
As part of my work I connect to a VPN that uses the 192.168.1.* address range on the remote network. Often I connect from public WiFi hotspots whose configuration I rarely have control over. The hotspots are not within the organization. They are public hotspots, in coffee shops, hotels, etc.

The problem I have is that sometimes the WiFi hotspot uses the same 192.168.1.* address range.

Usually my solution is to pull out my phone and use its portable hotspot, but that can get pricey, especially if I'm roaming.

To avoid using my phone, I bought a travel router and configured it to provide a private subnet with IP address range 192.168.2.* so even if the greater WiFi hotspot was 192.168.1.*, I would avoid a conflict.

Even after I changed the IP address range for the router to 192.168.2.* the conflict still seemed to be happening. Perhaps the network that my subnet was a part of (192.168.1.*), was still conflicting with the VPN somehow? I'm not sure. And I could not find any resources on the Internet to help me with this specific problem.

I have since lost that router and I'm looking to replace it. But before I do, I want to be sure that I am able to fix my VPN address conflict problem.

How can I connect to a VPN that uses the same IP address range as the local network I'm connecting from?

EDIT:

  • I am using a Mac.
  • I'm using the org-provided VPN client, SonicWall Mobile Client.
  • I'm not sure which IP address exactly is causing the conflict. There are a bunch of 192.168.1.* addresses in the organization. How can I find that out?
  • I cannot request that my org change their VPN range to something more obscure.
  • The VPN subnet mask is 255.255.255.0
  • I do not access the internet through the VPN.
  • I have not ever been able to access any of the resources I need on the VPN network during a conflict, but it is possible perhaps that there are resources that are still accessible that I didn't know about or test.
fixer1234

3 Answers


TL;DR

Use a travel router. Configure it to assign your laptop an IP address in the IP subnetwork 10.15.15.0/24. Also, make sure the DHCP lease it hands out specifies itself as the DNS server.


Nothing Works™ when a device has two network interfaces connected to overlapping IP subnetworks

When connected to a VPN your computer has two network interfaces:

  1. Wi-Fi adapter
  2. VPN adapter

The problem you're experiencing is caused by both of these interfaces claiming they are the correct destination for the 192.168.1.0/24 IP subnetwork. In a typical configuration, the interface with the lowest interface metric (usually the one with the highest bandwidth) will win the tie and get the traffic. That means traffic you want to be sent through the VPN adapter is actually getting sent to the Wi-Fi adapter.

There are cases where it's fine to have two interfaces pointing to the same network. For example, a laptop that's connected to a certain network via wired and wireless interfaces is one such configuration. However, in this case the destination network is the same regardless of which network adapter is used to access it, so things work fine.

The travel router is a good idea

If you're able to connect your Wi-Fi adapter to any IP subnetwork other than that used by your VPN's remote network, you'll avoid the problem described above. Note that this new network cannot overlap the VPN network in any way, i.e. 192.168.0.0/16 won't work since that includes the 192.168.1.0/24 range. Fortunately you can control this by configuring the travel router's local IP subnetwork settings to be something like 10.15.15.0/24. It should go without saying, but it's important that the travel router's WAN interface be connected to the Wi-Fi hotspot, otherwise your laptop will still end up communicating directly with the 192.168.1.0/24 subnetwork.

When connected to your travel router your Wi-Fi interface should have an IP such as 10.15.15.2/24. Therefore connections to IP addresses in the 192.168.1.0/24 network will go directly to the VPN adapter because your laptop has no clue what network range exists on the WAN interface side of your travel router.

One last requirement is that your travel router configure your laptop to use itself as the DNS server. The router should pass on DNS requests to the Wi-Fi hotspot's DNS servers. If you don't do this, your laptop might get a DNS server like 192.168.1.1. As explained before, while on the VPN your laptop would expect to find this in the VPN's network, resulting in DNS requests not being properly resolved.


If you can narrow down the IP addresses in 192.168.1.x that you want to reach through the VPN, you can add host routes on your laptop to point 'into the tunnel'. This works as long as the local gateway address is not conflicting with something inside your VPN - e.g. if your local/Wifi gateway is 192.168.1.1, you won't be able to reach something with the same address inside your VPN.

Your mobile router should have worked, as long as you don't need to access anything else (incl. local DNS server) in the Wifi network. Next time you are using one, run netstat -nr and check what gateway and interface routes for 192.168.1.0 are pointing to.

sborsky
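As an added example, not part of any answer on this page: a Python script that parses macOS-style `netstat -nr` output (the sample below and its interface names are constructed, not captured from the poster's machine) and reports which interfaces hold routes overlapping the VPN range. Two interfaces in the result is exactly the two-adapter conflict the first answer describes, and it is what to look for when running the `netstat -nr` check the second answer suggests.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of the IPv4 section of macOS `netstat -nr`: Wi-Fi (en0)
# sits on 192.168.1.0/24 and the VPN tunnel (utun4) claims the same range.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGScg          en0
127                127.0.0.1          UCS            lo0
192.168.1          link#6             UCS            en0      !
192.168.1.1/32     link#6             UCS            en0      !
192.168.1          link#20            UCS          utun4
"""


def expand_dest(dest):
    """macOS abbreviates destinations: '192.168.1' means 192.168.1.0/24 and
    '127' means 127.0.0.0/8 (8 prefix bits per printed octet) unless an
    explicit /prefix is given."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if plen == "":
        plen = str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def routes_overlapping(netstat_text, vpn_net):
    """Map interface -> list of route destinations that overlap vpn_net,
    ignoring the default route (it overlaps everything by design)."""
    vpn = ipaddress.ip_network(vpn_net)
    hits = defaultdict(list)
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] in ("Destination", "default"):
            continue
        try:
            net = expand_dest(cols[0])
        except ValueError:
            continue  # header text or an IPv6 destination, not IPv4
        if net.overlaps(vpn):
            hits[cols[3]].append(str(net))
    return dict(hits)


def conflicting_interfaces(netstat_text, vpn_net):
    """Interfaces competing for the VPN range; more than one is the conflict."""
    return sorted(routes_overlapping(netstat_text, vpn_net))
```

Feed it real output with `subprocess.run(["netstat", "-nr"], capture_output=True, text=True).stdout`; a hotspot handing out 192.168.0.0/16 shows up as a conflict too, which is the overlap point the first answer makes about the travel router's own range.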

You have not advised what type of VPN you are using. If you are not using OpenVPN, the problem could be in network address translation.

You might be better off using a more obscure subnet - like 172.18.0.0/24 (This is in the range 172.16.0.0 - 172.31.255.255 which is a less well known block), or even bend the rules a little by using 100.64.0.0/24 (which is reserved for Carrier Grade NAT).

One issue you might be having with using 192.168.2.x is that your providers might be using 192.168.0.0/16, which includes 192.168.2.x. It's also possible (but unlikely) that your old device was seeing 192.168 as being RFC1918 space and not using network address translation.

A third possibility is that the hotspot is limiting traffic to web traffic or common ports (maybe in a bid to stop torrenting?). If this is the case you would need to run the OpenVPN server on port 443 [and, of course, only open it up after you have logged into the WiFi if required].

davidgo