Netgate Discussion Forum
    How can I set up clients with conflicting subnets?

    senseivita

      I'd like to set up several ISP(or WAN)-over-VPN-type clients but my provider assigns addresses all within the same subnet, sometimes even the same address per client.

      All the tunnels are brought up but only one of them is used to route the traffic. This is my current routing table: (minus local interface clutter)

      IPv4 Routes                                                                           
      --------------------------------------------------------------------------------------
      Destination      Gateway         Flags  Use       Mtu    Netif                        
      default          200.38.193.226  UGS    6392663   1492   pppoe0  <- MASTER GATEWAY    
      1.1.1.1          10.8.8.1        UGHS   206       1500   ovpnc2  <- ovpnc3 MONITOR    
      9.9.9.9          10.8.8.1        UGHS   206       1500   ovpnc2  <- ovpnc2 MONITOR    
      …                                                                                     
      10.8.8.0/24      10.8.8.1        UGS    18        1500   ovpnc2                       
      10.8.8.1         link#32         UH     0         1500   ovpnc2  <- ovpnc2-5 GATEWAY  
      10.8.8.2         link#32         UHS    0         16384  lo0     <- ovpnc2            
      10.8.8.14        link#33         UHS    0         16384  lo0     <- ovpnc3            
      10.8.8.19        link#34         UHS    0         16384  lo0     <- ovpnc4            
      10.8.8.31        link#35         UHS    0         16384  lo0     <- ovpnc5            
      …                                                                                     
      45.33.35.53      pppoe0          UHS    206       1492   pppoe0  <- pppoe0 MONITOR    
      127.0.0.1        link#5          UH     22535161  16384  lo0                          
      149.112.112.112  192.168.111.1   UGHS   206       1500   ovpnc1  <- ovpnc1 MONITOR    
      184.105.253.10   200.38.193.226  UGHS   945395    1492   pppoe0  <- gif endpoint      
      187.223.117.55   link#29         UHS    15082     16384  lo0                          
      192.168.111.1    link#31         UH     2936448   1500   ovpnc1  <- ovpnc1 GATEWAY    
      192.168.111.2    link#31         UHS    78201     16384  lo0     <- ovpnc1            
      200.38.193.226   link#29         UH     0         1492   pppoe0                       
      208.67.220.220   10.8.8.1        UGHS   206       1500   ovpnc2  <- monitor ovpnc5    
      208.67.222.222   10.8.8.1        UGHS   206       1500   ovpnc2  <- monitor ovpnc4    
      ======================================================================================
      if      monitor          addr            mask  gateway                             
      pppoe0  45.33.35.53      187.223.117.55  /32   200.38.193.226                         
      ovpnc1  149.112.112.112  192.168.111.2   /24   192.168.111.1                          
      ovpnc2  9.9.9.9          10.8.8.2        /24   10.8.8.1                               
      ovpnc3  1.1.1.1          10.8.8.14       /24   10.8.8.1                               
      ovpnc4  208.67.222.222   10.8.8.19       /24   10.8.8.1                               
      ovpnc5  208.67.220.220   10.8.8.30       /24   10.8.8.1                               
      
      

      If I'm not too far off this should be corrected with NAT but the outbound NAT set on each tunnel-made-interface only disguises addresses behind the interface not the address on the interface itself. I thought about setting up several upstream microfirewalls each handling a tunnel but it's very resource-wasteful. I saved it as a last resort.

      I looked up the OpenVPN documentation and I found two options that might work, but I'm not sure how to set them up and if they'll work without server-side configuration:

      [Source: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/]

      --client-nat snat|dnat network netmask alias

      This pushable client option sets up a stateless one-to-one NAT rule on packet addresses (not ports), and is useful in cases where routes or ifconfig settings pushed to the client would create an IP numbering conflict. network/netmask (for example 192.168.0.0/255.255.0.0) defines the local view of a resource from the client perspective, while alias/netmask (for example 10.64.0.0/255.255.0.0) defines the remote view from the server perspective.

      Use snat (source NAT) for resources owned by the client and dnat (destination NAT) for remote resources.
      Set --verb 6 for debugging info showing the transformation of src/dest addresses in packets.

      --ifconfig-push local remote-netmask [alias]

      Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation. The parameters local and remote-netmask are set according to the --ifconfig directive which you want to execute on the client machine to configure the remote end of the tunnel. Note that the parameters local and remote-netmask are from the perspective of the client, not the server. They may be DNS names rather than IP addresses, in which case they will be resolved on the server at the time of client connection.

      The optional alias parameter may be used in cases where NAT causes the client view of its local endpoint to differ from the server view. In this case local/remote-netmask will refer to the server view while alias/remote-netmask will refer to the client view.

      This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.
      Remember also to include a --route directive in the main OpenVPN config file which encloses local, so that the kernel will know to route it to the serverʼs TUN/TAP interface.

      OpenVPNʼs internal client IP address selection algorithm works as follows:

      1. Use --client-connect script generated file for static IP (first choice).
      2. Use --client-config-dir file for static IP (next choice).
      3. Use --ifconfig-pool allocation for dynamic IP (last choice).

      Would any of these work? If so, how are they set up?

      Unrelated suggestions/workarounds are welcome too. :)

      Thanks!

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.
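The two things the post is really about can be checked mechanically: why the kernel sends all the ovpnc3/4/5 traffic out ovpnc2, and what the one-to-one address rewrite that --client-nat describes would do to those addresses. The block below is an added example, not code from the post or from pfSense/OpenVPN: it loads the tunnel table from the post, groups interfaces that land in the same subnet, resolves each tunnel's gateway with a longest-prefix lookup over a reduced copy of the post's routing table, and then applies the network-bits-for-alias-bits rewrite the manual describes (stateless, addresses only) using alias networks chosen here for illustration (10.64.x.0/24 is an assumption, not anything the page recommends).

```python
import ipaddress
from collections import defaultdict

# Tunnel table as listed in the post: (interface, address, prefix length, gateway).
TUNNELS = [
    ("pppoe0", "187.223.117.55", 32, "200.38.193.226"),
    ("ovpnc1", "192.168.111.2", 24, "192.168.111.1"),
    ("ovpnc2", "10.8.8.2", 24, "10.8.8.1"),
    ("ovpnc3", "10.8.8.14", 24, "10.8.8.1"),
    ("ovpnc4", "10.8.8.19", 24, "10.8.8.1"),
    ("ovpnc5", "10.8.8.30", 24, "10.8.8.1"),
]

# Reduced copy of the post's routing table: only the entries that decide
# where a next-hop address resolves (prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "pppoe0"),
    ("10.8.8.0/24", "ovpnc2"),
    ("10.8.8.1/32", "ovpnc2"),
    ("192.168.111.0/24", "ovpnc1"),
    ("192.168.111.1/32", "ovpnc1"),
    ("200.38.193.226/32", "pppoe0"),
]


def tunnel_subnets(tunnels):
    """Map each interface name to the subnet its address/prefix belongs to."""
    return {ifname: ipaddress.ip_interface(f"{addr}/{plen}").network
            for ifname, addr, plen, _gw in tunnels}


def find_conflicts(tunnels):
    """Group interfaces that sit in the identical subnet; groups of two or more conflict."""
    groups = defaultdict(list)
    for ifname, net in tunnel_subnets(tunnels).items():
        groups[net].append(ifname)
    return {str(net): sorted(ifs) for net, ifs in groups.items() if len(ifs) > 1}


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, netif) pairs, as the kernel does."""
    best = None
    target = ipaddress.ip_address(dst)
    for prefix, netif in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best[1] if best else None


def gateway_netif(tunnels, routes):
    """For every tunnel, the interface its gateway address actually resolves to."""
    return {ifname: route_lookup(routes, gw) for ifname, _a, _p, gw in tunnels}


def shadowed_tunnels(tunnels, routes):
    """Tunnels whose gateway resolves to a different interface: they never carry traffic."""
    return [ifname for ifname, netif in gateway_netif(tunnels, routes).items()
            if netif != ifname]


def distinct_aliases(ifaces, base="10.64.0.0/16", prefixlen=24):
    """Hand each conflicting interface its own alias network (constructed values)."""
    subnets = ipaddress.ip_network(base).subnets(new_prefix=prefixlen)
    return {ifname: str(next(subnets).network_address) for ifname in ifaces}


def one_to_one_nat(addr, network, netmask, alias):
    """Stateless 1:1 rewrite as --client-nat describes: swap the network bits for the
    alias bits and keep the host bits. Addresses outside network/netmask pass untouched."""
    a = int(ipaddress.ip_address(addr))
    m = int(ipaddress.ip_address(netmask))
    n = int(ipaddress.ip_address(network))
    al = int(ipaddress.ip_address(alias))
    if a & m != n & m:
        return addr
    return str(ipaddress.ip_address((al & m) | (a & ~m & 0xFFFFFFFF)))


def apply_client_nat(packet, mode, network, netmask, alias):
    """Apply the rule to one packet: snat rewrites src, dnat rewrites dst (addresses only)."""
    field = {"snat": "src", "dnat": "dst"}[mode]
    out = dict(packet)
    out[field] = one_to_one_nat(packet[field], network, netmask, alias)
    return out


if __name__ == "__main__":
    conflicts = find_conflicts(TUNNELS)
    print("conflicting subnets:", conflicts)
    print("shadowed tunnels:", shadowed_tunnels(TUNNELS, ROUTES))
    aliases = distinct_aliases(conflicts["10.8.8.0/24"])
    for ifname, addr, _p, _g in TUNNELS:
        if ifname in aliases:
            print(ifname, addr, "->", one_to_one_nat(addr, "10.8.8.0", "255.255.255.0", aliases[ifname]))
```

Running it reproduces the post's observation: ovpnc3, ovpnc4 and ovpnc5 all have gateway 10.8.8.1, the only route for that address points at ovpnc2, so those three tunnels are shadowed by the single 10.8.8.0/24 route. The rewrite function only models the address arithmetic in the manual text quoted above; it says nothing about whether the tunnel interface address itself (the part outbound NAT on the interface does not touch, as the post notes) would change, and the manual makes the alias a server-side view, so the server-side question the post raises stays open.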
