How to access OpenVPN remote LAN when local LAN has the same network address
It took me a little while to figure this out, so I hope to save someone else the aggravation.
Problem
I have two separate LAN segments that have the same network address (192.168.1.0/24). One LAN has a pfSense OpenVPN server to connect remote clients to a local FTP server (for this example).

Network A
- pfSense OpenVPN Server
  LAN: 192.168.1.1
  OpenVPN: 192.168.2.1
- FTP Server
  LAN: 192.168.1.100

Network B
- Third-party Gateway
  LAN: 192.168.1.1
- Host 1 (OpenVPN client)
  LAN: 192.168.1.20
  OpenVPN: 192.168.2.2

In my scenario, Host 1 (on Network B) needs to access the FTP server on Network A. Ideally, traffic from Host 1 should go through the OpenVPN tunnel to the pfSense server, then on to the Network A LAN.
Since both networks share the same network address, a connection attempt from Host 1 to 192.168.1.100 fails: the host's routing table treats that address as directly connected on its own LAN (longest-prefix match picks the local 192.168.1.0/24 route over the tunnel route), so the packet never enters the tunnel.
Solution
To get around this problem, I created a "virtual" IP address for the FTP server using port forwarding.

Under Firewall->NAT->Port Forward, create a new rule.
- Set the interface to OpenVPN.
- Set the protocol, as necessary.
- Set the destination to your "virtual" IP address. I used 192.168.2.100, an unused address inside the OpenVPN tunnel network, which the client already routes through the tunnel.
- Set the destination port range (21 in this example).
- Set the redirect target IP to the real IP address of the FTP server (192.168.1.100).
- Set the redirect target port range (21 in this example).
- Set the filter rule association to Pass.

Now the FTP server on Network A essentially looks like this:
- FTP Server
LAN: 192.168.1.100
  OpenVPN: 192.168.2.100

Clients on Network B can access the FTP server over the tunnel by referring to it using its "virtual" IP address.

One caveat: this rule only translates the control connection on port 21. FTP opens a second connection for data, and in passive mode the server announces its real address (192.168.1.100) in the PASV reply, which Host 1 will again resolve to its own LAN. Either configure the FTP server to advertise 192.168.2.100 and add a second port forward for its passive port range, or set the client to ignore the PASV address and reuse the control connection's address (an option most FTP clients offer).
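To make the failure and the fix concrete, here is a small model of what Host 1's routing table and the pfSense port forward do to a connection attempt. This is an added example, not part of the original post or of pfSense: the routing table, the interface names eth0 and tun0, and the tunnel route for 192.168.2.0/24 are constructed assumptions chosen to match the addresses above.

```python
import ipaddress

# Constructed routing table for Host 1 on Network B (assumption, not from the post):
# (prefix, interface, next hop); next hop None means directly connected.
HOST1_ROUTES = [
    ("192.168.1.0/24", "eth0", None),           # local LAN behind the third-party gateway
    ("192.168.2.0/24", "tun0", None),           # OpenVPN tunnel network
    ("0.0.0.0/0",      "eth0", "192.168.1.1"),  # default route via the Network B gateway
]

def lookup_route(dst, routes=HOST1_ROUTES):
    """Longest-prefix match, the way a host's kernel selects a route.
    Returns (interface, next_hop) for the most specific matching prefix."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

# The pfSense port-forward rule from the post, modelled as a destination-NAT table:
# (arriving interface, protocol, destination, port) -> (redirect target, target port)
PORT_FORWARDS = {
    ("openvpn", "tcp", "192.168.2.100", 21): ("192.168.1.100", 21),
}

def apply_port_forward(iface, proto, dst, dport, table=PORT_FORWARDS):
    """Rewrite the destination of a packet if a port-forward rule matches,
    otherwise leave it untouched (pfSense would then route or drop it normally)."""
    return table.get((iface, proto, dst, dport), (dst, dport))

def reach_ftp_server(target_ip, port=21):
    """Trace where a TCP connection from Host 1 to target_ip:port ends up.
    Returns (path, final_destination_ip, final_port)."""
    iface, _next_hop = lookup_route(target_ip)
    if iface != "tun0":
        # The packet stays on Network B's LAN: 192.168.1.100 there is a different
        # machine, or nobody, but never the FTP server on Network A.
        return ("local-lan", target_ip, port)
    # The packet crossed the tunnel and arrives on pfSense's OpenVPN interface,
    # where the port forward rewrites it to the real FTP server address.
    dst, dport = apply_port_forward("openvpn", "tcp", target_ip, port)
    return ("tunnel", dst, dport)

if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.2.100"):
        print(ip, "->", reach_ftp_server(ip))
```

Running the script shows the two outcomes side by side: the real address goes out the local LAN interface and never reaches Network A, while the "virtual" address is routed into the tunnel and rewritten by the port forward to 192.168.1.100:21 on the pfSense side. The rule only matches port 21, so a connection to 192.168.2.100 on any other port crosses the tunnel untranslated, which is why a passive FTP data channel needs its own forward.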
Aaron