I am currently experimenting with employing OpenVPN as our main means of remoting into our machines scattered across the country, but there are some issues with dealing with identical subnet addresses.

We are dealing with automation systems with devices that have fixed IP addresses, and this means that we run into situations where we have multiple systems with the same subnet on different sites connecting to the same cloud server:

Site1
|Router|
LAN 192.168.1.0/24

Site2
|Router|
LAN 192.168.1.0/24

...so on and so forth.

I have seen suggestions made around setting up a NAT on each router so that devices on its LAN can have the same IP address, but I am not quite sure how to implement this method. It would be immensely appreciated if someone knowledgeable in this area could make suggestions/recommendations.

Regards,

Kevin

1 Answer


Hi, Jin,

Haven't tried this solution myself, but it should be possible by using the iptables NETMAP target.

Let's say there's a topology with 2 OpenVPN clients: client1 and client2.

Both clients use the 192.168.1.0/24 subnet, but using iptables we can "fake" the source/destination IPs of incoming/outgoing packets for each client, e.g.:

Client1 - 192.168.11.0/24

Client2 - 192.168.12.0/24

On client1, in WebUI -> Network -> Firewall -> Custom rules, insert the following rules:

iptables -t nat -I PREROUTING -i tun_c_client1 -j NETMAP --to 192.168.1.0/24
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o tun_c_client1 -j NETMAP --to 192.168.11.0/24

The PREROUTING rule will change the destination IP address of incoming packets on the tun_c_client1 interface to 192.168.1.0/24.

The POSTROUTING rule will change the source IP address of outgoing packets on the tun_c_client1 interface from 192.168.1.0/24 to 192.168.12.0/24.

tun_c_client1 is your OpenVPN client interface name; tun_c_ gets automatically added before the name you've used when creating the OpenVPN client interface via WebUI.

Do the same for client2:

iptables -t nat -I PREROUTING -i tun_c_client2 -j NETMAP --to 192.168.1.0/24
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o tun_c_client2 -j NETMAP --to 192.168.12.0/24

The only thing that's left is to route the networks properly. Client1 should become reachable via the 192.168.11.0/24 address range, client2 via 192.168.12.0/24, and so on.

Let me know if you have any additional questions regarding configuration.
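To make the NETMAP mapping concrete, here is an added bash example (not code from the thread, the router vendor, or OpenVPN). It models what NETMAP does to an address (swap the network bits, keep the host bits), emits the two-rule pair for one site from a single interface name so the PREROUTING and POSTROUTING rules cannot name different tunnels, and checks an existing rule pair for that mismatch. The interface names, subnets and hosts are constructed values; the `-d` selector on the PREROUTING rule is my addition, not part of the rules above.

```bash
#!/usr/bin/env bash
# Added example: models iptables NETMAP and emits/validates the per-site rule pair.
# All addresses and interface names below are constructed sample values.

# ip4_to_int 192.168.1.37 -> 32-bit integer
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 <integer> -> dotted quad
int_to_ip4() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_translate FROM_CIDR TO_CIDR ADDR
# Same 1:1 mapping as NETMAP --to: the host bits of ADDR are kept, the network
# bits are replaced by TO_CIDR. Fails if ADDR is not inside FROM_CIDR, because a
# rule without a matching selector would otherwise rewrite unrelated traffic.
netmap_translate() {
  local from_net=${1%/*} from_len=${1#*/} to_net=${2%/*} to_len=${2#*/} addr=$3
  [ "$from_len" = "$to_len" ] || { echo "prefix lengths differ" >&2; return 1; }
  local mask=$(( (0xFFFFFFFF << (32 - from_len)) & 0xFFFFFFFF ))
  local a f t
  a=$(ip4_to_int "$addr")
  f=$(ip4_to_int "$from_net")
  [ $(( a & mask )) -eq $(( f & mask )) ] || { echo "$addr not in $1" >&2; return 1; }
  t=$(ip4_to_int "$to_net")
  int_to_ip4 $(( (t & mask) | (a & ~mask & 0xFFFFFFFF) ))
}

# site_rules IFACE LAN_CIDR PUBLIC_CIDR
# Emits both rules for one router from one interface name. The -d selector
# (an assumption added here) limits the destination rewrite to the site's
# published range, so packets addressed to the tunnel endpoint itself are left alone.
site_rules() {
  local iface=$1 lan=$2 pub=$3
  printf 'iptables -t nat -I PREROUTING -i %s -d %s -j NETMAP --to %s\n' "$iface" "$pub" "$lan"
  printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j NETMAP --to %s\n' "$lan" "$iface" "$pub"
}

# pair_iface_ok PREROUTING_RULE POSTROUTING_RULE
# Returns 0 only if the -i interface of the first rule equals the -o interface of
# the second; a mismatch means replies from that site are never translated back.
pair_iface_ok() {
  local in_if out_if
  in_if=$(printf '%s\n' "$1" | sed -n 's/.* -i \([^ ]*\).*/\1/p')
  out_if=$(printf '%s\n' "$2" | sed -n 's/.* -o \([^ ]*\).*/\1/p')
  [ -n "$in_if" ] && [ "$in_if" = "$out_if" ]
}

# Demo with constructed values: the rules for site 2 and how one of its hosts is addressed.
site_rules tun_c_client2 192.168.1.0/24 192.168.12.0/24
echo "192.168.1.37 on site2 is reached from the server side as $(netmap_translate 192.168.1.0/24 192.168.12.0/24 192.168.1.37)"
```

Run it with `bash netmap_demo.sh` to see the generated rules; feed the emitted lines into the router's custom-rules box only after checking them with `pair_iface_ok`. The `-d` selector matters because NETMAP without one rewrites the destination of every packet entering the tunnel, including packets meant for the router's own tunnel address.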