My libreCMC to libreCMC Layer 2 OpenVPN connection worked successfully in a test from home -> work LAN. A few of the cooler-looking log snippets:
openvpn(asi_eth_client)[821]: UDP link local: (not bound)
openvpn(asi_eth_client)[821]: UDP link remote: [AF_INET]<snip>:1194
openvpn(asi_eth_client)[821]: TLS: Initial packet from [AF_INET]<snip>:1194, sid=<snip> <snip>
openvpn(asi_eth_client)[821]: VERIFY OK: depth=1, C=US, ST=AK, L=Fairbanks, O=Alaska Satellite Internet, OU=Solutions, CN=Alaska Satellite Internet CA, name=ASICA, emailAddress=<snip>
openvpn(asi_eth_client)[821]: VERIFY KU OK
openvpn(asi_eth_client)[821]: Validating certificate extended key usage
openvpn(asi_eth_client)[821]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
openvpn(asi_eth_client)[821]: VERIFY EKU OK
openvpn(asi_eth_client)[821]: VERIFY OK: depth=0, C=US, ST=AK, L=Fairbanks, O=Alaska Satellite Internet, OU=Solutions, CN=myvpn, name=myvpn, emailAddress=<snip>
openvpn(asi_eth_client)[821]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
openvpn(asi_eth_client)[821]: [myvpn] Peer Connection Initiated with [AF_INET]<snip>:1194
<snip>
openvpn(asi_eth_client)[821]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn(asi_eth_client)[821]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn(asi_eth_client)[821]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Some snippets from tcpdump, showing the traffic being passed back and forth along the tunnel:
05:24:31.717536 IP <snip>.static.gci.net.1194 > 10.0.0.184.45965: UDP, length 382
05:24:31.717647 IP <snip>.static.gci.net.1194 > 10.0.0.184.45965: UDP, length 81
05:24:31.721769 IP <snip>.static.gci.net.1194 > 10.0.0.184.45965: UDP, length 188
05:24:31.722641 IP 10.0.0.184.45965 > <snip>.static.gci.net.1194: UDP, length 163
05:24:31.739124 IP <snip>.static.gci.net.1194 > 10.0.0.184.45965: UDP, length 105
05:24:31.800892 ARP, Request who-has 10.0.0.3 tell 10.0.0.1, length 46
05:24:31.927072 IP <snip>.static.gci.net.1194 > 10.0.0.184.45965: UDP, length 393
05:24:31.931171 IP 10.0.0.184.45965 > <snip>.static.gci.net.1194: UDP, length 163
05:24:32.205518 IP <snip>.static.gci.net.1194 > 10.0.0.184.45965: UDP, length 398
05:24:32.209665 IP 10.0.0.184.45965 > <snip>.static.gci.net.1194: UDP, length 163
05:24:32.482088 IP <snip>.static.gci.net.1194 > 10.0.0.184.45965: UDP, length 130
Screenshot of the interface stats:
I disabled the LAN ethernet and password protected the Wi-Fi to make it a little more challenging for a passerby to casually “plug in” to the exposed VPN. Once I connected to the Wi-Fi, I was able to access my work file share, printer interface, and backup storage system.
I’m going to submit my config info to the official libreCMC docs.
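As an added example (not part of the original post or of libreCMC's documentation), this Python check reads a client log like the OpenVPN snippet earlier in the post and confirms the server-authentication steps it shows: chain verification at both depths, the KU/EKU checks, the expected server CN, TLS 1.2 or later on the control channel, and an AEAD data-channel cipher in both directions. The function name, the sample log values and the set of accepted ciphers are assumptions.

```python
import re

# Constructed sample modelled on the client log in the post; the address,
# organisation and CA name are placeholders, not values from the original.
SAMPLE_LOG = """\
openvpn(asi_eth_client)[821]: VERIFY OK: depth=1, C=US, O=Example Org, CN=Example CA
openvpn(asi_eth_client)[821]: VERIFY KU OK
openvpn(asi_eth_client)[821]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
openvpn(asi_eth_client)[821]: VERIFY EKU OK
openvpn(asi_eth_client)[821]: VERIFY OK: depth=0, C=US, O=Example Org, CN=myvpn
openvpn(asi_eth_client)[821]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
openvpn(asi_eth_client)[821]: [myvpn] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
openvpn(asi_eth_client)[821]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn(asi_eth_client)[821]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

# Assumed allow-list: data-channel cipher names that are AEAD modes.
AEAD = re.compile(r"GCM|CHACHA20-POLY1305")


def audit_handshake(log_text, expected_cn):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    depths = set(re.findall(r"VERIFY OK: depth=(\d+)", log_text))
    if not {"0", "1"} <= depths:
        findings.append("certificate chain not verified at depth 0 and 1")
    if "VERIFY ERROR" in log_text:
        findings.append("certificate verification error logged")
    # KU/EKU lines show the client enforced key-usage checks on the server cert.
    for marker in ("VERIFY KU OK", "VERIFY EKU OK"):
        if marker not in log_text:
            findings.append(f"missing '{marker}'")
    leaf = re.search(r"VERIFY OK: depth=0,.*?\bCN=([^,\n]+)", log_text)
    if not leaf or leaf.group(1).strip() != expected_cn:
        findings.append("server certificate CN is not the expected one")
    tls = re.search(r"Control Channel: TLSv(\d+\.\d+)", log_text)
    if not tls or tuple(map(int, tls.group(1).split("."))) < (1, 2):
        findings.append("control channel below TLS 1.2 or not logged")
    ciphers = dict(re.findall(
        r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)'", log_text))
    for direction in ("Outgoing", "Incoming"):
        cipher = ciphers.get(direction)
        if cipher is None or not AEAD.search(cipher):
            findings.append(f"{direction.lower()} data channel is not AEAD: {cipher}")
    return findings


if __name__ == "__main__":
    print(audit_handshake(SAMPLE_LOG, "myvpn") or "all checks passed")
```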
Way to go! Great work!