Re: [Openvpn-users] Potential problems with overlapping networks ?


  • Subject: Re: [Openvpn-users] Potential problems with overlapping networks ?
  • From: Michael Hale <michaelh@xxxxxxxxxxxxxxxx>
  • Date: Wed, 1 Dec 2004 09:40:40 -0500

Hi Christian,

I have a similar problem and I was wondering if you ever received an answer to your question. I have asked similar questions on the list without receiving a single response, so I am guessing that either nobody here knows how to get this working or it is not possible to get overlapping subnets to work together.

- Michael


On Jun 29, 2004, at 1:10 PM, Christian Røsnes wrote:

Hello

I'm curious as to whether there are any potential problems with a roadwarrior
OpenVPN setup where there are local (private) subnets/addresses on both sides
of the tunnel which overlap. (E.g. 192.168.0/24 is used on both sides)


Q:
Has anyone experienced any problems with an OpenVPN roadwarrior setup
and overlapping local (private) subnets?

I'm assuming the following roadwarrior setup
(figure best viewed with a fixed width font):

-----
|PC1| LAN1
-----
|<pc1 - 192.168.1.5>
| ======> LAN1
|<fw1 - 192.168.1.1>
-----
|FW1| (OPENVPN server - TUNNEL ENDS HERE)
-----
|<public - fw1>
|
INTERNET
|
|<public - fw2>
----- ------
|FW2|--------|PC2B| 192.168.1.5 (same local address as PC1, same lan as PC2A)
----- ------
|<fw2 - 192.168.1.1>
| ======> LAN2
|<pc2a - 192.168.1.2>
------
|PC2A| (roadwarrior client - TUNNEL ENDS HERE)
------


PC2A connects to the public address of FW1.

Since PC2A is a roadwarrior, there's no guarantee that the local IP addresses
of LAN2 (PC2A) do not overlap with those of LAN1 (PC1).
(E.g. 192.168.1.0/27 on both sides)



Q:
What if PC2A is in need of connecting (simultaneously) to a machine on LAN2
(e.g. PC2B - see figure) and a machine on LAN1 (e.g. PC1 - see figure), both
of which share the same local address (e.g. 192.168.1.5). And TCP/IP is used
for both connections.


How will PC2 know which is which of PC1 and PC2B?
(PC2 sees this as an IP conflict maybe?)

Won't this be a potential problem, unless some sort of natting is hiding
the real local (private) address of one of the LANs?


If natting is advisable, should the natting be done for the machines on the
server side (behind FW1 in the figure above)?


I read in the OpenVPN FAQ that networks which overlap in private address range
should use natting (e.g. iptables NETMAP)
E.g.:
iptables -t nat -A PREROUTING -d 192.168.0.0/24 -j NETMAP --to 192.168.1.0/24
Q:
Is this type of natting advisable for _all_ roadwarrior setups, or is it
unnecessary when using either bridging or routing? (And assuming that the
roadwarrior person has not got the know-how to make any changes to the openvpn
client configuration themselves - so it's preferable that it just plain
works in "most" situations)


Thanks
Christian





Michael Hale
Software Engineer
CipherOptics Inc.

701 Corporate Center Drive
Raleigh, NC 27607
T (919) 865-0671
F (919) 233-9751
michael.hale@xxxxxxxxxxxxxxxx
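The NETMAP rule Christian quotes from the FAQ, modelled as an added example (this is not code from the thread or from OpenVPN/iptables): it reproduces the 1:1 host-bit-preserving translation the NETMAP target performs, checks whether a given client LAN actually collides with the server-side LAN, and builds the rule in the form quoted above. The addresses are the ones from Christian's figure; the "alias" range 192.168.0.0/24 is the unused range the roadwarrior addresses LAN1 through.

```python
"""Constructed model of the iptables NETMAP hint quoted from the OpenVPN FAQ.
Assumption: LAN1 sits behind the OpenVPN server (FW1); the roadwarrior's own
LAN (LAN2) may use the very same private range."""
from ipaddress import ip_address, ip_network


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """1:1 translation as the NETMAP target does it: an address inside from_net
    keeps its host bits and receives the network bits of to_net."""
    a, src, dst = ip_address(addr), ip_network(from_net), ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs two networks of the same size")
    if a not in src:
        return addr                      # rule does not match, packet unchanged
    host_bits = int(a) & int(src.hostmask)
    return str(ip_address(int(dst.network_address) | host_bits))


def plan(lan1: str, lan2: str, alias: str):
    """Decide whether the FAQ rule is needed for this client and build it.
    lan1: real subnet behind the server; lan2: the roadwarrior's local subnet;
    alias: the free range through which the client will address LAN1.
    Returns (needs_nat, prerouting_rule_or_None)."""
    n1, n2, na = ip_network(lan1), ip_network(lan2), ip_network(alias)
    if not n1.overlaps(n2):
        return False, None               # plain routing is enough
    if na.overlaps(n1) or na.overlaps(n2):
        raise ValueError("alias range must be free on both sides of the tunnel")
    return True, f"iptables -t nat -A PREROUTING -d {na} -j NETMAP --to {n1}"


if __name__ == "__main__":
    lan1 = "192.168.1.0/24"    # LAN1 behind FW1 (server side)
    lan2 = "192.168.1.0/24"    # LAN2 at the roadwarrior (PC2A, PC2B)
    alias = "192.168.0.0/24"   # the -d range of the quoted FAQ rule
    pc1, pc2b = "192.168.1.5", "192.168.1.5"

    needs_nat, rule = plan(lan1, lan2, alias)
    print("overlap, NAT needed:", needs_nat)
    print(rule)
    # What PC2A uses to reach PC1 once the rule is in place: 192.168.0.5,
    # which no longer collides with PC2B's 192.168.1.5 on its own LAN.
    seen_by_client = netmap(pc1, lan1, alias)
    print("PC1 as addressed by PC2A:", seen_by_client, "| PC2B stays:", pc2b)
    # On FW1 the PREROUTING rule maps the alias back to the real LAN1 host.
    print("FW1 rewrites destination to:", netmap(seen_by_client, alias, lan1))
```

The client still needs a route for the alias range over the tunnel (the real LAN1 prefix must not be pushed, since it would clash with the client's own LAN).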

