OpenVPN TUN share subnet with LAN devices

Jeffrey

Hello,

I am looking to share the same subnet of my LAN network with my VPN devices. The reason being, my Netgear Arlo Ultra cameras would not stream in high resolution unless you are on the same local network, VPN would not work either and according to this post, it is possible to fool Arlo if you put VPN devices on the same subnet.

My devices:
Router: RT-AC88U
Router Firmware: 383.13
Mobile Device: iPhone 11Pro
VPN: OpenVPN TUN

Just to clarify, I have tried exploring PPTP and IPsec VPNs, PPTP is not supported by iPhones and IPsec doesn’t seem to have options to specify subnet information in the configurations. OpenVPN TAP looks like it will do the job easily but it is not supported by iPhones anymore. Looks like the only option I have left is OpenVPN TUN (please let me know if there’s a better option).

What I did was, first (first screenshot) I split the subnet into two and assigned 192.168.1.1-126 to LAN devices in the DHCP server on the router. Then in the VPN > OpenVPN > advanced settings page, I tried using VPN subnet (192.168.1.200) / Netmask (255.255.255.252) but I am getting error (second screenshot) “Conflict with the router’s DHCP IP pool: 192.168.1.2-192.168.1.126”.

Can someone please advise? I have a bit of knowledge but definitely not very good, apologies if I missed any important information.

Thanks,
Jeffrey
 

Not sure how to get around that conflict (haven’t got a chance to test it myself) but I’d say by choosing those subnet masks (.128 and .252) you have chopped up your network into 2 separate networks (subnetting). Therefore that puts your LAN and VPN devices on separate subnets. Try using the same IP and subnet mask for both? Does the standard 255.255.255.0 work?
 
I don't know why you're seeing that message*, it's possibly a validation bug. But regardless, this will never work. As @Zonkd pointed out you're still creating two different subnets (as required for a TUN interface) no matter how "similar" the number ranges are.

* Check the IP range at LAN > DHCP Server.
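
An added example, not part of any post in this thread: the address plan discussed above, checked with Python's `ipaddress` module. With the /25 LAN mask the attempted 192.168.1.200/30 range shares no addresses with the LAN subnet or the DHCP pool, yet it is still its own subnet, so neither the VPN client nor the camera treats the other as on-link; with the standard /24 mask the two ranges genuinely overlap. The camera and VPN client host addresses are constructed samples.

```python
import ipaddress as ip

# Addresses from the thread; CAMERA and VPN_CLIENT are constructed sample hosts.
LAN_25 = ip.ip_interface("192.168.1.1/255.255.255.128")   # LAN after the split
LAN_24 = ip.ip_interface("192.168.1.1/255.255.255.0")     # the standard mask
VPN_NET = ip.ip_network("192.168.1.200/255.255.255.252")  # attempted TUN subnet
DHCP_POOL = (ip.ip_address("192.168.1.2"), ip.ip_address("192.168.1.126"))
CAMERA = ip.ip_interface("192.168.1.50/25")               # constructed
VPN_CLIENT = ip.ip_interface("192.168.1.202/30")          # constructed


def on_link(iface, peer_ip):
    """True if a host configured as `iface` would reach `peer_ip` directly
    (ARP on its own segment) rather than through a router."""
    return peer_ip in iface.network


def check_plan(lan_if, vpn_net, pool):
    """Relate a LAN interface, its DHCP pool and a routed (TUN) VPN subnet."""
    pool_nets = list(ip.summarize_address_range(*pool))
    return {
        "lan": str(lan_if.network),
        "vpn": str(vpn_net),
        "vpn_hosts": [str(h) for h in vpn_net.hosts()],
        "overlaps_lan": lan_if.network.overlaps(vpn_net),
        "overlaps_pool": any(vpn_net.overlaps(n) for n in pool_nets),
    }


if __name__ == "__main__":
    for lan in (LAN_25, LAN_24):
        print(check_plan(lan, VPN_NET, DHCP_POOL))
    # Neither side treats the other as a neighbour, so traffic is routed.
    print("client sees camera on-link:", on_link(VPN_CLIENT, CAMERA.ip))
    print("camera sees client on-link:", on_link(CAMERA, VPN_CLIENT.ip))
```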
 
Thanks Zonkd. Actually I made the LAN .128 but I can't change the VPN range to anything in the 192.168.1.x range; if I tried 255.255.255.0 or anything else I am getting the same conflict error.

Got it Colin, I was just hoping even after I split the subnet in two, it would still fool my Arlo. Here's a screenshot of my LAN DHCP server. Any other ways I can work around this?
 

So I spoke to the person who posted the same issue on the Arlo forum, here's what he said:

Hi, it's a limitation in the Arlo app, which needs to have one IP in the same Wi-Fi network interface subnet. The app seems not to check the VPN network interface, and it's an Arlo choice and they will probably not fix it. It works if you are at some neighbor's, friend's or workplace that has Wi-Fi in the same subnet that you have in your home and start the VPN. I haven't tried, but internet sharing from Android or a portable router could work; iOS internet sharing gives some odd IP address range and will not work. Happy hunting!

Basically if I can get my VPN devices' addresses to also be on 192.168.1.x (same as my LAN devices) it should solve my problem.
 
I tested this and got the same conflict error. @ColinTaylor confirmed TUN won't do it. It looks like you'll need to use interface type TAP if you want all LAN and VPN clients on the same subnet. If the router supports multiple OpenVPN servers then you might configure one server as TUN for regular use and another as TAP just for checking the Arlo. Give it a go and see if it works.

Edit: Just noticed your statement about iOS not supporting TAP. That does make things tricky.
 
It's badly described, but what he's effectively saying (which we already knew) is that the app needs to be part of the same subnet that the Arlo is. What the actual IP addresses are is irrelevant. You can achieve this by using a TAP connection or (as he speculates) connecting to another device on the LAN and using that as a proxy.

Similar to his second suggestion you could do this. What this does is masquerade the incoming VPN traffic so that it appears to all be coming from the router's IP address rather than a remote network.
 
Regardless of which VPN protocol, whether it is L2TP/IPSec, PPTP or OpenVPN, you can't make a next hop over IPv4 within the network subnet range even if it has different masking (i.e. 192.168.1.1/25 -> 192.168.1.128/25). The default of OpenVPN's 10.0.1.0 (?? can't remember exactly) works, why would you want to change it?

Even the final result to the reference link you point to, OpenVPN was on a different subnet:
Credits for making all this work go to ColinTaylor.

My configuration:

192.168.8.0 - OpenVPN network
192.168.10.0 - local LAN
192.168.10.1 - the primary router (Linksys LRT214), connected to WAN
192.168.10.7 - the secondary router for serving OpenVPN (Asus RT-AC68U, firmware 384.13)
 
Thanks guys. I understand it would still be on different subnets but it seems even so, if I can get it in the same range of 192.168.1.x, then my Arlo device would be stupid enough to believe we are on the same subnet and allow me to stream in 4k.

That said, it seems to be not possible in the TUN interface and it seems to be the only option for me in the devices I own. Anyway, I guess we can close this as I do not think it is feasible.

Thanks everyone for your input anyway, much appreciated.
 
