Wireguard - Local & Destination Network Same IP Range

Started by Deku2, February 24, 2022, 09:04:23 PM

Setting up Wireguard and having a routing issue I suspect.  We unfortunately used a common 192.168.1.0 address scheme in our office, but most home networks use a similar IP subnet.  I have the WG network on 10.10.10.0, but can't seem to route out of the VPN to the local or external network on the destination.  Is there any way to make this work with some type of 10.10.10.0 NAT?   I'd rather not have to readdress the entire office to allow a few people to VPN in.

There is no way around this. Every host will always use the local IP subnet before any routes.

You will need to change the IP range for the office or get your VPN users to change their home networks.

Bart...

February 25, 2022, 08:36:56 AM #2 Last Edit: February 25, 2022, 08:40:04 AM by pmhausen
Quote from: bartjsmit on February 25, 2022, 07:43:07 AM
There is no way around this. Every host will always use the local IP subnet before any routes.
Mostly but not entirely correct. If the local subnet is a typical /24, a single /32 host route will override that. So, while it's not pretty, you can

- if the VPN users need to access only one or a few hosts (e.g. Citrix)
- tell the users to make sure these addresses are not part of their dynamic DHCP pool
- set host routes for all of these hosts in the users' wireguard configs
- the VPN users will use the tunnel address to connect, so you don't need to get fancy with NAT at the office

Alternatively, depending on which services need to be accessed:

- set up a remote access solution like Apache Guacamole (can do SSH, Telnet, RDP, VNC)
- use inbound NAT (port-forwarding) on the wireguard interface at the office to access that host
- let users activate a supposedly secure VPN connection and use Guacamole in a browser to access services

Third, least pretty and most error prone but if it works most transparent to users:

- set up an alternate subnet on some interface with a sufficient number of alias addresses
- set up wireguard to access these
- again use port-forwarding to redirect to your servers

I have not implemented the last option and would need to experiment if you can put the alias addresses on the wireguard interface (which would be the most sane and manageable way) or if you need another interface for that.

HTH,
Patrick

P.S. @bartjsmit I've seen things you people wouldn't believe ... Attack ships on fire off the shoulder of Orion ... er, no. I have seen enterprise setups with identical (10/8) networks on both sides, double NAT with DNS translation and Windows domain trusts across that. Not pretty ;) And not possible with just OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
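
As an added illustration of the /32-beats-/24 point in the post above (this is not Patrick's code nor anything from OPNsense or WireGuard; the office host addresses, interface names and DHCP pool are assumed sample values): a small Python model of a remote user's routing table that shows which destinations go into the tunnel and which office addresses would collide with the home DHCP pool.

```python
from ipaddress import ip_address, ip_network

# Constructed scenario: home LAN and office LAN both use 192.168.1.0/24,
# the WireGuard tunnel subnet is 10.10.10.0/24 (as in the thread).
HOME_LAN = ip_network("192.168.1.0/24")
WG_NET = ip_network("10.10.10.0/24")
# Office hosts the user must reach (assumed values, e.g. a Citrix server and a file server).
OFFICE_HOSTS = ["192.168.1.50", "192.168.1.60"]


def build_routes(office_hosts):
    """Routing table of the user's laptop as (prefix, interface) pairs."""
    routes = [
        (ip_network("0.0.0.0/0"), "eth0"),  # default route via the home router
        (HOME_LAN, "eth0"),                 # connected home LAN, /24
        (WG_NET, "wg0"),                    # tunnel subnet
    ]
    # One /32 host route per office host, installed by wg-quick from AllowedIPs.
    # A /32 is more specific than the connected /24, so it wins the lookup.
    routes += [(ip_network(f"{h}/32"), "wg0") for h in office_hosts]
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the same decision the host's kernel makes."""
    dst = ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def allowed_ips(office_hosts):
    """AllowedIPs line for the user's [Peer] section: tunnel net plus host routes."""
    return "AllowedIPs = " + ", ".join([str(WG_NET)] + [f"{h}/32" for h in office_hosts])


def conflicts_with_dhcp_pool(office_hosts, home_pool):
    """Office addresses inside the home DHCP range (start, end). A home device
    that gets one of these becomes unreachable locally, because the /32 host
    route sends that address into the tunnel; keep them out of the pool."""
    lo, hi = map(ip_address, home_pool)
    return [h for h in office_hosts if lo <= ip_address(h) <= hi]


if __name__ == "__main__":
    routes = build_routes(OFFICE_HOSTS)
    print(lookup(routes, "192.168.1.50"))  # wg0: office server via the tunnel
    print(lookup(routes, "192.168.1.1"))   # eth0: home router stays local
    print(allowed_ips(OFFICE_HOSTS))
    print(conflicts_with_dhcp_pool(OFFICE_HOSTS, ("192.168.1.55", "192.168.1.199")))
```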

Thanks Patrick, I bow to your superior knowledge  8)

We had WFH users change their home subnets a few decades ago in a previous gig, but that was a bunch of techies.

An even uglier setup would be VMs on the remote users' workstations that only connect to the tunnel and don't see the local subnet  ???

Sorry Jeff, I would apply the KISS principle  ;)

Bart...

Thank you both for the comments!  I'll have to think about which option would work best for us. 👍