[SOLVED]Is there a way to have the same local and remote subnet?



  • Hi,

    I know it's a very common mistake / question regarding OpenVPN but the fact is I can't change the local or remote subnet. Is there a way to make it works?
    Clients need to access remote servers on the pfsense subnet which is the same as the local client subnet : 192.168.0.0/24. I forced clients with option : Force all client generated traffic through the tunnel, on windows XP it's working fine, but Vista / 7 behave differently.

    Pfsense server ( OpenVPN ) Local : 192.168.0.1/24
                               |
                               |
    VPN's client Local : 192.168.0.1/24
    VPN subnet 10.0.8.0/24

    Thank you,


  • LAYER 8 Global Moderator

    Not a good idea even if you can sometimes make it work with force through the tunnel.  Going to be impossible to access a device down the tunnel that just happens to have the same IP as yours ;)

    CHANGE your local network, I could see why you might not have control over the remote - but how is it your setting up the openvpn connection but don't have control over the local IP space?

    You might be able to do something with a NAT if you can not change the IPs just use a 1to1 mapping with some other network, ie say 192.168.10.X = 192.168.1.X
    192.168.10.Y = 192.168.1.Y
    etc…



  • Well despite warnings on Vista / 7 looks like it's working now, I know it's not a good idea to use the same subnet but I can't change it :/
    For Vista / 7 users don't forget to run as admin otherwise you can't change routes
    I'm changing the post title to SOLVED.


  • LAYER 8 Global Moderator

    I wouldn't really mark your work around as solved - because you have not solved the root of the problem.  The root of the problem is you have the same network segment.

    So you force traffic down the tunnel - now clients can not access resources on their own segment ;)  And still have issue with dupes, maybe client wants to access 192.168.1.14 on his segment, and he ends up trying to access 192.168.1.14 on your segment.  Maybe his address is .14, and needs to access .14 on other end ;)

    Your solution may have allowed you to accomplish a portion of what your what your wanting to do - but it in no way is an actual solution.  Now natting would actually be a solution since remote clients would be able to access any IP on the vpn local side, no matter what IP even if matches up with their own.


Log in to reply