Netgate Discussion Forum

Firewall OpenVPN Peer-to-Peer Networking with same IP Address sub-network

5 Posts 3 Posters 727 Views
  • B
    Bot
    last edited by Oct 5, 2023, 8:02 PM

    Hello, I'm facing a logic problem regarding peer-to-peer firewall configuration. I have established an SSL/TLS connection that is currently working fine. Here's a brief explanation of the current setup:
    LAN Network: 192.168.2.0/24
    Remote SSL Network: 192.168.0.0/24
    The remote network belongs to Company B, and my company is Company A. When I access the server at 192.168.0.23, it works as expected.
    Now, here's my problem: I'm an IT company, and we want to establish peer-to-peer connections with multiple companies. However, each company has its own internal network, and my issue is as follows:
    I want to connect to Company C, which also has an internal network of 192.168.0.0/24, exactly the same as Company B. How do I avoid conflicts between these networks? For example, both companies have a server with the IP 192.168.0.23. When I try to connect from my Company A machine, it won't know where to connect, right?
    Note: I can't change the subnets of the subsequent companies.
    I created an example diagram; I'm sorry if it didn't turn out very well.
    Diagram

    • V
      viragomann @Bot
      last edited by Oct 5, 2023, 9:56 PM

      @Bot said in Firewall OpenVPN Peer-to-Peer Networking with same IP Address sub-network:

      How do I avoid conflicts between these networks?

      I don't think that there would be conflict basically if you connect to both.

      But do you even need to connect to both at the same time?

      For example, both companies have a server with the IP 192.168.0.23. When I try to connect from my Company A machine, it won't know where to connect, right?

      That's right. I guess the later-added route will be applied in this case.

      On your site there is no possibility to work around this, as far as I know. But you could NAT the traffic on one of the remote sites and access this network with a substitute subnet then.

      • P
        planedrop
        last edited by Oct 6, 2023, 7:33 PM

        What @viragomann mentioned is the solution: you'll need to use NAT and basically create an alternate subnet that "maps" to the real subnet via NAT. Otherwise there is no way to route to the same IP belonging to 2 different machines in the same subnet space, if both VPNs are up and running at the same time.

        I'd also ask, any reason not to use IPsec for this? That's just out of curiosity, but also IMO it's a bit easier to get going for complex S2S scenarios.

        • B
          Bot @planedrop
          last edited by Oct 9, 2023, 12:27 PM

          @planedrop I'll test what you said; if it works, I did it, thanks for the idea.
          In fact I didn't even know it was possible to do it through IPsec. I'm just starting with pfSense, I just followed a YouTube tutorial lol, I only know the basics of networks.

          • P
            planedrop @Bot
            last edited by Oct 23, 2023, 9:33 PM

            @Bot I personally would say go with IPsec when you can. OpenVPN is cool and all, but IMO just not the same vs IPsec or WireGuard, which are my two go-to options. OpenVPN certainly is overall more configurable (not to be confused with capable) than the other 2, but it ends up being harder to set up, slower, and more complex.

            But yeah this should be doable either way by using NAT, it's basically the only way to get two identical subnets talking over a VPN.

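A small model of the route ambiguity viragomann describes and the 1:1 NAT "substitute subnet" fix planedrop recommends, added here as an illustration and not code from the thread or from pfSense; the substitute subnets 10.99.2.0/24 and 10.99.3.0/24 and the tunnel names are assumptions chosen for the example.

```python
# Added example (not from the thread): models why two tunnels to identical
# 192.168.0.0/24 networks are ambiguous, and how 1:1 NAT on the remote site
# resolves it by exposing each remote LAN under a distinct substitute subnet.
import ipaddress

# Constructed sample values (from the thread: Company A LAN and the shared
# remote subnet; the substitute subnets and tunnel names are assumptions).
COMPANY_A_LAN = ipaddress.ip_network("192.168.2.0/24")
REAL_REMOTE = ipaddress.ip_network("192.168.0.0/24")   # used by both B and C
SUBSTITUTE = {
    "B": ipaddress.ip_network("10.99.2.0/24"),  # assumed, unused elsewhere
    "C": ipaddress.ip_network("10.99.3.0/24"),  # assumed, unused elsewhere
}

def lookup_route(routes, dst):
    """Longest-prefix match over (network, tunnel) pairs in insertion order.
    On equal prefixes the route added last wins: the ambiguity in the thread."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, tunnel in routes:
        if dst in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, tunnel)
    return best[1] if best else None

def translate_1to1(pkt_dst, substitute, real):
    """1:1 (binat-style) NAT as done on the remote firewall: keep the host
    part, swap the network part, e.g. 10.99.2.23 -> 192.168.0.23."""
    dst = ipaddress.ip_address(pkt_dst)
    if dst not in substitute:
        return None                      # not a translated address
    host_bits = int(dst) - int(substitute.network_address)
    return ipaddress.ip_address(int(real.network_address) + host_bits)

def check_no_overlap():
    """Substitute subnets must not overlap each other, the local LAN, or the
    real remote subnet, or the same ambiguity returns."""
    nets = [COMPANY_A_LAN, REAL_REMOTE] + list(SUBSTITUTE.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets)
               for b in nets[i + 1:])

def without_nat():
    # Both tunnels claim 192.168.0.0/24: the lookup silently picks one.
    routes = [(REAL_REMOTE, "ovpn-to-B"), (REAL_REMOTE, "ovpn-to-C")]
    return lookup_route(routes, "192.168.0.23")

def with_nat(company):
    # Company A routes each substitute subnet over its own tunnel; the remote
    # side translates the destination back to the real 192.168.0.x host.
    routes = [(SUBSTITUTE["B"], "ovpn-to-B"), (SUBSTITUTE["C"], "ovpn-to-C")]
    dst = str(SUBSTITUTE[company][23])   # the .23 host, e.g. 10.99.2.23
    tunnel = lookup_route(routes, dst)
    real = translate_1to1(dst, SUBSTITUTE[company], REAL_REMOTE)
    return tunnel, str(real)
```

On the remote pfSense the translation step corresponds to a 1:1 NAT entry on its OpenVPN interface mapping the substitute subnet to the real 192.168.0.0/24, with Company A routing only the substitute subnet over that tunnel.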
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.