Netgate Discussion Forum
    Site2Site from multiple clients with the same local network/subnet

    OpenVPN
      jarlel

      Hi!

      I need to connect from multiple clients with a Site2Site VPN that has the same local network/subnet on the client side.

      Will the VPN server keep track of connections from the different public IPs that the clients have? So it knows where to route traffic back?

      If not, can this be done in a way?

      Thanks for any help!

        viragomann @jarlel

        @jarlel
        This is not an issue with the VPN server, but with the router. pfSense would not be able to route packets to the other site if it has the same / overlapping network range.

        Even though you could do a workaround with NAT / masquerading, the best and clearest practice would be to change the network of one site.

          jarlel @viragomann

          @viragomann said in Site2Site from multiple clients with the same local network/subnet:

          @jarlel
          This is not an issue with the VPN server, but with the router. pfSense would not be able to route packets to the other site if it has the same / overlapping network range.

          Even though you could do a workaround with NAT / masquerading, the best and clearest practice would be to change the network of one site.

          Thanks, viragomann. It is not so easy to change the network, as the clients will be standard installs from images, in numbers of tens if not hundreds.

          The clients will communicate through the tunnel just to go out to the internet via the VPN-server. The clients don't have to reach any local network(s) on the server.
          Do you know if one alternative could be to use one server for each client, with each server on a different port? Would it then be able to route correctly?

          Thanks again.

            viragomann @jarlel

            @jarlel said in Site2Site from multiple clients with the same local network/subnet:

            The clients will communicate through the tunnel just to go out to the internet via the VPN-server. The clients don't have to reach any local network(s) on the server.

            For upstream traffic only, there would be no issue (redirect gateway).

            Do you know if one alternative could be to use one server for each client, with each server on a different port? Would it then be able to route correctly?

            Not clear what you mean.
            Running different VPN servers, one for each client? This would be possible, but it has nothing to do with routing.

            For accessing the remote site, which has the same local subnet, I recently gave an example here: https://forum.netgate.com/topic/182833/routing-with-vpn/4

              jarlel @viragomann

              @viragomann said in Site2Site from multiple clients with the same local network/subnet:

              @jarlel said in Site2Site from multiple clients with the same local network/subnet:

              The clients will communicate through the tunnel just to go out to the internet via the VPN-server. The clients don't have to reach any local network(s) on the server.

              For upstream traffic only, there would be no issue (redirect gateway).

              Ok, sounds reasonable. Can you please explain what you mean by "redirect gateway"?

              Do you know if one alternative could be to use one server for each client, with each server on a different port? Would it then be able to route correctly?

              Not clear what you mean.
              Running different VPN servers, one for each client? This would be possible, but it has nothing to do with routing.

              Yes, that is what I am thinking, one server for each client. I want to be able to reach hosts on the client side from the server side. The problem is that the LANs on the clients' side are identical, so to be able to route traffic to specific hosts on the different clients I need to mask each client to a different subnet.

              Suggestion:

              - Use one server for each client (each server on its own UDP port). This way I can have different NAT rules for each client.
              - Add an OPT interface to every OpenVPN interface to be able to do specific NAT settings.
              - Set up 1:1 NAT as you explained in the example, using a different single-host subnet (e.g. 10.171.45.0) for each interface.

              Then I will be able to address/access hosts/IPs on the different clients side even if they have the same LAN subnet, right? Do you think this will work?
              It is a bit "complex", but I don't see another way of doing it at the moment.

              For accessing the remote site, which has the same local subnet, I recently gave an example here: https://forum.netgate.com/topic/182833/routing-with-vpn/4

                viragomann @jarlel

                @jarlel said in Site2Site from multiple clients with the same local network/subnet:

                Can you please explain what you mean by "redirect gateway"?

                This is an OpenVPN option, which replaces the client's default gateway with the OpenVPN server.
                In the server settings you can check this option, so the server pushes it to the client.

                - Use one server for each client (each server on its own UDP port). This way I can have different NAT rules for each client.
                - Add an OPT interface to every OpenVPN interface to be able to do specific NAT settings.

                This is only needed if you want to policy-route traffic to the client side.
                Otherwise you can also go with a single server and configure Client specific overrides for each client. The latter is needed anyway.

                - Set up 1:1 NAT as you explained in the example, using a different single-host subnet (e.g. 10.171.45.0) for each interface.

                Note that the NAT must be done on the clients. So if you translate one client's subnet to 10.171.45.0/24 as in this example, you have to state this subnet in the CSO and also in the OpenVPN server settings "Remote Networks" box.

                Then I will be able to address/access hosts/IPs on the different clients side even if they have the same LAN subnet, right? Do you think this will work?
                It is a bit "complex", but I don't see another way of doing it at the moment.

                Yes. It's just NAT and you have to use a certain different subnet for each client.

                  jarlel @viragomann

                  This is an OpenVPN option, which replaces the client's default gateway with the OpenVPN server.
                  In the server settings you can check this option, so the server pushes it to the client.

                  Ah, I get it. It is just certain destinations that should be routed through the tunnel, so I have specified the hosts/networks in the "IPv4 Remote network(s)" field on the client side.

                  - Use one server for each client (each server on its own UDP port). This way I can have different NAT rules for each client.
                  - Add an OPT interface to every OpenVPN interface to be able to do specific NAT settings.

                  This is only needed if you want to policy-route traffic to the client side.
                  Otherwise you can also go with a single server and configure Client specific overrides for each client. The latter is needed anyway.

                  Ok, I see. I don't need that. I have tested now with a single server and 1:1 NAT on the client side, with the client specific override on the server side. Is this needed to differentiate between different remote networks, like 10.171.45.0/24 for the first client?

                  I guess it is required to use different certificates for each client, right? Otherwise it will not be possible to differentiate between the different clients and different remote networks for each client?

                  Note that the NAT must be done on the clients. So if you translate one client's subnet to 10.171.45.0/24 as in this example, you have to state this subnet in the CSO and also in the OpenVPN server settings "Remote Networks" box.

                  Nice, I have tested with the first client now, translated the LAN to 10.171.45.0/24 and then I will use 10.171.46.0/24 for the next one and so on.

                  Then I will be able to address/access hosts/IPs on the different clients side even if they have the same LAN subnet, right? Do you think this will work?
                  It is a bit "complex", but I don't see another way of doing it at the moment.

                  Yes. It's just NAT and you have to use a certain different subnet for each client.

                  Thanks, I have successfully reached local IPs on the client-side now with the mentioned NAT setup :-)

                    viragomann @jarlel

                    @jarlel said in Site2Site from multiple clients with the same local network/subnet:

                    I have tested now with a single server and 1:1 NAT on the client side, with the client specific override on the server side. Is this needed to differentiate between different remote networks, like 10.171.45.0/24 for the first client?

                    Yes, the CSO sets the routes within OpenVPN, so that the traffic is routed to the proper client.

                    The "Remote Networks" field in the server settings sets the routes for the entered networks to the OpenVPN server in pfSense.

                    I guess it is required to use different certificates for each client, right?

                    Yes, each client must use a unique certificate.

                      jarlel @viragomann
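The two-layer setup viragomann describes, written out as the configuration the pfSense GUI generates, as an added illustration (not from the thread or from pfSense's own docs). It shows two clients with the identical LAN 192.168.1.0/24 (constructed), each translated by a client-side 1:1 NAT to its own /24, and the matching server-side "Remote Networks" (route) and CSO (iroute) entries. Certificate CNs client-a and client-b, the interface names ovpnc1/ovpns1 and the CSO directory path are assumptions.

```conf
# ---- OpenVPN server on the central pfSense ----
# "IPv4 Remote Network(s)" in the server settings becomes one route line
# per translated client subnet: the kernel sends these subnets into the
# OpenVPN server process (interface ovpns1).
route 10.171.45.0 255.255.255.0
route 10.171.46.0 255.255.255.0
# Client Specific Overrides are written as per-CN files in this directory
# (path assumed); the file name must equal the client certificate's CN,
# which is why every client needs its own certificate.
client-config-dir /var/etc/openvpn/server1/ccd

# ---- CSO file /var/etc/openvpn/server1/ccd/client-a ----
# "IPv4 Remote Network(s)" in the CSO becomes an iroute: it tells the
# OpenVPN process which connected client owns this subnet.
iroute 10.171.45.0 255.255.255.0

# ---- CSO file /var/etc/openvpn/server1/ccd/client-b ----
iroute 10.171.46.0 255.255.255.0

# ---- Client A pfSense: pf rule generated by the 1:1 NAT entry ----
# Interface = the OpenVPN client interface, Internal IP = real LAN,
# External subnet = the unique translated subnet announced to the server.
binat on ovpnc1 from 192.168.1.0/24 to any -> 10.171.45.0/24

# ---- Client B pfSense: same LAN, different translated subnet ----
binat on ovpnc1 from 192.168.1.0/24 to any -> 10.171.46.0/24
```

To check the result on the server, `netstat -rn` should list both 10.171.x.0/24 routes via ovpns1, and the OpenVPN log should show each client's iroute being learned from its CSO when it connects; a host reached as 10.171.45.10 is 192.168.1.10 behind client A.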

                      Yes, the CSO sets the routes within OpenVPN, so that the traffic is routed to the proper client.

                      The "Remote Networks" field in the server settings sets the routes for the entered networks to the OpenVPN server in pfSense.

                      Thanks again for your help, viragomann - I now have a setup that seems to work well :-)

                      I am not quite sure yet what the difference is between "remote networks" in the server settings and "remote networks" in the CSO...

                      Cheers,
                      Jarle

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.