I have a similar problem and I was wondering if you ever received an
answer to your question. I have asked similar questions on the list
without receiving a single response so I am guessing that either nobody
here knows how to get this working or it is not possible to get
overlapping subnets to work together.
On Jun 29, 2004, at 1:10 PM, Christian Røsnes wrote:
I'm curious as to whether there are any potential problems with an
OpenVPN setup where there are local (private) subnets/addresses on
of the tunnel which overlap. (Eg 192.168.0/24 are used on both sides)
Has anyone experienced any problems with an OpenVPN roadwarrior setup
and overlapping local (private) subnets?
I'm assuming the following roadwarrior setup
(figure best viewed with a fixed width font):
|<pc1 - 192.168.1.5>
| ======> LAN1
|<fw1 - 192.168.1.1>
|FW1| (OPENVPN server - TUNNEL ENDS HERE)
|<public - fw1>
|<public - fw2>
|FW2|--------|PC2B| 192.168.1.5 (same local address as PC1, same lan
|<fw2 - 192.168.1.1>
| ======> LAN2
|<pc2a - 192.168.1.2>
|PC2A| (roadwarrior client - TUNNEL ENDS HERE)
PC2A connects to the public address of FW1.
Since PC2A is a roadwarrior, there's no guarantee that the local ip
of LAN2 (PC2A) does not overlap with those of LAN1 (PC1).
(Eg. 192.168.1.0/27 on both sides)
What if PC2A is in need of connecting (simultaneously) to a machine
(eg. PC2B - see figure) and a machine on LAN1 (eg. PC1 - see figure),
which share the same local address (eg. 192.168.1.5). And TCP/IP is
for both connections.
How will PC2 know which is which of PC1 and PC2B?
(PC2 sees this as an IP conflict maybe?)
Won't this be a potential problem, unless some sort of natting is
the real local (private) address of one of the LANs ?
If natting is advisable, should the natting be done for the machines
serverside (behind FW1 in the figure above) ?
I read in the OpenVPN FAQ that networks which overlap in private
should use natting (eg. iptables NETMAP)
iptables -t nat -A PREROUTING -d 192.168.0.0/24 -j NETMAP --to
Is this type of natting advisable for _all_ roadwarrior setups, or is
unnecessary, when using either bridging or routing? (And assuming that
the roadwarrior person has not got the know-how to make any changes to the
client configuration themselves - so it's preferable that it just
works in "most" situations)
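Worked example of the NETMAP approach the quoted message asks about. This is an added illustration, not code from the thread, the OpenVPN FAQ, or the OpenVPN project. The alias prefix 10.200.1.0/24 and the server tunnel interface name tun0 are assumptions chosen here; the LAN prefixes and hosts are the ones in the figure above. The block reproduces what the NETMAP target does (keep the host bits, swap the network prefix), generates the server-side rules and the route the server would push, and answers the "which is which" question from the road warrior's side: PC2B stays reachable as 192.168.1.5 on the local LAN, while PC1 is reached as 10.200.1.5 through the tunnel and rewritten to 192.168.1.5 only once it arrives at FW1.

```python
"""One-to-one prefix NAT (the semantics of the iptables NETMAP target) applied to
the overlapping-subnet road-warrior case from the thread.

Added example; not code from the mailing-list thread or from OpenVPN itself.
Assumptions made here: the server-side LAN1 (192.168.1.0/24) is exposed to road
warriors under the alias prefix 10.200.1.0/24 (any prefix unused on both sides
would do), and the server's OpenVPN interface is tun0.
"""
import ipaddress

LAN1_REAL = ipaddress.ip_network("192.168.1.0/24")   # LAN behind FW1 (from the thread)
LAN1_ALIAS = ipaddress.ip_network("10.200.1.0/24")    # assumed alias prefix for LAN1
LAN2 = ipaddress.ip_network("192.168.1.0/24")         # road warrior's own LAN (overlaps)
VPN_IFACE = "tun0"                                    # assumed server tunnel interface


def netmap(addr, from_net, to_net):
    """Translate one address the way NETMAP does: keep the host bits, swap the
    prefix. Accepts strings or ipaddress objects; returns a dotted-quad string."""
    addr = ipaddress.ip_address(str(addr))
    from_net = ipaddress.ip_network(str(from_net))
    to_net = ipaddress.ip_network(str(to_net))
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("NETMAP maps between prefixes of equal length")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host_bits))


def server_nat_rules():
    """Server-side (FW1) iptables rules. Packets arriving from the tunnel for the
    alias prefix get their destination rewritten to the real LAN1 prefix, and
    conntrack reverses that on the replies. The POSTROUTING rule covers
    connections that LAN1 hosts initiate towards road warriors, so their source
    shows up under the alias prefix as well."""
    return [
        f"iptables -t nat -A PREROUTING -i {VPN_IFACE} -d {LAN1_ALIAS} "
        f"-j NETMAP --to {LAN1_REAL}",
        f"iptables -t nat -A POSTROUTING -o {VPN_IFACE} -s {LAN1_REAL} "
        f"-j NETMAP --to {LAN1_ALIAS}",
    ]


def server_push_route():
    """The route the OpenVPN server pushes to clients: the alias prefix, never
    the real one, so the client's own 192.168.1.0/24 stays local."""
    return f'push "route {LAN1_ALIAS.network_address} {LAN1_ALIAS.netmask}"'


def client_lookup(dst):
    """From the road warrior's point of view: which side a destination lands on
    and which real host it reaches. This is the 'which is which' question."""
    dst = ipaddress.ip_address(str(dst))
    if dst in LAN1_ALIAS:                      # pushed tunnel route
        return ("LAN1 via tunnel", netmap(dst, LAN1_ALIAS, LAN1_REAL))
    if dst in LAN2:                            # directly connected local LAN
        return ("LAN2 local", str(dst))
    return ("elsewhere", str(dst))


if __name__ == "__main__":
    print("\n".join(server_nat_rules()))
    print(server_push_route())
    for target in ("192.168.1.5", "10.200.1.5"):
        print(target, "->", client_lookup(target))
```

Because both rules and the pushed route live on the server, nothing on the road warrior's machine has to change, which is the constraint in the question. The usual NAT caveats apply: LAN1 hosts still answer DNS queries with their real 192.168.1.x addresses, so clients need split DNS or hosts entries that use the alias, and protocols that carry addresses in their payload (FTP, SIP) break unless a helper rewrites them. The mapping also only helps when the alias prefix itself is free on the client side, so pick one from a range road warriors are unlikely to use at home.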
Openvpn-users mailing list