VPN Configuration to Avoid IP Conflicts

I’ve recently found the ability to configure Wireguard so that it is only utilized by my cellphone when away from home Wi-Fi, and only when accessing local network private IP addresses in the 192.168.1.xxx range.

This is awesome, because I don’t need to worry about constantly turning the VPN on and off, or exposing services to the public, so I can access them while away from home. More importantly, I can set my wife’s phone up so it is seamless when accessing something on the home network without exposing it to the public internet.

This is all great; however, when on Wi-Fi somewhere other than at home, if that network shares the same subnet, nothing will work, because it will be searching the local Wi-Fi network instead of routing through the VPN.

I’ve been reading up on this, and one solution is to change my home network from the 192.168.1.x subnet to a non-conflicting subnet. However, residential networks commonly use the 192.168.x.x range, and commercial networks commonly use the 10.x.x.x range. So it seems it could be difficult to find a subnet that wouldn’t have a conflict.

I also saw people using 1:1 NAT to somehow change the IP across the VPN, which somehow aids in avoiding conflict.

What would be the easiest way to avoid private IP conflicts while connected to Wi-Fi outside the home?

Current setup is pfSense for routing, one Wireguard tunnel, and three peers (my cell, wife’s cell, and my laptop). Behind pfSense, I have a server on which I host various entertainment applications, none of which are exposed to the public internet other than through the Wireguard VPN.

Hello,

One solution would be to set up a second profile to route all traffic through the VPN; this should avoid the conflict with network IP addressing. Moving to a different part of the 192.168.x.x network would be another: moving to something like 192.168.23.x/24 for your home network would mitigate the issue. Most people don’t reconfigure their equipment, so moving to another part of the address space solves a lot of it.

Change your internal network from the 192.168.x.x range, as this is the default on most home networks.

Use one of the RFC1918 address ranges (What is an RFC1918 Address? | NetBeez), not 192.168.x.x.

I would not worry about commercial networks, as I would guess you would not be able to connect to them if you were on site.

You can’t prevent it 100%, because you have no control over how the Wi-Fi you are connecting to is configured. However, you can significantly reduce the risk by using less frequently used subnets.

RFC 1918 defines the following address ranges as private:

10.0.0.0/8 (addresses 10.0.0.0 through 10.255.255.255 inclusive)
172.16.0.0/12 (addresses 172.16.0.0 through 172.31.255.255 inclusive)
192.168.0.0/16 (addresses 192.168.0.0 through 192.168.255.255 inclusive)

So, you could use something like e.g. 192.168.233.0/24 or 10.254.233.0/24 for your VPN clients, or something in the 172.16.0.0/12 space, which is generally less common, for both private and commercial environments.

@Night_Rider0 I’d prefer to leave my home network intact, and instead modify the VPN tunnel address.

@Paul I could be wrong, but if I were in an office building on a 10.x.x.x network, and they provided Wi-Fi, wouldn’t the Wi-Fi be in the 10.x.x.x range?

@bb77 I’d like to utilize a different network for the VPN tunnel, if that would solve it; this way I don’t need to modify all of my home network addresses. I have a few dockers running on a NAS, for which I would have to re-specify all of their addresses independently.

This may be long winded and I apologize in advance.

When I think about it more, anything I try to reach is going to be addressed in the 192.168.1.0/24 subnet. More specifically, using DNS through pfSense/HAProxy basically routes all of my docker access through my firewall address, which is on the 192.168.1.0/24 network, and HAProxy then connects to the specific docker IP.

For example, let’s say I want to connect to a server located on my network at 192.168.1.50. When on my home network Wi-Fi, my phone would send the request to 192.168.1.50.

When away from home on the cellular network, the VPN (allowed IPs 192.168.1.0/24) would catch the request to 192.168.1.50, and route it through the VPN to my home network.

When at a friend’s house on their Wi-Fi network addressed in the 192.168.1.0/24 range, the request to 192.168.1.50 will go through their Wi-Fi network ARP and never make it out of the VPN to my home network. (At least that’s what seems to happen.)

If I changed my VPN tunnel address to say 10.200.200.0/24, I’d still be sending my requests to the 192.168.1.0/24 network, so would changing my tunnel address to 10.200.200.0/24 help the situation?

OR, because the server is still located in the 192.168.1.0/24 network, would I still be stuck on the local Wi-Fi network?
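The question above (does changing only the tunnel address help, or does the home LAN itself have to move?) can be worked through with a small route-selection model. This is an added example, not code from the thread or from pfSense/WireGuard; the tie-break rule (a directly connected Wi-Fi prefix beats an equal-length AllowedIPs prefix) is an assumption that models the "local route takes preference" behaviour described here, and all subnets and the 10.77.5.0/24 replacement LAN are constructed values.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net: str) -> bool:
    """True if the whole prefix lies inside one of the RFC 1918 ranges."""
    n = ipaddress.ip_network(net, strict=False)
    return any(n.subnet_of(r) for r in RFC1918)


def choose_route(dst: str, routes: list[tuple[str, str]]) -> str:
    """Pick the egress interface for dst from (prefix, interface) pairs.
    Longest prefix wins; on an equal-length tie the connected "wifi" route
    is preferred (assumption modelling the behaviour the thread describes)."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p, strict=False), via) for p, via in routes]
    hits = [(n, via) for n, via in hits if ip in n]
    if not hits:
        return "default"          # ordinary internet traffic, stays off the VPN
    longest = max(n.prefixlen for n, _ in hits)
    best = [via for n, via in hits if n.prefixlen == longest]
    return "wifi" if "wifi" in best else best[0]


def phone_path(wifi_subnet: str, allowed_ips: str, dst: str) -> str:
    """Egress for dst on a phone joined to wifi_subnet with an on-demand
    WireGuard peer whose AllowedIPs is allowed_ips (split tunnel)."""
    return choose_route(dst, [(wifi_subnet, "wifi"), (allowed_ips, "wg0")])


def check_plan(home_lan: str, tunnel_net: str, wifi_subnets: list[str]) -> list[str]:
    """List problems with a proposed home LAN / tunnel transport pair
    against the Wi-Fi subnets the phone is expected to join."""
    home = ipaddress.ip_network(home_lan, strict=False)
    tun = ipaddress.ip_network(tunnel_net, strict=False)
    problems = []
    if not is_rfc1918(home_lan):
        problems.append(f"home LAN {home} is not RFC 1918")
    if not is_rfc1918(tunnel_net):
        problems.append(f"tunnel {tun} is not RFC 1918")
    if home.overlaps(tun):
        problems.append(f"home LAN {home} overlaps tunnel {tun}")
    for w in wifi_subnets:
        if home.overlaps(ipaddress.ip_network(w, strict=False)):
            problems.append(f"home LAN {home} collides with Wi-Fi {w}")
    return problems


if __name__ == "__main__":
    # Constructed scenario: friend's Wi-Fi also uses 192.168.1.0/24.
    print(phone_path("192.168.1.0/24", "192.168.1.0/24", "192.168.1.50"))  # wifi (stuck)
    print(phone_path("192.168.1.0/24", "10.77.5.0/24", "10.77.5.50"))      # wg0
    print(check_plan("10.77.5.0/24", "10.200.200.0/24", ["192.168.1.0/24", "10.0.0.0/8"]))
```

Changing only the tunnel transport (e.g. to 10.200.200.0/24) leaves `phone_path` unchanged because the destination and AllowedIPs are still 192.168.1.0/24; only re-addressing the LAN moves the destination out of the connected Wi-Fi prefix.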

All internal networks will conform to the RFC1918 range.

For security, companies will not allow you to connect to the main network (cable or wireless); it is far too big a security risk.

To add to the issue, a guest network may only allow certain traffic to the internet, while the rest will be blocked. The Wireguard port may be blocked.

They may allow you to connect to a guest Wi-Fi; as mentioned above, this could be any of the RFC1918 network ranges.

As wireguard uses a transport network (Interface Address, in wireguard setup), just use one at the top end of one of the RFC1918 networks and you should be fine. PFSense does the routing between the wireguard interface address and your actual lan address.

@Paul so to make sure I understand, if an office building was on a 10.0.0.0/8 network, and I connected to their (guest) WiFi network, wouldn’t my network connection be somewhere in the 10.0.0.0/8 range?

Also, if I assigned my WireGuard tunnel (and I assume interface) to the subnet 10.200.200.0/24 and address of 10.200.200.1, then I would avoid any conflict with a 192.168.1.0/24 network?

Wouldn’t DNS returning an IP in the 192 subnet cause issues?

I haven’t used Wireguard, however I do use OpenVPN on pfSense.

If you don’t use split tunneling, you can keep your same setup; all traffic can be routed via the VPN. You’d avoid the problem that you’re facing. From my limited understanding, Wireguard works more like a site-to-site VPN.

You could spin up an OpenVPN server and give it a go fairly easily.

@neogrid So I do use Wireguard as site to site. I have Wireguard configured as “on demand” on my phone. The VPN is only active when NOT connected to my home Wi-Fi, and is limited to IP addresses in the 192.168.1.0/24 range, using the “allowed IPs” field.

This way when I’m watching YouTube or browsing the internet, it’s not routing all of that traffic through the VPN.

The issue is when I attempt to access a device on my home network, I point my browser to “myserver.mydomain.com”.

I assume it sends this request to the specified DNS server, which is my pfSense (for example 192.168.1.1), which uses the domain override to return the same 192.168.1.1 address, where HAProxy is configured to accept these requests.

HAProxy then filters by host and domain, applies SSL, and forwards to the correct local IP and port (say 192.168.1.10:80) of the device on my home network I desire to connect to.

So I’m trying to figure out a way to somehow mask the IP from the current network, to avoid confusion.

Maybe I could somehow configure specific DNS requests to be forced through the VPN, instead of using IP?

I’m not totally following you, it’s probably me but this might be of help pfSense® software Configuration Recipes — Redirecting Client DNS Requests | pfSense Documentation

@neogrid So I don’t use split tunneling.

I’ll step back slightly.

Before I set the VPN up for “on demand” usage and limited the IP range, when the VPN was activated, ALL traffic would flow through the VPN.

This meant that if I watched a YouTube video on my phone, my phone would send the YouTube request to my pfSense via VPN.

pfSense would route that request out to YouTube from my home WAN.

The video would come back from YouTube to my pfSense via WAN, and get routed back through the VPN to my phone.

All internet traffic would go through the VPN and my home internet connection.

Because of this, I would selectively turn the VPN on and off when accessing things on my home network while I’m away from home. There’s no point in routing all traffic through the VPN if I’m just surfing the web or watching YouTube.

This works fine for someone who’s somewhat knowledgeable, to go into settings and toggle the VPN, but for someone like my wife, it’s too much to deal with.

To solve that problem, I utilized a Cloudflare tunnel to (as safely as I could) expose some network devices to the public internet. Now her phone would be able to connect to a public domain that is linked to my devices behind the firewall without needing the VPN.

Moving to the present…

I recently discovered you can configure the Wireguard VPN to work “on demand”.

This means you can have the VPN activate conditionally, like if you are on cellular or Wi-Fi, and even include or exclude specific Wi-Fi networks.

This solves the problem of having to turn off the VPN when at home, because you don’t need it while on your home Wi-Fi network.

But ALSO you can restrict the IP addresses routed through the VPN. So basically, if I wanted to reach a device on my home network in the 192.168.1.0/24 subnet, I can enter that subnet into the VPN, and ONLY that subnet will route through the VPN. Anything outside that subnet will go through the Wi-Fi or cellular connection as normal.

NOW the VPN can just stay “on”, and it will ONLY be used when connecting outside of home Wi-Fi, when accessing a device in the home network.

However, this doesn’t change that when you are on, say, a friend’s Wi-Fi connection that uses the 192.168.1.0/24 subnet, the requests get stuck in their network, because it is now resolvable locally. Instead of those requests being directed to the VPN, the request is picked up by the Wi-Fi router and will get “stuck”.

Since my home network is in the super common 192.168.1.0/24 subnet, I can’t reach my home network even when the VPN is activated, because the VPN is attempting to find my home network on my friend’s Wi-Fi router that my phone is connected to.

Sorry if that was long winded.

It’s entirely possible that I have some of this wrong. I’m definitely not a networking professional. But at least it seems to be the general gist of what is going on.

If you route all traffic through the VPN, the DNS server on the pfSense or another one in your home network should be used. You can specify a DNS server in the Wireguard config. Afaik, this should work if the VPN network is on a different subnet than the one you are connecting from, but I am not 100% sure. If not, try changing your home network to something other than 192.168.1.0/24.

Ok I see your dilemma.

The way this is solved between two networks sharing the same subnets with site-to-site OpenVPN is to manipulate NAT at both sites. You can’t do this in your scenario on the remote network at least.

However, I’ve always thought that if you route ALL traffic through the VPN you should be able to reach devices on your home network; a quick search indicates many people cannot. I can’t work out how the device will reach, say, 192.168.1.5 if it exists on both networks.

I doubt there is an elegant solution to your problem using any type of VPN.

Unless someone else has a better suggestion, you will need to change your network to a different subnet or address range.

In openVPN you can have a tap connection, which acts as if it is on the same network, however, I have no idea if this will work.

Personally I use vlans, with several OpenVPN connections using different subnets so I haven’t come across this problem as I also don’t use the 192.168.1.x subnet for anything on my home network.

@bb77 Yes, I have the DNS server IP entered in for my pfSense, but it still didn’t work.

@neogrid Yeah, it’s somewhat annoying. From what I have read, if you are connected to a network and send a request to something on that subnet, it gets routed locally, as the best (in this case local) route takes preference.

I created a second tunnel in the 10.0.0.0/8 subnet, and next time I’m at a friend’s house I’m going to test and see if that makes a difference. I’m not sure if it will or not, because the DNS is going to still return IPs on the local range. But maybe because it’s connecting to the VPN in a different subnet it will work.

@Paul I’m still curious if you could expand on your last remarks about Wireguard’s transport network, and how that affects IP conflicts in this case. Maybe it’s possible there is something in the configuration that I’m missing that would solve this issue.

Otherwise I think there really isn’t much other answer than to readdress my home network.

I had the same issue. I changed my home address to 192.168.131.x/24 and it has worked fine ever since. Problem easily solved.

Don’t overthink it.

@jeff3820 Yeah, I’m thinking this is the only real solution.

If I were you (and I was) I’d start using vlans, keep your 192.168.1.x as your LAN, don’t use it for anything except perhaps if you need to directly access pfSense, then just setup a couple of vlans, ISP, VPN, GUEST.

You can then setup as many OpenVPN servers as you like, but the handy thing that you can do is set them up so that they either exit out of your ISP or your paid-for VPN service.

Consider something in the 172 range and do not use a 0 or 5 in the 3rd octet for your LAN.

@neogrid I’ve readdressed to the 10/8 range, well, a /24 subnet within it. This should solve all of the issues.

I currently use VLANs to segment the network for some devices. But the main issue was the conflict of the main LAN address.

@ChessMcK I was considering the 172 range, but I went with a /24 within the 10/8 range.

I don’t think there is any simple workaround other than a subnet change to avoid the conflict.