Netgate Discussion Forum

OpenVPN-server & OpenVPN-client with same subnet

11 Posts 4 Posters 4.4k Views

escworm, Mar 26, 2015, 7:53 AM (edited 8:07 AM)

    Hello everyone,

    I just need to know if there is a solution to have the same subnet on a client machine and on the server side and still communicate.

    Problem:
    OpenVPN server: 192.168.0.0/24
    OpenVPN client on home network: 192.168.0.0/24

    Tunnel network: 192.168.3.0/24.

    The problem is that on the server side we have a server on subnet 192.168.0.0/24, and the clients need to connect to that server. Some of our clients have the standard subnet 192.168.0.0/24… But for other subnets it works perfectly. I would have chosen another subnet on the VPN side, like 192.168.53.0, to make sure everyone can connect. But I can't, due to the server everyone needs to connect to. Changing subnet means reinstalling software on everyone's computer.

    doktornotor (Banned), Mar 26, 2015, 8:33 AM (edited 8:40 AM)

      So tell the user to renumber his home network? (By putting yourself on 10.0.0.0/24, 192.168.0.0/24 or 192.168.1.0/24 you're really just shooting yourself in the foot; horrible idea, most of the consumer routers/modems/CPE out there default to one of these…)

      Derelict (LAYER 8 Netgate), Mar 26, 2015, 8:52 AM

        There is a solution but it requires 1:1 NAT at both ends.  Good luck with their end.

        DO NOT USE:

        192.168.0.0/24
        192.168.1.0/24
        10/anything

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        escworm, Mar 26, 2015, 8:57 AM

          Thank you for the good answer!

          I was hoping there was an easy solution to these problems. The only reason I set up 192.168.0.0/24 is because of the old setup of the server software on the clients. Otherwise I would take something like 192.168.53.x. Less chance someone has the same subnet.

          The users are not IT people, so they can't just change their subnets without my help. And that could cause problems on their home networks if they have printers and so on :/

          Can this be a solution:
          Set up one more subnet, say 192.168.53.x. OpenVPN connects to this subnet, and from that subnet they can reach 192.168.0.0/24 on the server side? Or will they still clash with their own network?

          I'm very new to VPN setups, so I hope you people understand it and my bad English :-X

          How my network looks:
          An IPsec solution to connect three networks together, and OpenVPN for people who travel a lot or want to stay home. We have 6 servers in total on the network.

          Derelict (LAYER 8 Netgate), Mar 26, 2015, 9:12 AM

            No.  It doesn't matter what the tunnel network is.

            192.168.1.0/24 <- 192.168.53.0/24 -> 192.168.1.0/24

            That will still be broken.  Any time either of the edge sites needs to send traffic to the other it will think it's on its local network and treat it as such.  It will never get sent to the gateway/router.

            escworm, Mar 26, 2015, 9:17 AM

              Thanks for such fast help!

              Well, sounds logical.

              How does 1:1 NAT work for me? Can you explain more what it is and how I use it in my environment?

              doktornotor (Banned), Mar 26, 2015, 9:31 AM

                As said, it won't. It needs to be done on both ends. You'll have a hard time getting users to do a couple of clicks to change their LAN subnet to something else. Getting them to configure complicated stuff like 1:1 NAT is just a waste of time.

                (Wondering what kind of completely broken software you are using that requires you to reinstall it when the IP changes.)

                Derelict (LAYER 8 Netgate), Mar 26, 2015, 9:38 AM

                  There is a section in the book called "NAT with OpenVPN: OpenVPN Site-to-Site with conflicting subnets"

                  I hate to say, "buy the book," but the time it would take me to reiterate what is spelled out there would cost me more than it would cost you to just buy the gold membership.

                  escworm, Mar 26, 2015, 11:02 AM

                    doktornotor:
                    Understood now; yes, it sounds like wasting time.
                    Naming the software will not make any sense to anyone here. It's very unpopular/expensive and we are the unlucky company using it. Changing subnet will require changing the IP on the server and reinstalling on the clients' machines to point to the correct IP. And we also have a lot of third parties connecting to that bast*rd.

                    So I have two options? The first is to give up and help clients change their subnets. The second is to change subnet and reinstall clients?

                    Derelict:
                    Thanks, books are good.

                    robi, Mar 26, 2015, 3:47 PM

                      I don't think you need to NAT on both ends. You should be able to create a single 1:1 NAT on the VPN server side between 192.168.53.0/24 and 192.168.1.0/24. All the VPN clients (which I presume are simple Windows clients on home PCs or laptops) can see 192.168.53.0/24 as if it were 192.168.1.0/24.

                      The question is, of course, how the software will handle this; NAT is something many software implementations don't like.

                      doktornotor (Banned), Mar 26, 2015, 3:56 PM

                        @robi:

                        I don't think you need to NAT on both ends. You should be able to create a single 1:1 NAT on the VPN server side between 192.168.53.0/24 and 192.168.1.0/24. All the VPN clients (which I presume are simple Windows clients on home PCs or laptops) can see 192.168.53.0/24 as if it were 192.168.1.0/24.

                        No idea how you imagine this to work, really. So, you get traffic from the VPN server side's LAN via VPN. It won't ever reply back via VPN. It's like NAT reflection backwards.

                        1 Reply Last reply Reply Quote 0
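Added illustration, not part of the thread: the script below models the two points argued above in plain Python. First, Derelict's observation that the tunnel network is irrelevant: a road-warrior client whose home LAN is 192.168.0.0/24 picks a route by longest prefix match, so a pushed 192.168.0.0/24 route over the tunnel can never beat the directly connected one and the packet never leaves the home LAN. Second, robi's server-side-only 1:1 NAT: the client is told to use an alias network (192.168.53.0/24) that collides with nothing, pfSense rewrites 192.168.53.x to 192.168.0.x on the way in and reverses it on the way out. The addresses mirror the thread; the routing table, the tie-break by metric and the assumption that office hosts route the tunnel network (192.168.3.0/24) back to the VPN server are constructed for the example, and it says nothing about whether the application in question tolerates NAT.

```python
"""Model of conflicting-subnet routing and server-side 1:1 NAT (constructed example)."""
import ipaddress
from typing import List, Optional, Tuple

# (network, next hop / interface label, metric); metrics are an assumed simplification
Route = Tuple[str, str, int]


def select_route(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, ties broken by lowest metric (simplified host routing)."""
    d = ipaddress.ip_address(dst)
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for net, hop, metric in routes:
        n = ipaddress.ip_network(net)
        if d not in n:
            continue
        key = (n.prefixlen, -metric)          # longer prefix wins, then lower metric
        if best is None or key > best[0]:
            best = (key, hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


# Road-warrior client at home (assumed table).  Home LAN is 192.168.0.0/24;
# OpenVPN pushed both the office LAN and the NAT alias network via tun0.
CLIENT_ROUTES: List[Route] = [
    ("192.168.0.0/24", "home LAN (on-link)", 0),  # directly connected
    ("192.168.3.0/24", "tun0", 0),                # tunnel network
    ("192.168.0.0/24", "tun0", 1),                # pushed office route: same /24, loses the tie
    ("192.168.53.0/24", "tun0", 1),               # pushed NAT alias: unique prefix, reachable
]

NAT_ALIAS = "192.168.53.0/24"   # what clients are told to address
OFFICE_LAN = "192.168.0.0/24"   # what the office servers really use


def translate_1to1(addr: str, from_net: str, to_net: str) -> str:
    """1:1 NAT: keep the host part, swap the network part (networks must be equal size)."""
    f = ipaddress.ip_network(from_net)
    t = ipaddress.ip_network(to_net)
    if f.prefixlen != t.prefixlen:
        raise ValueError("1:1 NAT needs equal-size networks")
    a = ipaddress.ip_address(addr)
    if a not in f:
        raise ValueError(f"{addr} not in {from_net}")
    offset = int(a) - int(f.network_address)
    return str(t.network_address + offset)


def exchange(client_tun_ip: str, dst: str) -> dict:
    """Trace one request/reply: the client's route choice, then the server-side NAT.
    Returns the addresses as seen at each hop so the effect of the NAT is visible."""
    out = {"client_route": select_route(CLIENT_ROUTES, dst)}
    if out["client_route"] != "tun0":
        out["reaches_office"] = False          # packet stays on the home LAN
        return out
    # pfSense (VPN server side) rewrites the destination 192.168.53.x -> 192.168.0.x.
    # Other tunnel destinations (e.g. the tunnel network itself) pass through untouched.
    alias = ipaddress.ip_network(NAT_ALIAS)
    inside_dst = dst
    if ipaddress.ip_address(dst) in alias:
        inside_dst = translate_1to1(dst, NAT_ALIAS, OFFICE_LAN)
    out["office_sees"] = (client_tun_ip, inside_dst)
    # Assumption: the office host replies to the client's *tunnel* address, which its
    # default gateway (pfSense) routes back over OpenVPN; on the way out pfSense
    # reverses the mapping on the source address so the client sees the alias it used.
    if inside_dst != dst:
        out["client_sees_reply_from"] = translate_1to1(inside_dst, OFFICE_LAN, NAT_ALIAS)
    else:
        out["client_sees_reply_from"] = inside_dst
    out["reaches_office"] = True
    return out


if __name__ == "__main__":
    print(exchange("192.168.3.6", "192.168.0.10"))   # stays on the home LAN
    print(exchange("192.168.3.6", "192.168.53.10"))  # translated to 192.168.0.10
```

Run it and the first call shows the conflicting case: the destination is resolved on the home LAN and never reaches tun0, whatever the tunnel network is. The second call reaches the office only because the client addressed the alias network; everything hinges on the office host's reply being routed back to the tunnel address, which is the path doktornotor's objection is about.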
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.