IP conflict issues

Posted: Fri Aug 19, 2011 2:41 pm
by george
Here's a good one:

We have been running OpenVPN here for about 3 years, and this is the first time this has surfaced:

external user with vpn access connects to our VPN, and can access most of the hosts he is allowed to, with the exception of hosts on our 192.168.1.0/24 subnet.

When the user connects, all routes are set successfully, except the route for 192.168.1.0/24, because the entry already exists (because the user's LAN is configured as 192.168.1.0/24), and to make matters worse, he is using an IP that is active on our network, and Tunnelblick set his host name to the host name of the machine on our LAN.

I suggested he change his LAN setup to something like 10.0.0.0/8 as a short-term solution, but I was wondering if there was anything that could be done on our server setup, or in his Tunnelblick setup, that would fix this.

Obviously the Linux client and Windows clients don't suffer from this, as I'm sure that this is not the first user to ever connect from a LAN configured the same as ours.

TIA

Re: IP conflict issues

Posted: Fri Aug 19, 2011 4:31 pm
by Mimiko
If you want the client to have access to the server's LAN but not to the client's LAN, you have to push a route from the server for the server's LAN. But this may end in losing the VPN tunnel if the client uses a local LAN gateway and is not directly connected to the internet. If multiple clients may turn up with this IP address mask in their LANs, you can't exclude the gateway from the push, because the gateway IP may vary.

If the client needs access only to some IPs of the server's LAN, you can push only those IPs to the client. But some client may turn up that has one of the pushed IPs as its default gateway, or as its own IP on the local LAN.

The best way is to change the IP mask on the server's LAN to something uncommon, like 172.16.0.0 - 172.31.0.0, or something from the 10/8 private address range.

Re: IP conflict issues

Posted: Sat Aug 20, 2011 8:53 pm
by janjust
Linux and Windows clients can suffer from the same thing.
The truly transparent solution would be some extensive NATting on the OpenVPN server: for this particular client you would make your internal LAN appear to be something other than 192.168.1.0/24.
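One concrete form of the NAT approach described in the previous post, as an added example that is not from the thread, from Tunnelblick or from the OpenVPN project: a 1:1 NETMAP on a Linux/netfilter OpenVPN server so that this one client reaches the 192.168.1.0/24 LAN under an alias prefix. The alias prefix, interface name and client common name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: 1:1 NAT (iptables NETMAP) so a client whose home LAN is
# 192.168.1.0/24 sees the server LAN under an alias prefix instead.
# All values below are assumptions for illustration, not from the thread.
set -eu

REAL_LAN="192.168.1.0/24"   # server-side LAN that collides with the client's LAN
ALIAS_NET="172.28.1.0"      # alias network the client will use (assumed free on both sides)
ALIAS_MASK="255.255.255.0"
ALIAS_LAN="$ALIAS_NET/24"
TUN_IF="tun0"               # OpenVPN server tunnel interface (assumed)
CLIENT_CN="george-external" # common name of the affected client, for its ccd file (assumed)

# Print the netfilter rules; nothing is applied until apply_rules is called.
netmap_rules() {
    # Traffic arriving from the tunnel for the alias prefix: rewrite the network
    # part to the real LAN, host part preserved (172.28.1.10 -> 192.168.1.10).
    echo "iptables -t nat -A PREROUTING -i $TUN_IF -d $ALIAS_LAN -j NETMAP --to $REAL_LAN"
    # Forwarding must allow the translated flow; conntrack undoes the NAT on replies.
    echo "iptables -A FORWARD -i $TUN_IF -d $REAL_LAN -j ACCEPT"
    echo "iptables -A FORWARD -o $TUN_IF -s $REAL_LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Per-client push (client-config-dir entry): route the alias prefix through the
# tunnel, so the client's own 192.168.1.0/24 route is never contested.
ccd_entry() {
    echo "push \"route $ALIAS_NET $ALIAS_MASK\""
}

# Apply the rules and write the ccd file; requires root and a server config
# that already sets client-config-dir /etc/openvpn/ccd (assumed path).
apply_rules() {
    netmap_rules | while read -r cmd; do
        $cmd
    done
    ccd_entry > "/etc/openvpn/ccd/$CLIENT_CN"
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    echo "# dry run: rules that --apply would install"
    netmap_rules
    echo "# ccd/$CLIENT_CN:"
    ccd_entry
fi
```

LAN hosts still need a route back to the client's tunnel address (or a matching SNAT on the server), as in any routed OpenVPN setup. Only packet headers are rewritten: names that resolve to 192.168.1.x addresses will not be translated, so this client has to address LAN hosts by their alias.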