ITKarma picture

I was recently asked to figure out how to configure an L2 tunnel for a bridge between two remote LANs, and I was amazed at how few convenient solutions I could find. Previously, I was not interested in this topic and naively believed that any adequate VPN protocol can catch broadcast packets and forward them over a regular L3 tunnel. Unfortunately, there are no universal solutions out of the box. There are several protocols and tools for them, most of which work in very limited conditions or are deprecated at all. I’ll share the most enjoyable option further.

Why exactly L2?

I asked this question first of all: I rarely work with network peripherals, and it seemed to me that for a long time all the equipment has been able to walk on L3. Whatever the case: someone needs access to office printers, someone needs DVRs, and someone just wants to hook up with a friend in a LAN duel - without leaving home, of course. Also very attractive is the idea of ​​shared/network folders in the office, accessible from home, especially during the period of general removal.

At the same time, among the developers of VPN clients, L2 bridges are for some reason considered to be something like a strange whim of one or two percent of users, which by and large is not needed by anyone. The situation is completely different in industrial networks where there is a lot of outdated or poorly compatible equipment, and the L2VPN concept (represented by a bunch of other abbreviations) is implemented at the network and provider level.


There are many of them, and they all work with oddities and limitations:

  • For example, the Layer 2 Tunneling Protocol (L2TP) should, judging by the name, provide OSI L2 support, including broadcast'a forwarding. But no, the conventional L2TP + IPsec bundle does not allow bridging networks at the L2 level!
  • PPTP - became a meme due to major vulnerabilities, is now somehow fixed, but it has nothing to do with L2.
  • MPLS is a terribly confusing label-based industrial protocol. It’s difficult to learn, and you can only pick it up on a specialized hardware or RouterOS (with limitations, where without them).
  • PPPoE and enchanting PPPoEoE also work, but on proprietary glands. PPPoE mode is generally available on many routers, but how to cook it correctly is known for the most part only on proprietary equipment such as Cisco.
  • EoIP should become L2VPN made right, but it also works only on microtics, which significantly narrows the scope of application. Like PPTP, using GRE does not go through NAT.

And then I was surprised to find that a real Ethernet Bridging can... OpenVPN!

We often use a personal or working VPN, for many it is generally turned on permanently to bypass locks (although this trend is declining after the Telegram blocking is removed). In my work tasks, I also constantly use remote hosts for development, and almost always use OpenVPN. For a long time I did not understand why a bunch of OpenVPN Access Server + OpenVPN Connect on the client was needed. For my tasks, I always had enough of the classic version with manual editing of configs, and the dedicated admins and GUI seemed out of place in a slender thin client. But it turned out that the interface is much more convenient for setting up a bridge than sheets of configs in the terminal, although not everything is perfect with it.

Setting up

The fact is that Access Server (AS) came out as a paid and rather expensive product, so they carefully stuffed all kinds of buns into it, if only they would buy it. Thus, a sub-menu appeared in the web admin panel, allowing you to select the network mode (L2 bridging/L3 routing), and after a while it was quietly drunk from there for the same reason “nobody needs it”. Nevertheless, the bridging functionality itself and the corresponding scripts were not deleted and they can still be customized.


We need a server or virtual machine.The image for it is located on the download page , and we will further analyze the case with the installation on the server under Ubuntu 18.04:

apt update && apt -y install ca-certificates wget net-tools gnupg wget -qO - | apt-key add - echo "deb bionic main">/etc/apt/sources.list.d/openvpn-as-repo.list apt update && apt -y install openvpn-as 

After installation, the server will rise on its own, you will see this message:

+++++++++++++++++++++++++++++++++++++++++++++++ Access Server 2.8.4 has been successfully installed in/usr/local/openvpn_as Configuration log file has been written to/usr/local/openvpn_as/init.log Access Server Web UIs are available here: Admin UI: Client UI: 

You must immediately specify the password for the admin account:

passwd openvpn 

Then you can open the admin panel in the browser (at: 943/admin, as described above), log in as the openvpn user with the specified password, and configure the server.

ITKarma picture

AS is free for use by two users, then you can add it for only $ 18/month for one user, so it’s better to immediately design your processes for the tunnel using two clients.

Bringing back

cd/usr/local/openvpn_as/scripts./sacli --key "von.general.osi_layer" --value "2" ConfigPut./sacli start 

If everything went well, the output in json will look like this:

{ "errors": {}, "last_restarted": "Thu Jul 2 00:07:37 2020", "service_status": { "api": "on", "auth": "on", "bridge": "on", ... } } 

In the admin panel, the status of "OSI Layer: 3 (routing/NAT)" will change to "2 (bridging)"

NB: in recent versions, information about L3 may remain with the bridge enabled. Why - did not understand, versions safe in this regard are about 2.4

Actually, this know-how ends, then you just need to configure a server for yourself, get a second user through the same web interface and log in to the user page on port 943 (without/admin). There will be links to download OpenVPN Connect clients for all platforms with a baked config for connecting (except for mobile applications, you will have to drive the address manually, and then everything will install itself).

ITKarma picture

After successfully connecting and bridging clients, an L2 tunnel with TCP/UDP traffic will be available. Clients can act as a volume for the internal network, this is also configured in the admin panel.

ITKarma picture.