Same IP subnet for two VPNs

Hi all,
I need some help with configuring OpenVPN server.

I have these configs:
network A (OVPN):

  • subnet: 192.168.1.0/24
  • vpn type: TUN

network B (OVPN):

  • subnet: 192.168.1.0/24
  • vpn type: TUN

network C (client):

  • subnet: 192.168.2.0/24

Networks A and B are in geographically different locations.
Individual connections to networks A and B are OK.

Questions:

  1. If a client from network C connects to both networks A and B at the same time, it can cause an IP conflict, correct?

Goal:
I want to configure the OVPN server in network B with some firewall and/or NAT rules to the subnet 192.168.11.0/24, so it doesn't conflict with network A.
I know that I can simply remap the IP configuration in network B, but I can't do it.
Is there a way to achieve this?
Thanks!

Are subnets A and B managed by the same organization?

1 Like

No, I have full access on network B, but on network A I can only connect.

Then change it to 192.168.3.0/24.

1 Like

I know that I can do this, but it's way too difficult.
Can it be done by some firewall/NAT rules?

https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.4

Although it doesn't mean that you can resolve all the issues this way.

If you don’t change the subnet, where do you route a packet with a destination of 192.168.1.101?

Fancy packet manipulation doesn’t solve the disambiguation problem.

2 Likes

That packet must go to network A.
The OpenVPN server on network B must receive packets with destination 192.168.3.0/24 and then translate them into 192.168.1.0/24.

Example:

network C                 network B
                      openvpn server
192.168.3.2  -->      192.168.3.1  -->  192.168.1.2

If a packet has a destination of 192.168.3.2, it has to be translated to 192.168.1.2
if 192.168.3.10 --> 192.168.1.10
if 192.168.3.101 --> 192.168.1.101
And so on...

In that command, option -d is 192.168.1.0/24 or 192.168.3.0/24?

Why not network B?

As @jeff said, this cannot work if you have ambiguous addresses, leading to the possibility of two machines with the same IP. So you really have to change site B to something other than 192.168.1.0.

How are sites A and B connected? By another VPN tunnel? In that case, the client who is connected to B (which is 192.168.3.0) would send a packet down the tunnel with a destination of 192.168.1.101. The routing table in B would then forward that packet to an interface that has connectivity to A.

Because I don't have access to that OpenVPN server; I have access only to the one in network B.

Sites A and B are not connected to each other directly.

If there is no link from A to B, then C needs to have two client instances, one for A and one for B. The routing table in C would then direct packets to either A or B based on IP. In other words, traffic from C to A never touches B, and vice versa.

This is of course conventionally done with subnet ranges. You could conceivably make exceptions for single machines in A but this is a bad practice. And it is impossible if two A and B machines you want to use have the same IP in their respective sites.

1 Like

I have not gone into detail about this, but yes, in network C I have 2 OpenVPN clients on every client, and packets need to go to network A or B based on IP.
If two machines in networks A and B have the same IP, for example 192.168.1.10, then network A remains as it is, but for network B the OpenVPN server translates it into 192.168.3.10.
Is it possible?

And how does the OpenVPN server know which one it has to translate?

1 Like

OpenVPN server in network A doesn't have to translate anything, but the one in network B does.

It seems you're missing a key problem.

  1. Host in your network opens a TCP/IP socket
  2. Host connects socket to remote of 192.168.1.100:1234 and sends the initial packet
  3. Router receives first packet in the stream on its "LAN" interface, with
    • Source IP 192.168.2.123, Source port 4567
    • Dest IP 192.168.1.100, Dest port 1234

Now what?

"Crazy talk" would be to manually craft and maintain 250+ static routes, hoping that there is never the situation where the same host IP is present in both of the two, ill-numbered subnets behind the two VPNs.

1 Like
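To make the two threads of this discussion concrete (the 1:1 subnet translation the OP wants on B's OpenVPN server, and the disambiguation problem jeff and the later reply point out at the client), here is a small added simulation. It is not code from the thread or from OpenVPN; the topology constants are taken from the posts, and the `tun_a`/`tun_b`/`lan` interface names and the packet dictionaries are assumptions I constructed for the example. `netmap` does what netfilter's NETMAP target does (keep the host bits, swap the network bits), and `lookup` is a plain longest-prefix-match that reports every interface tied for the best match, so an ambiguous table shows up as more than one result instead of being silently resolved.

```python
import ipaddress

# Constructed topology from the thread: sites A and B both use 192.168.1.0/24,
# the client site C is 192.168.2.0/24. The proposal is to expose site B to
# clients as 192.168.3.0/24 and let B's OpenVPN server translate 1:1.
SITE_A = "192.168.1.0/24"
SITE_B_REAL = "192.168.1.0/24"
SITE_B_MAPPED = "192.168.3.0/24"   # assumed mapped range, as in the OP's example
SITE_C = "192.168.2.0/24"


def netmap(addr, from_net, to_net):
    """1:1 subnet mapping: keep the host bits, replace the network bits."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    ip = ipaddress.ip_address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs subnets of equal size")
    if ip not in src:
        raise ValueError(f"{ip} is not in {src}")
    host_bits = int(ip) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + host_bits))


def lookup(dst, table):
    """Longest-prefix match over (prefix, interface) pairs.

    Returns every interface tied for the longest match; a list with more than
    one entry means the routing table cannot decide where the packet goes.
    """
    ip = ipaddress.ip_address(dst)
    best, winners = -1, []
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, [iface]
            elif net.prefixlen == best:
                winners.append(iface)
    return winners


def translate_at_b(packet, direction):
    """What B's VPN server would do with a packet: rewrite the destination of
    packets arriving from the tunnel (DNAT), and the source of the replies
    going back into the tunnel (SNAT), so the client only ever sees 192.168.3.x."""
    pkt = dict(packet)
    if direction == "from_client":
        pkt["dst"] = netmap(pkt["dst"], SITE_B_MAPPED, SITE_B_REAL)
    elif direction == "to_client":
        pkt["src"] = netmap(pkt["src"], SITE_B_REAL, SITE_B_MAPPED)
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return pkt


# Client C's routing table as the thread starts out: both tunnels claim
# 192.168.1.0/24 (interface names are assumed).
OVERLAPPING_TABLE = [(SITE_A, "tun_a"), (SITE_B_REAL, "tun_b"), (SITE_C, "lan")]

# The same table once B is presented as 192.168.3.0/24.
DISAMBIGUATED_TABLE = [(SITE_A, "tun_a"), (SITE_B_MAPPED, "tun_b"), (SITE_C, "lan")]


def demo():
    """Walk through the 192.168.1.101 example from the thread."""
    print("overlapping table, dst 192.168.1.101 ->", lookup("192.168.1.101", OVERLAPPING_TABLE))
    print("remapped table,    dst 192.168.1.101 ->", lookup("192.168.1.101", DISAMBIGUATED_TABLE))
    print("remapped table,    dst 192.168.3.101 ->", lookup("192.168.3.101", DISAMBIGUATED_TABLE))
    request = {"src": "192.168.2.123", "dst": "192.168.3.101"}   # constructed packet
    inside_b = translate_at_b(request, "from_client")
    print("at B after DNAT:", inside_b)
    reply = {"src": inside_b["dst"], "dst": inside_b["src"]}
    print("reply after SNAT:", translate_at_b(reply, "to_client"))


if __name__ == "__main__":
    demo()
```

With the overlapping table, `lookup("192.168.1.101", ...)` returns both tunnels, which is exactly the "now what?" in the post above: no amount of rewriting on B's server helps, because the client's kernel has already had to pick an interface before B sees anything. Only after C routes 192.168.3.0/24 to `tun_b` does the translation on B become meaningful; at that point the equivalent netfilter rule on B's server would match the range the clients use (`-d 192.168.3.0/24`) and map it `--to 192.168.1.0/24` with the NETMAP target, with the reverse mapping for replies. It also only covers hosts reached through B, so a machine in A and a machine in B sharing 192.168.1.10 is handled, but the server in B still has to push the 192.168.3.0/24 route and nothing in B may itself need to reach a real 192.168.3.0/24.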

I was making a diagram and I realised my mistake.
Guess I have to change the network B ip addressing...
Thanks to all for the help!

4 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.