What's new

Asus openvpn same subnet local/remote workaround?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!


Occasional Visitor
I am wondering if someone can tell me how to setup a subnet alias/masq/translation/forwarding/mapped (not sure of the correct term) on the asus firewall.

Here is the scenario
asus stock firmware, openvpn server, workplace subnet is stuck at 192.168.1.x
vpn/rdc works great for remote workers with anything but the same subnet at home
for home users with the same subnet as the workplace (192.168.1.x) they can connect to vpn, but of course can't rdc to their desktop.

I don't have permission to renumber the workplace subnet
I could try renumber the home subnet, but this is less desirable because this will come up again when traveling, etc

Desired solution:
Setup an alias subnet. Using other better/higher end firewalls, I was able to setup an "alias" subnet. I don't know how to do this with asus. Basically I need the vpn client to rdc to 192.168.88.x and it get translated after going over vpn to 192.168.1.x, and vice versa. If an alias/forwarding subnet isn't possible, maybe I could setup an alias/forwarder for just one ip?


(sorry I posted both here and in the asus open vpn thread. I don't know which is the preferred place to post)
I found this over at serverfault from another poster. It looks related. but I don’t fully understand if all these commands should be placed in the asus openvpn config window, or if some should be placed elsewhere. I am not using the dns over the vpn. Just need basic port access for rdp/rdc to an ip. Would I enter the 3 top commands into the vpn config box, do you think? Or do you think these commands are at the client???? Would be nice if the setup was at the firewall so the clients no matter what or where would work.


In my opinion, NETMAP is actually a pretty valid way of making sure that networks won't collide. Many routers use the same private address space and sometimes there's just no way of changing a setup for a network you don't own (e.g. in an internet café, public WLAN). Yes, you could change your own network to use a rather uncommon address space, but some providers distribute locked-down equipment with no way of changing that, which would require you to add more network gear. Oh, and sometimes it's just very convenient to type 10.0.0.x instead of e.g. 192.168.214.x.

TL;DR: While not advisable in professional setups, NETMAP might come in handy.

Here's an example that allows me to use 10.0.0.x on both sides and still connect via OpenVPN. Instead of pushing the real route to clients, you use an uncommon subnet:


push "route"


iptables -t nat -A PREROUTING -d -j NETMAP --to

Source NAT (assuming you're using OpenVPN's default subnet)

iptables -t nat -A POSTROUTING -s -o eth1 -j SNAT --to-source PUBLICIP

This works pretty well, even with default gateway replacement. It might get messy if you're using your own DNS:

push "dhcp-option DNS"

That's because though you'll be able to reach the DNS server (which is on, it returns addresses based on it's subnet, not the NETMAPed one. There might be ways around that. I'm thinking of BIND's views, e.g., no idea whether Samba is capable of something like that.


Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!