Hi all,
I need some help with configuring OpenVPN server.
I have these configs:
network A (OVPN):
subnet: 192.168.1.0/24
vpn type: TUN
network B (OVPN):
subnet: 192.168.1.0/24
vpn type: TUN
network C (client):
subnet: 192.168.2.0/24
Networks A and B are in different geographical locations.
Individual connections to networks A and B are OK.
Questions:
If a client from network C connects to both networks A and B at the same time, it can cause an IP conflict, correct?
Goal:
I want to configure OVPN server in network B with some firewall and/or nat rules to the subnet 192.168.11.0/24, so it doesn't conflict with the network A.
I know that I can simply remap the ip configurations in network B, but I can't do it.
Is there a way to achieve this?
Thanks!
That packet must go to network A.
The OpenVPN server on network B must receive packets with destination 192.168.3.0/24 and then translate them into 192.168.1.0/24.
Example:
network C            network B (openvpn server)      network B (LAN host)
192.168.3.2   -->    192.168.3.1               -->   192.168.1.2
If a packet has a destination of 192.168.3.2, it has to be translated to 192.168.1.2
if 192.168.3.10 --> 192.168.1.10
if 192.168.3.101 --> 192.168.1.101
And so on...
As @jeff said, this cannot work if you have ambiguous addresses, leading to the possibility of two machines with the same IP. So you really have to change site B to something other than 192.168.1.0.
How are sites A and B connected? By another VPN tunnel? In that case, the client who is connected to B (which is 192.168.3.0) would send a packet down the tunnel with a destination of 192.168.1.101. The routing table in B would then forward that packet to an interface that has connectivity to A.
If there is no link from A to B, then C needs to have two client instances, one for A and one for B. The routing table in C would then direct packets to either A or B based on IP. In other words, traffic from C to A never touches B, and vice versa.
This is of course conventionally done with subnet ranges. You could conceivably make exceptions for single machines in A but this is a bad practice. And it is impossible if two A and B machines you want to use have the same IP in their respective sites.
I have not detailed this; anyway, yes, in network C I have 2 OpenVPN clients for every client, and packets need to go to network A or B based on IP.
If two machines in networks A and B have the same IP, for example 192.168.1.10, then network A remains as it is, but for network B the OpenVPN server translates it into 192.168.3.10.
Is it possible?
Host connects socket to remote of 192.168.1.100:1234 and sends the initial packet
Router receives first packet in the stream on its "LAN" interface, with
Source IP 192.168.2.123, Source port 4567
Dest IP 192.168.1.100, Dest port 1234
Now what?
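The 1:1 translation the original poster describes (192.168.3.x seen from C becomes 192.168.1.x inside B, and replies are mapped back) is what Linux calls a NETMAP target in the nat table; the model below is an added example, not code from the thread, and only simulates what the OpenVPN server at site B would have to do with the first packet of a stream and its reply. The addresses are the thread's; the conntrack structure and function names are assumptions made for the illustration.

```python
import ipaddress

# Addresses from the thread: site B really uses 192.168.1.0/24 but is
# presented to clients in network C (192.168.2.0/24) as 192.168.3.0/24.
ALIAS_NET = ipaddress.ip_network("192.168.3.0/24")  # what clients in C address
REAL_NET = ipaddress.ip_network("192.168.1.0/24")   # what site B actually uses


def netmap(addr: str, src_net, dst_net) -> str:
    """1:1 prefix swap: keep the host bits, replace the network bits."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


class NetmapRouter:
    """Models the OpenVPN server at site B doing 1:1 DNAT for clients in C.

    Forward: a packet from C for 192.168.3.x has its destination rewritten
    to 192.168.1.x before it is routed into B's LAN.
    Reply: the tracked stream lets the router rewrite the source
    192.168.1.x back to 192.168.3.x, so the client in C sees the address
    it connected to. Site B must route 192.168.2.0/24 back through this
    box, or the reply never reaches the translation.
    """

    def __init__(self):
        # (client src, sport, real dst, dport) -> alias dst the client used
        self.conntrack = {}

    def from_client(self, src, sport, dst, dport):
        real_dst = netmap(dst, ALIAS_NET, REAL_NET)
        self.conntrack[(src, sport, real_dst, dport)] = dst
        return (src, sport, real_dst, dport)

    def from_lan(self, src, sport, dst, dport):
        key = (dst, dport, src, sport)
        alias = self.conntrack.get(key)
        if alias is None:
            return None  # no tracked stream: drop; LAN hosts cannot initiate
        return (alias, sport, dst, dport)
```

Note that the mapping is purely address arithmetic, so a host that exists only at site A (say 192.168.1.10) is still unreachable via this rule unless the client addresses it as 192.168.1.10 through the A tunnel.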
"Crazy talk" would be to manually craft and maintain 250+ static routes, hoping that there is never the situation where the same host IP is present in both of the two, ill-numbered subnets behind the two VPNs.