notice openvpn[20900]: SIGUSR1[soft,ping-restart] received, process restarting
Nov 27 11:22:14 UV-shibby daemon.notice openvpn[20900]: Restart pause, 2 second(s)
Nov 27 11:22:16 UV-shibby daemon.notice openvpn[20900]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 27 11:22:16 UV-shibby daemon.notice openvpn[20900]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 27 11:22:16 UV-shibby daemon.notice openvpn[20900]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 27 11:22:16 UV-shibby daemon.notice openvpn[20900]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Nov 27 11:22:16 UV-shibby daemon.notice openvpn[20900]: TUN/TAP device tap21 opened
Nov 27 11:22:16 UV-shibby daemon.notice openvpn[20900]: TUN/TAP TX queue length set to 100
Nov 27 11:22:16 UV-shibby daemon.notice openvpn[20900]: UDPv4 link local (bound): [undef]
Nov 27 11:22:16 UV-shibby daemon.notice openvpn[20900]: UDPv4 link remote: [undef]
[-- when MT300N connects, syslog ends with line above; lines below occur when Shibby client connects --]
Nov 27 11:23:11 UV-shibby daemon.notice openvpn[20900]: Peer Connection Initiated with [AF_INET]68.108.255.149:31226
Nov 27 11:23:11 UV-shibby daemon.notice openvpn[20900]: Initialization Sequence Completed
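Added example (not code from this thread, from GL.iNet or from OpenWrt): a POSIX shell checker that turns the three ingredients from the earlier reply (a tap device, the tap enslaved to the LAN bridge, and a tunnel that actually finishes its handshake) into checks run over captured `brctl show`, `netstat -rn` and OpenVPN log text, plus a warning for the BF-CBC cipher visible in the server log above. The interface names br-lan and tap0 and the 192.168.70.0/24 subnet come from the post; the sample outputs are constructed to mirror the pasted ones, and the healthy log (with a documentation-range peer address) is invented.

```shell
#!/bin/sh
# Added diagnostic for an OpenVPN tap (layer 2) client on an OpenWrt-based
# router. Not code from the thread or from GL.iNet/OpenWrt; the sample command
# outputs below are constructed to mirror what the poster pasted. Every check
# takes captured text as an argument, so the script runs offline; on a router
# feed it "$(brctl show)", "$(netstat -rn)" and "$(logread)".

# Return 0 if IFACE ($3) is a port of BRIDGE ($2) in `brctl show` output ($1).
# brctl prints the bridge name only on its first row; further ports appear on
# continuation rows that contain nothing but the interface name.
tap_in_bridge() {
    printf '%s\n' "$1" | awk -v br="$2" -v want="$3" '
        NR == 1 { next }                      # column header
        NF == 4 { cur = $1; port = $4 }       # bridge row with its first port
        NF == 3 { cur = $1; port = "" }       # bridge row with no ports
        NF == 1 { port = $1 }                 # continuation row: one more port
        cur == br && port == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the connected route for SUBNET ($2) in `netstat -rn` output ($1)
# uses DEV ($3): the LAN subnet must sit on the bridge that holds the tap,
# otherwise frames arriving on tap0 never reach the LAN side.
lan_route_on() {
    printf '%s\n' "$1" | awk -v net="$2" -v dev="$3" '
        $1 == net && $NF == dev { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the OpenVPN log ($1) shows a completed tunnel. The poster's server
# log stops at "UDPv4 link remote: [undef]" for the failing client; a working
# peer continues to "Initialization Sequence Completed".
vpn_completed() {
    printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'
}

# Return 0 if the log ($1) shows BF-CBC, the 64-bit-block cipher the poster's
# server negotiated. A bridge carries every LAN frame through the tunnel, so a
# current cipher (AES-256-CBC in static-key mode) on both ends is worth setting.
weak_cipher_seen() {
    printf '%s\n' "$1" | grep -q 'BF-CBC'
}

# Run all checks, print one line each, and return how many did not pass.
diagnose() {
    brctl_out=$1; route_out=$2; log_out=$3; fails=0
    if tap_in_bridge "$brctl_out" br-lan tap0; then
        echo "ok   tap0 is a port of br-lan"
    else
        echo "FAIL tap0 is not enslaved to br-lan (add it to the LAN bridge ports)"
        fails=$((fails + 1))
    fi
    if lan_route_on "$route_out" 192.168.70.0 br-lan; then
        echo "ok   192.168.70.0/24 is routed via br-lan"
    else
        echo "FAIL 192.168.70.0/24 is not on br-lan"; fails=$((fails + 1))
    fi
    if vpn_completed "$log_out"; then
        echo "ok   tunnel reached Initialization Sequence Completed"
    else
        echo "FAIL no completed handshake in the OpenVPN log"; fails=$((fails + 1))
    fi
    if weak_cipher_seen "$log_out"; then
        echo "WARN BF-CBC in use; set a current cipher on both peers"; fails=$((fails + 1))
    else
        echo "ok   no BF-CBC in the OpenVPN log"
    fi
    return $fails
}

# Constructed sample output mirroring the poster's MT300N (names from the post).
BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.e4956e42d981       no              eth0.1
                                                        wlan0
                                                        tap0'
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.67.1    0.0.0.0         UG        0 0          0 eth0.2
192.168.70.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan'
# Constructed server log for the failing case (handshake never completes) ...
LOG_FAIL_SAMPLE="openvpn[20900]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
openvpn[20900]: TUN/TAP device tap21 opened
openvpn[20900]: UDPv4 link remote: [undef]"
# ... and for a healthy peer (address is a documentation-range placeholder).
LOG_OK_SAMPLE="openvpn[20900]: Static Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
openvpn[20900]: Peer Connection Initiated with [AF_INET]192.0.2.10:31226
openvpn[20900]: Initialization Sequence Completed"

diagnose "$BRCTL_SAMPLE" "$ROUTE_SAMPLE" "$LOG_FAIL_SAMPLE" && rc=0 || rc=$?
echo "failing case: $rc check(s) did not pass"
```

Against the constructed failing sample, `diagnose` reports the bridge port and the route as fine and flags two things: the log never reaches Initialization Sequence Completed, and BF-CBC is in use. On a router, pass real output with `diagnose "$(brctl show)" "$(netstat -rn)" "$(logread)"`; the checks only read text, so running them changes nothing on the device.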