Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Connecting OpenVPN Sites with Conflicting IP Subnets

One common use of NAT with OpenVPN is to mask conflicting LAN subnets between two locations. If two networks are using the exact same subnet, or overlapping subnets, as their LAN or other internal network they cannot communicate across a site-to-site VPN without NAT.

Site-to Site Example

In this example 10.3.0.0/24 is the LAN on both sides of a VPN. Hosts on the 10.3.0.0/24 subnet will never reach the other end of the VPN to communicate with the remote 10.3.0.0/24 subnet. Clients will always treat that network as local, attempting to reach the other systems via ARP. With NAT, however, the remote side can be made to function as if it were using a different subnet.

Note

Utilizing NAT will work for many protocols but some that are commonly desirable across VPN connections, primarily SMB/CIFS file sharing between Windows hosts, will not function in combination with NAT. If a protocol is used that is not capable of functioning with NAT, this is not a viable solution.

Figure Site to Site with Conflicting Subnets shows an example where both ends are using the same subnet. After assigning the OpenVPN interface to an OPT interface on both sides, as described in Assigning OpenVPN Interfaces, 1:1 NAT can be applied.

../_images/diagrams-openvpn-sitetosite-nat.png

Site to Site with Conflicting Subnets

The traffic from Site A will be translated to 172.16.1.0/24, and Site B will be translated to 172.17.1.0/24. A 1:1 NAT entry is added on each end to translate the entire /24 range. To reach Site A from Site B, 172.16.1.x IP addresses will be used. The last octet in the 10.3.0.x IP will be translated to the last octet in the 172.16.1.x translated IP. To reach 10.3.0.10 at Site A from Site B, use 172.16.1.10 instead. To reach 10.3.0.50 at Site B from Site A, use 172.17.1.50. Figure Site B 1:1 NAT Configuration show the 1:1 NAT configuration for each side, where the tun interface is assigned as OPT1.

../_images/openvpn-1to1nat-sitea.png

Site A 1:1 NAT Configuration

../_images/openvpn-1to1nat-siteb.png

Site B 1:1 NAT Configuration

In the OpenVPN configuration on both sides, the Remote network must be specified as the translated IP subnet, not as 10.3.0.0/24. In this example, the Remote Network at Site A is 172.17.1.0/24, and 172.16.1.0/24 at Site B.

After applying the NAT configuration changes and configuring the Remote network accordingly on both sides, the networks will be able to communicate using the translated subnets.

Site-to-Multi-Site Example

This section describes how to map multiple subnets that have the same IP address range using OpenVPN so that they can be accessed from a central site. For example 192.168.0/24 is a very common addressing scheme and the main site may need access to all the systems on those networks.

This is the desired outcome, Site 0 is “us”:

Site 0 - 10.1.1/24
Site 1 - 192.168.0/24 -> 10.10.1/24
Site 2 - 192.168.0/24 -> 10.10.2/24
Site 3 - 192.168.0/24 -> 10.10.3/24

So we can now access 192.168.0.33 on say site 2 as 10.10.2.33.

This configuration requires 1:1 NAT and that means that some things may not work, see notes below.

There are multiple alternate ways to reach this goal. This example has the remote sites (Sites 1-3) run the “server” and Site 0 runs the “clients”. Either direction works.

Preliminary

Pick two ranges for this scheme. The first one will be the mapping subnets and the second one will be for OpenVPN client to server connections. This example uses 10.10/16 for the mappings and 10.254.100/24 for connections. The first choice gives 253 mappings and the second choice gives 64 /30 subnets to link it all up.

Examples before NAT:

Site 0 to Site 1:

           <--------             (OpenVPN)            ---------->

10.1.1/24 --- 10.254.100.2/30 --- INTERNET --- 10.254.100.1/30 --- 192.168.0/24

Site 0 to Site 2:

           <--------             (OpenVPN)            ---------->

10.1.1/24 --- 10.254.100.6/30 --- INTERNET --- 10.254.100.5/30 --- 192.168.0/24

Note

Notice how the addresses on the right are still non unique - they are still always 192.168.0/24.

We use NAT to make each remote site unique:

10.1.1/24 --- (OpenVPN) --- INTERNET --- OpenVPN_Interface - NAT - 10.10.1/24 <=> 192.168.0/24
10.1.1/24 --- (OpenVPN) --- INTERNET --- OpenVPN_Interface - NAT - 10.10.2/24 <=> 192.168.0/24
10.1.1/24 --- (OpenVPN) --- INTERNET --- OpenVPN_Interface - NAT - 10.10.3/24 <=> 192.168.0/24

Site 0 throws packets to a non existent destination (the mapping subnet) down the tunnel that corresponds to the desired Site 1,2 or 3 and the NAT at the other end translates to and from that mapping and sends the result back to Site 0.

Recipe

In the following examples, only necessary changes from default are given. Pick suitable transports (UDP by default) and ports (1194 by default) Put in a suitable firewall rule on the server WAN interfaces to allow the inbound connection VPN. This should be restricted to the WAN IP address of Site 0. Both ends must have a suitable firewall rule on the OpenVPN interface for traffic to pass.

At Site 1-3

OpenVPN server

At each remote site, create a new OpenVPN server:

Server Mode:          Peer to Peer
Description:          Link to Site 0
TLS authentication:   Tick "Automatically generate a shared TLS authentication key."
IPv4 Tunnel Network:  <link subnet> eg 10.254.100.0/30
IPv4 Remote networks: <IP range(s) at Site 0> eg 10.1.1.0/24

If Site 0 has multiple IP ranges then specify them all in IPv4 Remote networks, comma separated. After saving, copy the key (“2048 bit OpenVPN static key”) that was generated to the other end (see below)

1:1 NAT

Add one of these for each network range at Site 0:

Interface:          OpenVPN
External subnet IP: <mapping subnet, first IP> eg 10.10.1.0
Internal IP:        LAN net
Destination:        Network, <IP range on Site 0> eg 10.1.1.0/24
Not the default gateway

If this firewall is not the default gateway for the site then use an outbound NAT rule on LAN to ensure that replies from the clients return via the OpenVPN tunnel. Without this, the systems at Sites 1-3 will reply via their default gateway because they will be unaware of the Site 0 network. Another option is to put a suitable route on the site gateway via the LAN address of the OpenVPN system but this will introduce an asymmetric route and which will potentially break things even more than the double NAT.

At Site 0

OpenVPN client

Create a separate OpenVPN client for each remote subnet (Where examples are given they are for Site 1 ):

Server mode:            Peer to Peer (Shared key)
Server host or address: <ip.add.re.ss of the other end>
Description:            <NAME mapping_subnet link_subnet> eg Site 1 10.254.100.0/30 10.10.1.0/24
Shared Key:             <Copy from the server for the site link>
IPv4 Tunnel Network:    <link subnet> eg 10.254.100.0/30
IPv4 Remote networks:   <mapping network> eg 10.10.1.0/24

Notes

  • SIP and RTP for example will be tricky

  • DNS may not work well under this scheme

  • Anything relying on DNS eg web links that don’t use the passed host name but use the built in name

  • Don’t forget to put suitable firewall access rules on the various OpenVPN interfaces