Configuring Layer-2 and Layer-3 Site-to-Site VPN



This article describes configuring Layer-2 and Layer-3 VPN connections for disaster recovery scenarios ONLY (Not Applicable to DR TEST). These changes will require virtualization of a full or partial production network in the Datto cloud.

Layer-2 Site-to-Site VPN

Note: Datto is only responsible for the VPN configuration to the offsite server, and cannot make any changes to your network infrastructure. You will also be responsible for configuring static routes on your offiste virtualizations.

Use Cases

  • You need to virtualize one or more systems protected by a Datto appliance in the Datto cloud.
  • You want the virtualizations to continue to communicate as if they are on the production network with the Datto appliance.
  • You do not want to have to create VPN keys for each client computer that needs access to the VLAN.


  • The production network must be functional.
  • Use this configuration when the offsite VLAN has the same subnet as your client's local LAN.


Figure 1: Layer 2 Site-to-Site SSL VPN overview (click for larger image)

Create a Site-to-Site (B2B) Layer 2 tunnel using OpenVPN. The gateway can be hosted on any of your client's on-site hardware capable of running Linux.

The local hardware can be a Datto appliance, or any Ubuntu 10.04, 12.04, 14.04, or 16.04 device with working network drivers, including a device booted into a live CD environment. Datto does not recommend using a Virtual Machine as the local device, because some hypervisors strip traffic between the host and guest.

Start a hybrid virtualization through the Datto appliance GUI, or start an cloud virtualization through the Recovery Launchpad, and then contact Datto Technical Support for assistance with configuring your endpoint device to route traffic between the offsite (VPN) network and your client's local network.

Layer-3 Site-to-Site VPN

Note: Datto is only responsible for the VPN configuration to the local appliance. You will need to configure static routes on all of the offsite VMs, and return routes on the client's network. You will also be responsible for configuring static routes on your offsite virtualizations. Attempt this procedure only if you are skilled in networking. It involves subnetting, static routes, bridging, and gateway services, such as IP forwarding.

Use Cases

  • The production network will be down for an extended period.
  • One or more large remote sites need to be able to communicate with the Datto cloud.


  • The production network is down.
  • Use this configuration when the offsite VLAN has a different subnet from the client's local LAN.


  • For each network, you will need an endpoint. This can be an on-site computer running Ubuntu, or a Datto appliance.
  • At each site, you will need the ability to add static routes to the default gateway or to the individual computers of each site.
  • All sites must have port 5196 open from the endpoint to the offsite server hosting the VLAN.


The local device needs to be configured to receive the VPN connection from the offsite server. Contact Datto Technical Support for assistance with this configuration after you have completed the steps in Prerequisites and Requirements

Was this article helpful?

0 out of 0 found this helpful

You must sign in before voting on this article.

Want to talk about it? Head on over to our Community Forum!