Routing the client's local network to the VPN network with change of addressing


I am in the process of configuring my virtual network. At the moment, clients and the server see each other. Here are my assumptions:

Server (Linux)
Static single clients
DHCP clients
20.1.X.X       Local network in place 1
20.2.X.X       Local network in place 2
20.3.X.X       Local network in place 3

In the server configuration ( I have, among others, such entries:

dev tun
topology subnet
client-config-dir /path/to/dir
push "route"
push "route"
push "route"
push "route"
push "route"

client-config-dir for place 1


client-config-dir for place 2


client-config-dir for place 3


On the example of place 2 ( I have the following local network:  TL-MR3420 with OpenWRT as client VPN Server Client 1 Client 2 Client 3

I would like each of the three 192.168.X.X local networks to be visible in the tunnel at 20.NR_PLACE.X.X

For example:

Place 1 - Client 1 - as
Place 1 - Client 2 - as
Place 2 - Client 1 - as
Place 2 - Client 2 - as
Place 3 - Client 1 - as
Place 3 - Client 2 - as

It seems to me that I should perform address routing on every VPN client in these three places.

How can I solve my problem?

You must not use public IP-range for private networking.

Why do you need that?
If there's no strong reason, you'd better forget it, because the result is not worth the effort.

Of course, it's not impossible:

However it's still better to separate those local networks and utilize plain routing.

Addressing 20.X.X.X will be changed to 10.X.X.X in the final mode.

I need this because in these three places I intend to provide servers and other network devices. Although I can install another client on the server, it would be difficult to install a VPN client on e.g. an IP camera or a network switch with official software. I understand that this configuration should be done on the router in these three places?

If you mean NETMAP, logically it should be used on the way of transit traffic and shouldn't contradict the routing, so the remote VPN client looks like the right place.

My changed assumptions of this network:

Server (Linux)
Static single clients
Static router address of the selected place
20.0.1.X        DHCP clients
20.1.X.X        Local network in place 1
20.2.X.X        Local network in place 2
Further network later...

Place 1 - Local server network (no connection to VPN): - to - to

Place 2:


Place 1 (Linux Server

iptables -t nat -A PREROUTING -d -i tun0 -j NETMAP --to

Place 2 (Router OpenWRT

iptables -t nat -A PREROUTING -d -i tun0 -j NETMAP --to

Current problems:

  • Nobody sees the local server network (20.1.X.X)
  • Place 1 (from the server does not see its 20.1.X.X
  • Place 1 (from the server does not see Windows 20.2.X.X machines (Android and Linux only)
  • Place 2 (20.2.X.X) does not see its own network (the router itself and clients of the local network)

What am I doing wrong?

The level of complexity of your network requires comprehensive troubleshooting.
So you should study appropriate instruments, such as traceroute, tcpdump and iptables.
Then collect diagnostics data on the way of your traffic and based on that make a conclusion where the problem is.
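
Added example, not part of any post in this thread: a Python sketch of the 1:1 translation that NETMAP performs, useful for predicting which address should appear in tcpdump on each side of a site router. The 192.168.0.0/16 and 10.N.0.0/16 ranges and the site names are constructed sample values, and the POSTROUTING rule is the standard source-side counterpart of the PREROUTING rule, not something taken from the thread.

```python
import ipaddress

# Constructed sample plan (assumption): every place uses the same LAN range and
# is presented inside the tunnel as 10.<place>.0.0/16.
SITES = {
    "place1": ("192.168.0.0/16", "10.1.0.0/16"),
    "place2": ("192.168.0.0/16", "10.2.0.0/16"),
    "place3": ("192.168.0.0/16", "10.3.0.0/16"),
}

def netmap(addr, from_net, to_net):
    """Translate addr as NETMAP does: swap the network bits, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    from_net = ipaddress.ip_network(from_net)
    to_net = ipaddress.ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if addr not in from_net:
        return addr  # rule does not match; the packet is left untouched
    host_bits = int(addr) & int(from_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)

def netmap_rules(lan_net, vpn_net, tun_if="tun0"):
    """Rule pair for a site router: PREROUTING rewrites the destination of
    traffic arriving from the tunnel, POSTROUTING rewrites the source of
    traffic leaving into it."""
    return [
        f"iptables -t nat -A PREROUTING -i {tun_if} -d {vpn_net} -j NETMAP --to {lan_net}",
        f"iptables -t nat -A POSTROUTING -o {tun_if} -s {lan_net} -j NETMAP --to {vpn_net}",
    ]

def overlapping_sites(sites):
    """Return pairs of sites whose tunnel-side ranges overlap (must be empty)."""
    nets = {name: ipaddress.ip_network(vpn) for name, (_, vpn) in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    lan, vpn = SITES["place2"]
    print("tunnel -> LAN:", netmap("10.2.1.10", vpn, lan))   # seen on the LAN side
    print("LAN -> tunnel:", netmap("192.168.1.10", lan, vpn))  # seen on tun0
    print("overlaps:", overlapping_sites(SITES))
    print("\n".join(netmap_rules(lan, vpn)))
```

Comparing these predicted addresses with a capture on tun0 and on the LAN interface shows at which hop a translation is missing or applied twice.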