[SOLVED] OpenVpn and NAT for same subnet
-
Hi guys,
This is my first post and I'm trying to get out of a problem. I have a pfSense on an x86 machine that has 2 interfaces: one is on a PPPoE ADSL2+ modem connected to the internet and the other to my LAN.
The problem is when I want to connect to my home LAN using OpenVPN and the client is in the same subnet as my home LAN.
I think I have to use some kind of Address Translation to... TRANSLATE my home network subnet to something different through the OpenVPN interface.
For example, to remotely access 192.168.1.1 I have to type (on the client side) 10.10.10.1 (or something like that)... that address is translated to the correct address on the server side.
The configuration is intended for road warriors... not site-to-site.
What do you suggest about that? With iptables I have some ideas, but the problem is interfacing with pfSense and its capabilities.
Thanks for your support,
Michele (excuse my English....)
-
Simple, change your home LAN scope to something not used by typical SOHO routers.
-
Simple... but not elegant at all :D
Is there any way to do that with pfSense NAT?
I used to do it with iptables on Linux... never tried on a BSD system.
Thanks for reply
-
On my network I've done this with a 1:1 NAT rule (I'm using pfSense 2.0). If your home network is 192.168.1.0/24, your VPN network is 10.10.15.0/24, and you want to translate your home network to 10.10.10.0/24 for access by the connected system, add a 1:1 NAT rule on the OpenVPN interface with external subnet IP 10.10.10.0, internal subnet (labeled "internal IP") 192.168.1.0/24, and destination 10.10.15.0/24.
For this example, in your OpenVPN server configuration, add this to the advanced options (replace the subnet with the actual subnet you choose to use for the translation):

push "route 10.10.10.0 255.255.255.0";

With this configuration, 192.168.1.11 would be reachable at 10.10.10.11, for example. Depending on where you will be using the VPN, you may want to make sure those two subnets for the VPN are sufficiently unique that you would be unlikely to encounter them elsewhere. In my case, I made up two random numbers for the second and third octets of the subnet, then used a subnet next to it for the translation subnet.
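An added example, not code from this thread or from pfSense, that models the answer above in Python: the 1:1 address mapping (host bits kept, prefix swapped), a check that the tunnel and translation subnets do not collide with whatever network the road-warrior client happens to be sitting on, and the OpenVPN push line and pf binat rule the plan amounts to. The subnets are the ones from the post; the interface name `ovpns1` and the exact binat text pfSense generates from a 1:1 NAT rule are assumptions, so compare against `pfctl -sn` on your own box.

```python
"""Model of 'reach the home LAN through a translated subnet' for a road-warrior VPN.

The client never talks to 192.168.1.x (which would be swallowed by its own local
routing table); it talks to 10.10.10.x, and pfSense rewrites the prefix 1:1.
"""
import ipaddress

# Subnets from the forum answer.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")    # real LAN behind pfSense
VPN_TUNNEL = ipaddress.ip_network("10.10.15.0/24")   # OpenVPN tunnel subnet
TRANSLATED = ipaddress.ip_network("10.10.10.0/24")   # what the client addresses instead of 192.168.1.0/24
OVPN_IF = "ovpns1"  # ASSUMPTION: pfSense's interface name for the first OpenVPN server instance


def translate(addr, src_net, dst_net):
    """Map addr inside src_net to the address with the same host offset in dst_net.

    This is what a 1:1 NAT (pf binat) or iptables NETMAP does: only the network
    part changes, so 192.168.1.11 <-> 10.10.10.11.
    """
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-size subnets")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def check_plan(home, tunnel, translated, client_local):
    """Return a list of problems with the addressing plan for a client whose local
    network is client_local; an empty list means the plan works from that location.

    Note that home overlapping client_local is NOT a problem: that is exactly the
    situation the translation exists to solve.
    """
    problems = []
    if home.prefixlen != translated.prefixlen:
        problems.append("home and translation subnets must be the same size for 1:1 NAT")
    if translated.overlaps(home):
        problems.append("translation subnet overlaps the home LAN, so nothing is gained")
    if tunnel.overlaps(translated):
        problems.append("tunnel subnet overlaps translation subnet; pushed routes become ambiguous")
    for name, net in (("tunnel", tunnel), ("translation", translated)):
        if net.overlaps(client_local):
            # Same failure as the original post, just moved to a different subnet:
            # the client's local route wins and traffic never enters the tunnel.
            problems.append(f"{name} subnet {net} collides with the client's local network {client_local}")
    return problems


def openvpn_push_line(net):
    """The server-side custom option that makes the client route the translated subnet via the VPN."""
    return f'push "route {net.network_address} {net.netmask}";'


def pf_binat_rule(iface, home, tunnel, translated):
    """ASSUMPTION: the pf rule a pfSense 1:1 NAT entry (external=translated,
    internal=home, destination=tunnel) turns into. Verify with 'pfctl -sn'."""
    return f"binat on {iface} from {home} to {tunnel} -> {translated}"


if __name__ == "__main__":
    # Client sitting on a hotel/office LAN that happens to use 192.168.1.0/24 as well.
    print(check_plan(HOME_LAN, VPN_TUNNEL, TRANSLATED, ipaddress.ip_network("192.168.1.0/24")))
    print(translate("192.168.1.11", HOME_LAN, TRANSLATED))  # client types this one
    print(translate("10.10.10.11", TRANSLATED, HOME_LAN))   # pfSense rewrites back to this
    print(openvpn_push_line(TRANSLATED))
    print(pf_binat_rule(OVPN_IF, HOME_LAN, VPN_TUNNEL, TRANSLATED))
```

Run `check_plan` against every network you expect to connect from (cafe, office, the other typical SOHO defaults such as 192.168.0.0/24 and 10.0.0.0/24) before settling on the tunnel and translation subnets; that is the "sufficiently unique" advice from the answer made mechanical.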
-
Thanks...
That was so simple. With iptables I had to do some acrobatic things with NETMAP and so on. Thank you again for the help.