
Re: [Openvpn-users] Potential problems with overlapping networks ?

  • Subject: Re: [Openvpn-users] Potential problems with overlapping networks ?
  • From: Michael Hale <michaelh@xxxxxxxxxxxxxxxx>
  • Date: Wed, 1 Dec 2004 09:40:40 -0500

Hi Christian,

I have a similar problem and I was wondering if you ever received an answer to your question. I have asked similar questions on the list without receiving a single response so I am guessing that either nobody here knows how to get this working or it is not possible to get overlapping subnets to work together.

- Michael

On Jun 29, 2004, at 1:10 PM, Christian Røsnes wrote:


I'm curious as to whether there are any potential problems with a roadwarrior
OpenVPN setup where there are local (private) subnets/addresses on both sides
of the tunnel which overlap. (Eg 192.168.0/24 are used on both sides)

Has anyone experienced any problems with an OpenVPN roadwarrior setup
and overlapping local (private) subnets ?

I'm assuming the following roadwarrior setup
(figure best viewed with a fixed width font):

|PC1| LAN1
|<pc1 ->
| ======> LAN1
|<fw1 ->
|<public - fw1>
|<public - fw2>
----- ------
|FW2|--------|PC2B| (same local address as PC1, same lan as PC2A)
----- ------
|<fw2 ->
| ======> LAN2
|<pc2a ->
|PC2A| (roadwarrior client - TUNNEL ENDS HERE)

PC2A connects to the public address of FW1.

Since PC2A is a roadwarrior, there's no guarantee that the local ip addresses
of LAN2 (PC2A) do not overlap with those of LAN1 (PC1).
(Eg. on both sides)

What if PC2A is in need of connecting (simultaneously) to a machine on LAN2
(eg. PC2B - see figure) and a machine on LAN1 (eg. PC1 - see figure), both
of which share the same local address (eg. And TCP/IP is used
for both connections.

How will PC2 know which is which of PC1 and PC2B ?
(PC2 sees this as an ip conflict maybe?)

Won't this be a potential problem, unless some sort of natting is hiding
the real local (private) address of one of the LANs ?

If natting is advisable, should the natting be done for the machines on the
serverside (behind FW1 in the figure above) ?

I read in the OpenVPN FAQ that networks which overlap in private address range
should use natting (eg. iptables NETMAP)
iptables -t nat -A PREROUTING -d -j NETMAP --to
Is this type of natting advisable for _all_ roadwarrior setups, or is it
unnecessary, when using either bridging or routing ? (And assuming that the
roadwarrior person does not have the know-how to make any changes to the openvpn
client configuration themselves - so it's preferable that it just plain
works in "most" situations)


_______________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users

Michael Hale
Software Engineer
CipherOptics Inc.

701 Corporate Center Drive
Raleigh, NC 27607
T (919) 865-0671
F (919) 233-9751
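The NETMAP approach the quoted message asks about, worked through as an added example (this is not code from the thread or from the OpenVPN project). It checks whether the roadwarrior's LAN and the server LAN overlap, translates addresses the way the iptables NETMAP target does (host bits kept, network bits replaced), and generates the server-side (FW1) iptables rules plus the route the OpenVPN server would push. The mapped range 10.99.0.0/24, the interface name tun0 and the host addresses are constructed assumptions; the script only builds the rule strings, it does not run iptables.

```python
"""Overlap check and NETMAP-style 1:1 translation for an OpenVPN road-warrior
setup where the client LAN and the server LAN both use 192.168.0.0/24.
Added example with constructed addresses; not the thread's or OpenVPN's code."""
import ipaddress


def overlaps(net_a: str, net_b: str) -> bool:
    """True if the two prefixes share at least one address."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """Translate one address as the iptables NETMAP target does: keep the host
    bits of addr, replace the network bits with those of to_net.
    Like NETMAP, this only makes sense when both prefixes have equal length."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths")
    if a not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(a) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def server_side_rules(real_lan: str, mapped_lan: str, vpn_if: str = "tun0") -> list:
    """iptables rules for the OpenVPN server (FW1 in the figure). VPN clients
    address the server LAN by its mapped prefix; the kernel rewrites it to the
    real prefix on the way in and back to the mapped prefix on the way out.
    vpn_if (tun0) is an assumed interface name."""
    return [
        # Traffic from the tunnel for the mapped range -> real server LAN
        f"iptables -t nat -A PREROUTING -i {vpn_if} -d {mapped_lan} "
        f"-j NETMAP --to {real_lan}",
        # Replies from the real server LAN back into the tunnel -> mapped range
        f"iptables -t nat -A POSTROUTING -o {vpn_if} -s {real_lan} "
        f"-j NETMAP --to {mapped_lan}",
    ]


def push_route(net: str) -> str:
    """OpenVPN server.conf line telling clients how to reach the given prefix."""
    n = ipaddress.ip_network(net)
    return f'push "route {n.network_address} {n.netmask}"'


def plan(client_lan: str, server_lan: str, mapped_lan: str, vpn_if: str = "tun0") -> dict:
    """Decide whether NAT is needed for this client and return the server-side
    rules and the route to push. Without overlap the real prefix is pushed and
    no NAT is needed; with overlap the client is told about the mapped prefix
    only, so its own LAN route is never shadowed by the VPN route."""
    if not overlaps(client_lan, server_lan):
        return {"nat_needed": False, "rules": [], "push": push_route(server_lan)}
    return {
        "nat_needed": True,
        "rules": server_side_rules(server_lan, mapped_lan, vpn_if),
        "push": push_route(mapped_lan),
    }


if __name__ == "__main__":
    # Constructed scenario from the figure: both LANs are 192.168.0.0/24.
    p = plan("192.168.0.0/24", "192.168.0.0/24", "10.99.0.0/24")
    for line in p["rules"]:
        print(line)
    print(p["push"])
    # PC2A reaches PC1 (really 192.168.0.10) as 10.99.0.10:
    print(netmap("10.99.0.10", "10.99.0.0/24", "192.168.0.0/24"))
```

The client side needs no change, which is the property the question asks for: the server pushes a route for 10.99.0.0/24, so the roadwarrior keeps its own 192.168.0.0/24 route for PC2B and reaches PC1 through the tunnel as 10.99.0.10. The mapping only has to be applied once, on the server side, and only for clients whose LAN collides with the server LAN.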
