OpenVPN bridge config

2 offices, 2 networks (same IP range)
2 NethServers as gw

I want to connect the networks so users can work as if it were a single LAN.
This is my current situation:

LAN1: 192.168.10.x/24 gw .254
LAN2: 192.168.10.x/24 gw .254

How can I configure a VPN (and the second NS), to bridge LAN1 & LAN2?

And, eventually, also to bridge a second IP range (192.168.20.x)?

Thanks, P.

P.S.: I know that routing is better, but I need this at the moment :frowning:

Hi

IMHO, I really don't think that this will work.
It would be much less work to adapt one LAN to a different IP range and use routing.

and:

This is not possible, as when using bridge, one LAN will not have a gateway, but a bridge.
The LAN as such can only have one default gateway. (True, there can be several other "internal" gateways, but only one default!).

NethServer doesn't support OpenVPN bridging on a site2site network.
It may be possible to add in a pile of customised scripts, for this to work - and it will likely never be as stable as it should.
In the end you'll mostly be passing broadcast storms - not actual data packets...

I really suggest to rethink this and redo the network (On whichever side is smaller!).

My 2 cents
Andy

I know your opinion (by previous similar posts), and I agree with you, but I think the bridge is my better option:
I have to migrate a firm from one place to another.
They can't stop all activities for a couple of weeks and then restart in the new place, so we need to migrate PCs, servers, devices, ... a few pieces at a time.
Many devices or old software have IPs "hard-coded" into their configuration and they can't be changed easily.
I think the migration will last some weeks, maybe 2-3 months.

Obviously I described the current situation :wink:

There isn't a "smaller" network; there is a slow full migration from one network to the other.
I was thinking of using a couple of SoftEther VMs or installing SoftEther on a Proxmox server that I have in both places.
What about this or a similar solution?

Thanks, P.

@PaulVM

Hi

I had to do something similar 20 years ago:

A large financial institute bought another.

Both institutions used - purely by chance - the exact same IP range; even though this was an unusual range, so the fact that they used the same network was like winning the lotto.
The network was something like 172.17.111.0/24 (on both sides).

Licensed software, also services like Bloomberg / Reuters, prohibited changing IPs...

I had to connect both networks. :frowning:
At the time, this was a BIG headache.

I used a somewhat tricky solution: A 2-way 1:1 NAT, essentially mapping every IP in 172.17.111.0/24 to a corresponding IP in the 172.17.112.0/24 subnet. From then on, an IPsec VPN from
172.17.111.0/24 <-> 172.17.112.0/24 did the trick.
IP routing made all hosts available to the other side.

From then on (working VPN between the 2 networks) we then secured both networks from each other...

As in some game tips: "There be dragons here"... :slight_smile:

I'm glad it worked, and it then stayed stable long enough until a real integration (new IP range) was possible.

My 2 cents
Andy

PS: An issue with "bridging" is often forgotten:
Quite often, IPs are used on both sides, often enough exactly those that can't be changed. Watch out for IP conflicts! (Same IP used on both sides).

SoftEther sounds interesting, I've never heard about it. However, there are quite a few security "gotchas" here, besides language issues. I absolutely don't need Chinese or Japanese for my clients. I'd need German or French. Chinese or Japanese characters would make my clients freak out... :slight_smile:
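Andy's 2-way 1:1 NAT scheme worked through, as an added example that is not code from this thread or from NethServer. The post names only the shadow prefix 172.17.112.0/24 under which the second site is shown to the first; since the real prefix is the same on both sides, the first site also needs a non-overlapping face for the second site's hosts to send to, so the example assumes 172.17.113.0/24 for that direction. It further assumes Linux gateways with netfilter's NETMAP target, a route-based tunnel interface (`vti0`, a hypothetical name), and the host inventories at the bottom are constructed. The script computes the address translation NETMAP performs, emits the two NAT rules each gateway needs, and lists the addresses that would collide under a plain bridge (the PS above).

```python
"""Two-sided 1:1 NAT (netfilter NETMAP) for joining two sites with the same prefix.

Added example, not from the forum thread. Assumptions (not in the post):
  * both gateways run Linux/netfilter; rules are emitted in iptables syntax
  * the VPN is a route-based tunnel interface (vti0); see note on policy-based IPsec
  * site A is shown to site B as 172.17.113.0/24 (the post names only 172.17.112.0/24,
    the prefix under which site B is shown to site A)
"""
import ipaddress
from typing import Iterable, List

REAL = "172.17.111.0/24"      # prefix both sites really use (from the post)
SHADOW_B = "172.17.112.0/24"  # how site A's hosts address site B (from the post)
SHADOW_A = "172.17.113.0/24"  # how site B's hosts address site A (assumption)


def netmap(addr: str, src_net: str, dst_net: str) -> ipaddress.IPv4Address:
    """Map addr from src_net to the address with the same host offset in dst_net.

    This is what the NETMAP target does: the network bits are replaced and the
    host bits are kept, so 172.17.111.42 becomes 172.17.112.42.
    """
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs two prefixes of the same length")
    a = ipaddress.ip_address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_bits = int(a) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + host_bits)


def site_rules(real: str, own_shadow: str, remote_shadow: str, tunnel_if: str) -> List[str]:
    """iptables nat rules for ONE gateway.

    Inbound from the tunnel: packets addressed to our shadow prefix are DNATed
    to the real prefix.  Outbound towards the remote shadow prefix: our real
    source addresses are SNATed to our shadow prefix.  Conntrack reverses both
    translations for replies, so two NAT rules per site are enough.  The route
    makes sure the remote shadow prefix is only ever reached via the tunnel.
    """
    return [
        f"iptables -t nat -A PREROUTING -i {tunnel_if} -d {own_shadow} "
        f"-j NETMAP --to {real}",
        f"iptables -t nat -A POSTROUTING -o {tunnel_if} -s {real} -d {remote_shadow} "
        f"-j NETMAP --to {own_shadow}",
        f"ip route add {remote_shadow} dev {tunnel_if}",
    ]


def find_conflicts(side_a: Iterable[str], side_b: Iterable[str]) -> List[str]:
    """Addresses present on both sides.

    With a plain bridge these hosts would fight over the same IP; with the
    NETMAP scheme they stay apart, because each side only ever sees the other
    under its shadow prefix.
    """
    return sorted(set(side_a) & set(side_b), key=ipaddress.ip_address)


if __name__ == "__main__":
    # Constructed inventories (not from the post): both sites use .10 and .254.
    a_hosts = ["172.17.111.10", "172.17.111.20", "172.17.111.254"]
    b_hosts = ["172.17.111.10", "172.17.111.30", "172.17.111.254"]
    print("would collide if bridged:", find_conflicts(a_hosts, b_hosts))
    print("B's 172.17.111.10 as seen from A:", netmap("172.17.111.10", REAL, SHADOW_B))
    print("A's 172.17.111.10 as seen from B:", netmap("172.17.111.10", REAL, SHADOW_A))
    for site, own, remote in (("A", SHADOW_A, SHADOW_B), ("B", SHADOW_B, SHADOW_A)):
        print(f"# gateway {site} (tunnel carries {own} <-> {remote})")
        for rule in site_rules(REAL, own, remote, "vti0"):
            print(rule)
```

On the wire the tunnel then carries 172.17.113.0/24 <-> 172.17.112.0/24, so the IPsec traffic selectors are written for the two shadow prefixes, not for the real one. With policy-based IPsec (no tunnel interface) the `-i`/`-o` matches and the `ip route` line go away, and the selector lookup happens against the pre-SNAT source address, which is the usual reason such setups "almost" work; a route-based interface avoids that ordering problem. Also remember that any name service (DNS, hosts files) consulted by site A's hosts must hand out 172.17.112.x names for site B's machines.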

This IMVHO is the biggest trouble with bridging without a 2-way 1:1 NAT.
Next one is the inexplicable amount of noise due to broadcast.

Once I had a "similar" problem. I was not able to solve it, I simply... deleted the problem.
Which is, IMVHO @PaulVM, a better solution.
