
I am currently experimenting with employing OpenVPN as our main means of remoting into our machines scattered across the country, but there are some issues with dealing with identical subnet addresses.

We are dealing with automation systems with devices that have a fixed IP address, and this means that we run into situations where we have multiple systems with the same subnet on different sites connecting to the same cloud server:



...so on and so forth.

I have seen suggestions made around setting up a NAT on each router so that devices on its LAN can have the same IP address, but I am not quite sure how to implement this method. It would be immensely appreciated if someone knowledgeable in this area could make suggestions/recommendations.



1 Answer

0 votes

Hi, Jin,

Haven't tried this solution myself but it should be possible by using the iptables NETMAP target.

Let's say there's a topology with 2 OpenVPN clients - client1 and client2.

Both clients use subnet but using iptables we can "fake" source/destination IPs of incoming/outgoing packets for each client e.g.:

Client1 -

Client2 -

On client1 in WebUI -> Network -> Firewall -> Custom rules insert the following rules:

iptables -t nat -I PREROUTING -i tun_c_client1 -j NETMAP --to
iptables -t nat -I POSTROUTING -s -o tun_c_client1 -j NETMAP --to

PREROUTING rule will change destination IP address for incoming packets in tun_c_client1 interface to

POSTROUTING rule will change source IP address for outgoing packets in tun_c_client1 interface from to

tun_c_client1 is your OpenVPN client interface name; tun_c_ gets automatically added before the name you've used when creating the OpenVPN client interface via WebUI.

Do the same for client2:

iptables -t nat -I PREROUTING -i tun_c_client2 -j NETMAP --to
iptables -t nat -I POSTROUTING -s -o tun_c_client2 -j NETMAP --to

Only thing that's left is to properly route networks. Client1 should become reachable via address range, client2 via and so on.

Let me know if you have any additional questions regarding configuration.
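
The 1:1 translation that NETMAP performs, and a sanity check of an alias plan before rules go onto the routers, as an added example that is not part of the original answer. All subnets and the device address are constructed placeholders (the thread's real values are not shown), and the `-d` match in the PREROUTING rule is an addition that narrows the rule to the alias range.

```python
import ipaddress

# Constructed placeholder values: the thread's real subnets are not shown.
SITE_LAN = ipaddress.ip_network("192.168.1.0/24")   # LAN reused at every site
ALIASES = {                                          # unique range per client
    "client1": ipaddress.ip_network("10.101.0.0/24"),
    "client2": ipaddress.ip_network("10.102.0.0/24"),
}

def netmap(addr, to_net):
    """1:1 mapping as NETMAP does it: keep host bits, swap network bits."""
    addr = ipaddress.ip_address(addr)
    host_bits = int(addr) & int(to_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)

def check_plan(lan, aliases):
    """Reject plans where the mapping would be ambiguous or lossy."""
    nets = list(aliases.items())
    for name, net in nets:
        if net.prefixlen != lan.prefixlen:
            raise ValueError(f"{name}: alias prefix length differs from LAN")
        if net.overlaps(lan):
            raise ValueError(f"{name}: alias overlaps the real LAN")
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                raise ValueError(f"{a} and {b}: alias ranges overlap")

def rules_for(client, lan, alias):
    """Rules for one client router, in the shape used in the answer above."""
    iface = f"tun_c_{client}"
    return [
        f"iptables -t nat -I PREROUTING -i {iface} -d {alias} -j NETMAP --to {lan}",
        f"iptables -t nat -I POSTROUTING -s {lan} -o {iface} -j NETMAP --to {alias}",
    ]

if __name__ == "__main__":
    check_plan(SITE_LAN, ALIASES)
    for client, alias in ALIASES.items():
        print(f"# {client}: {SITE_LAN} is reached as {alias}")
        print("\n".join(rules_for(client, SITE_LAN, alias)))
        plc = "192.168.1.50"  # constructed device address
        print(f"# {plc} <-> {netmap(plc, alias)}")
```

The server side still needs a route for each alias range pointing at the matching client, as the answer notes.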