Communicating to the clients network
Posted: Sat Feb 05, 2022 12:50 pm
by arne
I have connected two PCs via OpenVPN Access Server. The PCs have addresses 10.1.1.5 and 10.1.1.6 in the tunnel. (But physically in two different buildings). In the same network (LAN) as 10.1.1.5 there is an IP camera (or some other equipment). The camera has a static address 10.1.1.4 (?!). Is it possible in some way to communicate from PC 10.1.1.6 (LAN B) to camera IP 10.1.1.4 on LAN A? (The camera has no OpenVPN client.)

Re: Communicating to the clients network
Posted: Sat Feb 05, 2022 1:17 pm
by arne
Maybe the camera should not be given a static address belonging to the tunnel, but rather an address on the physical network, let's say 192.168.1.4 (?!) Then some kind of routing might be needed on the OpenVPN Access Server to send the traffic via 10.1.1.5 to 192.168.1.4? Could this be "the right way"? If so, how to do that?
Could this description give the right solution?
https://openvpn.net/vpn-server-resource ... ss-server/
Re: Communicating to the clients network
Posted: Sat Feb 05, 2022 3:57 pm
by openvpn_inc
Hi Arne,
You definitely do need to use separate networks, on each side of the tunnel, and for the tunnel itself.
The Access Server's default VPN network is in 172.27.0.0/16, which won't usually overlap with anything but another Access Server. You could use any other RFC 1918 networks on each end of the tunnel.
If you are using embedded devices which don't allow you to set an IP address, well, my first suggestion would be not to buy such a thing.

But poorly designed devices like that can be reached through a VPN directly (if they run the openvpn client themselves) or via NAT on the site client. You would access the device using your VPN client IP address (as assigned by the Access Server.)
Bridging is another option, but very rarely is it a good idea. Don't consider it.
Here is a troubleshooting flowchart for connecting to a LAN behind a VPN client. It is written for community openvpn servers, so it's not quite right for how you would do it with Access Server. But the ideas are very much the same. The iroute & CCD parts are different; see "VPN Gateway" in User Permissions. If you get stuck on the AS configuration just reply, or open a support ticket at the link in my signature.
regards, rob0
Re: Communicating to the clients network
Posted: Sat Feb 05, 2022 9:30 pm
by arne
Thanks for the answer!
Just now I am testing with Windows so it is not a problem to configure IP addresses, and of course there were two LANs before clients on those LANs were connected via OpenVPN Access Server. Connection between those clients works fine.
I guess the question actually is: How to route traffic between those two LANs.
Re: Communicating to the clients network
Posted: Mon Feb 07, 2022 6:43 pm
by openvpn_inc
Hi Arne,
The bottom line seems to be: change one of those LAN addresses. You can't easily have different routes to the same IP network, in Access Server.
The OpenVPN Cloud service, OTOH, has a hack to do this: User Guide - Remote access to private networks with overlapping IP address space
Still, RFC 1918 is plenty big enough to give no excuse for any organization of any size to have overlapping LAN networks.
regards, rob0
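
The addressing rule from the replies above (separate networks for each LAN and for the tunnel), as an added example that is not part of the thread or of any OpenVPN tooling: a small pre-deployment check that flags overlapping subnets and addresses that belong to more than one network. The /24 masks, the LAN B subnets and the plan names are assumptions; the thread gives only host addresses and the 172.27.0.0/16 range.

```python
import ipaddress
from itertools import combinations

# Private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr):
    """True if the whole network sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)

def find_conflicts(plan):
    """Return sorted (name_a, name_b) pairs whose networks overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def owners(plan, host):
    """Names of every network containing host; more than one means
    the route to that host is ambiguous."""
    addr = ipaddress.ip_address(host)
    return sorted(name for name, cidr in plan.items()
                  if addr in ipaddress.ip_network(cidr))

def suggest_free(plan, pool="192.168.0.0/16", prefix=24):
    """First subnet of the given size in pool that overlaps nothing in plan."""
    used = [ipaddress.ip_network(c) for c in plan.values()]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None

# Constructed plans. AS_ASKED mirrors the first post (camera 10.1.1.4 on the
# same range as the tunnel); RENUMBERED follows the replies.
AS_ASKED = {"vpn": "10.1.1.0/24", "lan_a": "10.1.1.0/24",
            "lan_b": "192.168.0.0/24"}
RENUMBERED = {"vpn": "172.27.0.0/16", "lan_a": "192.168.1.0/24",
              "lan_b": "192.168.2.0/24"}

if __name__ == "__main__":
    for label, plan in (("as asked", AS_ASKED), ("renumbered", RENUMBERED)):
        print(label, "conflicts:", find_conflicts(plan))
    print("10.1.1.4 belongs to:", owners(AS_ASKED, "10.1.1.4"))
    print("free subnet for LAN A:", suggest_free(AS_ASKED))
```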