
Site to Site VPN with overlapping IP addresses

Posted: Tue Jun 28, 2011 12:26 am
by shifty
Hi Guys! I'm very new to OpenVPN but familiar with VPN in general (Cisco ASA mostly). I've got a tricky situation that I'm trying to implement now using OpenVPN. I'm stuck and not sure how to proceed, so any advice would be appreciated.

Here's what I'm trying to do:
  • Have a Central VPN server
  • Multiple remote sites connect to a central VPN server from behind a NAT firewall
  • Provide bridge functionality so that all clients and devices on the local site LAN are available
  • Remote sites may have overlapping IP address space and can't be changed
My initial thought is to map each remote site to a unique subnet when the client connects and have the client do all the NAT work. So my route table on the server would look something like
10.1.10.0/24 -> tap0
10.1.11.0/24 -> tap1
Then the client would NAT the 10.1.10.x request back to 192.168.0.x

But I can't seem to find a good starting point on this. It may just be a complete RTFM failure on my part but I can't find a reference on how to have the client NAT like I'm requesting.

Anyone have any suggestions or pointers? If I'm going about this all wrong I'll accept that too.

Thanks!

Re: Site to Site VPN with overlapping IP addresses

Posted: Tue Jun 28, 2011 8:42 am
by maikcat
Hi there,

I believe you can use a central VPN server to connect multiple remote
subnets, but with some limitations (don't blame OpenVPN for that) like:

>Remote sites may have overlapping IP address space and can't be changed

If you want to use clear LAN-to-LAN and IP routing, the above is clearly a problem..

Also, I don't recommend using a bridge setup (unless you have something specific in mind).

To accomplish the above you need:

one OpenVPN service with certificates, and
configure it using ccd files to create the appropriate routing setup...

I am glad to help you out.

Michael

Re: Site to Site VPN with overlapping IP addresses

Posted: Fri Nov 18, 2011 1:28 pm
by alex_
Hi,

I'm having the same kind of need, where overlapping addresses will have to be connected to a central OpenVPN server. Would using different OpenVPN services be a solution? What are the appropriate parameters in the clients' files that would help in managing such overlapping?

Alex_

Re: Site to Site VPN with overlapping IP addresses

Posted: Fri Nov 18, 2011 8:49 pm
by Mimiko
If OpenVPN is on Linux, the netmapping may be done like this: http://openvpn.net/index.php/open-sourc ... range.html

Re: Site to Site VPN with overlapping IP addresses

Posted: Wed Nov 30, 2011 7:15 pm
by zalexp
Hi,

I've used iptables and iproute2 for clients with overlapping subnets connecting to the same OpenVPN Linux server. Only server config changes are made, so the clients don't know anything.
1. modify /etc/iproute2/rt_tables like this:
1 cl1
2 cl2
3 cl3

2. add ip rule
ip rule add fwmark 3 table cl3
# ip rule show
0: from all lookup 255
32763: from all fwmark 0x3 lookup cl3
32764: from all fwmark 0x2 lookup cl2
32765: from all fwmark 0x1 lookup cl1
32766: from all lookup main
32767: from all lookup default

3. add route
ip route add default via <openvpn_ip_of_client_here> dev <openvpn_server_iface_here> table cl3

4. and map subnets
iptables -t mangle -A PREROUTING -i eth1 -d 10.123.3.0/24 -j MARK --set-mark 3
iptables -t nat -A PREROUTING -i eth1 -d 10.123.3.0/24 -j NETMAP --to 192.168.1.0/24

Maybe somebody knows a better way?
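The four steps above are written out for one client (cl3). The script below is an added example, not zalexp's or the OpenVPN project's code, that generates the same rt_tables entries, ip rules, per-table routes and NETMAP rules for any number of clients from one table, and refuses to run if two clients were given the same table id or the same mapped subnet (a duplicate fwmark would silently send one site's traffic to the other). All values are constructed: three sites that each use 192.168.1.0/24 locally, mapped to 10.123.N.0/24 on the server, eth1 as the server's LAN interface, and a per-client VPN address and interface (tap0 here; with one tun instance per client you would list that client's tunN instead).

```shell
#!/bin/sh
# Added example: generate the server-side policy-routing + NETMAP setup from the
# post for several clients at once. Values below are constructed, not real sites.
#
# Fields: table_id table_name mapped_subnet real_subnet client_vpn_ip server_vpn_iface
CLIENTS='
1 cl1 10.123.1.0/24 192.168.1.0/24 10.8.0.2 tap0
2 cl2 10.123.2.0/24 192.168.1.0/24 10.8.0.3 tap0
3 cl3 10.123.3.0/24 192.168.1.0/24 10.8.0.4 tap0
'
LAN_IF=eth1   # interface the LAN behind the server is attached to (post used eth1)

# Print the values of one CLIENTS column that occur more than once.
field_dups() {
  printf '%s\n' "$CLIENTS" | awk -v f="$1" 'NF { print $f }' | sort | uniq -d
}

# Table ids (fwmarks) and mapped subnets must be unique on the server side;
# the real subnets may repeat, which is exactly what NETMAP is for.
check_unique() {
  [ -z "$(field_dups 1)" ] && [ -z "$(field_dups 3)" ]
}

# Step 1 of the post: lines to append to /etc/iproute2/rt_tables.
rt_tables_entries() {
  printf '%s\n' "$CLIENTS" | awk 'NF { print $1, $2 }'
}

# Steps 2-4 of the post for one client: mark packets for the mapped subnet,
# route marked packets via that client's own table, then rewrite the mapped
# destination to the site's real subnet. Conntrack undoes NETMAP on replies.
client_commands() {
  # $1 id  $2 table  $3 mapped subnet  $4 real subnet  $5 client VPN IP  $6 VPN iface
  printf 'ip rule add fwmark %s table %s\n' "$1" "$2"
  printf 'ip route add default via %s dev %s table %s\n' "$5" "$6" "$2"
  printf 'iptables -t mangle -A PREROUTING -i %s -d %s -j MARK --set-mark %s\n' "$LAN_IF" "$3" "$1"
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -j NETMAP --to %s\n' "$LAN_IF" "$3" "$4"
}

# All commands for all clients; fails without output if the table is inconsistent.
all_commands() {
  check_unique || { echo "duplicate table id or mapped subnet in CLIENTS" >&2; return 1; }
  printf '%s\n' "$CLIENTS" | while read -r id name mapped real vpnip iface; do
    [ -n "$id" ] || continue
    client_commands "$id" "$name" "$mapped" "$real" "$vpnip" "$iface"
  done
}

# Dry run by default (prints the commands); APPLY=1 executes them as root.
if [ "${APPLY:-0}" = 1 ]; then
  all_commands | sh -e
else
  all_commands
fi
```

Run it once without APPLY to review the generated commands, append the output of rt_tables_entries to /etc/iproute2/rt_tables before applying (ip rule will not accept a table name it cannot look up), and note that the rules live in PREROUTING as in the post, so only traffic forwarded from eth1 is translated; connections made from the server itself would need equivalent rules in the OUTPUT chains.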