1:1 NAT to avoid changing a subnet
-
I have a client with a very common subnet, 192.168.0/24. It would be a real pain to change it now. Can I use 1:1 NAT in order to address the issues this poses when remote workers are connecting over VPN?
E.g.:
Office network | VPN network | Home network
192.168.0.x <-> 10.8.1.x <-> 192.168.0.x
However, with 1:1 NAT could I not map the 10.8.1.x subnet directly to the office 192.168.0.x IPs, circumventing the issue where the home network machine looks in its network vs the office network?
Is this doable, or advisable?
-
@ash-0
No, not this way. The home machine will not direct the packets over the VPN if the IP is in its LAN, and the 10.8.1.x is the VPN tunnel network which is used by the server and clients. It may be doable with NAT using a different network range, e.g. 172.29.136.0/24. To do so, you have to add this to the local networks in the OpenVPN server settings and assign an interface to the OpenVPN server.
Then you should be able to NAT this subnet to your local network.
1:1 NAT is for natting both directions. If you only need incoming access from the VPN client to your local network, you can also go with a port forwarding rule.
The client then has to access for instance 172.29.136.15 if he wants to go to 192.168.0.15.
-
@viragomann okay, what you're saying makes sense and that's what I thought 1:1 NAT would do. E.g. map 10.8.1.x "on top of" the office 192.168.0.x, such that home 192.168.0.x would stay at home, and connections to 10.8.1.x would map neatly onto the _office_ network. E.g. 10.8.1.123 would map to office 192.168.0.123.
Maybe I'm over-complicating the problem. And realistically, I only need remote workers to have access to a single IP, not the whole subnet. Someone else suggested that VIPs are the way to go but I'm unfamiliar with that, too, and how I would map an OpenVPN subnet onto a VIP.
-
@ash-0
You don't map the OpenVPN subnet to your LAN, you have to map a fictitious network or IP. As I mentioned, for instance you map 172.29.136.15 to 192.168.0.15. So the client has to call 172.29.136.15 when he wants to access the .15 in your LAN. I think it may work without adding virtual IPs to the VPN interface, because the client directs the packets to your VPN server's IP. Never done it with port forwarding, but should work with 1:1 at all.
If it doesn't you have to add a virtual IP for each single LAN address the client should be able to access.
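To make the two points in the replies above concrete (why the home machine keeps 192.168.0.x traffic on its own LAN, and how a 1:1 NAT of a fictitious 172.29.136.0/24 onto the office 192.168.0.0/24 gets around it), here is an added illustration that is not part of the thread and not pfSense code. It simulates longest-prefix route selection on a home client with a constructed routing table, then applies the 1:1 NAT translation the office firewall would perform; the interface names and the pushed routes are assumptions.

```python
import ipaddress

# Constructed routing table of a home client whose own LAN is 192.168.0.0/24.
# The OpenVPN server pushes routes for the tunnel, the fictitious office network
# and (to show the conflict) the real office LAN as well.
HOME_ROUTES = [
    ("192.168.0.0/24", "eth0"),    # connected home LAN route
    ("192.168.0.0/24", "tun0"),    # same prefix pushed by the VPN server
    ("10.8.1.0/24", "tun0"),       # VPN tunnel network
    ("172.29.136.0/24", "tun0"),   # fictitious office network pushed by the server
    ("0.0.0.0/0", "eth0"),         # default route
]

def select_route(dst, routes=HOME_ROUTES):
    """Longest-prefix match. On an equal prefix the first entry wins, which stands in
    for the lower metric a connected route has on a real host."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def nat_1to1(dst, external="172.29.136.0/24", internal="192.168.0.0/24"):
    """1:1 NAT as the office firewall applies it on the VPN interface: the network
    bits are swapped, the host bits are kept, so .15 stays .15."""
    ext = ipaddress.ip_network(external)
    intl = ipaddress.ip_network(internal)
    if ext.prefixlen != intl.prefixlen:
        raise ValueError("1:1 NAT needs two networks of the same size")
    ip = ipaddress.ip_address(dst)
    if ip not in ext:
        return None  # not covered by the mapping
    return str(intl.network_address + (int(ip) - int(ext.network_address)))

def reach_office_host(dst):
    """Returns (interface the home client sends on, address the office LAN sees).
    A None second value means the packet never entered the tunnel."""
    iface = select_route(dst)
    if iface != "tun0":
        return iface, None
    return iface, nat_1to1(dst)

if __name__ == "__main__":
    for target in ("192.168.0.15", "172.29.136.15"):
        print(target, "->", reach_office_host(target))
```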