Tutorial (Legacy): Switching Between Layer 3 Routing and Layer 2 Bridging

Abstract

You can set Access Server to use layer 2 bridging, with limited functionality, on an on-premise server. Note that we don't provide support for bridging.

Overview

Important word of caution:

This setup is deprecated, and we don't support it. We recommend using layer 3 routing mode but provide this documentation for legacy layer 2 bridging mode setups.

Layer 2 bridging mode should only be used in rare cases, typically with on-premise hardware.

Important considerations:

  • Layer 2 Bridging Mode: Use only with on-premise hardware. It is deprecated and not supported.

  • Upgrading Access Server: If operating in layer 2 mode, the setting remains intact after upgrading.

  • Connection Profiles: Switching to layer 2 bridging mode requires new connection profiles for VPN clients.

  • Complexity: Layer 2 bridging mode can cause issues with external equipment.

Prerequisites:

  • An installed Access Server.

    Note

    Your Access Server must run on a platform that supports Ethernet bridging (OpenVZ, Docker, LXD, and other container-based platforms are not supported).

  • Console access and the ability to get root access. We recommend ensuring physical access to the Access Server host, as network access may become unavailable in the event of a misconfiguration.

  • An understanding of the OSI layer model.

  • An OpenVPN client that supports TAP Ethernet Bridging functionality.

    Note

    OpenVPN 3 clients (such as OpenVPN Connect for Windows, macOS, iOS, and Android) are not supported. Use OpenVPN v2 community clients instead.

  • Understanding that this is a legacy setup with limited support.

  1. Connect to the console and get root privileges.

  2. Switch to layer 2 bridging mode:

    ./sacli --key "vpn.general.osi_layer" --value "2" ConfigPut
    ./sacli start

    Important

    • This mode is only recommended for on-premise hardware.

    • After switching, you must generate new connection profiles for your VPN clients to support the new configuration.

  • To revert to the recommended layer 3 routing mode, use the command below:

    ./sacli --key "vpn.general.osi_layer" ConfigDel
    ./sacli start
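
A guarded wrapper for the switch and revert commands above, as an added example that is not part of the Access Server documentation. It refuses to enable layer 2 when not run as root or when `systemd-detect-virt --container` reports a container platform; the function names and the `SACLI_DIR` default are assumptions.

```shell
#!/bin/sh
# Added example (not from the Access Server documentation): pre-flight checks
# around the layer 2 switch and the layer 3 revert. Function names are made up.

# Assumption: sacli lives in the default Access Server scripts directory.
SACLI_DIR="${SACLI_DIR:-/usr/local/openvpn_as/scripts}"

# $1 is the output of `systemd-detect-virt --container`. Only "none" passes:
# containers are unsupported, and an empty or unknown answer fails closed.
bridging_supported() {
    [ "$1" = "none" ]
}

# preflight <l2|l3> <uid> <virt>: 0 = ok, 2 = bad mode, 3 = not root,
# 4 = container platform. Reverting to l3 is allowed on any platform.
preflight() {
    case "$1" in l2|l3) ;; *) echo "mode must be l2 or l3" >&2; return 2 ;; esac
    [ "$2" -eq 0 ] || { echo "root privileges required" >&2; return 3; }
    if [ "$1" = l2 ] && ! bridging_supported "$3"; then
        echo "platform '$3' does not support Ethernet bridging" >&2
        return 4
    fi
    return 0
}

# Run the page's commands for the chosen mode in a subshell, so the caller's
# working directory is unchanged.
apply_mode() (
    cd "$SACLI_DIR" || exit 5
    case "$1" in
        l2) ./sacli --key "vpn.general.osi_layer" --value "2" ConfigPut ;;
        l3) ./sacli --key "vpn.general.osi_layer" ConfigDel ;;
        *)  exit 2 ;;
    esac && ./sacli start
)

# switch_mode <l2|l3>: check first, then apply, then print the follow-up step.
switch_mode() {
    preflight "$1" "$(id -u)" "$(systemd-detect-virt --container 2>/dev/null)" || return
    apply_mode "$1" || return
    [ "$1" = l2 ] && echo "Generate new connection profiles for VPN clients."
    return 0
}

# On the server console, with console access to the host:
#   switch_mode l2     # enable layer 2 bridging
#   switch_mode l3     # revert to layer 3 routing
```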