How can I set up clients with conflicting subnets?
-
I'd like to set up several ISP (or WAN)-over-VPN-type clients, but my provider assigns addresses all within the same subnet, sometimes even the same address per client.
All the tunnels are brought up, but only one of them is used to route the traffic. This is my current routing table (minus local interface clutter):

IPv4 Routes
--------------------------------------------------------------------------------------
Destination        Gateway          Flags  Use       Mtu    Netif
default            200.38.193.226   UGS    6392663   1492   pppoe0   <- MASTER GATEWAY
1.1.1.1            10.8.8.1         UGHS   206       1500   ovpnc2   <- ovpnc3 MONITOR
9.9.9.9            10.8.8.1         UGHS   206       1500   ovpnc2   <- ovpnc2 MONITOR
…
10.8.8.0/24        10.8.8.1         UGS    18        1500   ovpnc2
10.8.8.1           link#32          UH     0         1500   ovpnc2   <- ovpnc2-5 GATEWAY
10.8.8.2           link#32          UHS    0         16384  lo0      <- ovpnc2
10.8.8.14          link#33          UHS    0         16384  lo0      <- ovpnc3
10.8.8.19          link#34          UHS    0         16384  lo0      <- ovpnc4
10.8.8.31          link#35          UHS    0         16384  lo0      <- ovpnc5
…
45.33.35.53        pppoe0           UHS    206       1492   pppoe0   <- pppoe0 MONITOR
127.0.0.1          link#5           UH     22535161  16384  lo0
149.112.112.112    192.168.111.1    UGHS   206       1500   ovpnc1   <- ovpnc1 MONITOR
184.105.253.10     200.38.193.226   UGHS   945395    1492   pppoe0   <- gif endpoint
187.223.117.55     link#29          UHS    15082     16384  lo0
192.168.111.1      link#31          UH     2936448   1500   ovpnc1   <- ovpnc1 GATEWAY
192.168.111.2      link#31          UHS    78201     16384  lo0      <- ovpnc1
200.38.193.226     link#29          UH     0         1492   pppoe0
208.67.220.220     10.8.8.1         UGHS   206       1500   ovpnc2   <- monitor ovpnc5
208.67.222.222     10.8.8.1         UGHS   206       1500   ovpnc2   <- monitor ovpnc4
======================================================================================
if       monitor          addr             mask   gateway
pppoe0   45.33.35.53      187.223.117.55   /32    200.38.193.226
ovpnc1   149.112.112.112  192.168.111.2    /24    192.168.111.1
ovpnc2   9.9.9.9          10.8.8.2         /24    10.8.8.1
ovpnc3   1.1.1.1          10.8.8.14        /24    10.8.8.1
ovpnc4   208.67.222.222   10.8.8.19        /24    10.8.8.1
ovpnc5   208.67.220.220   10.8.8.30        /24    10.8.8.1
If I'm not too far off, this should be corrected with NAT, but the outbound NAT set on each tunnel-made interface only disguises addresses behind the interface, not the address on the interface itself. I thought about setting up several upstream microfirewalls, each handling a tunnel, but it's very resource-wasteful. I saved it as a last resort.
I looked up the OpenVPN documentation and found two options that might work, but I'm not sure how to set them up or whether they'll work without server-side configuration:
[Source: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/]
--client-nat snat|dnat network netmask alias

This pushable client option sets up a stateless one-to-one NAT rule on packet addresses (not ports), and is useful in cases where routes or ifconfig settings pushed to the client would create an IP numbering conflict. network/netmask (for example 192.168.0.0/255.255.0.0) defines the local view of a resource from the client perspective, while alias/netmask (for example 10.64.0.0/255.255.0.0) defines the remote view from the server perspective.

Use snat (source NAT) for resources owned by the client and dnat (destination NAT) for remote resources.

Set --verb 6 for debugging info showing the transformation of src/dest addresses in packets.

--ifconfig-push local remote-netmask [alias]

Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation. The parameters local and remote-netmask are set according to the --ifconfig directive which you want to execute on the client machine to configure the remote end of the tunnel. Note that the parameters local and remote-netmask are from the perspective of the client, not the server. They may be DNS names rather than IP addresses, in which case they will be resolved on the server at the time of client connection.

The optional alias parameter may be used in cases where NAT causes the client view of its local endpoint to differ from the server view. In this case local/remote-netmask will refer to the server view while alias/remote-netmask will refer to the client view.

This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.

Remember also to include a --route directive in the main OpenVPN config file which encloses local, so that the kernel will know to route it to the server's TUN/TAP interface.

OpenVPN's internal client IP address selection algorithm works as follows:
- Use --client-connect script generated file for static IP (first choice).
- Use --client-config-dir file for static IP (next choice).
- Use --ifconfig-pool allocation for dynamic IP (last choice).
Would any of these work? If so, how are they set up?
Unrelated suggestions/workarounds are welcome too. :)
Thanks!
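The following is an added example, not part of the post above and not OpenVPN or pfSense code. It models two things from the question: why four tunnels that all see the gateway 10.8.8.1 inside 10.8.8.0/24 collapse onto a single route (longest-prefix match picks one interface, ovpnc2 here), and what the stateless one-to-one address NAT described by the quoted --client-nat text does to an address (keep the host bits, swap the network bits for the alias network). The per-tunnel alias networks 10.108.N.0/24 are assumptions chosen for illustration; the routes are a subset of the posted table. The script only models the address and route arithmetic and makes no claim about how pfSense would apply such a translation to its tunnel endpoints.

```python
"""Routing-conflict model for overlapping OpenVPN client subnets (added example)."""
import ipaddress

# Subset of the posted routing table as (destination prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "pppoe0"),
    ("10.8.8.0/24", "ovpnc2"),      # the one /24 that survived for 10.8.8.0/24
    ("192.168.111.1/32", "ovpnc1"),
    ("1.1.1.1/32", "ovpnc2"),       # monitor routes all landed on ovpnc2 too
    ("9.9.9.9/32", "ovpnc2"),
]

# Gateway each tunnel sees, from the posted summary: all four share 10.8.8.1.
TUNNEL_GATEWAYS = {
    "ovpnc2": "10.8.8.1",
    "ovpnc3": "10.8.8.1",
    "ovpnc4": "10.8.8.1",
    "ovpnc5": "10.8.8.1",
}

# Assumed alias networks, one per tunnel (illustrative, not from the post).
ALIASES = {
    "ovpnc2": "10.108.2.0/24",
    "ovpnc3": "10.108.3.0/24",
    "ovpnc4": "10.108.4.0/24",
    "ovpnc5": "10.108.5.0/24",
}


def lookup(dst, routes=ROUTES):
    """Longest-prefix match, the way the kernel chooses a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, netif in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best[1] if best else None


def conflicting_tunnels(gateways, routes=ROUTES):
    """Tunnels whose own gateway address routes out a *different* interface."""
    return sorted(t for t, gw in gateways.items() if lookup(gw, routes) != t)


def one_to_one_nat(addr, network, alias):
    """Stateless 1:1 NAT on the address only (no ports), as --client-nat
    describes: addresses inside `network` are rewritten into `alias` with the
    host bits preserved; anything else passes through unchanged."""
    addr = ipaddress.ip_address(addr)
    network = ipaddress.ip_network(network)
    alias = ipaddress.ip_network(alias)
    if network.prefixlen != alias.prefixlen:
        raise ValueError("network and alias must have the same netmask")
    if addr not in network:
        return addr
    host_bits = int(addr) - int(network.network_address)
    return ipaddress.ip_address(int(alias.network_address) + host_bits)


def renumbered_gateways(gateways, aliases):
    """Each tunnel's gateway as it would look after its own 1:1 translation."""
    return {t: str(one_to_one_nat(gw, "10.8.8.0/24", aliases[t]))
            for t, gw in gateways.items()}


def renumbered_routes(aliases):
    """Routes the box would hold if each tunnel carried a distinct alias /24."""
    return [("0.0.0.0/0", "pppoe0")] + [(alias, netif) for netif, alias in aliases.items()]


if __name__ == "__main__":
    print("before:", conflicting_tunnels(TUNNEL_GATEWAYS))
    gws = renumbered_gateways(TUNNEL_GATEWAYS, ALIASES)
    print("after: ", conflicting_tunnels(gws, renumbered_routes(ALIASES)), gws)
```

Run it as-is: before translation, ovpnc3, ovpnc4 and ovpnc5 are reported as conflicting because their gateway 10.8.8.1 resolves to ovpnc2; after giving each tunnel its own alias network the conflict list is empty and each translated gateway (10.108.3.1, 10.108.4.1, ...) resolves to its own interface. The check in `conflicting_tunnels` is also a useful thing to run against any multi-WAN-over-VPN setup before trusting its policy routing.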