Netgate Discussion Forum

Remapping a network over an OpenVPN connection

6 Posts 4 Posters 634 Views
    keylevel
    last edited by Dec 6, 2022, 11:21 PM

    I have two sites that clients need to be able to access at the same time using OpenVPN. Unfortunately, both VPNs use the 10.0.0.0/24 network for their tunnels, and the systems on each site both use 192.168.1.0/24. It is easy enough to reconfigure one of the sites to use a different tunnel, but it is not feasible to move either of the sites from 192.168.1.0/24.

    I would like to be able to come up with a configuration that would allow the clients to use 192.168.1.0/24 to access the systems on one site, and 192.168.2.0/24 to access the systems on the other. Is it possible to use 1:1 (or some other) NAT to perform a remapping to make this work?

    Chris

      michmoor LAYER 8 Rebel Alliance @keylevel
      last edited by Dec 7, 2022, 12:16 AM

      @keylevel Achievable. You will need to perform a double NAT. NAT both the source and destination of a packet as it goes out over the tunnel.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

        keylevel @michmoor
        last edited by Dec 7, 2022, 12:55 AM

        @michmoor

        Thanks - I should have added that I'm not really familiar with NAT (other than basic port forwarding). Does "double NAT" mean I have to use 1:1 in both directions?

        Chris

          rcoleman-netgate Netgate @keylevel
          last edited by Dec 7, 2022, 1:07 AM

          @keylevel It means that you have to translate the following:

          Site 1: 192.168.1.0/24 needs to be translated into 10.0.1.0/24
          Site 2: 192.168.1.0/24 needs to be translated into 10.0.2.0/24

          Site 2 talks to Site 1 via 10.0.1.0/24
          Site 1 talks to Site 2 via 10.0.2.0/24

          Setting up a bi-directional NAT is tricky. Sometimes it's just easier to readdress the network.

          Ryan
          Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
          Requesting firmware for your Netgate device? https://go.netgate.com
          Switching: Mikrotik, Netgear, Extreme
          Wireless: Aruba, Ubiquiti

            keylevel
            last edited by Dec 7, 2022, 11:35 AM

            @rcoleman-netgate

            Thanks, but I've not yet worked out how to set up that sort of translation (still searching for a simple "how-to"). It also looks like I haven't accurately explained what I'm trying to do, as it's not the sites that need to communicate with each other:

            Site 1: 192.168.1.0/24 via VPN tunnel 10.0.1.0/24, VPN local network 192.168.1.0/24
            Site 2: 192.168.1.0/24 via VPN tunnel 10.0.2.0/24, VPN local network 192.168.2.0/24

            Clients need to be able to connect and communicate with both sites at the same time. This is trivial for Site 1, as the VPN local network is the site network, but site 2 needs to map 192.168.2.x onto 192.168.1.x.

            I do agree that re-addressing Site 2 would be easier, but that is not possible in the short term.

            Chris

              viragomann @keylevel
              last edited by Dec 7, 2022, 12:07 PM

              @keylevel
              There is nothing you can do on your pfSense at all.
              Even if you do a sort of translation, pfSense would have to route the traffic to 192.168.1.0/24, which it has two gateways for. Hence routing is not possible.

              The address translation has to occur on one of the remote sites. So pfSense would see another subnet and could route traffic to it properly.

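The two points made in the replies above (rcoleman-netgate's 1:1 translation of a whole /24 onto another /24, and viragomann's observation that the client-side pfSense ends up with two gateways for the same 192.168.1.0/24 prefix) can be modelled in a few lines. The following is an added illustration, not code from this thread or from pfSense: it reproduces pf's equal-size-block 1:1 NAT (keep the host bits, swap the prefix) and a longest-prefix-match route lookup, then walks one packet from a client to a remapped Site 2 host and back. The tunnel names `tun_site1` / `tun_site2` are labels chosen here; the address blocks are the ones quoted in the thread.

```python
import ipaddress

# Addresses are the ones quoted in the thread; the tunnel names are labels
# chosen for this illustration only.
SITE2_REAL_LAN = "192.168.1.0/24"   # what Site 2's hosts really use
SITE2_REMAPPED = "192.168.2.0/24"   # what the client should see instead


def one_to_one_nat(addr, from_net, to_net):
    """Translate addr between two blocks of the same prefix length,
    keeping the host bits (the behaviour of pf's binat / pfSense 1:1 NAT).
    Returns the translated address as a string, or None if addr is not
    inside from_net."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs equal-size blocks")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        return None
    host_bits = int(ip) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + host_bits))


def overlapping_prefixes(routes):
    """Return prefixes that appear more than once in a route table given
    as (prefix, gateway) pairs: exactly the ambiguity viragomann describes."""
    seen = {}
    for prefix, gw in routes:
        seen.setdefault(ipaddress.ip_network(prefix), []).append(gw)
    return sorted(str(net) for net, gws in seen.items() if len(gws) > 1)


def lookup_route(routes, dst):
    """Longest-prefix match. When two entries carry the same prefix the
    first one wins, so the second site silently becomes unreachable."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


# Client-side route table when both tunnels push 192.168.1.0/24.
CONFLICTING_ROUTES = [
    ("192.168.1.0/24", "tun_site1"),
    ("192.168.1.0/24", "tun_site2"),
]

# Client-side route table once Site 2 translates its own LAN to
# 192.168.2.0/24 before the traffic enters the tunnel.
REMAPPED_ROUTES = [
    ("192.168.1.0/24", "tun_site1"),
    ("192.168.2.0/24", "tun_site2"),
]


def site2_round_trip(client_dst):
    """Follow one packet to a remapped Site 2 host: the client routes on
    the 192.168.2.x address, Site 2's NAT rewrites the destination to the
    real 192.168.1.x host, and the reply's source is rewritten back so the
    client sees the address it originally asked for."""
    gw = lookup_route(REMAPPED_ROUTES, client_dst)
    real_host = one_to_one_nat(client_dst, SITE2_REMAPPED, SITE2_REAL_LAN)
    reply_src = one_to_one_nat(real_host, SITE2_REAL_LAN, SITE2_REMAPPED)
    return gw, real_host, reply_src


if __name__ == "__main__":
    print("duplicate prefixes:", overlapping_prefixes(CONFLICTING_ROUTES))
    print("192.168.1.10 goes via:", lookup_route(CONFLICTING_ROUTES, "192.168.1.10"))
    print("remapped round trip:", site2_round_trip("192.168.2.10"))
```

Running it shows why the translation has to live at Site 2 rather than on the client's pfSense: with both tunnels advertising 192.168.1.0/24 the lookup always returns `tun_site1`, and no NAT rule on the client side can change which interface a packet to 192.168.1.x leaves on. Once Site 2 presents itself as 192.168.2.0/24, the two prefixes are distinct, the route is unambiguous, and the 1:1 mapping is reversible in both directions.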
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.