Asus openvpn same subnet local/remote workaround?

[neednetworking]

I am wondering if someone can tell me how to setup a subnet alias/masq/translation/forwarding/mapped (not sure of the correct term) on the asus firewall.

Here is the scenario
asus stock firmware, openvpn server, workplace subnet is stuck at 192.168.1.x
vpn/rdc works great for remote workers with anything but the same subnet at home
for home users with the same subnet as the workplace (192.168.1.x) they can connect to vpn, but of course can't rdc to their desktop.

Restrictions:
I don't have permission to renumber the workplace subnet
I could try renumber the home subnet, but this is less desirable because this will come up again when traveling, etc

Desired solution:
Setup an alias subnet. Using other better/higher end firewalls, I was able to setup an "alias" subnet. I don't know how to do this with asus. Basically I need the vpn client to rdc to 192.168.88.x and it get translated after going over vpn to 192.168.1.x, and vice versa. If an alias/forwarding subnet isn't possible, maybe I could setup an alias/forwarder for just one ip?

Thanks!

(sorry I posted both here and in the asus open vpn thread. I don't know which is the preferred place to post)

 

[neednetworking]

bump. Hoping some one has an idea. Maybe some route command?

 

[neednetworking]

I found this over at serverfault from another poster. It looks related. but I don’t fully understand if all these commands should be placed in the asus openvpn config window, or if some should be placed elsewhere. I am not using the dns over the vpn. Just need basic port access for rdp/rdc to an ip. Would I enter the 3 top commands into the vpn config box, do you think? Or do you think these commands are at the client???? Would be nice if the setup was at the firewall so the clients no matter what or where would work.

----------------
“

In my opinion, NETMAP is actually a pretty valid way of making sure that networks won't collide. Many routers use the same private address space and sometimes there's just no way of changing a setup for a network you don't own (e.g. in an internet café, public WLAN). Yes, you could change your own network to use a rather uncommon address space, but some providers distribute locked-down equipment with no way of changing that, which would require you to add more network gear. Oh, and sometimes it's just very convenient to type 10.0.0.x instead of e.g. 192.168.214.x.

TL;DR: While not advisable in professional setups, NETMAP might come in handy.

Here's an example that allows me to use 10.0.0.x on both sides and still connect via OpenVPN. Instead of pushing the real route to clients, you use an uncommon subnet:

OpenVPN

push "route 10.11.12.0 255.255.255.0"

NETMAP

iptables -t nat -A PREROUTING -d 10.11.12.0/24 -j NETMAP --to 10.0.0.0/24

Source NAT (assuming you're using OpenVPN's default 10.8.0.0/24 subnet)

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source PUBLICIP

This works pretty well, even with default gateway replacement. It might get messy if you're using your own DNS:

push "dhcp-option DNS 10.11.12.1"

That's because though you'll be able to reach the DNS server (which is on 10.0.0.1), it returns addresses based on it's subnet, not the NETMAPed one. There might be ways around that. I'm thinking of BIND's views, e.g., no idea whether Samba is capable of something like that.

“__________________

 

[neednetworking]

I also found these related links. But I am not quite knowledgeable how to put it altogether to work. It looks like it should, but need direction on which actual commands to type into the asus openvpn custom configuration window

https://forums.openvpn.net/viewtopic.php?t=21311
http://www.nimlabs.org/dirtynat.html
https://serverfault.com/questions/4...unnel-when-both-lans-have-the-same-addressing
http://tech.snathan.org/tech/pptp_vpn_routing#vpn_into_a_network_with_same_ip_range