L3 bridge with two Raspberry Pi 2

I have two Raspberry Pi 2 boards and wanted to set up an L3 bridge between them, one at my location and the other at my girlfriend's.

The network schematics

I chose Softether VPN software as it looked promising. It has a lot of features, and is cross platform.

Their site has a lot of tutorials and the documentation is great, but everything is written for machines with two network adapters, and the RPi has only one. So I started setting things up and ran into a lot of problems. The best I could achieve by following their tutorials was that the L3 Bridge was up and running and I could ping and access devices across both networks, but I couldn't access the RPi on the other network, and neither could the RPis access each other.

The documentation for L2 Bridge and L3 Bridge.

I went to their forums and got some helpful information from several topics, but nothing solid and no examples, so I searched for a lot of things on Google. Eventually I figured out I needed to set up network bridging within Linux with bridge-utils, and after several different configurations I finally got it to work.

The schematics and configurations

Location 1
Softether VPN Server
2 Virtual Hubs – Location1 and Location2
Virtual Hub Location1 – Local Bridge to virtual adapter tap_soft
Virtual Hub Location2 – no Local Bridge

Virtual L3 Switch – 2 Virtual interfaces:
VHub Location1 IP 192.168.5.254 Mask 255.255.255.0
VHub Location2 IP 192.168.1.254 Mask 255.255.255.0

User for cascade connection

Linux
Installed bridge-utils

sudo apt-get install bridge-utils

Added script to create br0 network bridge at VPN server startup

cat /usr/local/vpnserver/bridge-up.sh
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap_soft"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.5.145"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.5.255"
gw="192.168.5.1"

brctl addbr $br
brctl addif $br $eth
brctl addif $br $tap

ifconfig $tap 0.0.0.0 promisc up

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

route add default gw $gw

Added script to delete bridge after VPN server shutdown

cat /usr/local/vpnserver/bridge-down.sh
#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"
eth="eth0"
eth_ip="192.168.5.145"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.5.255"
gw="192.168.5.1"
tap="tap_soft"

ifconfig $br down
brctl delbr $br
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $gw

Modified the init.d script to incorporate bridge scripts and added LSB tags

cat /etc/init.d/vpnserver
#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Should-Start:      $network $time
# Should-Stop:       $network $time
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop the Softether VPN Server
# Description:       Controls the main VPN Server server
### END INIT INFO
#
# chkconfig: 2345 99 01
# description: SoftEther VPN Server

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/vpnserver
BRUP=/usr/local/vpnserver/bridge-up.sh
BRDOWN=/usr/local/vpnserver/bridge-down.sh

test -x $DAEMON || exit 0

case "$1" in
 start)
  $DAEMON start
  touch $LOCK
  sleep 5
  $BRUP
 ;;
 stop)
  $DAEMON stop
  rm $LOCK
  $BRDOWN
 ;;
 restart)
  $DAEMON stop
  $BRDOWN
  sleep 3
  $DAEMON start
  sleep 5
  $BRUP
 ;;
 *)
  echo "Usage: $0 {start|stop|restart}"
  exit 1
esac
exit 0

Router
Added port forwarding

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '5555'
        option dest_ip '192.168.5.145'
        option dest_port '5555'
        option name 'SoftEther Bridge'

Added static route:

config route
        option interface 'lan'
        option target '192.168.1.0'
        option netmask '255.255.255.0'
        option gateway '192.168.5.254'

Added static DNS entries (/etc/hosts) for equipment in the other network

Location 2
Softether VPN Bridge
1 Virtual Hub – BRIDGE (default)
Virtual Hub BRIDGE – Local Bridge to virtual adapter tap_soft
Cascade connection to server on Location 1

Linux
Installed bridge-utils

sudo apt-get install bridge-utils

Added script to create br0 network bridge at VPN server startup

cat /usr/local/vpnserver/bridge-up.sh
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap_soft"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.120"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
gw="192.168.1.1"

brctl addbr $br
brctl addif $br $eth
brctl addif $br $tap

ifconfig $tap 0.0.0.0 promisc up

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

route add default gw $gw

Added script to delete bridge after VPN server shutdown

cat /usr/local/vpnserver/bridge-down.sh
#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"
eth="eth0"
eth_ip="192.168.1.120"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
gw="192.168.1.1"
tap="tap_soft"

ifconfig $br down
brctl delbr $br
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $gw

Modified the init.d script to incorporate bridge scripts and added LSB tags

cat /etc/init.d/vpnbridge
#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnbridge
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Should-Start:      $network $time
# Should-Stop:       $network $time
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop the Softether VPN Bridge
# Description:       Controls the main VPN Bridge server
### END INIT INFO
#
# chkconfig: 2345 99 01
# description: SoftEther VPN Bridge

DAEMON=/usr/local/vpnbridge/vpnbridge
LOCK=/var/lock/vpnbridge
BRUP=/usr/local/vpnbridge/bridge-up.sh
BRDOWN=/usr/local/vpnbridge/bridge-down.sh

test -x $DAEMON || exit 0

case "$1" in
 start)
  $DAEMON start
  touch $LOCK
  sleep 5
  $BRUP
 ;;
 stop)
  $DAEMON stop
  rm $LOCK
  $BRDOWN
 ;;
 restart)
  $DAEMON stop
  $BRDOWN
  sleep 3
  $DAEMON start
  sleep 5
  $BRUP
 ;;
 *)
  echo "Usage: $0 {start|stop|restart}"
  exit 1
esac
exit 0

Router
Added static route:

config route
        option interface 'lan'
        option target '192.168.5.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'

Added static DNS entries (/etc/hosts) for equipment in the other network

After that, everything works as planned. 🙂
Also, if you are wondering why I used scripts to create the bridge: the network is initialized before the VPN server/bridge is started, and the VPN software only creates the tap_soft adapter upon startup, so the bridge has to be built afterwards.
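Both bridge-up.sh scripts hard-code the IP, netmask, broadcast and gateway, and the Virtual L3 Switch interfaces (192.168.5.254 and 192.168.1.254) have to sit in the same subnets for the routers' static routes to work. The following is an added example, not part of the original post: a POSIX sh checker that validates those values for one site before the bridge is built. The function names (ip_to_int, broadcast_for, check_site) are my own.

```shell
#!/bin/sh
# Added example: sanity-check the addresses used by bridge-up.sh and the
# Virtual L3 Switch interface for one site. Pure shell arithmetic, no network access.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INT -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# same_subnet IP1 IP2 MASK -> success if both addresses share the network under MASK
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# broadcast_for IP MASK -> directed broadcast address of that subnet
broadcast_for() {
    m=$(ip_to_int "$2")
    int_to_ip $(( ( $(ip_to_int "$1") & m ) | ( ~m & 4294967295 ) ))
}

# check_site ETH_IP MASK BROADCAST GW L3_IP
# Prints "ok" when the bridge-up.sh values and the L3 switch address for this
# hub are consistent; otherwise prints the first problem and returns 1.
check_site() {
    ip=$1 mask=$2 bcast=$3 gw=$4 l3=$5
    [ "$(broadcast_for "$ip" "$mask")" = "$bcast" ] || { echo "bad broadcast $bcast"; return 1; }
    same_subnet "$ip" "$gw" "$mask" || { echo "gw $gw not in subnet of $ip"; return 1; }
    same_subnet "$ip" "$l3" "$mask" || { echo "L3 switch $l3 not in subnet of $ip"; return 1; }
    [ "$ip" != "$gw" ] && [ "$ip" != "$l3" ] && [ "$gw" != "$l3" ] || { echo "address collision"; return 1; }
    echo "ok"
}

# Values from the two sites' bridge-up.sh plus the matching L3 switch interfaces
check_site 192.168.5.145 255.255.255.0 192.168.5.255 192.168.5.1 192.168.5.254
check_site 192.168.1.120 255.255.255.0 192.168.1.255 192.168.1.1 192.168.1.254
```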

EDIT: If devices other than the router cannot reach the other location, you need to change a setting in that router's firewall configuration (/etc/config/firewall):

config zone
        option name 'lan'
        ...
        option forward 'ACCEPT'

You need to change the forward option from 'REJECT' to 'ACCEPT'.


2 Responses

  1. triwaves says:

    Thanks for that – I too have two RPis in two locations I am trying to connect via an L3 switch hosted on an AWS server. I saw your initial thread on the SoftEther forum and posted a follow-up question there as below:

    I follow your post – I have single-site VPNs working well and even one site connected to AWS and linked via L2. The problem is with multi-site: the sites have different IP ranges, so rather than re-configure the sites I want both to cascade connect to the AWS server L3 switch.

    I added the virtual interfaces for the L3 switch but they don’t show up on my network – what am I doing wrong? Of course nothing works because I have no switch interface to route traffic to … so hoping I’m missing something obvious here.

    Ideas? Thanks

    • Bojan says:

      Sorry for the late reply, but today I stumbled upon the same problem after a configuration change on my RPi. No idea why the Virtual Interface IP didn't appear on the network, as I couldn't ping it either, but then I just stopped and started the VPN server, it rebuilt the bridge, and it started working. Still figuring out why that happened.
