Site to Site OpenVPN
-
Hello,
I have a main site with 3 OpenVPN servers. 1 is Remote access and the other 2 are peer to peer connected with 2 satellite sites.
Both the satellite sites use the same subnet (I cannot change the subnets). Rules on the OpenVPN interface (server side) are set up as follows:
-
Remote access - (remote) 192.168.xxx.xxx - (tunnel/source) 192.168.200.0/24 - (destination/local) 192.168.20.0/24
-
Peer to peer - (remote/source) 192.168.40.0/24 - (tunnel) 192.168.201.0/24 - (destination/local) 192.168.50.0/24
-
Peer to peer - (remote/source) 192.168.40.0/24 - (tunnel) 192.168.202.0/24 - (destination/local) 192.168.60.0/24
The rules need to be set up differently for remote access and peer to peer. I have to use the tunnel network as a source when using remote access. This does not seem to work for peer to peer connections, as I have to use the remote network instead.
Is there any way to set up peer to peer rules using tunnel network IPs as the source?
My main aim here is to create completely different rules for different vpn peer to peer sites that use the same subnet.
Thank you
-
-
@viktor77
When a client is connecting to the access server, he gets a virtual IP out of the tunnel, which he uses to access your network. In a peer to peer VPN the client also gets a virtual tunnel IP, but it's not the client itself accessing your network, but the remote network behind the client.
Hence different sources need to be stated in the filter rules. Best practice for two peer to peer remote sites with the same network range is to change one.
Less good is to masquerade one site's LAN range with NAT rules. Consider doing this for both directions.
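As an added illustration of the NAT workaround (not code from either poster): the script below is what the "masquerade one site's LAN range, in both directions" suggestion looks like on a Linux satellite router running iptables. It assumes the satellite endpoint is Linux with a tunnel interface tun0, and the "published" ranges 10.41.0.0/24 and 10.42.0.0/24 are my own choice, not from the thread. Instead of plain MASQUERADE (which would only make the LAN appear as the tunnel address and only works outbound), it uses 1:1 NETMAP so each satellite's overlapping 192.168.40.0/24 is seen by the main site as a distinct range in both directions, which is what makes per-site filter rules possible.

```shell
#!/bin/sh
# Added example, not from the original thread.
# 1:1 NAT (NETMAP) on a Linux satellite router so that the overlapping LAN
# 192.168.40.0/24 is presented to the main site as a unique published range.
# Assumptions: Linux + iptables on the satellite OpenVPN endpoint, tunnel
# interface tun0, published ranges 10.41.0.0/24 (site 1) / 10.42.0.0/24 (site 2)
# chosen here for illustration. DRY_RUN=1 (the default) only prints the rules.
set -eu

# Print or apply one iptables command depending on DRY_RUN.
emit() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the NAT and forwarding rules that map <real_lan> to <published_lan>
# across <tun_if>, in both directions.
# usage: netmap_rules <tun_if> <real_lan> <published_lan>
netmap_rules() {
    tun_if=$1; real_lan=$2; pub_lan=$3
    # Outbound: LAN hosts leave the tunnel with source addresses rewritten
    # into the published range (host part preserved, e.g. .40.5 -> 10.41.0.5).
    emit iptables -t nat -A POSTROUTING -o "$tun_if" -s "$real_lan" -j NETMAP --to "$pub_lan"
    # Inbound: the main site addresses the published range; translate the
    # destination back to the real LAN before routing.
    emit iptables -t nat -A PREROUTING -i "$tun_if" -d "$pub_lan" -j NETMAP --to "$real_lan"
    # Permit forwarding across the tunnel once translated (tighten as needed).
    emit iptables -A FORWARD -i "$tun_if" -d "$real_lan" -j ACCEPT
    emit iptables -A FORWARD -o "$tun_if" -s "$real_lan" -j ACCEPT
}

# Satellite 1 would run the first line, satellite 2 the second; each router
# only applies its own mapping. On the main site, the peer-to-peer instance's
# "remote network" (the route pushed over the tunnel) is then set to the
# published range, so the two sites no longer collide.
netmap_rules tun0 192.168.40.0/24 10.41.0.0/24   # satellite 1
# netmap_rules tun0 192.168.40.0/24 10.42.0.0/24 # satellite 2
```

With this in place, the main-site rules for the two peer-to-peer tunnels use 10.41.0.0/24 and 10.42.0.0/24 as the source, so completely separate policies per site become possible even though both LANs are really 192.168.40.0/24. Hosts at the main site must also address the satellites by their published range, not by 192.168.40.x, and DNS entries for satellite hosts need to reflect that.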
Thanks man, had to resort to NAT