0 votes
803 views 0 comments
by anonymous

I am currently experimenting with employing OpenVPN as our main means of remoting into our machines scattered across the country, but there are some issues with dealing with identical subnet addresses.

We are dealing with automation systems with devices that have a fixed IP address, and this means that we run into situations where we have multiple systems with the same subnet on different sites connecting to the same cloud server:


LAN on and so forth.

I have seen suggestions made around setting up a NAT on each router so that devices on its LAN can have the same IP address, but I am not quite sure how to implement this method. It would be immensely appreciated if someone knowledgeable in this area could make suggestions/recommendations.



1 Answer

0 votes
by anonymous

Hi, Jin,

Haven't tried this solution myself but it should be possible by using iptables NETMAP target.

Let's say there's a topology with 2 OpenVPN clients - client1 and client2.

Both clients use subnet but using iptables we can "fake" source/destination IPs of incoming/outgoing packets for each client e.g.:

Client1 -

Client2 -

On client1 in WebUI -> Network -> Firewall -> Custom rules insert the following rules:

iptables -t nat -I PREROUTING -i tun_c_client1 -j NETMAP --to
iptables -t nat -I POSTROUTING -s -o tun_c_client1 -j NETMAP --to

PREROUTING rule will change destination IP address for incoming packets in tun_c_client1 interface to

POSTROUTING rule will change source IP address for outgoing packets in tun_c_client1 interface from to

tun_c_client1 is your OpenVPN client interface name; tun_c_ gets automatically added before the name you've used when creating the OpenVPN client interface via WebUI.

Do the same for client2:

iptables -t nat -I PREROUTING -i tun_c_client2 -j NETMAP --to
iptables -t nat -I POSTROUTING -s -o tun_c_client2 -j NETMAP --to

The only thing that's left is to properly route networks. Client1 should become reachable via address range, client2 via and so on.

Let me know if you have any additional questions regarding configuration.
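
The following is an added example, not part of the answer above: a Python sketch that models what NETMAP does to an address (network bits replaced, host bits kept), checks that the per-site virtual ranges cannot collide, and prints the rule pair for each client. The subnets are constructed sample values because the addresses are missing from this page, and the `-d` match on the PREROUTING rule is an assumption added here to limit translation to the virtual range.

```python
import ipaddress

# Constructed sample values: every site uses the same real LAN; each client
# is given its own virtual /24 that the VPN server routes to it.
REAL_LAN = "192.168.1.0/24"
SITES = {"client1": "10.101.0.0/24", "client2": "10.102.0.0/24"}


def netmap(addr, to_net):
    """Model NETMAP: replace the network bits with to_net, keep the host bits."""
    to_net = ipaddress.ip_network(to_net)
    host_bits = int(ipaddress.ip_address(addr)) & int(to_net.hostmask)
    return str(ipaddress.ip_address(int(to_net.network_address) | host_bits))


def check_plan(real_lan, sites):
    """Reject plans where NETMAP would not be an unambiguous 1:1 mapping."""
    real = ipaddress.ip_network(real_lan)
    seen = []
    for name, virt in sites.items():
        net = ipaddress.ip_network(virt)
        if net.prefixlen != real.prefixlen:
            raise ValueError(f"{name}: {virt} needs the same prefix length as {real_lan}")
        if net.overlaps(real):
            raise ValueError(f"{name}: {virt} overlaps the real LAN")
        for other_name, other in seen:
            if net.overlaps(other):
                raise ValueError(f"{name}: {virt} overlaps {other_name}")
        seen.append((name, net))


def rules_for(name, real_lan, virt):
    """Rule pair in the shape used in the answer, for interface tun_c_<name>."""
    iface = f"tun_c_{name}"
    return [
        # -d is added here (not in the posted rules): rewrite only the virtual range
        f"iptables -t nat -I PREROUTING -i {iface} -d {virt} -j NETMAP --to {real_lan}",
        f"iptables -t nat -I POSTROUTING -s {real_lan} -o {iface} -j NETMAP --to {virt}",
    ]


if __name__ == "__main__":
    check_plan(REAL_LAN, SITES)
    for name, virt in SITES.items():
        print(f"# {name}: device 192.168.1.50 is reached from the VPN as "
              f"{netmap('192.168.1.50', virt)}")
        print("\n".join(rules_for(name, REAL_LAN, virt)))
```

The VPN server still needs a route for each virtual range pointing at the matching client, as the answer notes.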