Site2Site from multiple clients with the same local network/subnet
-
Hi!
I need to connect from multiple clients with a Site2Site VPN that has the same local network/subnet on the client side.
Will the VPN server keep track of connections from the different public IPs that the clients have? So it knows where to route traffic back?
If not, can this be done in a way?
Thanks for any help!
-
@jarlel
This is not an issue with the VPN server, but with the router. pfSense would not be able to route packets to the other site if it has the same / overlapping network range. Even if you can do a workaround with NAT / masquerading, the best and most clear practice would be to change the network of one site.
-
@viragomann said in Site2Site from multiple clients with the same local network/subnet:
@jarlel
This is not an issue with the VPN server, but with the router. pfSense would not be able to route packets to the other site if it has the same / overlapping network range. Even if you can do a workaround with NAT / masquerading, the best and most clear practice would be to change the network of one site.
Thanks, viragomann. It is not so easy to change the network as the clients will be standard installs from images in the amount of tens if not hundreds.
The clients will communicate through the tunnel just to go out to the internet via the VPN-server. The clients don't have to reach any local network(s) on the server.
Do you know if one alternative can be the use of one server for each client, just using different ports for the servers? Will it then be able to route correctly?
Thanks again.
-
@jarlel said in Site2Site from multiple clients with the same local network/subnet:
The clients will communicate through the tunnel just to go out to the internet via the VPN-server. The clients don't have to reach any local network(s) on the server.
For upstream traffic only, there would be no issue (redirect gateway).
Do you know if one alternative can be the use of one server for each client, just using different ports for the servers? Will it then be able to route correctly?
Not clear what you mean.
Running different VPN servers, one for each client? This would be possible, but it has nothing to do with routing.
For accessing the remote site, which has the same local subnet, I recently gave an example here: https://forum.netgate.com/topic/182833/routing-with-vpn/4
-
@viragomann said in Site2Site from multiple clients with the same local network/subnet:
@jarlel said in Site2Site from multiple clients with the same local network/subnet:
The clients will communicate through the tunnel just to go out to the internet via the VPN-server. The clients don't have to reach any local network(s) on the server.
For upstream traffic only, there would be no issue (redirect gateway).
Ok, sounds reasonable. Can you please explain what you mean by "redirect gateway"?
Do you know if one alternative can be the use of one server for each client, just using different ports for the servers? Will it then be able to route correctly?
Not clear what you mean.
Running different VPN servers, one for each client? This would be possible, but it has nothing to do with routing.
Yes, that is what I am thinking, one server for each client. I want to be able to reach hosts on the client-side from the server-side. The problem is that the LANs on the clients' side are identical, so to be able to route traffic to specific hosts on the different clients I need to mask each client to different subnets.
Suggestion:
- Use one server for each client (each server on its own UDP port). This way I can have different NAT rules for each client.
- Add an OPT-interface to every OpenVPN interface to be able to do specific NAT settings
- Set up 1:1 NAT as you explained in the example, using different single host subnets (e.g. 10.171.45.0) for each interface
Then I will be able to address/access hosts/IPs on the different clients' side even if they have the same LAN subnet, right? Do you think this will work?
It is a bit "complex", but I don't see another way of doing it at the moment.
For accessing the remote site, which has the same local subnet, I recently gave an example here: https://forum.netgate.com/topic/182833/routing-with-vpn/4
-
@jarlel said in Site2Site from multiple clients with the same local network/subnet:
Can you please explain what you mean by "redirect gateway"?
This is an OpenVPN option, which replaces the clients default gateway with the OpenVPN server.
In the server settings you can check this option, so the server pushes it to the client.
- Use one server for each client (each server on its own UDP port). This way I can have different NAT rules for each client.
- Add an OPT-interface to every OpenVPN interface to be able to do specific NAT settings
This is only needed if you want to policy route traffic to the client side.
Otherwise you can also go with a single server and configure Client Specific Overrides for each client. The latter is needed anyway.
- Set up 1:1 NAT as you explained in the example, using different single host subnets (e.g. 10.171.45.0) for each interface
Note that the NAT must be done on the clients. So if you translate one client's subnet to 10.171.45.0/24 as in this example, you have to state this subnet in the CSO and also in the OpenVPN server settings "Remote Networks" box.
Then I will be able to address/access hosts/IPs on the different clients' side even if they have the same LAN subnet, right? Do you think this will work?
It is a bit "complex", but I don't see another way of doing it at the moment.
Yes. It's just NAT and you have to use a certain different subnet for each client.
-
This is an OpenVPN option, which replaces the clients default gateway with the OpenVPN server.
In the server settings you can check this option, so the server pushes it to the client.
Ah, I get it, it is just certain destinations that should be routed through the tunnel, so I have specified the hosts/networks in the "IPv4 Remote network(s)" field on the client side.
- Use one server for each client (each server on its own UDP port). This way I can have different NAT rules for each client.
- Add an OPT-interface to every OpenVPN interface to be able to do specific NAT settings
This is only needed if you want to policy route traffic to the client side.
Otherwise you can also go with a single server and configure Client Specific Overrides for each client. The latter is needed anyway.
Ok, I see. I don't need that. I have tested now with a single server and 1:1 NAT'ing on the client side with the client specific override on the server side. Is this needed to differentiate between different remote networks, like 10.171.45.0/24 for the first client?
I guess it is required to use different certificates for each client, right? Otherwise it will not be possible to differentiate between the different clients and different remote networks for each client?
Note that the NAT must be done on the clients. So if you translate one client's subnet to 10.171.45.0/24 as in this example, you have to state this subnet in the CSO and also in the OpenVPN server settings "Remote Networks" box.
Nice, I have tested with the first client now, translated the LAN to 10.171.45.0/24 and then I will use 10.171.46.0/24 for the next one and so on.
Then I will be able to address/access hosts/IPs on the different clients' side even if they have the same LAN subnet, right? Do you think this will work?
It is a bit "complex", but I don't see another way of doing it at the moment.
Yes. It's just NAT and you have to use a certain different subnet for each client.
Thanks, I have successfully reached local IPs on the client-side now with the mentioned NAT setup :-)
-
@jarlel said in Site2Site from multiple clients with the same local network/subnet:
I have tested now with a single server and 1:1 NAT'ing on the client side with the client specific override on the server side. Is this needed to differentiate between different remote networks, like 10.171.45.0/24 for the first client?
Yes, the CSO sets the routes within OpenVPN, so that the traffic is routed to the proper client.
The "Remote Networks" field in the server settings sets the routes for the entered networks to the OpenVPN server in pfSense.
I guess it is required to use different certificates for each client, right?
Yes, each client must use a unique certificate.
-
Yes, the CSO sets the routes within OpenVPN, so that the traffic is routed to the proper client.
The "Remote Networks" field in the server settings sets the routes for the entered networks to the OpenVPN server in pfSense.
Thanks again for your help, viragomann - I now have a setup that seems to work well :-)
I am not quite sure yet what the difference is between "remote networks" in the server settings and "remote networks" in the CSO...
Cheers,
Jarle
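As an added illustration (written for this page, not taken from any of the posters or generated by pfSense), here is what the three pieces discussed in the thread look like in raw OpenVPN and pf syntax: the server's "Remote Networks" box (which becomes `route`), each client's CSO (which becomes `iroute`, the part viragomann says steers traffic to the proper client), and the 1:1 NAT on the client side. The clients' shared LAN 192.168.1.0/24, the certificate common names client1/client2 and the client tunnel interface name ovpnc1 are assumptions; the translated subnets 10.171.45.0/24 and 10.171.46.0/24 are the ones used above.

```conf
# ----- OpenVPN server on the pfSense hub -----
# pfSense "Remote Networks" -> one route per translated client subnet.
# This installs a kernel route into the tunnel; it does not yet say WHICH
# client is behind each subnet.
route 10.171.45.0 255.255.255.0     # client1's LAN after 1:1 NAT
route 10.171.46.0 255.255.255.0     # client2's LAN after 1:1 NAT
client-config-dir ccd               # per-client overrides (CSO) live here

# ----- ccd/client1  (CSO matched by certificate CN "client1", assumed name) -----
# iroute is OpenVPN-internal routing: "10.171.45.0/24 is reachable via THIS client".
# Without it the kernel route above points into the tunnel but OpenVPN cannot
# pick the right peer, which is why each client needs a unique cert and CSO.
iroute 10.171.45.0 255.255.255.0

# ----- ccd/client2 -----
iroute 10.171.46.0 255.255.255.0

# ----- pf on the client1 pfSense (1:1 NAT on the OpenVPN client interface) -----
# Real LAN 192.168.1.0/24 (constructed) is rewritten to 10.171.45.0/24 on the
# way into the tunnel and back on the way out, host-for-host
# (192.168.1.10 <-> 10.171.45.10). client2 uses the same rule with 10.171.46.0/24.
binat on ovpnc1 from 192.168.1.0/24 to any -> 10.171.45.0/24
```

From the hub side a host is then addressed as 10.171.45.x or 10.171.46.x, which is how two identical LANs stay distinguishable without renumbering either of them.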