Changing Mode Layer3 to Layer2

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Adam.B
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 20, 2018 3:10 am

Changing Mode Layer3 to Layer2

Post by Adam.B » Tue Feb 20, 2018 3:18 am

We currently have an OpenVPN Access Server and a Linux OpenVPN client at our 2 campuses, which is currently configured in Layer 3 mode.
We are having some issues which we believe are caused by the current mode of the VPN and would like to know what is involved in changing the current setup from Layer 3 to Layer 2.

The current issue we are having is that clients in 1 site are not getting the correct site in AD as their requests seem to be coming from the IP address of the VPN GW and not the actual client address.
So to alleviate this would I be correct in thinking that we should be changing to Layer2?


Please bear with me on this as I am new to VPNs, OpenVPN and Linux.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Changing Mode Layer3 to Layer2

Post by TinCanTech » Tue Feb 20, 2018 5:07 am


Adam.B
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 20, 2018 3:10 am

Re: Changing Mode Layer3 to Layer2

Post by Adam.B » Tue Feb 20, 2018 6:19 am

Sorry, we are using the OpenVPN Access Server
OpenVPN Access Server 2.1.9
which we got from here: https://openvpn.net/index.php/access-se ... rview.html

The website seems to have been updated with how to set up SSH access, so I will work through that so I can get a copy of the server config file.

The client is the turnkey OpenVPN appliance running Debian 8
Client

# Automatically generated OpenVPN client config file
# Generated on Mon Aug 7 08:25:07 2017 by openvpnas2
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=HallsHead
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=HallsHead@172.19.2.11/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=172.19.2.11:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----

# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote xxx.xxx.xxx.xxx udp
remote xxx.xxx.xxx.xxx udp
remote xxx.xxx.xxx.xxx tcp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
67425a76075e0c9a3cc0b2e7021d5b8a
a45f848cb11e0958119f21000255ac3e
c54f54a520731659f7edd1d7f14a91a8
6670572aaff5a051015d46ebf89ddcf4
0e2621beadc0873a0a9708aa338f2aec
7054c11d52c986e638f4eb543c68d79e
d98b4d955254895f4c6c46089c7cc695
dc1a5112ac4457224cefab12f28faafe
e3de8f1c11c7507b204b6c7741d5848f
fc3d54dfe5df6b833de8fcb867905f2c
9298b0cd1bca89bf3f4ca4af88754990
edf43bd556f448dedd70ca580052197e
2bf9e211e6b6262f75907cabf1cf7ca2
7d92a07f913c24936eabb65a32e9e83b
481f4b8f03bc8ea570745fd282c067b7
3bdf229e68d568f8a3afdb04e3403b93
-----END OpenVPN Static key V1-----
</tls-auth>

## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## fGZ72Mem0o5QRr3SQSeeJwIc7Wv6PjeS6X1L0LQ0RkqJEvf7Oq
## QfSBPxl79bUim0VrlM7P1lzLbMsP6LuRxVKUMDZ8L5GCkDkIHq
## PdpuiM3WdhyntJtccg9gCWCvWhcgDxT2FLQehyIPvxCJHc7sY3
## vPKHuwsKJKqnVNd0eDUXtd60HHQNvZnxoNAdLcObJ37r5MkQjI
## MF3y4Gy14n8+PGpZSrCRw17VZHuX0rcHRjZoQMazc+wW/SoW1o
## LmlJQvZpakMIh/yYZi8k9IBNbGy9blYzY6XNtry2P13wWHlLQy
## H7mLyyOkNn/9j3GNBTRVa4kNXHFM7SCBEeyrWEqkAA==
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----

Client Appliance network config


root@OpenVPNClient ~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:f3:9f:e5
          inet addr:10.10.90.3  Bcast:10.10.90.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fef3:9fe5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:721766019 errors:1325 dropped:3364 overruns:0 frame:0
          TX packets:718400953 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:353267155441 (329.0 GiB)  TX bytes:356890825263 (332.3 GiB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:195802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:195802 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15578381 (14.8 MiB)  TX bytes:15578381 (14.8 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.232.16  P-t-P:192.168.232.16  Mask:255.255.248.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:40552441 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43601736 errors:0 dropped:18808 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:21051920611 (19.6 GiB)  TX bytes:14269650675 (13.2 GiB)
Hope this helps getting some assistance.
If there is anything else required, please let me know and I will do my best to get it.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Changing Mode Layer3 to Layer2

Post by novaflash » Thu Mar 01, 2018 3:11 pm

> The current issue we are having is that clients in 1 site are not getting the correct site in AD as their requests seem to be coming from the IP address of the VPN GW and not the actual client address.
> So to alleviate this would I be correct in thinking that we should be changing to Layer2?

Nah. You want traffic to be routed instead of going through NAT. See this page, which describes how this is done:
https://docs.openvpn.net/connecting/rea ... e-network/
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
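As an added illustration of novaflash's point (example code, not part of any post in this thread): a domain controller assigns a client to an AD site by longest-prefix matching the request's source address against the subnet-to-site table, so when the Access Server NATs the site-to-site traffic, every request arrives with the gateway's address and lands in the gateway's site. Only 10.10.90.0/24 (eth0) and 192.168.232.0/21 (tun0) come from the ifconfig output above; the site names, the second campus subnet, the annex subnet and the gateway's LAN address are constructed assumptions.

```python
import ipaddress

# Constructed sample topology (assumed, not from the forum post). 10.10.90.0/24 is the
# subnet behind the client appliance (eth0 10.10.90.3 in the post) and 192.168.232.0/21
# is the tunnel subnet (tun0 192.168.232.16/21); everything else is made up for the demo.
SITE_SUBNETS = {
    ipaddress.ip_network("10.10.10.0/24"): "Campus-A",        # assumed Access Server campus
    ipaddress.ip_network("192.168.232.0/21"): "Campus-A",     # tunnel range mapped to the server site
    ipaddress.ip_network("10.10.90.0/24"): "Campus-B",        # campus behind the client appliance
    ipaddress.ip_network("10.10.90.128/25"): "Campus-B-Annex",  # more specific prefix inside Campus-B
}

# Assumed LAN address of the Access Server; with NAT this is the source the DC sees.
VPN_GATEWAY_LAN_IP = ipaddress.ip_address("10.10.10.5")


def ad_site_for(ip, site_subnets=SITE_SUBNETS):
    """Longest-prefix match of an address against the subnet-to-site table.

    Returns the site name, or None when no configured subnet contains the address
    (AD would then fall back to a default or leave the client siteless)."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, site in site_subnets.items():
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, site)
    return best[1] if best else None


def observed_source(client_ip, nat):
    """Source address a domain controller sees for a packet from client_ip.

    With NAT the Access Server rewrites the source to its own LAN address; with
    plain routing the original client address is preserved end to end."""
    return VPN_GATEWAY_LAN_IP if nat else ipaddress.ip_address(client_ip)


def site_as_seen_by_dc(client_ip, nat):
    """Site the DC would place the client in, given the VPN's NAT/routed mode."""
    return ad_site_for(observed_source(client_ip, nat))


if __name__ == "__main__":
    for nat in (True, False):
        src = observed_source("10.10.90.42", nat)
        print(f"nat={nat}: DC sees {src} -> site {ad_site_for(src)}")
```

Running it shows the NATed request resolving to the server's site and the routed request resolving to the client's own campus. Switching to routing only fixes the site lookup if the Access Server's campus has a return route for the remote subnet through the gateway, which is what the linked documentation page sets up.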

Adam.B
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 20, 2018 3:10 am

Re: Changing Mode Layer3 to Layer2

Post by Adam.B » Wed Mar 07, 2018 11:20 pm

Thanks for that document and apologies for the late reply.
Once we get some time to work on this we will give it a go, but it looks like just what we need.
