I want to connect several LANs located on remote buildings.
The "central" site have a Linux computer running OpenVPN. Each remote site also run OpenVPN.
- the central site has a LAN numbered 192.168.0.0/24
- several remote sites are also numbered 192.168.0.0/24
- I can't/won't/don't want to/whatever modify LAN numbering
- I don't have control on most remote OpenVPNs
I then need to :
1. define virtual LANs
2. configure a 1:1 NAT for each site
3. the 1:1 NAT has to be configured on the central router
.
So each site is seen to have a 10.10.x.0/24 LAN.
When a computer want to reach, say, 192.168.0.44 on site 12, it just have to send a paquet to 10.10.12.44
Operating a VPN is not a problem for me. I currently connect 60+ sites. But I don't find a simple way to do this 1:1 NAT.
Here is an example of a packet sent from the central site to a remote site, and its response packet :
I did some tests with iptables NETMAP but I can't manage to make it work because I don't find a way to modify source+destination after routing decision.
I prefer to avoid the new --client-nat OpenVPN's feature.
Maybe I have to force routing with ip route ? Or to loop twice into the network stack with veth ?
Note : I don't want to use masquerade. Only 1/1 NAT.
EDIT :
It's not possible with a regular openVPN setup. Because a packet from a remote site is indistinguishable from a packet from another site : both have similar source and destination addresses, and both come from the same tun (or tap) interface. So it's not possible to source-NAT it.
Solution 1 : do the NAT on the remote sites. Not possible in my case. I have to do it only on the central site.
Solution 2 : setup one VPN for each remote site. So I'll have one tun for each. I think this can be ok. Not very memory efficient but ok.
Solution 3 : setup a (unencrypted) tunnel inside the VPN for each site. This will give one interface for each. Simple tunnels are are not cross-platform (to my knoledge). For example GRE or ipip or sit are ok for Linux, but some distant sites are running only one Windows computer, so openVPN is installed on it. So impossible to setup a simple tunnel. Other option is to use a more complicated tunnel (wich ?) but the overhead on the system and on the sysadmin may be bigger than having multiple VPNs
Solution 4 : compile the latest openVPN, because its include a 1:1 NAT feature. I test this this week.
