Connecting OpenVPN Sites with Conflicting IP Subnets¶
One common use of NAT with OpenVPN is to mask conflicting LAN subnets between two locations. If two networks are using the exact same subnet, or overlapping subnets, as their LAN or other internal network they cannot communicate across a site-to-site VPN without NAT.
Shared key mode has been deprecated by OpenVPN as it is no longer considered sufficiently secure for modern requirements.
Shared key mode will be removed from future versions of OpenVPN. Users should not create any new shared key tunnels and should immediately convert any existing shared key tunnels to SSL/TLS mode.
When an SSL/TLS instance is configured with a
/30 tunnel network it
behaves in a similar manner to shared key mode. The primary difference is the
need to create and distribute the certificate structure to peers. See
OpenVPN Site-to-Site Configuration Example with SSL/TLS for information on configuring OpenVPN in
Site-to Site Example¶
In this example
10.3.0.0/24 is the LAN on both sides of a VPN. Hosts on the
10.3.0.0/24 subnet will never reach the other end of the VPN to communicate
with the remote
10.3.0.0/24 subnet. Clients will always treat that network
as local, attempting to reach the other systems via ARP. With NAT, however, the
remote side can be made to function as if it were using a different subnet.
Utilizing NAT will work for many protocols but some that are commonly desirable across VPN connections, primarily SMB/CIFS file sharing between Windows hosts, may not function in combination with NAT. If hosts use a protocol which is not capable of functioning with NAT, this is not a viable solution.
Figure Site to Site with Conflicting Subnets shows an example where both ends are using the same subnet. After assigning the OpenVPN interface to an OPT interface on both sides, as described in Assigning OpenVPN Interfaces, 1:1 NAT can be applied.
The firewall at Site A translates its LAN to
172.16.1.0/24 and the firewall
at Site B translates to
172.17.1.0/24. A 1:1 NAT entry on each firewall
translates its entire /24 range.
To reach Site A from Site B, clients at Site B use
172.16.1.x IP addresses.
The 1:1 NAT rule translates the last octet in the
10.3.0.x IP address to the
last octet in
172.16.1.x. A client at Site B attempting to reach
10.3.0.10 at Site A would use
172.16.1.10. To reach
Site B from Site A, a client would use
Figure Site B 1:1 NAT Configuration show the 1:1 NAT configuration for each side, where the tun interface is assigned as OPT1.
In the OpenVPN configuration on both sides, the Remote network must be
the translated IP subnet, not
10.3.0.0/24. In this example,
the Remote Network at Site A is
172.17.1.0/24, and Site B is
After applying the NAT configuration changes and configuring the remote networks accordingly on both sides, the networks will be able to communicate using the translated subnets.
This section describes how to map multiple subnets that have the same IP
address range using OpenVPN so that they can be accessed from a central
site. For example
192.168.0/24 is a very common addressing scheme and
the main site may need to access all the systems on those networks.
This is the desired outcome, Site 0 is the hub:
Site 0 - 10.1.1/24 Site 1 - 192.168.0/24 -> 10.10.1/24 Site 2 - 192.168.0/24 -> 10.10.2/24 Site 3 - 192.168.0/24 -> 10.10.3/24
For example, with this type of setup in place, site 0 can access
192.168.0.33 at site 2 as
This configuration requires 1:1 NAT which means that some things may not work, see notes in the remaining sections for details.
There are multiple alternate ways to reach this goal. This example has the remote sites (Sites 1-3) run the “server” and Site 0 runs the “clients”. Either direction works.
Pick two ranges for this scheme. The first range is for mapping subnets and
the second range is for OpenVPN client to server connections. This example uses
10.10.0.0/16 for the mappings and
10.254.100/24 for the VPN endpoints.
The first choice supports up to 253 mappings and the second choice gives 64
/30 subnets to link it all up.
Examples before NAT:
Site 0 to Site 1:
<-------- (OpenVPN) ----------> 10.1.1/24 --- 10.254.100.2/30 --- INTERNET --- 10.254.100.1/30 --- 192.168.0/24
Site 0 to Site 2:
<-------- (OpenVPN) ----------> 10.1.1/24 --- 10.254.100.6/30 --- INTERNET --- 10.254.100.5/30 --- 192.168.0/24
Notice how the addresses on the right are not unique - they are always
NAT can make each remote site unique:
10.1.1/24 --- (OpenVPN) --- INTERNET --- OpenVPN_Interface - NAT - 10.10.1/24 <=> 192.168.0/24 10.1.1/24 --- (OpenVPN) --- INTERNET --- OpenVPN_Interface - NAT - 10.10.2/24 <=> 192.168.0/24 10.1.1/24 --- (OpenVPN) --- INTERNET --- OpenVPN_Interface - NAT - 10.10.3/24 <=> 192.168.0/24
Site 0 sends packets to a destination in the mapped subnet down the tunnel which corresponds to the desired Site 1, 2, or 3 and the NAT at the other end translates to and from that mapping and sends the result back to Site 0.
In the following examples, only necessary changes from default are given. Pick suitable transports (UDP by default) and ports (1194 by default) Put in a suitable firewall rule on the server WAN interfaces to allow the inbound connection VPN. This should be restricted to the WAN IP address of Site 0. Both ends must have a suitable firewall rule on the OpenVPN interface for traffic to pass.
At Site 1-3¶
At each remote site, create a new OpenVPN server:
- Server Mode
Peer to Peer
Link to Site 0
- TLS authentication
Check “Automatically generate a shared TLS authentication key.”
- IPv4 Tunnel Network
Link subnet, e.g.
- IPv4 Remote networks
IP address range(s) at Site 0, e.g.
If Site 0 has multiple IP ranges then specify them all in IPv4 Remote networks, comma separated. After saving, edit the VPN instance and copy the shared key to the other end (see below)
Add one of these for each network range at Site 0:
- External subnet IP
Mapping subnet, first IP address, e.g.
- Internal IP
Network, IP range at Site 0, e.g.
Not the default gateway¶
If this firewall is not the default gateway for the site then use an outbound NAT rule on LAN to ensure that replies from the clients return via the OpenVPN tunnel. Without this, the systems at Sites 1-3 will reply via their default gateway because they will be unaware of the Site 0 network. Another option is to put a suitable route on the site gateway via the LAN address of the OpenVPN system but this will introduce an asymmetric route and which will potentially break things even more than the double NAT.
At Site 0¶
Create a separate OpenVPN client for each remote subnet (Where examples are given they are for Site 1 ):
- Server mode
Peer to Peer (Shared key)
- Server host or address
IP address of the remote site
Text to describe the connection, such as the site name, mapping subnet, and link subnet. For example,
Site 1 10.254.100.0/30 10.10.1.0/24
- Shared Key
Copy from the server for the site link
- IPv4 Tunnel Network
Link subnet, e.g.
- IPv4 Remote networks
Mapping network, e.g.
SIP and RTP can be tricky with NAT involved
DNS may not work well under this scheme
Anything relying on DNS may have issues, such as web links that do not use the passed host name but use the built in name
Do not forget to put suitable firewall access rules on the various OpenVPN interfaces