Where the network 172.16.0.0/16 is the internal subnet of the VPN and 192.168.0.0/24 are the internal subnets of the devices to be accessed.
OpenWRT routers will connect to the VPN server.
The VPN server needs to scan all devices on the 192.168.0.0/24 networks and connect to those that have the SNMP port open.
Limitations:
Not to change addresses 192.168.0.x.
Not to change the configuration or exchange generic routers.
There can be no communication between the 192.168.0.0/24 subnets.
There will be dozens of client networks to monitor, with the most distinct or conflicting subnet addresses; I need the network configuration to be automatic or automated.
I thought about bridging the VPN and LAN on the OpenWRT routers, but that would cause IP conflicts.
I thought of doing 1:1 NAT within the OpenWRT routers.
I wonder if 1:1 NAT is the best option, or does anyone suggest a better alternative?
While you can set up bridged VPN solutions (OpenVPN TAP or WireGuard with GRETAP/VXLAN), this generates a lot of traffic and exposes your whole site. Besides, you can have the same subnet but there cannot be duplicate IP addresses, so the easy/best way is to use another subnet on one of the sites.
Routed solutions like WireGuard or OpenVPN TUN need three different subnets (the VPN subnet and both sites all need to be different).
SNMP (I think this is what you intended) uses UDP packets at layer 3, so layer 2 linking is not needed.
Set up a /16 in the VPN server with /24s inside for each remote site. Use multiple routing tables so each source address /24 is routed to the tunnel that leads to the corresponding remote site. It will need to NAT the returning packets so they have a unique IP. In order for this to work, each site needs its own point-to-point WireGuard tunnel. Since the remote addresses overlap, it can't be done with multiple peers on one WireGuard interface.
Then the use of different source IPs on the server side determines which site's 192.168.0.X will be accessed.
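An added sketch of the server-side part of the layout described above, not code from any poster in this thread: it prints, without running them, the `ip` commands that give site N its own routing table selected by the source /24. The interface names `site<N>`, the table numbers 100+N, the rule priorities and the source address 172.16.N.1 are assumptions, as is a layer-3 point-to-point tunnel interface per site; the NAT on the router side is not covered.

```shell
#!/bin/sh
# Prints the per-site policy-routing commands for the VPN server.
# Assumed names (not from the thread): interface "site<N>", table 100+N,
# rule priority 1000+N, server source address 172.16.N.1.
VPN_PREFIX="172.16"          # the /16 used inside the VPN
REMOTE_LAN="192.168.0.0/24"  # the same LAN exists behind every router

# site_src N -> source address on the server that selects site N
site_src() {
    n=$1
    # accept only plain decimal 1..254, no leading zero (avoids octal parsing)
    case "$n" in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "$n" -le 254 ] || return 1
    echo "${VPN_PREFIX}.${n}.1"
}

# site_plan N [IFACE] -> three commands, one per line
site_plan() {
    n=$1
    src=$(site_src "$n") || { echo "invalid site index: $n" >&2; return 1; }
    ifc=${2:-site$n}
    tbl=$((100 + n))
    # 1. the source address the poller binds to when it wants site N
    echo "ip addr add ${src}/32 dev ${ifc}"
    # 2. table N holds one route only: the overlapping LAN via tunnel N,
    #    so a lookup in this table can never reach another site
    echo "ip route add ${REMOTE_LAN} dev ${ifc} src ${src} table ${tbl}"
    # 3. packets sourced from this site's /24 consult table N
    echo "ip rule add from ${VPN_PREFIX}.${n}.0/24 lookup ${tbl} priority $((1000 + n))"
}

# Stand-alone use: ./site-plan.sh 1 2 3 prints the plan for sites 1..3
if [ "$#" -gt 0 ]; then
    for n in "$@"; do
        site_plan "$n" || exit 1
    done
fi
```

Because the script only prints, its output can be reviewed before it is piped to a root shell, and the same site index can drive whatever provisions the matching router.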
I don't intend to use WireGuard, I intend to use SoftEther because it allows several protocols.
I liked your idea, I'll start testing it.
But I didn't understand NAT well, please give me more details. NAT type, source, destination?
There will be dozens of client networks to monitor, with the most distinct or conflicting subnet addresses; I need the network configuration to be automatic or automated by DHCP or a script.