I was wondering if there is more documentation around getting OpenVPN or IPsec configured with NAT. I am connecting to a remote site that is using the same LAN IP subnet. I found the following documentation https://wiki.opnsense.org/manual/how-tos/ipsec-s2s-binat.html but am wondering if it will work with OpenVPN? Do I have to allow remote connectivity to my entire subnet, or can I do /32 NAT 1:1?
Don’t confuse doing NAT with setting firewall rules… Set up the 1:1 NAT for the whole subnet, then use firewall rules to determine who can and can’t traverse the link.
Thought about it, but I'm not really interested in re-IPing everything. Plus, if I wanted to do another site-to-site in the future, having to re-IP again isn't something I want to do multiple times.
I have the absolute damnedest time figuring out where to place said rules. Would they be on the interface I want to allow from, or on the OpenVPN interface, inbound?
Personally I would treat the site-to-site VPN interfaces as if they were WAN interfaces. Allow everything outgoing and restrict incoming. You’d put those rules on the VPN interfaces to protect the local network in each site.
Re-reading your OP, if only one IP needs access to the remote site, why wouldn’t you set that computer up as a “road warrior” of the other site and enable split tunneling so you can access both networks? You’d use a completely different network on the remote site for the incoming VPN connection that didn’t overlap with any of the remote site networks. That would be much simpler to manage IMHO.
So I ended up creating a 10.81.81.0/24 network on the remote side, added a gateway, and put the server on that network. I assigned 10.81.81.0/24 as the remote network on my side; I can ping the remote computer 10.81.81.10 from the firewall but cannot access it from the inside network. I can see the packets PASS in the firewall on both my side and the remote side; the only odd thing I'm seeing is my inside address on the remote firewall. Would having two overlapping inside networks cause a return-path issue?
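The advice earlier in the thread (1:1 NAT the whole subnet, then restrict with firewall rules on the VPN interface) and the return-path question in the last post can both be seen in a small simulation. The following is an added example, not code from the thread or from OPNsense: it models subnet-wide 1:1 NAT (BINAT), a first-match rule set on the VPN interface, and the routing decision a host makes when it replies. All addresses except 10.81.81.0/24 are constructed: both sites are assumed to use 192.168.1.0/24 internally, site A presents itself to the tunnel as 10.81.81.0/24 and site B as 10.82.82.0/24. It follows pf's order of evaluating translation before filter rules, so the filter sees the translated destination.

```python
"""Simulate subnet-wide 1:1 NAT (BINAT) across a site-to-site tunnel whose
two LANs overlap, plus the per-host firewall rules on the VPN interface.

All addresses are constructed for this example; 10.81.81.0/24 is the range
mentioned in the thread, everything else is assumed."""
import ipaddress

SITE_A_LAN = ipaddress.ip_network("192.168.1.0/24")   # real LAN at site A
SITE_A_NAT = ipaddress.ip_network("10.81.81.0/24")    # how site A appears on the tunnel
SITE_B_LAN = ipaddress.ip_network("192.168.1.0/24")   # real LAN at site B (same range!)
SITE_B_NAT = ipaddress.ip_network("10.82.82.0/24")    # how site B appears on the tunnel


def binat(addr: str, real: ipaddress.IPv4Network, nat: ipaddress.IPv4Network) -> str:
    """1:1 NAT for a whole subnet: host bits are kept, network bits are swapped.
    Addresses outside `real` pass through unchanged."""
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        return str(ip)
    offset = int(ip) - int(real.network_address)
    return str(ipaddress.ip_address(int(nat.network_address) + offset))


def next_hop(host_lan: ipaddress.IPv4Network, dst: str) -> str:
    """Minimal host routing decision: a destination inside the host's own LAN
    is delivered on-link (ARP), anything else goes to the default gateway."""
    return "on-link" if ipaddress.ip_address(dst) in host_lan else "gateway"


# Inbound rules on site B's VPN interface, treating it like a WAN interface:
# (action, source network, destination network), first match wins.
# NAT is subnet-wide, but only one workstation (as seen by its tunnel address)
# may reach the one server (by its real LAN address after inbound BINAT).
SITE_B_VPN_IN_RULES = [
    ("pass", "10.81.81.10/32", "192.168.1.10/32"),
    ("block", "0.0.0.0/0", "0.0.0.0/0"),
]


def filter_decision(rules, src: str, dst: str) -> str:
    """First-match evaluation of a rule list; default deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "block"


def send_over_tunnel(src: str, dst_nat: str) -> dict:
    """Trace one packet from a site A host to a site B host.

    src is the sender's real site A address; dst_nat is the site B host's
    tunnel (NAT) address, which is the only address site A hosts know it by."""
    # Outbound BINAT at site A: rewrite the source to its tunnel address.
    src_tun = binat(src, SITE_A_LAN, SITE_A_NAT)
    # Inbound BINAT at site B: rewrite the destination back to the real host.
    dst_real = binat(dst_nat, SITE_B_NAT, SITE_B_LAN)
    # Translation runs before filtering, so the rules see src_tun -> dst_real.
    verdict = filter_decision(SITE_B_VPN_IN_RULES, src_tun, dst_real)
    return {
        "on_tunnel": (src_tun, dst_nat),
        "at_site_b": (src_tun, dst_real),
        "verdict": verdict,
        # The server replies to src_tun: because that is not in its own LAN,
        # the reply is sent to the gateway and crosses the tunnel.
        "reply_next_hop": next_hop(SITE_B_LAN, src_tun),
    }


if __name__ == "__main__":
    # Without NAT the server would reply to 192.168.1.10, which is on-link at
    # site B, so the reply never reaches the tunnel: the overlap return-path problem.
    print("reply to untranslated source:", next_hop(SITE_B_LAN, "192.168.1.10"))
    print(send_over_tunnel("192.168.1.10", "10.82.82.10"))
    print(send_over_tunnel("192.168.1.20", "10.82.82.10"))
```

Running the block shows the two outcomes side by side: a reply addressed to an untranslated 192.168.1.x source stays on-link at the remote site and never comes back through the tunnel, whereas a reply to the BINAT address is routed to the gateway. The rule list also shows the point made earlier in the thread: the NAT covers the whole /24 while the firewall still limits traffic to a single host pair.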