Hello,
I have got the following situation:
- There is an OpenVPN Server in AWS (private network: 172.24.0.0/24)
- There is an OpenVPN Client on a remote site-1 (private network 192.168.0.0/24)
- There is an OpenVPN Client on a remote site-2 (private network 192.168.0.0/24)
- There is an application within AWS (IP: 172.24.0.10)
- There is a server-1 on remote site-1 (IP: 192.168.0.10)
- There is a server-2 on remote site-2 (IP: 192.168.0.10)
- FW on remote site can't be accessed/configured
- Application needs to access server-1 on remote site-1
- Application needs to access server-2 on remote site-2
Now with just one remote site I could use plain routing to make this work (reverse VPN).
However, if I want to add a second remote site-2 with the same IP range as remote site-1 (192.168.0.0) and the application needs to access both sites, this will lead to a routing conflict.
I have searched and read something about 1:1 NAT, so that for example I can NAT 192.168.0.0 on remote site-2 to 10.10.0.0/24 and the application on AWS can reach server-2 on remote site-2 with IP 10.10.0.10 (instead of 192.168.0.10).
Is this correct?
Is there any information on how to set this up?
kind regards,
tke
Need help/opinion with 1:1 NAT setup
Re: Need help/opinion with 1:1 NAT setup
Hi tke,
Opinion? Yuck! It is absolutely not correct.
How (and more importantly, WHY) do you expect to be able to route from one 192.168.0.0/24 to another, different 192.168.0.0/24?
Web searches often have the problem you found: someone who knows very little about a subject shares their thoughts on how to address an issue. 1:1 NAT is a very bad idea. IP routing is simple and it works, as long as routers on each side of the VPN tunnel know to go through the tunnel to get to the remote site. Likewise the VPN server needs to know where to route each network.
If you are still constrained to do things the wrong way, the best hope for you is the OpenVPN Cloud service. It actually offers the feature of being able to route from one overlapping network segment to another. It does this through DNS tricks for the VPN clients and behind-the-scenes routing magic.
regards, rob0
> Opinion? Yuck! It is absolutely not correct.
> How (and more importantly, WHY) do you expect to be able to route from one 192.168.0.0/24 to another, different 192.168.0.0/24?

Why not? This is garbage. Consider replacing it with something not braindead. But anyway, you CAN change the subnet on the other site. Do that.
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
Re: Need help/opinion with 1:1 NAT setup
> 1:1 NAT is a very bad idea

Why is it a very bad idea to implement a feature that OpenVPN itself has built-in (client-nat)?
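To make the client-nat question concrete, this is what the 1:1 NAT asked about in the first post looks like with OpenVPN's built-in client-nat directive, using the addresses from that post (172.24.0.0/24 in AWS, 192.168.0.0/24 at both sites, 10.10.0.0/24 as the alias for site-2). It is an added example, not configuration from this thread or from OpenVPN Inc.; the VPN transit subnet 10.8.0.0/24, the ccd paths and the client names site1/site2 are assumptions.

```conf
# server.conf on the AWS OpenVPN server (added example, not from the thread)
server 10.8.0.0 255.255.255.0              # VPN transit subnet (assumed)
client-config-dir /etc/openvpn/ccd         # per-client files below (path assumed)
# Kernel routes so the server host pushes each range into the tunnel:
route 192.168.0.0 255.255.255.0            # site-1 under its real addresses
route 10.10.0.0 255.255.255.0              # site-2 under the NAT alias

# /etc/openvpn/ccd/site1  (file name = client certificate CN, assumed)
iroute 192.168.0.0 255.255.255.0

# /etc/openvpn/ccd/site2
iroute 10.10.0.0 255.255.255.0
# client-nat is pushable, so the site-2 client can receive it from here.
# Stateless 1:1 rewrite of addresses only (not ports), done in the client process:
#   local view  192.168.0.0/24 on the client's LAN
#   alias       10.10.0.0/24   as seen from the server side
# "snat" because the translated addresses belong to resources on the client's side:
# packets from 192.168.0.10 entering the tunnel leave as 10.10.0.10, and packets
# arriving for 10.10.0.10 are delivered to 192.168.0.10. The site-2 client host
# must still forward to its LAN and provide the return path to 172.24.0.0/24
# (e.g. masquerading), as with the single-site reverse VPN already in use.
push "client-nat snat 192.168.0.0 255.255.255.0 10.10.0.0"
```

Because the rewrite is per-packet and stateless, addresses carried inside payloads (ICMP error quotes, protocols that embed IPs) are not translated, and DNS answers pointing at 192.168.0.10 will reach site-1 rather than site-2. Running the site-2 client with verb 6 logs each src/dst transformation, which is the quickest way to confirm the rule is being applied.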