VPN IP range best practice?

What is considered best practice for selecting the VPN IP range?

  • flat with LAN
  • unique IP range
  • unique IP range, but NAT to LAN
  • others?

I’ve seen some devices which don’t respond to requests from outside of their subnet, preventing access to clients on VPN. I’ve also had some issues where devices on the LAN happened to use the VPN range for other services locally (e.g. Docker networks), also preventing access to clients on VPN.

No device would have issues responding to subnets outside its own range unless there’s a configuration issue on one or more routers in the mix not having a route to that subnet. I use dedicated private IP ranges all over for VPN subnets; it simply depends on what the business requirement is. I typically use something in the 172.16.x.x range, and the size, again, depends on the business requirements and how many anticipated VPN users. Always use a unique range that isn’t being used for other purposes in the business. I always use OSPF for routing, so I just look at the routing table and my own notes for the location or business I am working with.

I also have never used NAT for internal routing at all; it just causes issues. If businesses are merging, it’s best to just re-IP one or more of the locations so they’re unique.

Do whatever you like, but maybe now is the time to move from using a /24 for your whole site to a /23 or /22.

Then you can use a /24 for the VPN, another /24 for your LAN, and the rest of your routing rules will be much easier, especially if you are doing site-to-site.

IPsec and OpenVPN (unless doing TAP) need to be on a unique subnet. You can choose anything that isn’t in use in your network already within the RFC 1918 spec for IPv4, or any unused IPv6 subnet.

If you need cross-network discovery for things like Bonjour, Avahi can help with that.
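The "pick a range that isn’t already in use" advice above is easy to get wrong by hand once Docker bridges and branch-site subnets are in the mix. The following is an added example, not code from any poster: it checks a candidate VPN subnet against a constructed inventory of in-use subnets (the `IN_USE` values are made up), confirms it is RFC 1918, and finds the first free /24 in 172.16.0.0/12 so the VPN range cannot collide with the LAN or a local Docker network.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory for the example: replace with the real site subnets.
IN_USE: Dict[str, str] = {
    "LAN": "192.168.1.0/24",
    "docker0": "172.17.0.0/16",          # default Docker bridge range
    "site-to-site (branch)": "10.20.0.0/16",
}

# RFC 1918 private IPv4 blocks a VPN range should be drawn from.
RFC1918 = [ipaddress.ip_network(b) for b in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def overlaps(candidate: str, in_use: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, subnet) pairs from in_use that overlap the candidate range."""
    cand = ipaddress.ip_network(candidate, strict=False)  # host bits are masked off
    return [(name, net) for name, net in in_use.items()
            if cand.overlaps(ipaddress.ip_network(net))]


def is_private(candidate: str) -> bool:
    """True if the candidate lies entirely inside one RFC 1918 block."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return any(cand.subnet_of(block) for block in RFC1918)


def first_free_subnet(in_use: Dict[str, str], prefix: int = 24,
                      pool: str = "172.16.0.0/12") -> str:
    """Walk the pool in /prefix steps and return the first subnet that collides with nothing."""
    for net in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not overlaps(str(net), in_use):
            return str(net)
    raise ValueError(f"no free /{prefix} left in {pool}")


if __name__ == "__main__":
    for proposal in ("172.17.5.0/24", "10.8.0.0/24", "203.0.113.0/24"):
        clash = overlaps(proposal, IN_USE)
        print(f"{proposal}: private={is_private(proposal)} overlaps={clash}")
    print("first free /24 for the VPN:", first_free_subnet(IN_USE))
```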

Seems like the most common practice; just thought it was worth asking given the (manageable) downsides I’ve seen.

I have an AP router that I can’t access the web GUI of from the VPN range. I think by design it rejects requests from outside of its subnet.

If this is a wireless router you’re referring to, then yes, by default it would block inbound requests from the WAN port. I don’t use these in any business setting. I use dedicated wireless APs, managed switches, etc., along with pfSense for routing and firewall.

Using wireless routers will likely lead to issues later on, hence using dedicated hardware built for this purpose.

It’s a router in AP mode. It’s definitely subnet related, not port related, as access from the LAN is via the same port. Yeah, good advice all around.