LAN Tunnel Bridging HowTo

About

This document provides an example of how to set up a LAN to LAN tunnel bridge using OpenVPN with a pre-shared key (PSK). For simplicity, only basic configuration options are used.

Introduction

Company X has two sites A and B in different geographical locations, connected by a public network. They want to connect both sites to the same LAN and use a DHCP server on Site A to serve Site B.

          Site A                               Site B

        .--------.                           .--------.
        |  DHCP  |                           |        |
        | Server |                           |  Host  |
        |   A1   |                           |   B1   |
        '----+---'                           '---+----'
             | IP:192.168.1.1                    | IP:DHCP(A1)
             |                                   |
             |                                   |
             | vlan100                           | vlan100
        eth1 | IP:DHCP(A1)                  eth1 | IP:DHCP(A1)
        .----+---.                           .---+----.
        |        |                           |        |
        |  GW-A  |                           |  GW-B  |
        |        |                           |        |
        '----+---'                           '---+----'
      vlan2  |               .--.-.               | vlan2
  Public IP: |              ( (    )__            | Public IP:
198.18.19.20 '-------------(_,  \ ) ,_)-----------' 198.18.19.21
                             '-'--`--'
                     Public Network/Internet

WeOS devices GW-A and GW-B both have a port on VLAN 2 connected to the WAN (Public network/Internet) and eth1 connected to the local network.

The example assumes that an OpenVPN static key has been generated offline (for example with openvpn --genkey) and imported into both GW-A and GW-B under the label psk1. Both ends share this single key, so it must come from a cryptographically secure random source and be copied to the devices over a trusted channel: anyone holding the key can join the tunnel or decrypt its traffic, and a static key offers no forward secrecy if it is later disclosed.

DHCP Server A1 and Host B1 are not configured in this example. The gateways GW-A and GW-B are assumed to be able to reach each other via public IPv4 addresses.
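The following Python is an added example, not part of this HowTo or of WeOS. It shows how to generate a static key offline without the openvpn binary and how to sanity-check a key file before importing it as psk1. It assumes the imported file uses the standard `openvpn --genkey` text format (a 2048-bit key, hex-encoded as 16 lines of 32 digits inside "OpenVPN Static key V1" markers); the slot layout in key_slots follows how OpenVPN lays out its static key structure and is stated here as an assumption about that format, not something WeOS documents.

```python
"""Generate and validate an OpenVPN static key (the PSK used by a
'method psk' tunnel) without running the openvpn binary.

Layout mirrors what `openvpn --genkey` writes: 256 random bytes, hex
encoded as 16 lines of 32 hex digits, wrapped in Static key V1 markers.
"""
import re
import secrets

KEY_BYTES = 256          # 2048 bits, as produced by `openvpn --genkey`
LINE_BYTES = 16          # 32 hex digits per line in the key file
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def generate_static_key() -> bytes:
    """Return 256 bytes from the OS CSPRNG. Never derive a PSK from a passphrase."""
    return secrets.token_bytes(KEY_BYTES)


def format_static_key(key: bytes) -> str:
    """Serialise raw key bytes in the `openvpn --genkey` text format."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"static key must be {KEY_BYTES} bytes, got {len(key)}")
    lines = [key[i:i + LINE_BYTES].hex() for i in range(0, KEY_BYTES, LINE_BYTES)]
    header = ["#", "# 2048 bit OpenVPN static key", "#"]
    return "\n".join(header + [BEGIN] + lines + [END]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Parse a static key file and reject anything not safe to import.

    Checks: markers present, exactly 256 bytes of hex between them, and
    the key is not degenerate (every byte identical), which points at a
    placeholder file or a broken generator rather than a real key.
    """
    parts = text.split(BEGIN, 1)
    if len(parts) != 2 or END not in parts[1]:
        raise ValueError("missing OpenVPN Static key V1 markers")
    body = parts[1].split(END, 1)[0]
    hexdata = "".join(line.strip() for line in body.splitlines()
                      if not line.startswith("#"))
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        raise ValueError("non-hex data inside key block")
    key = bytes.fromhex(hexdata)
    if len(key) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, found {len(key)}")
    if len(set(key)) == 1:
        raise ValueError("degenerate key (every byte identical)")
    return key


def key_slots(key: bytes) -> dict:
    """Split the key into the four 64-byte slots of OpenVPN's static key layout.

    Assumption about the format: slot order is cipher key and HMAC key for
    direction 0, then cipher key and HMAC key for direction 1. With
    `secret <file> 0` on one end and `secret <file> 1` on the other, each
    direction gets its own pair; only as many leading bytes of each slot as
    the configured cipher and digest need are actually used.
    """
    if len(key) != KEY_BYTES:
        raise ValueError("key must be parsed/validated first")
    return {
        "cipher_dir0": key[0:64],
        "hmac_dir0": key[64:128],
        "cipher_dir1": key[128:192],
        "hmac_dir1": key[192:256],
    }


if __name__ == "__main__":
    # Constructed usage: write a fresh key file and re-validate it.
    generated = generate_static_key()
    text = format_static_key(generated)
    assert parse_static_key(text) == generated
    print(text, end="")
```

Run it once on the management host, store the printed block as the psk1 key file, import that same file on GW-A and GW-B, and keep the source copy under the same access controls as a private key.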

Server Configuration

In this setup GW-A is the OpenVPN server node. To configure the server side of the tunnel, enter the following commands in the CLI:

server:/#> configure
server:/config/#> tunnel ssl 0
server:/config/tunnel/ssl-0/#> method psk
server:/config/tunnel/ssl-0/#> secret psk1
server:/config/tunnel/ssl-0/#> server
server:/config/tunnel/ssl-0/#> type tap
server:/config/tunnel/ssl-0/#> leave
server:/#>

The OpenVPN server is now up and running, waiting for a connection. You can verify this with the following admin-exec commands:

server:/#> show port ssl0
ssl0
Link           : Up
Oper. status   : Enabled
Admin status   : Enabled
Description    : ssl0
Type           : SSL
State          : ----------
Alarm          : N/A
VLAN           : 
MAC            : a2:67:57:f4:0a:42
server:/#> show tunnel ssl
TUNNEL   DESCRIPTION     STATUS   UPTIME
0        ssl0            Down

Since the tunnel is a layer 2 (tap) tunnel, its endpoint ssl0 is treated as a virtual port. As such, port-type commands can be used to operate on it. The first command displays ssl0 as Enabled with Link UP, and with a MAC address assigned to it.

The second command displays the tunnel as DOWN, which is expected. This changes to UP once a connection with a client has been established.

Next, we bridge ssl0 with eth1 to include the tunnel in the broadcast domain of the local subnet. We also set the bridge interface vlan100 to request a local IP address via DHCP.

server:/#> configure vlan 100
server:/config/vlan-100/#> untagged eth1,ssl0
server:/config/vlan-100/#> end
server:/config/#> iface vlan100
server:/config/iface-vlan100/#> inet dhcp
server:/config/iface-vlan100/inet-dhcp/#> leave
server:/#>

Verify that an IP address was assigned to interface vlan100 by running:

server:/#> show iface
INTERFACE         OPER  ADDRESS/LENGTH      SOURCE      MAC/PTP ADDRESS
lo                UP    127.0.0.1/8         static      00:00:00:00:00:00
vlan1             DOWN  169.254.71.83/16    link-local  00:07:7c:1c:cf:a0
vlan2             UP    198.18.19.20/24     static      00:07:7c:1c:cf:a0
vlan100           UP    192.168.1.189/24    dhcp        00:07:7c:1c:cf:a0
server:/#>

Note: this requires that a DHCP server (here A1) is reachable on the subnet. It may take a couple of seconds for the IP address to be assigned.

Client Configuration

GW-B is the OpenVPN client. To configure the client side of the tunnel, enter the following commands in the CLI:

client:/#> configure
client:/config/#> tunnel ssl 0
client:/config/tunnel/ssl-0/#> method psk
client:/config/tunnel/ssl-0/#> secret psk1
client:/config/tunnel/ssl-0/#> no server
client:/config/tunnel/ssl-0/#> peer 198.18.19.20
client:/config/tunnel/ssl-0/#> type tap
client:/config/tunnel/ssl-0/#> leave
client:/#>

The IP address for the peer is the public IP address of the server, i.e., the vlan2 address of GW-A.

Again, verify the operational status:

client:/#> show port ssl0
ssl0
Link           : Up
Oper. status   : Enabled
Admin status   : Enabled
Description    : ssl0
Type           : SSL
State          : Forwarding
Alarm          : N/A
VLAN           :
MAC            : a2:3f:63:78:89:7d
client:/#> show tunnel ssl
TUNNEL   DESCRIPTION     STATUS   UPTIME
0        ssl0            UP       0 Days 0 Hours 0 Mins 18 Secs

The first command displays ssl0 as being Enabled with Link UP, and with a MAC address assigned to it.

The second command should now display the tunnel as UP. It may, however, take a few seconds for the configuration to be applied and for the tunnel to be established before it is displayed as UP.

Once the tunnel is UP, we bridge ssl0 with eth1 to include the tunnel in the broadcast domain of the local subnet, like we did for the server side. This effectively connects the two LAN segments (Site A and Site B) into one broadcast domain: every broadcast, and any rogue DHCP server or other Layer 2 misbehaviour on one site, now also reaches the other, so treat both sites as a single trust domain.

Also set bridge interface vlan100 to request a local IP address via DHCP, i.e., over the tunnel:

client:/#> configure
client:/config/#> vlan 100
client:/config/vlan-100/#> untagged eth1,ssl0
client:/config/vlan-100/#> end
client:/config/#> iface vlan100
client:/config/iface-vlan100/#> inet dhcp
client:/config/iface-vlan100/inet-dhcp/#> leave
client:/#>

Verify that an IP address was assigned to vlan100 by running:

client:/#> show iface
INTERFACE         OPER  ADDRESS/LENGTH      SOURCE      MAC/PTP ADDRESS
lo                UP    127.0.0.1/8         static      00:00:00:00:00:00
vlan1             DOWN  169.254.63.249/16   link-local  00:07:7c:1c:d2:80
vlan2             UP    198.18.19.21/24     static      00:07:7c:1c:d2:80
vlan100           UP    192.168.1.153/24    dhcp        00:07:7c:1c:d2:80
client:/#>

It should be a DHCP-assigned IP address. It may take some time for the IP address to appear – keep in mind that all DHCP traffic has to be passed across the tunnel, which in turn means encrypting the traffic, encapsulating it in UDP packets, routing them across the public network, and doing the reverse procedure at the other end.
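As an added example (not part of this HowTo or of WeOS), the following Python automates the verification steps used above on both gateways: it parses the text of show tunnel ssl and show iface and reports the tunnel bridge as ready only when the tunnel is UP and vlan100 holds a DHCP lease from the expected LAN subnet. The sample output embedded below is constructed from the client-side listings in this document; the expected subnet 192.168.1.0/24, the bridge name vlan100 and the link-local fallback check are assumptions made for the example, and on a real device the text would be captured over SSH.

```python
"""Readiness check for the bridged tap tunnel, run over the text printed
by `show tunnel ssl` and `show iface` on a WeOS device.
"""
import ipaddress

# Constructed sample: the client-side output shown in this HowTo.
SHOW_TUNNEL_SSL = """\
TUNNEL   DESCRIPTION     STATUS   UPTIME
0        ssl0            UP       0 Days 0 Hours 0 Mins 18 Secs
"""

SHOW_IFACE = """\
INTERFACE         OPER  ADDRESS/LENGTH      SOURCE      MAC/PTP ADDRESS
lo                UP    127.0.0.1/8         static      00:00:00:00:00:00
vlan1             DOWN  169.254.63.249/16   link-local  00:07:7c:1c:d2:80
vlan2             UP    198.18.19.21/24     static      00:07:7c:1c:d2:80
vlan100           UP    192.168.1.153/24    dhcp        00:07:7c:1c:d2:80
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_tunnels(text):
    """Return {tunnel_id: STATUS} from `show tunnel ssl` output (header skipped)."""
    tunnels = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3:
            tunnels[fields[0]] = fields[2].upper()
    return tunnels


def parse_ifaces(text):
    """Return {name: (OPER, ip_interface, source)} from `show iface` output."""
    ifaces = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        name, oper, addr, source = fields[0], fields[1], fields[2], fields[3]
        ifaces[name] = (oper.upper(), ipaddress.ip_interface(addr), source)
    return ifaces


def bridge_ready(tunnel_text, iface_text, tunnel_id="0", bridge="vlan100",
                 lan=ipaddress.ip_network("192.168.1.0/24")):
    """Return (ok, reasons).

    ok is True only when the tunnel is UP and the bridge interface is UP
    with a DHCP-sourced address inside the expected LAN. A link-local
    address on the bridge is the usual symptom of DHCP not crossing the
    tunnel, so it is reported separately from a plain wrong-subnet case.
    """
    reasons = []
    status = parse_tunnels(tunnel_text).get(tunnel_id)
    if status != "UP":
        reasons.append(f"tunnel {tunnel_id} is {status or 'missing'}, expected UP")
    entry = parse_ifaces(iface_text).get(bridge)
    if entry is None:
        reasons.append(f"{bridge} not present in show iface")
    else:
        oper, addr, source = entry
        if oper != "UP":
            reasons.append(f"{bridge} oper status is {oper}, expected UP")
        if source != "dhcp":
            reasons.append(f"{bridge} address source is {source}, expected dhcp")
        if addr.ip in LINK_LOCAL:
            reasons.append(f"{bridge} fell back to link-local {addr.ip}; "
                           "DHCP is not reaching it over the tunnel")
        elif addr.ip not in lan:
            reasons.append(f"{bridge} address {addr.ip} is outside {lan}")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = bridge_ready(SHOW_TUNNEL_SSL, SHOW_IFACE)
    print("READY" if ok else "NOT READY: " + "; ".join(why))
```

Because the server side shows the tunnel as Down until a client connects, run the check on the server only after the client configuration has been applied; a false result with a link-local reason on the client points at the bridge membership (untagged eth1,ssl0) or the tunnel rather than at the DHCP server.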

Final Topology

The following figure illustrates the resulting topology, with an L2 tunnel connecting the two LANs via the virtual port ssl0 on each GW device.

          Site A                               Site B

        .--------.                           .--------.
        |  DHCP  |                           |        |
        | Server |                           |  Host  |
        |   A1   |                           |   B1   |
        '----+---'                           '---+----'
             | IP:192.168.1.1                    | IP:DHCP(A1)
             |                                   |
             |                                   |
             | vlan100                           | vlan100
             | IP:DHCP(A1)                       | IP:DHCP(A1)
        eth1 | Untagged:eth1,ssl0           eth1 | Untagged:eth1,ssl0
        .----+---.                           .---+----.
        |     `. |     OpenVPN L2 Tunnel     | .´     |
        |  GW-A `+===========================+´ GW-B  |
        |        | ssl0                 ssl0 |        |
        '----+---'                           '---+----'
             |                                   |
       vlan2 |              .--.-.               | vlan2
  Public IP: |             ( (    )__            | Public IP:
198.18.19.20 '------------(_,  \ ) ,_)-----------' 198.18.19.21
                            '-'--`--'
                     Public Network/Internet