Same Subnet Over Vpn


schubert1979


So I am going back and forth with another technician that works for a different company. In a nutshell we need to set up a VPN between our locations to send data from one workstation on our network (192.168.1.x) to his newly created server at his location. I asked him if he could change his IP subnet to something other than 192.168.1.x as that would cause a problem routing traffic over the VPN. His reply was as follows:

"192.168.x.x are standard internal IP addresses and there should not be any issue as long as you write your persistent IP table entries correctly to route through our VPN tunnel; if needed. Our VPNs use 10.x.x.x as internal VLAN IPs and it's through these you should write your IP Table routes. This is not a layer of complexity it is "networking 101". At my home I have a PC with 192.168.1.31 and can pull images from the Image Server at 192.168.1.31 through the VPN gateway with no issue. They are on two different networks separated by a gateway; there is no conflict."

I would like to use a standard site-to-site hardware VPN between our firewalls, but this guy is asking me to install Open VPN on our workstation. How can he say his home computer is on 192.168.1.31 and he accesses a server on 192.168.1.31 over the VPN? Could he have created a static mapping to a 10.x.x.x IP for the gateway and then the VPN is in some way doing a NAT translation to the other end of the tunnel? Even that doesn't make a lot of sense because his computer would have to be on the 10.x network to access a gateway set to that address.

I like to think I am not totally crazy as the OpenVPN documentation pretty much confirms what I think.

http://openvpn.net/index.php/open-source/documentation/howto.html#numbering


By connecting to the VPN and setting a gateway to one of the 10.x.x.x on his network, that would work, since the VPN would know where those servers are via its own gateway. My thinking is, if you and he have a workstation with the same IP and the same service, say HTTP, then to get to his, you would have to create a static route pointing to a gateway known to the VPN to find it. The VPN sort of bridges you with his network and his DHCP server, so you effectively are part of his network when you connect and are assigned an IP by the VPN, hence, virtual private network, and his internal LAN can be any range of IPs and subnet, since HIS gateway, if pointed to in a static route, would handle the connection to his server(s) that you need to speak to.

An OpenVPN connection from your workstation to his VPN means only your workstation can see his network, and vice versa. If you had a hardware VPN, when connecting to you, they would see the rest of your internal network if it was also your router/gateway, vs just the workstation doing the VPN server. If the workstation they connect to is also a gateway, then they could see the rest of your network, but if it's not, they only see what shares you allow out of your VPN and they can authenticate to. There are two sides to this. A VPN client, and a VPN server, and they are mutually exclusive. In order for him to connect to you, you also need to have a VPN server set up, or the connection only goes from you to him and whatever they gave you access to.

Anyone correct me if I am wrong on this though, but I'm pretty sure the guy is correct that you can have the same subnets and IP ranges between the two networks, so long as a service you need to reach on his network is pointed to with a static route with his VPN IP, or his own gateway IPs. His gateway probably has an interface on both the 10.x.x.x and 192.168.1.x so his gateway would forward it along for you and you would know his gateway when connecting to the VPN, so all should be good.


I can test this out for you, but I am very certain that you can have the same subnet over VPN. When I set up OpenVPN on my network before, I configured it with Natting protocol, which automatically dishes out an IP address on a different subnet range to any client connecting to your VPN. Once the client is connected to the VPN, they will be able to ping/see any LAN client, even the gateway.
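
An added example, not part of any post in this thread: a longest-prefix-match lookup over a constructed workstation routing table, showing which interface traffic for 192.168.1.31 leaves on when both sites use 192.168.1.0/24. The tunnel network 10.8.0.0/24 and the interface names eth0 and tun0 are assumptions, not values from the thread.

```python
import ipaddress

def lookup(routes, dst):
    """Return the (prefix, interface) a longest-prefix-match table picks for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, dev = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), dev

def diverted_from_lan(routes, lan_prefix, lan_dev):
    """List prefixes inside the local LAN that a more specific route sends elsewhere."""
    lan = ipaddress.ip_network(lan_prefix)
    out = []
    for p, dev in routes:
        net = ipaddress.ip_network(p)
        if dev != lan_dev and net.prefixlen > lan.prefixlen and net.subnet_of(lan):
            out.append((str(net), dev))
    return out

# Constructed routing table for the workstation (assumed values, see lead-in).
BASE = [
    ("192.168.1.0/24", "eth0"),  # local LAN, on-link
    ("10.8.0.0/24", "tun0"),     # VPN tunnel network (assumed range inside 10.x.x.x)
    ("0.0.0.0/0", "eth0"),       # default route via the local firewall
]
REMOTE_LAN = "192.168.1.0/24"    # the other site uses the same range
SERVER = "192.168.1.31"          # address quoted in the thread

def demo():
    local = ipaddress.ip_network(BASE[0][0])
    with_host = BASE + [(SERVER + "/32", "tun0")]  # static host route into the tunnel
    return {
        "overlap": local.overlaps(ipaddress.ip_network(REMOTE_LAN)),
        "no_host_route": lookup(BASE, SERVER),         # stays on the local LAN
        "host_route": lookup(with_host, SERVER),       # now enters the tunnel
        "neighbour": lookup(with_host, "192.168.1.32"),  # rest of the /24 is still local
        "diverted": diverted_from_lan(with_host, "192.168.1.0/24", "eth0"),
        "tunnel_addr": lookup(BASE, "10.8.0.1"),       # tunnel-side address, no overlap
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

Every prefix listed under `diverted` is an address the workstation can no longer reach on its own LAN, because the more specific route wins over the on-link /24.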
