Wireguard - Local & Destination Network Same IP Range

[Deku2]

Setting up Wireguard and having a routing issue I suspect.  We unfortunately used a common 192.168.1.0 address scheme in our office, but most home networks use a similar IP subnet.  I have the WG network on 10.10.10.0, but can't seem to route out of the VPN to the local or external network on the destination.  Is there any way to make this work with some type of 10.10.10.0 NAT?   I rather not have to readdress the entire office to allow a few people to VPN in.

[bartjsmit]

There is no way around this. Every host will always use the local IP subnet before any routes.

You will need to change the IP range for the office or get your VPN users to change their home networks.

Bart...

[Patrick M. Hausen]

There is no way around this. Every host will always use the local IP subnet before any routes.

Mostly but not entirely correct. If the local subnet is a typical /24 a single /32 host route will override that. So, while it's not pretty you can

- if the VPN users need to access only one or a few hosts (e.g.) Citrix
- tell the users to make sure these addresses are not part of their dynamic DHCP pool
- set host routes for all of these hosts in the users' wireguard configs
- the VPN users will use the tunnel address to connect, so you don't need to get fancy with NAT at the office

Alternatively, depending on which services need to be accessed:

- set up a remote access solution like Apache Guacamole (can do SSH, Telnet, RDP, VNC)
- use inbound NAT (port-forwarding) on the wireguard interface at the office to access that host
- let users activate a supposedly secure VPN connection and use Guacamole in a browser to access services

Third, least pretty and most error prone but if it works most transparent to users:

- set up an alternate subnet on some interface with a sufficient number of alias adresses
- set up wireguard to access these
- again use port-forwarding to redirect to your servers

I have not implemented the last option and would need to experiment if you can put the alias addresses on the wireguard interface (which would be the most sane and manageable way) or if you need another interface for that.

HTH,
Patrick

P.S. @bartjsmit I've seen things you people wouldn't believe ... Attack ships on fire off the shoulder of Orion ... er, no. I have seen enterprise setups with identical (10/8) networks on both sides, double NAT with DNS translation and Windows domain trusts across that. Not pretty And not possible with just OPNsense.

[bartjsmit]

Thanks Patrick, I bow to your superior knowledge 

We had WFH users change their home subnets a few decades ago in a previous gig, but that was a bunch of techies.

An even uglier setup would be VM's on the remote users' workstations that only connect to the tunnel and don't see the local subnet 

Sorry Jeff, I would apply the KISS principle 

Bart...

[Deku2]

Thank you both for the comments!  I'll have to think about which option would work best for us. 👍