Same IP subnet for two VPNs

Hi all,
I need some help with configuring an OpenVPN server.

I have these configs:
network A (OVPN):

  • subnet:
  • vpn type: TUN

network B (OVPN):

  • subnet:
  • vpn type: TUN

network C (client):

  • subnet:

Networks A and B are in geographically different locations.
Individual connections to networks A and B are OK.


  1. If a client from network C connects to both networks A and B at the same time, it can cause an IP conflict, correct?

I want to configure the OVPN server in network B with some firewall and/or NAT rules to the subnet, so it doesn't conflict with network A.
I know that I can simply remap the IP configurations in network B, but I can't do it.
Is there a way to achieve this?

Are subnets A and B managed by the same organization?


No, I have full access on network B, but on network A I can only connect.

Then change it to


I know that I can do this, but it's way too difficult.
Can it be done by some firewall/NAT rules?

Although, it doesn't mean that you can resolve all the issues this way.

If you don’t change the subnet, where do you route a packet with a destination of

Fancy packet manipulation doesn’t solve the disambiguation problem.


That packet must go to network A.
OpenVPN server on network B must receive packets with destination and then translate into


network C                 network B
                      openvpn server  -->  -->

If a packet has a destination of, it has to be translated to
if -->
if -->
And so on...

In that command, option -d is or

Why not network B?

As @jeff said, this cannot work if you have ambiguous addresses, leading to the possibility of two machines with the same IP. So you really have to change site B to something other than

How are sites A and B connected? By another VPN tunnel? In that case, the client who is connected to B (which is would send a packet down the tunnel with a destination of The routing table in B would then forward that packet to an interface that has connectivity to A.

Because I don't have access to that OpenVPN server, I have access only to the one in network B.

Sites A and B are not connected to each other directly.

If there is no link from A to B, then C needs to have two client instances, one of A and one of B. The routing table in C would then direct packets to either A or B based on IP. In other words, traffic from C to A never touches B, and vice versa.

This is of course conventionally done with subnet ranges. You could conceivably make exceptions for single machines in A but this is a bad practice. And it is impossible if two A and B machines you want to use have the same IP in their respective sites.


I have not gone into detail about this; anyway, yes, in network C I have 2 OpenVPN clients for every client, and packets need to go to network A or B based on IP.
If two machines in networks A and B have the same IP, example, then if network A remains as it is, but if it is network B OpenVPN server translates it into
Is it possible?

And how does the OpenVPN server know which one it has to translate?


OpenVPN server in network A doesn't have to translate anything, but the one in network B does.

It seems you're missing a key problem

  1. Host in your network opens a TCP/IP socket
  2. Host connects socket to remote of and sends the initial packet
  3. Router receives first packet in the stream on its "LAN" interface, with
    • Source IP, Source port 4567
    • Dest IP, Dest port 1234

Now what?

"Crazy talk" would be to manually craft and maintain 250+ static routes, hoping that there is never the situation where the same host IP is present in both of the two, ill-numbered subnets behind the two VPNs.


I was making a diagram and I realised my mistake.
Guess I have to change the network B IP addressing...
Thanks to all for the help!
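
Added example (not part of the original thread or any poster's code): a small model of the routing decision on client C that the replies describe, showing why two tunnels advertising the same prefix cannot both be reached and how renumbering site B removes the ambiguity. All addresses, interface names (`tun0` for A, `tun1` for B) and metrics are constructed, and the selection rule (longest prefix, then lowest metric) is a simplified model of route lookup.

```python
import ipaddress

def route(prefix, dev, metric):
    """Build one routing-table entry: (network, outgoing tunnel, metric)."""
    return (ipaddress.ip_network(prefix), dev, metric)

def select_tunnel(table, dst):
    """Simplified route lookup: longest matching prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))[1]

def ambiguous_prefixes(table):
    """Pairs of routes that use different tunnels but cover overlapping addresses."""
    found = []
    for i, (net1, dev1, _) in enumerate(table):
        for net2, dev2, _ in table[i + 1:]:
            if dev1 != dev2 and net1.overlaps(net2):
                found.append((str(net1), dev1, str(net2), dev2))
    return found

def reachable_tunnels(table, prefix):
    """Every tunnel that is actually selected for some host address in prefix."""
    hosts = ipaddress.ip_network(prefix).hosts()
    return {select_tunnel(table, str(h)) for h in hosts}

# Constructed sample tables for client C (one OpenVPN client instance per site).
SAME_SUBNET = [
    route("192.168.1.0/24", "tun0", 50),   # site A
    route("192.168.1.0/24", "tun1", 100),  # site B, same numbering as A
]
RENUMBERED_B = [
    route("192.168.1.0/24", "tun0", 50),   # site A, unchanged
    route("192.168.2.0/24", "tun1", 50),   # site B after renumbering
]

if __name__ == "__main__":
    for name, table in (("same subnet", SAME_SUBNET), ("B renumbered", RENUMBERED_B)):
        print(name, "conflicts:", ambiguous_prefixes(table))
        for dst in ("192.168.1.10", "192.168.2.10"):
            print("  ", dst, "->", select_tunnel(table, dst))
```

With the shared prefix, every destination in the subnet resolves to `tun0`, so no host behind site B is ever selected; the destination address alone carries nothing that tells the two sites apart.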

