Site to Site VPN with overlapping IP addresses

shifty
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 28, 2011 12:12 am

Site to Site VPN with overlapping IP addresses

Post by shifty » Tue Jun 28, 2011 12:26 am

Hi Guys! I'm very new to OpenVPN but familiar with VPN in general (Cisco ASA mostly). I've got a tricky situation that I'm trying to implement now using OpenVPN. I'm stuck not sure how to proceed, so any advice would be appreciated.

Here's what I'm trying to do:
  • Have a Central VPN server
  • Multiple remote sites connect to a central VPN server from behind a NAT firewall
  • Provide bridge functionality so that all clients and devices on the local site LAN are available
  • Remote sites may have overlapping IP address space and can't be changed
My initial thought is to map each remote site to a unique subnet when the client connects and have the client do all the NAT work. So my route table on the server would look something like
10.1.10.0/24 -> tap0
10.1.11.0/24 -> tap1
Then the client would NAT the 10.1.10.x request back to 192.168.0.x

But I can't seem to find a good starting point on this. It may just be a complete RTFM failure on my part but I can't find a reference on how to have the client NAT like I'm requesting.

Anyone have any suggestions or pointers? If I'm going about this all wrong I'll accept that too.

Thanks!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Site to Site VPN with overlapping IP addresses

Post by maikcat » Tue Jun 28, 2011 8:42 am

hi there,

i believe you can use a central vpn server to connect multiple remote
subnets but with some limitations (don't blame openvpn for that) like:

>Remote sites may have overlapping IP address space and can't be changed

if you want to use clear lan-to-lan and ip routing, clearly the above is a problem.

also i don't recommend using a bridge setup (unless you have something specific in mind).

to accomplish the above you need:

one openvpn service with certificates and
configure it using ccd files to create the appropriate routing setup...

i am glad to help you out.

Michael
Amiga 500, Zx +2 owner
Long live Dino Dini (Kick Off 2 creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

alex_
OpenVpn Newbie
Posts: 1
Joined: Fri Nov 18, 2011 12:53 pm

Re: Site to Site VPN with overlapping IP addresses

Post by alex_ » Fri Nov 18, 2011 1:28 pm

Hi,

I'm having the same kind of need where overlapping addresses will have to be connected to a central openvpn server. Would using different openvpn services be a solution? What are the appropriate parameters in the clients files that would help in managing such overlapping?

Alex_

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Site to Site VPN with overlapping IP addresses

Post by Mimiko » Fri Nov 18, 2011 8:49 pm

If openVPN is on Linux, the netmapping may be done like this: http://openvpn.net/index.php/open-sourc ... range.html

zalexp
OpenVpn Newbie
Posts: 1
Joined: Wed Nov 30, 2011 6:30 pm

Re: Site to Site VPN with overlapping IP addresses

Post by zalexp » Wed Nov 30, 2011 7:15 pm

Hi,

I've used iptables and iproute2 for clients with overlapping subnets connecting to the same openvpn linux server. Only server config changes are made, so the clients don't know anything about it.
1. modify /etc/iproute2/rt_tables like this
1 cl1
2 cl2
3 cl3

2. add ip rule
ip rule add fwmark 3 table cl3
# ip rule show
0: from all lookup 255
32763: from all fwmark 0x3 lookup cl3
32764: from all fwmark 0x2 lookup cl2
32765: from all fwmark 0x1 lookup cl1
32766: from all lookup main
32767: from all lookup default

3. add route
ip route add default via <openvpn_ip_of_client_here> dev <openvpn_server_iface_here> table cl3

4. and map subnets
iptables -t mangle -A PREROUTING -i eth1 -d 10.123.3.0/24 -j MARK --set-mark 3
iptables -t nat -A PREROUTING -i eth1 -d 10.123.3.0/24 -j NETMAP --to 192.168.1.0/24

Maybe somebody knows a better way?
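The two ideas in this thread (shifty's "map each site to a unique subnet and NAT it" and zalexp's server-side fwmark + policy table + NETMAP recipe) are the same mechanism seen from two ends. The script below is an added example, not code posted by anyone in the thread and not part of OpenVPN itself: it generates zalexp's server-side rule set for one site from a handful of parameters, and adds a small sanity check that the server-side "mapped" subnets handed out to the sites are distinct (exact-match only; it does not detect partially overlapping prefixes). All values in it are constructed: a tun server interface named tun0, a LAN interface eth1, client VPN address 10.8.0.6, and the mapped/real subnets 10.123.3.0/24 and 192.168.1.0/24 taken from zalexp's post. With DRY_RUN=1 (the default) it only prints the commands, so it can be reviewed before being run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): generate the server-side policy-routing
# and NETMAP rules zalexp describes, one set per overlapping remote site.
# DRY_RUN=1 prints the commands instead of executing them (default, so that
# reading the output is enough to review what would change on the server).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mapped_unique <subnet>... : succeed only if no mapped subnet is listed twice.
# The real site subnets are allowed to overlap; the mapped ones must not,
# otherwise two sites would receive the same fwmark/route and the mapping
# would silently send traffic to the wrong site.
mapped_unique() {
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dups" ]
}

# site_rules <mark> <table> <mapped_subnet> <real_subnet> <client_vpn_ip> <vpn_iface> <lan_iface>
# Emits (or applies) the four steps from zalexp's post for one site.
site_rules() {
    mark=$1; table=$2; mapped=$3; real=$4; peer=$5; vpn_if=$6; lan_if=$7

    # 1. give the per-site routing table a name (idempotent append)
    run sh -c "grep -q ' $table\$' /etc/iproute2/rt_tables || echo '$mark $table' >> /etc/iproute2/rt_tables"

    # 2. policy rule: packets carrying fwmark <mark> consult the per-site table
    run ip rule add fwmark "$mark" table "$table"

    # 3. per-site default route towards that site's OpenVPN client address
    run ip route add default via "$peer" dev "$vpn_if" table "$table"

    # 4a. mark LAN traffic for the site's mapped subnet before the routing decision
    run iptables -t mangle -A PREROUTING -i "$lan_if" -d "$mapped" -j MARK --set-mark "$mark"

    # 4b. rewrite the mapped destination to the site's real (overlapping) subnet;
    #     conntrack reverses the mapping on the reply packets automatically
    run iptables -t nat -A PREROUTING -i "$lan_if" -d "$mapped" -j NETMAP --to "$real"
}

# Example invocation with constructed values; prints only unless DRY_RUN=0.
if [ "${1:-}" = "example" ]; then
    mapped_unique 10.123.1.0/24 10.123.2.0/24 10.123.3.0/24 || { echo "mapped subnets collide" >&2; exit 1; }
    site_rules 3 cl3 10.123.3.0/24 192.168.1.0/24 10.8.0.6 tun0 eth1
fi
```

Run it as `sh netmap.sh example` to see the commands for site 3, and `DRY_RUN=0 sh netmap.sh example` as root to apply them. Note that this only covers connections initiated from the central LAN towards a site; connections initiated from a site towards the central LAN arrive with an overlapping source address and would need a matching source rewrite on the server, which zalexp's post does not cover.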
