
I was following this tutorial http://wiki.debian.org/OpenVPN#TLS-enabled_VPN and this one http://users.telenet.be/mydotcom/howto/linux/openvpn.htm to create an OpenVPN connection to my remote LAN.

But both examples assumed that the two LANs have different addresses (i.e. 192.168.10.0/24 and 192.168.20.0/24; check out this image i.stack.imgur.com/2eUSm.png).

Unfortunately, in my case both the local and the remote LAN use 192.168.1.0/24 addresses. I am able to connect directly to the OpenVPN server (I can ping it and log in with ssh), but I can't see other devices on the remote LAN (not to mention accessing them via browser, which was the point in the first place). And I don't know if the addressing issue may be the reason for that? If not, how do I define routes so I could ping other devices in the remote LAN?

Greg
  • I should maybe mention that the OpenVPN server is behind a publicly available router, which forwards port 22 to local 192.168.1.3:22 and port 1194 for OpenVPN the same way – Greg Oct 11 '12 at 23:13

3 Answers


Even though this question has already been answered, here is another option:

  • Assign a secondary IP in a free subnet to the gateway on one side
  • Use the NETMAP target in iptables to translate everything

If you choose 192.168.2.0/24 as the alternative subnet on one side, you could use this rule to translate the network:

# POSTROUTING: rewrite the *source* network of packets leaving through the
# tunnel, keeping the host part (192.168.1.x becomes 192.168.2.x). The -s match
# keeps the rule from also rewriting the gateway's own tap address.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tap0 -j NETMAP --to 192.168.2.0/24
Alex
Thomas Berger

You're sunk. All the machines are using the same subnet. How do you propose they would be able to distinguish local from remote hosts? Your only option here would perhaps be some form of port forwarding from the VPN hosts at each site. This would work for a few services, but would be a nightmare to support long term.

You really just need to bite the bullet and re-number one of the sites.

My guess is that you don't have a good grasp on some core networking fundamentals. I'd highly recommend you read through this Serverfault Q&A on IPv4 subnetting. That will help you better understand the why behind your present difficulties.

EEAA
  • Thank you, Eric, for confirming my guess. And yes, your guess is correct as well: I have some stuff to get my head around regarding networking. I will definitely read what you suggest. – Greg Oct 12 '12 at 05:41
  • P.S. I just got an idea. My local network is somehow defined by the router I'm "behind"; I would not always have the power to renumber it. Is there a way to hide myself behind some kind of "virtual router" so I'm in a "local-local" network I can control? I work on Ubuntu Linux, so I guess this should be possible, but what should I google? – Greg Oct 12 '12 at 06:04
  • Sorry, with your current state of networking knowledge, you have no business trying to do anything complex or unorthodox. Get your head around the basics and then the solution (which is re-numbering) will become self-evident. – EEAA Oct 12 '12 at 14:47
  • Oh, come on. You don't need to be overprotective. Let's say I cannot renumber any of those networks. Just give me a hint what to look for and I will bang my head through this wall. I promise I will not hurt myself in case of failing ;) – Greg Oct 12 '12 at 18:50
  • I'm not being overprotective. I'm being realistic. What you propose is impossible. Read about how routing works. – EEAA Oct 12 '12 at 20:57
  • Ok, I believe you then :) Thanks for the link, the article is great. – Greg Oct 13 '12 at 07:38


In my opinion, NETMAP is actually a pretty valid way of making sure that networks won't collide. Many routers use the same private address space and sometimes there's just no way of changing a setup for a network you don't own (e.g. in an internet café, public WLAN). Yes, you could change your own network to use a rather uncommon address space, but some providers distribute locked-down equipment with no way of changing that, which would require you to add more network gear. Oh, and sometimes it's just very convenient to type 10.0.0.x instead of e.g. 192.168.214.x.

TL;DR: While not advisable in professional setups, NETMAP might come in handy.

Here's an example that allows me to use 10.0.0.x on both sides and still connect via OpenVPN. Instead of pushing the real route to clients, you use an uncommon subnet:

OpenVPN

push "route 10.11.12.0 255.255.255.0"

NETMAP

# PREROUTING: packets from VPN clients addressed to the alias 10.11.12.0/24 get
# their destination rewritten to the real 10.0.0.0/24 with the host part kept;
# conntrack reverses the translation on the replies
iptables -t nat -A PREROUTING -d 10.11.12.0/24 -j NETMAP --to 10.0.0.0/24

Source NAT (assuming you're using OpenVPN's default 10.8.0.0/24 subnet)

# LAN hosts have no route back to the tunnel subnet, so source-NAT the
# clients to the gateway's address on eth1 (PUBLICIP is the author's placeholder)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source PUBLICIP

This works pretty well, even with default gateway replacement. It might get messy if you're using your own DNS:

push "dhcp-option DNS 10.11.12.1"

That's because, though you'll be able to reach the DNS server (which is on 10.0.0.1), it returns addresses based on its own subnet, not the NETMAPed one. There might be ways around that; I'm thinking of BIND's views, for example. No idea whether Samba is capable of something like that.

Alex
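The following is an added example, not code from either NETMAP answer above or from the OpenVPN project. It models the two things those answers rely on: longest-prefix route selection on the client, which is why two sites on the same prefix cannot be told apart, and the host-bit-preserving rewrite that `-j NETMAP` performs, which is why advertising an alias prefix fixes it. All addresses, interface names and the client's routing table are constructed assumptions chosen to match the question (both LANs on 192.168.1.0/24, OpenVPN's default 10.8.0.0/24 tunnel, 192.168.2.0/24 as the alias); `MASQUERADE` stands in for the SNAT-to-fixed-address rule of the third answer.

```python
# Added example (not from the thread above): why overlapping LANs break routing
# through the tunnel, and what the NETMAP alias prefix buys you.
# All addresses, interface names and the routing table are constructed
# assumptions matching the question (both LANs 192.168.1.0/24, tunnel
# 10.8.0.0/24, alias 192.168.2.0/24, LAN-facing gateway interface eth1).
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Route = Tuple[str, str]  # (prefix, outgoing device)

# Constructed routing table of a VPN client that sits on its own 192.168.1.0/24.
CLIENT_BASE_ROUTES: List[Route] = [
    ("0.0.0.0/0", "eth0"),       # default route via the home router
    ("192.168.1.0/24", "eth0"),  # the client's own LAN (connected route)
    ("10.8.0.0/24", "tun0"),     # the OpenVPN tunnel subnet
]


def route_lookup(dst: str, routes: List[Route]) -> List[str]:
    """Longest-prefix match the way a kernel FIB does it, but returning every
    device that ties for the longest prefix so an ambiguity stays visible."""
    addr = ip_address(dst)
    matches = [(ip_network(p), dev) for p, dev in routes if addr in ip_network(p)]
    if not matches:
        raise ValueError(f"no route to {dst}")
    best = max(net.prefixlen for net, _ in matches)
    return sorted({dev for net, dev in matches if net.prefixlen == best})


def client_routes(pushed_prefix: str) -> List[Route]:
    """Client table after OpenVPN pushes `route <pushed_prefix>` via tun0.
    (On Linux, pushing 192.168.1.0/24 here actually fails with 'File exists'
    because the connected /24 is already installed; the tie shows why.)"""
    return CLIENT_BASE_ROUTES + [(pushed_prefix, "tun0")]


def netmap(addr: str, match: str, to: str) -> str:
    """What `-j NETMAP --to <to>` does to an address inside <match>:
    keep the host bits, swap the network bits. Prefix lengths must agree."""
    src_net, dst_net = ip_network(match), ip_network(to)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP requires equal prefix lengths")
    if ip_address(addr) not in src_net:
        return addr  # rule does not match; the packet passes untouched
    host_bits = int(ip_address(addr)) & int(src_net.hostmask)
    return str(ip_address(int(dst_net.network_address) | host_bits))


def openvpn_push(alias: str) -> str:
    """Server-side directive: advertise the alias prefix, not the real LAN."""
    net = ip_network(alias)
    return f'push "route {net.network_address} {net.netmask}"'


def gateway_rules(alias: str, real_lan: str, tun_subnet: str, lan_if: str) -> List[str]:
    """Commands for the OpenVPN gateway. PREROUTING NETMAP rewrites client
    destinations in the alias prefix to the real LAN (conntrack un-translates
    the replies); POSTROUTING MASQUERADE sends replies back via the gateway,
    since LAN hosts have no route to the tunnel subnet."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A PREROUTING -d {alias} -j NETMAP --to {real_lan}",
        f"iptables -t nat -A POSTROUTING -s {tun_subnet} -o {lan_if} -j MASQUERADE",
    ]


if __name__ == "__main__":
    # Without NETMAP: 192.168.1.10 ties between the local LAN and the tunnel.
    print(route_lookup("192.168.1.10", client_routes("192.168.1.0/24")))
    # With the alias: only the tunnel matches, and the gateway maps it back.
    print(route_lookup("192.168.2.10", client_routes("192.168.2.0/24")))
    print(netmap("192.168.2.10", "192.168.2.0/24", "192.168.1.0/24"))
    # The DNS caveat from the third answer: the remote resolver hands back a
    # real 192.168.1.x address, which the client sends to its own LAN instead.
    print(route_lookup("192.168.1.20", client_routes("192.168.2.0/24")))
    print(openvpn_push("192.168.2.0/24"))
    print("\n".join(gateway_rules("192.168.2.0/24", "192.168.1.0/24", "10.8.0.0/24", "eth1")))
```

Because the mapping is symmetric, the same `netmap` function with the arguments swapped is what a DNS view serving VPN clients would have to apply to every A record (192.168.1.20 becomes 192.168.2.20), which is the workaround the third answer alludes to with BIND views.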