Site-to-Site Layer 2 Bridging Using OpenVPN Access Server and a Linux Gateway Client


This functionality is deprecated and we no longer offer support. Please refer to our detailed guide on how to set up Site-to-Site networks using routing: Site-to-Site VPN Routing Explained in Detail

OpenVPN Access Server can be configured in a site-to-site bridging setup that allows you to transparently bridge two sites together using a OpenVPN gateway client.

In order to do so, some requirements must be met. These requirements are detailed below.

Bridging overview and requirements

The diagram above depicts a typical site-to-site layer 2 bridging setup. In order to complete this setup, all of the following requirements must be met:

  1. You have two sites, each one connected to the Internet. One site will be hosting the Access Server and one site will be hosting the OpenVPN client.
  2. The site hosting the Access Server must be accessible from the Internet, or have its required ports forwarded to it from the Internet.
  3. Access Server must not be installed on a virtual platform that does not support bridging capabilities (e.g. OpenVZ). If Access Server is installed on a virtual platform, the network being bridged must have Promiscuous Mode turned on at the vSwitch.
  4. The multi-daemon mode must not be in use. Under Network Settings, set it to run only 1 TCP daemon and only 1 UDP daemon.
  5. The OpenVPN client must have at least two Ethernet interfaces, one connected to the Internet, one connected to the private LAN segment (as depicted in the yellow segments on the left of the diagram).
  6. The OpenVPN client must have IP forwarding enabled, as well as bridge-utils and openvpn installed, and running a Linux operating system (per these instructions).
  7. You must have administrative access to the OpenVPN Client machine, including uploading files and SSH/SFTP access.
  8. The private LAN segment (in left, yellow), should not be connected to another network. In other words, it should be isolated to the computers you want to bridge to the other site.

Bridging Configuration

In order to start the bridging process, you must first have Access Server generate an autologin profile. To do so, visit the User Permissions area, create an appropriate username for the bridging OpenVPN client, and then check the Allow Auto-login checkbox. Click the Update Running Server button to make sure the changes take effect.

Now, login to the Client Web Server (CWS) and select the Login dropdown, when prompted.

Download the autologin profile that is offered to you in the CWS.

Download the following bridging scripts onto your computer:
Using a SFTP client such as Filezilla or Cyberduck, upload the ovpn profile, and the two bridging scripts you have downloaded, onto the Linux OpenVPN client machine. Upload these to the /etc/openvpn/ folder.

NOTE: If you have a ESXi host capable of running 64-bit operating systems, you can save yourself some time by deploying a preconfigured Debian OpenVPN Client here. You will not need to download the bridging scripts if you are using the preconfigured ESXi OpenVPN client.

Login to your Linux OpenVPN Client via SSH. Once logged on:

1) Rename the OpenVPN profile into a .conf extension by issuing the following commands:
cd /etc/openvpn mv client.ovpn client.conf

2) Make sure the bridge-utilities are installed on the system by invoking the brctl command. The command should display the usage help page when it is properly installed. If you get a command not found error, you will need to make sure you have the bridge utilities installed for your Linux distribution.

For Debian/Ubuntu distributions, this can be installed by using the apt-get install bridge-utils command.

3) Determine which interface is your private interface you want to bridge. Theoretically speaking, this should be the interface that is isolated to the clients and not already have an IP address assigned to it. If you are uncertain, use the ifconfig -a command and verify the interface name using its MAC address. Make sure you do not mistakenly note the interface you use to connect to the Internet, or else you WILL lose connectivity! Note this interface name down for the next step.

4) Using a text editor such as nano, edit the file (In the ESXi OpenVPN Client appliance, this file is located in /sbin/). Under the define physical ethernet interface section, change eth="eth1" to the interface name to the one you have determined in the previous step. For example, if you determined that the private interface is called eth2, change eth1 to eth2. Also, change the IP address and subnet mask to a static IP you want to assign to the bridge (this IP address and subnet should be one that is located on the remote site you are trying to bridge). Save the file and exit the text editor.

5) Using a text editor such as nano, edit the autologin profile you have downloaded from the CWS. On the top of the file, add these following lines to the profile:

up "/bin/bash /etc/openvpn/" down "/bin/bash /etc/openvpn/" script-security 2 route-nopull

NOTE: For the ESXi OpenVPN Client, use the /sbin/ and /sbin/ paths instead of /etc/openvpn/ and /etc/openvpn/ paths.

Save the file, and then exit the text editor.

6) Start the OpenVPN profile by restarting the OpenVPN Service, using the /etc/init.d/openvpn restart command.

7) Verify that the connection is active by issuing a ifconfig br0 command. If the bridging is successful, the br0 interface should be configured with the IP address you have set earlier in the configuration file. At this point, your bridged site clients should be able to obtain an IP address via DHCP or by manual configuration.