This article describes configuring Layer-2 and Layer-3 VPN connections for disaster recovery scenarios which require virtualization of a full or partial production network in the Datto cloud.
Layer-2 Site-to-Site VPN
- You need to virtualize one or more systems protected by a Datto appliance in the Datto cloud.
- You want the virtualizations to continue to communicate as if they are on the production network with the Datto appliance.
- You do not want to have to create VPN keys for each client computer that needs access to the VLAN.
- The production network must be functional.
- Use this configuration when the offsite VLAN has the same subnet as your client's local LAN.
Create a Site-to-Site (B2B) Layer 2 tunnel using OpenVPN. The gateway can be hosted on any of your client's on-site hardware capable of running Linux.
The local hardware can be a Datto appliance, or any Ubuntu 10.04, 12.04, 14.04, or 16.04 device with working network drivers, including a device booted into a live CD environment. Datto does not recommend using a Virtual Machine as the local device, because some hypervisors strip traffic between the host and guest.
Start a hybrid virtualization through the Datto appliance GUI, or start an cloud virtualization through the Recovery Launchpad, and then contact Datto Technical Support for assistance with configuring your endpoint device to route traffic between the offsite (VPN) network and your client's local network.
Layer-3 Site-to-Site VPN
- The production network will be down for an extended period.
- One or more large remote sites need to be able to communicate with the Datto cloud.
- The production network is down.
- Use this configuration when the offsite VLAN has a different subnet from the client's local LAN.
- For each network, you will need an endpoint. This can be an on-site computer running Ubuntu, or a Datto appliance.
- At each site, you will need the ability to add static routes to the default gateway or to the individual computers of each site.
- All sites must have port 5196 open from the endpoint to the offsite server hosting the VLAN.
The local device needs to be configured to receive the VPN connection from the offsite server. Contact Datto Technical Support for assistance with this configuration after you have completed the steps in Prerequisites and Requirements.