    Virtual IP Subnet for VPN

    OpenVPN
      popwarfour

      Hello,

      Been doing a bunch of googling and I've stumbled across this forum.

      I'm here in regards to a ServerFault question I have posted. http://serverfault.com/questions/681031/virtual-ip-pool-for-nat-with-strongswan-vpn

      Basically I'm trying to come up with a way to set up a VPN tunnel to remote sites that may potentially have the same subnet as my main site. The remote sites are unable to do any NATing on their end, so all configuration will fall on the main site.

      I've been learning about StrongSwan recently and was hoping to use that but the more I read on this issue, I'm finding it may not be possible to accomplish with StrongSwan.

      I think, and please correct if I'm wrong, the standard solution to this problem is to create a virtual subnet at my local gateway and map the remote subnet into that virtual subnet. With my current configuration I'm only able to get the remote gateway itself to map into the virtual subnet.

      Would OpenVPN be a better solution to this problem? If so, any hints in the right direction would be greatly appreciated.

        Derelict (Netgate)

        I was going to post that this is impossible without NAT at both ends but I was thinking about it on the way home.  Since, with OpenVPN, you really have two discrete routing tables (routes and iroutes) I thought it might be possible.  Turns out it looks like I was half right.

        Refer to the diagram in my sig.  I am able to allow Host B2 to connect to Host A2 using nothing but the OpenVPN config and 1:1 NAT on pfSense A.  Connections from Host A2 to Host B2, however, are reflected back to Host A2 (or pfSense A OPT1, actually).

        Here's what I did:

        Modified the OpenVPN server config for OVPNS1:

        IPv4 Local Network/s: 172.26.0.0/24,192.168.100.0/24
        IPv4 Remote Network/s: 172.26.2.0/24, 192.168.101.0/24

        Then I made a client specific override

        Common name: pfsenseb.example.com
        Advanced: iroute 192.168.1.0 255.255.255.0

        Then I created two 1:1 NAT entries on pfSense A

        Interface: OPT1
        External subnet IP: 192.168.101.0
        Internal IP: Network: 192.168.1.0/24

        and

        Interface: OVPNS1
        External subnet IP: 192.168.100.0
        Internal IP: OPT1 net

        Connections from Host B2 to 192.168.100.100 hit Host A2.  Host B2 appears to Host A2 as 192.168.101.100.

        Connections from Host A2 to 192.168.101.100 are reflected back to Host A2, but the source IP of the connection appears as 192.168.101.100.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          popwarfour
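A constructed model of the two 1:1 NAT entries above, added here to show why the B2-to-A2 direction works while a new connection from A2 to B2 reflects; it is not code from the post or from pfSense. It assumes the entries behave like pf binat (destination rewritten on the way into the interface, source rewritten on the way out) and that the system routing table only knows the directly connected OPT1 route for 192.168.1.0/24, since iroute lives inside OpenVPN.

```python
import ipaddress

# Constructed topology from the thread: both sites use 192.168.1.0/24,
# and A2 and B2 are both host .100 of their own LAN.
OPT1_NET  = ipaddress.ip_network("192.168.1.0/24")    # pfSense A OPT1 net, and also site B's LAN
A_AS_SEEN = ipaddress.ip_network("192.168.100.0/24")  # A's OPT1 net as site B sees it
B_AS_SEEN = ipaddress.ip_network("192.168.101.0/24")  # site B as A's OPT1 hosts see it

# The two 1:1 NAT entries from the post, keyed by interface: (internal, external).
# Assumption: binat semantics. Entering the interface, a destination inside
# 'external' becomes 'internal'; leaving it, a source inside 'internal' becomes 'external'.
ONE_TO_ONE = {
    "OPT1":   (OPT1_NET, B_AS_SEEN),   # external 192.168.101.0, internal 192.168.1.0/24
    "OVPNS1": (OPT1_NET, A_AS_SEEN),   # external 192.168.100.0, internal OPT1 net
}

def shift(addr, from_net, to_net):
    """Keep the host offset but move it into to_net (the '1:1' part of 1:1 NAT)."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)

def egress_interface(dst):
    # Assumption: the kernel table has only the connected OPT1 route for 192.168.1.0/24,
    # so anything translated back into 192.168.1.x is sent out OPT1, never into the tunnel.
    return "OPT1" if dst in OPT1_NET else "OVPNS1"

def forward(ingress, src, dst):
    """Trace a new (stateless) packet through pfSense A; return (egress, src, dst)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    internal, external = ONE_TO_ONE[ingress]
    if dst in external:                 # inbound leg of the rule on the ingress interface
        dst = shift(dst, external, internal)
    egress = egress_interface(dst)
    internal, external = ONE_TO_ONE[egress]
    if src in internal:                 # outbound leg of the rule on the egress interface
        src = shift(src, internal, external)
    return egress, str(src), str(dst)

def is_reflected(ingress, src, dst):
    """True when the packet leaves on the interface it came in on."""
    return forward(ingress, src, dst)[0] == ingress

if __name__ == "__main__":
    # B2 -> A2: leaves on OPT1 and B2 shows up as 192.168.101.100, as the post reports.
    print("B2 -> A2:", forward("OVPNS1", "192.168.1.100", "192.168.100.100"))
    # A2 -> B2: the translated destination is A2's own subnet, so it goes right back out OPT1.
    print("A2 -> B2:", forward("OPT1", "192.168.1.100", "192.168.101.100"))
```

The second trace yields the same tuple as the first, which is exactly the reflection the post describes: after the OPT1 entry rewrites 192.168.101.100 back to 192.168.1.100, the kernel cannot tell site B's .100 from A2 and picks the connected route.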

          I don't have any experience with OpenVPN specifically, but it looks like you are able to accomplish this because you have access to the specific interfaces attached to the VPN tunnel.

          In your example diagram, is OpenVPN traffic passed over the same interface as your WAN traffic or different one entirely?

          I would prefer to keep using IPSec as StrongSwan is free, but of course that includes the requirement that this is possible.

            Derelict (Netgate)

            Yes.  It's just on the WANs, 172.27.0.5/9.

            Search for "OpenVPN assigned interfaces" to see what you need to do to get a pfSense interface assigned to an OpenVPN instance.  Without doing that you can't NAT on it.

            I don't think any of this is possible in pfSense on IPsec.  All the phase 2 entries put routes in the system routing tables I think so there's no way to distinguish two subnets that are the same.

            The best thing to do is renumber something.
