How to access OpenVPN remote LAN when local LAN has the same network address



  • It took me a little while to figure this out, so I hope to save someone else the aggravation.

    Problem
    I have two separate LAN segments that have the same network address (192.168.1.0/24).  One LAN has a pfSense OpenVPN server to connect remote clients to a local FTP server (for this example).

    Network A
      - pfSense OpenVPN Server
              LAN:                      192.168.1.1
              OpenVPN:              192.168.2.1

    - FTP Server
              LAN:                      192.168.1.100

    Network B
      - Third-party Gateway
              LAN:                      192.168.1.1

    - Host 1 (OpenVPN client)
              LAN:                      192.168.1.20
              OpenVPN:              192.168.2.2

    In my scenario, Host 1 (on Network B) needs to access the FTP server on Network A.  Ideally, traffic should be routed from the Network B gateway to the pfSense OpenVPN server, then to the Network A LAN.

    Since both networks share the same network address, a connection attempt from Network B to 192.168.1.100 fails because that address is considered part of the local LAN and does not get routed through the tunnel.

    Solution
    To get around this problem, I created a "virtual" IP address for the FTP server using port forwarding.

    Under Firewall->NAT->Port Forward, create a new rule.
      - Set the interface to OpenVPN.
      - Set the protocol, as necessary.
      - Set the destination to your "virtual" IP address.  I used 192.168.2.100.
      - Set the destination port range (21 in this example).
      - Set the redirect target IP to the real IP address of the FTP server (192.168.1.100).
      - Set the redirect target port range (21 in this example).
      - Set the filter rule association to Pass.

    Now the FTP server on Network A essentially looks like this:
      - FTP Server
              LAN:                      192.168.1.100
              OpenVPN:              192.168.2.100

    Clients on Network B can access the FTP server over the tunnel by referring to it using its "virtual" IP address.

    Aaron


Log in to reply