Disclaimer before I start rambling: I'm a software engineer, not a network engineer, so I may have fundamental misunderstandings about what I'm asking for.
I'm building a project that involves virtualizing multiple small-to-medium lab networks using Proxmox VE. Each lab network should be accessible from outside via a VPN gateway, so that users can connect to the servers in the network of their choice. Internally, the networks are presently represented using a single large bridge that connects each host on all of the networks, with a VLAN tag configured on each machine within a network to assign it to its network. In addition, to avoid limiting the IP ranges of the networks, they're all configured to be unable to route to each other, which as I understand it is enough to allow them to have overlapping IP ranges (I haven't tested this idea yet; my testing configuration only uses one internal network while I figure out the simpler case of non-overlapping ranges).
I have a single OPNsense VM that is configured with a trunk port on the bridge to create an interface for each VLAN network (where it serves as the gateway), and which has a WAN connection configured on the default (Masquerading) network in Proxmox VE to allow for outgoing traffic. I can forward ports from the Proxmox VE to the OPNsense VM, which I plan to use to expose the VPN listener.
My plan was to base the implementation on the Road Warrior (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html) configuration, generate a certificate for each internal lab network, and to use a Client-Specific override to set the VLAN which any given client's traffic should be exposed on. However, I don't see either VLAN tagging or interface assignment listed as an option in the configuration for the OpenVPN server. Is this possible? If so, how? If not, what's the next best way to approach this?
I've attached a diagram to visualize what I have in mind, if it helps to explain what I mean.
Thank you!
You cannot route traffic between overlapping subnets. The packets will never leave the router.
This sounds like a use case for an overlay network. Have a look at Tailscale.
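As an added illustration of the point made in the reply above (not code from the thread), here is a small longest-prefix-match lookup in Python showing why a single router cannot steer packets into two interfaces that carry the same prefix: the second route is simply shadowed. The prefixes and interface names are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed routing table for a single router like the OPNsense VM in the
# thread: two lab VLAN interfaces that both use 10.10.0.0/24, plus a VPN
# tunnel network. Interface names and prefixes are assumptions.
ROUTES = [
    ("10.10.0.0/24", "vlan10"),   # lab A
    ("10.10.0.0/24", "vlan20"),   # lab B, same prefix as lab A
    ("10.8.0.0/24", "ovpns1"),    # VPN tunnel clients
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix-match over a list of (prefix, interface) entries.

    Returns (chosen interface, list of equally specific matches) so the
    caller can see whether the choice was actually ambiguous.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None, []
    best_len = max(net.prefixlen for net, _ in matches)
    best = [ifname for net, ifname in matches if net.prefixlen == best_len]
    # A real forwarding table keeps only one route per prefix; "first wins"
    # mimics that, so lab B is never selected for any 10.10.0.x destination.
    return best[0], best


def ambiguous_destinations(routes=ROUTES):
    """Return the prefixes that appear on more than one interface."""
    seen = {}
    for p, ifname in routes:
        seen.setdefault(ipaddress.ip_network(p), []).append(ifname)
    return {str(net): ifs for net, ifs in seen.items() if len(ifs) > 1}
```

A VPN client asking for 10.10.0.5 therefore always lands on vlan10 regardless of which lab it was issued a certificate for; per-client pushed routes cannot change that because the router only has one forwarding table.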
Quote from: bartjsmit on April 10, 2024, 07:48:29 AM
You cannot route traffic between overlapping subnets. The packets will never leave the router.
I'm reading this in one of two ways and I don't know which is correct:
- I would not be able to route traffic between the lab networks as they have overlapping IP ranges. (This is the intended behavior.)
- The router cannot send traffic when there are overlapping subnets. (Including inbound VPN tunnel traffic?)
Quote from: bartjsmit on April 10, 2024, 07:48:29 AM
This sounds like a use case for an overlay network. Have a look at Tailscale
I do use Tailscale to mesh my personal devices already, but I'm not really sure if it's what I want here. This network setup should be transparent to the devices in the lab subnet (i.e. they have one NIC and DHCP configures everything they need, just like in a standalone basic lab network), and I don't think Tailscale can operate without putting its client on each of the devices.
Either way, if it is impossible with overlapping IP subnets, I can live with that. Would the rest of the plan outside of the overlapping subnets work?