User Guide - Remote access to private networks with overlapping IP address space

Overview

When devices on one private network share some or all of their IP addresses with devices on another private network, the IP address ranges (subnets) of the two networks are said to overlap. When you connect multiple overlapping subnets together, a destination IP address no longer identifies a single device, so traffic cannot be routed by IP address alone: the same address may be in use on more than one network.

The domain routing feature in OpenVPN Cloud solves this by letting you create unique domain names that serve as routes to the different networks instead of IP address subnets. When each network is identified by its own domain name, OpenVPN Cloud can map the IP addresses within that network to fully qualified domain names (FQDNs) using DNS. OpenVPN Cloud then routes traffic to the correct device even if its IP address overlaps with an address in another network, because the FQDN, not the IP address, identifies the destination.

About this content

This content is based on a scenario where a fictitious security company, Acme Security, needs remote access to various devices at multiple customer sites. The person managing this effort is Owen, an IT and network specialist for Acme Security.

Scenario

Acme Security provides video monitoring services mainly to small, independently owned stores. Their solution consists of installing one to four cameras in the store along with other monitoring devices and video storage servers. The cameras store videos locally but Acme Security needs to remotely connect to the cameras, servers, and other equipment in order to update firmware, carry out diagnostics, change settings, etc. Technicians at Acme Security need to remotely access the embedded web servers running on the various connected devices to administer them.

Owen has been tasked to do the following:

  • Provide remote access to the cameras and other monitoring equipment at customer sites, Store 1 and Store 2.
  • Manage access to devices on the customer’s LAN in spite of the use of overlapping IP address ranges among customer LANs. The monitoring equipment uses the customer’s network for access to the internet, and static IP addresses for the cameras and other equipment are assigned from the customer’s LAN IP address range. Therefore, it will not be possible to prevent IP address range overlap among customer sites. For example, two cameras installed in different customer stores might have the same IP address of 192.168.0.101.
  • Restrict communication between different customers’ networks.
  • Ensure the remote access solution does not require any additional VPN servers.

Owen decides to use OpenVPN Cloud to build a VPN that provides secure remote access to the camera networks at the different stores. During the signup process, he selects an OpenVPN-ID for his VPN. This [OpenVPN-ID].openvpn.com domain uniquely identifies the VPN that has been set up by Owen.

From the VPN illustration below, note that the IP address of the video server in Store 1 is the same as that of the camera in Store 2. Connector software running on a Linux computer at each customer site connects that site to OpenVPN Cloud.

Configure domain names for Networks instead of IP subnets and use Access Groups

  1. Owen logged into the Admin Portal and configured a network (Networks > Create Network) to represent the network in Store 1. He installed the Connector on a Linux computer on the network in Store 1. While configuring the network, Owen added the domain store1.control.com.
    ATTENTION: Do not define a subnet under the Subnets section.
  2. Owen configured another network to represent the network in Store 2 and installed the Connector on a Linux computer on the network in Store 2. While configuring the network, Owen added the domain store2.control.com.
    ATTENTION: Do not define a subnet under the Subnets section.
  3. Owen checked the Status screen and saw that both networks had come online.
  4. Next, to prevent communication between the private networks at each customer’s store via the VPN, Owen changed the VPN topology to Custom (see Change VPN Topology) and set up an Access Group that only allows each network to communicate with the applicable User Groups and not with the other network. See Add Access Group.

Accessing devices with configured domain names

  1. Because Owen does not have a DNS server, he opted to create DNS records for the devices on the Network for Store 1. From the DNS settings page (Settings > DNS > DNS Records) of the Admin Portal, he added DNS records for the equipment in Store 1. He mapped vs.store1.control.com to 192.168.0.100 and camera.store1.control.com to 192.168.0.55. For the equipment in Store 2, he mapped vs.store2.control.com to 192.168.0.55 and camera.store2.control.com to 192.168.0.100.
  2. Owen connected to OpenVPN Cloud (see, Connecting to OpenVPN Cloud). On connection, Owen opened his web browser and used the domain names of the devices to access the embedded web servers. For example, http://camera.store2.control.com let him access the administration portal of the camera in Store 2 even though it had the same LAN IP address as the video server in Store 1.

Accessing devices without configured domain names

OpenVPN Cloud provides a shortcut for routing to specific IP addresses in a Network that is configured with a domain name, without needing to configure DNS Records. Owen can route directly to the video server in Store 2 at 192.168.0.55 by constructing a name on the fly from the destination IP address 192.168.0.55 and the domain name of the Store 2 network, store2.control.com. The constructed hostname replaces each dot in the IP address with a hyphen and prepends the result to the network’s domain name, giving the unique hostname 192-168-0-55.store2.control.com.

  1. Owen wanted to use this ability to create hostnames on the fly without configuring DNS Records. He set the Allow Embedded IP switch for the domain names assigned to the two Networks to ON.
  2. Owen connected to OpenVPN Cloud (see, Connecting to OpenVPN Cloud). On connection, Owen opened his web browser and constructed the name of the device he needed to access on the fly. For example, http://192-168-0-100.store2.control.com let him access the administration portal of the camera in Store 2 even though it had the same LAN IP address as the video server in Store 1.
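The following added example models both name-resolution paths described above, the configured DNS Records from the previous section and the embedded-IP hostnames from this one, so that the behaviour can be checked offline. It is illustrative code written for this guide, not OpenVPN Cloud’s own implementation, and its resolution rules are assumptions: the NETWORK_DOMAINS, DNS_RECORDS and ALLOW_EMBEDDED_IP tables are constructed from the scenario, and the functions embedded_ip_hostname, network_for and resolve are hypothetical names. It shows that two devices with the same LAN address (192.168.0.100 in Store 1 and Store 2) resolve to different networks, that an embedded-IP name is only honoured when the Allow Embedded IP switch is ON for that network, and that a malformed octet such as 999 is rejected rather than routed.

```python
import ipaddress
import re

# Constructed sample data modelled on the guide's scenario; these tables are
# not exported from any real OpenVPN Cloud tenant.
NETWORK_DOMAINS = {            # network domain -> human-readable network name
    "store1.control.com": "Store 1",
    "store2.control.com": "Store 2",
}

DNS_RECORDS = {                # FQDN -> LAN IP, as entered under Settings > DNS > DNS Records
    "vs.store1.control.com": "192.168.0.100",
    "camera.store1.control.com": "192.168.0.55",
    "vs.store2.control.com": "192.168.0.55",
    "camera.store2.control.com": "192.168.0.100",
}

ALLOW_EMBEDDED_IP = {          # state of the "Allow Embedded IP" switch per network domain
    "store1.control.com": True,
    "store2.control.com": True,
}

# Four dotted-decimal octets joined by hyphens, followed by the network domain.
_EMBEDDED_NAME = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.(.+)$")


def embedded_ip_hostname(ip, network_domain):
    """Build the on-the-fly name for an IPv4 address inside a network.

    Each dot in the address becomes a hyphen and the network domain is appended,
    e.g. 192.168.0.55 in store2.control.com -> 192-168-0-55.store2.control.com.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for input such as 192.168.0.999
    return str(addr).replace(".", "-") + "." + network_domain


def network_for(fqdn):
    """Return the network domain that is a suffix of fqdn, or None."""
    for domain in NETWORK_DOMAINS:
        if fqdn.endswith("." + domain):
            return domain
    return None


def resolve(fqdn, allow_embedded=None):
    """Map a name to (network name, IPv4 address), or None if it is not routable.

    A configured DNS record wins. Otherwise an embedded-IP name is accepted only
    when it sits directly under a network domain, the switch for that network is
    ON, and the four octets form a valid IPv4 address.
    """
    if allow_embedded is None:
        allow_embedded = ALLOW_EMBEDDED_IP
    name = fqdn.strip().lower().rstrip(".")   # DNS names are case-insensitive

    domain = network_for(name)
    if domain is None:
        return None                            # not under any configured network domain

    if name in DNS_RECORDS:
        return (NETWORK_DOMAINS[domain], DNS_RECORDS[name])

    m = _EMBEDDED_NAME.match(name)
    if not m or m.group(5) != domain or not allow_embedded.get(domain, False):
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(m.group(1, 2, 3, 4)))
    except ValueError:                          # e.g. an octet above 255
        return None
    return (NETWORK_DOMAINS[domain], str(addr))


if __name__ == "__main__":
    for host in ("vs.store1.control.com", "camera.store2.control.com",
                 "192-168-0-100.store1.control.com", "192-168-0-100.store2.control.com",
                 "192-168-0-999.store2.control.com"):
        print(f"{host:40} -> {resolve(host)}")
```

Passing a modified allow_embedded table to resolve() lets you see the effect of turning the switch OFF for one network while leaving the other ON; the configured DNS Records keep working either way, which matches the guide’s description of the switch as applying only to on-the-fly names.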