    OpenVPN-server & OpenVPN-client with same subnet

    OpenVPN
escworm:

      Hello everyone,

      I just need to know if there is a solution to have same subnet on a client machine and on the server side to communicate.

      Problem:
      OpenVPN-server: 192.168.0.0/24
OpenVPN client on home network: 192.168.0.0/24

      Tunnel network: 192.168.3.0/24.

The problem is that on the server side we have a server with subnet 192.168.0.0/24 and the clients need to connect to the server. Some of our clients have the standard subnet 192.168.0.0/24… But for other subnets it works perfectly. I would have chosen another subnet on the VPN site like 192.168.53.0 to make sure everyone can connect. But I can't, due to the server everyone needs to connect to. Changing the subnet means reinstalling software on everyone's computer.

doktornotor:

        So tell the user to renumber his home network? (By putting yourself on 10.0.0.0/24, 192.168.0.0/24, 192.168.1.0/24 you're really just shooting yourself in the foot, horrible idea, most of the consumer routers/modems/CPE out there default to one of these…)

Derelict (Netgate):

          There is a solution but it requires 1:1 NAT at both ends.  Good luck with their end.

          DO NOT USE:

          192.168.0.0/24
          192.168.1.0/24
          10/anything

          Chattanooga, Tennessee, USA
          The pfSense Book is free of charge!
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

escworm:

            Thank you for the good answer!

I was hoping there was an easy solution to these problems. The only reason I set up 192.168.0.0/24 is because of the old setup of the server software on the clients. Otherwise I would take something like 192.168.53.x. Less chance someone has the same subnet.

The users are not IT people, so they can't just change their subnets without my help. And that could cause problems on their home networks if they have printers and so on :/

Can this be a solution:
Set up one more subnet, say 192.168.53.x. OpenVPN connects to this subnet and from that subnet they can reach 192.168.0.0/24 on the server side? Or will they still clash with their own network?

I'm very new to VPN setups so I hope you people understand it and my bad English :-X

What my network looks like:
IPsec solution to connect three networks together and OpenVPN for people who travel a lot or want to stay home. We have a total of 6 servers on the network.

Derelict (Netgate):

              No.  It doesn't matter what the tunnel network is.

              192.168.1.0/24 <- 192.168.53.0/24 -> 192.168.1.0/24

              That will still be broken.  Any time either of the edge sites needs to send traffic to the other it will think it's on its local network and treat it as such.  It will never get sent to the gateway/router.

escworm:

                Thanks for so fast help!

Well. Sounds logical.

How does 1:1 NAT work for me? Can you explain more what it is and how I use it in my environment?

doktornotor:

As said, it won't. It needs to be done on both ends. You'll have a hard time getting users to do a couple of clicks to change their LAN subnet to something else. Getting them to configure complicated stuff like 1:1 NAT is just a waste of time.

(Wondering what kind of completely broken software you are using that requires you to reinstall it when the IP changes.)

Derelict (Netgate):

                    There is a section in the book called "NAT with OpenVPN: OpenVPN Site-to-Site with conflicting subnets"

                    I hate to say, "buy the book," but the time it would take me to reiterate what is spelled out there would cost me more than it would cost you to just buy the gold membership.

escworm:

Doktornote:
Understand now, yes, sounds like wasting time.
Naming the software will not make any sense to anyone here. It's very unpopular/expensive and we are the unlucky company using it. Changing the subnet will require changing the IP of the server and reinstalling on the clients' machines to point to the correct IP. And we also have a lot of third parties connecting to that bast*rd.

So I have two options? The first is to give up and help clients to change their subnets. The second is to change the subnet and reinstall the clients?

                      Derelict:
                      Thanks, books are good.

robi:

Don't think you need to NAT on both ends. You should be able to create a single 1:1 NAT on the VPN server side between 192.168.53.0/24 and 192.168.1.0/24. All the VPN clients (which I presume are simple Windows clients on home PCs or laptops) can see 192.168.53.0/24 as if it were 192.168.1.0/24.

The question is, of course, how the software will handle this; NAT is something many software implementations don't like.

doktornotor:
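To make the routing point in Derelict's reply and the rewrite robi proposes concrete, here is an added example (not from any poster and not pfSense code) that models, with Python's ipaddress module, the client's on-link decision for the overlapping 192.168.0.0/24 and the address translation a server-side 1:1 NAT of 192.168.0.0/24 to 192.168.53.0/24 would perform on client-initiated traffic. The route tables and the 192.168.53.0/24 mapping are assumptions for illustration.

```python
import ipaddress

# Constructed from the thread: both LANs are 192.168.0.0/24 and the tunnel is
# 192.168.3.0/24; 192.168.53.0/24 as the NAT'd view of the server LAN is assumed.
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")
SERVER_LAN = ipaddress.ip_network("192.168.0.0/24")
TUNNEL = ipaddress.ip_network("192.168.3.0/24")
NAT_VIEW = ipaddress.ip_network("192.168.53.0/24")

# Hypothetical route tables. The client has its home LAN on-link plus the routes
# the server pushes; the server LAN hosts reach the tunnel via the pfSense box.
# No route for SERVER_LAN can be pushed: it is the same prefix as HOME_LAN.
CLIENT_ROUTES = [(HOME_LAN, "on-link"), (TUNNEL, "tun0"), (NAT_VIEW, "tun0")]
SERVER_HOST_ROUTES = [(SERVER_LAN, "on-link"), (TUNNEL, "via-pfsense")]


def next_hop(routes, dst):
    """Longest-prefix match: where a host sends a packet for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "default-gw"


def map_1to1(addr, src_net, dst_net):
    """1:1 NAT: keep the host part, swap the network part; other addresses pass untouched."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        return addr
    return dst_net.network_address + (int(addr) - int(src_net.network_address))


def client_to_server(dst):
    """Client-initiated packet: where the client routes it, and the destination the
    server LAN sees once pfSense rewrites 192.168.53.x to 192.168.0.x."""
    hop = next_hop(CLIENT_ROUTES, dst)
    if hop != "tun0":
        return hop, None  # treated as a home-LAN neighbour; never enters the tunnel
    return hop, str(map_1to1(dst, NAT_VIEW, SERVER_LAN))


def server_reply(src, client_tun_ip):
    """Reply from a server LAN host to the client's tunnel address: it is routed to
    pfSense, whose reverse 1:1 NAT makes the source appear as 192.168.53.x again."""
    hop = next_hop(SERVER_HOST_ROUTES, client_tun_ip)
    return hop, str(map_1to1(src, SERVER_LAN, NAT_VIEW))
```

The first case is the breakage Derelict describes: a packet for 192.168.0.10 never leaves the home LAN; the second and third show the forward and reverse translation only for traffic the client sources from its tunnel address.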

                          @robi:

Don't think you need to NAT on both ends. You should be able to create a single 1:1 NAT on the VPN server side between 192.168.53.0/24 and 192.168.1.0/24. All the VPN clients (which I presume are simple Windows clients on home PCs or laptops) can see 192.168.53.0/24 as if it were 192.168.1.0/24.

                          No idea how you imagine this to work, really. So, you get traffic from the VPN server side's LAN via VPN. Won't ever reply back via VPN. It's like NAT reflection backwards.
