VPN with overlapping networks

Categories: firewall

I recently needed to create a new site-to-site VPN, but there were a few challenges. First of all, the router at the new site is behind NAT and would be moved to other physical locations every now and then. I needed something that works behind NAT and initiates the connection from its side, which is when I started to think about wireguard. I have used wireguard in the past, so it wasn’t exactly new to me.

The other challenge was overlapping networks. The new site used for its network and I already had that network connected to my site, so I needed Network Address Translation to rewrite the source/destination addresses of the packets.

network diagram

Site A

LAN Network 1:
LAN Network 2:
Translated network for Site B:
Wireguard Interface:

Site B

LAN Network:
Wireguard Interface:

Here’s how it works. Without NAT, a packet from Client A ( to would arrive at Server A100 ( since network is physically connected to Router A. So how do we get the traffic to Server B100?

This is where 1:1 NAT comes in.

  1. On Router A, create a static route for network destined to an interface on Router B (Wireguard in my case).
  2. On Router B, NAT rules are created so packets destined to network get rewritten to which is physically connected at Router B. This means whenever Client A needs to communicate with Server B100, it needs to use IP instead. Read more about NAT here
Source Address | Destination Address | Rewritten Destination Address

I won’t go into details about how Wireguard works or is set up, so if you need help with that, look at the documentation HERE

Configuration Site A

Site A Wireguard configuration
Allow access to the opposite network in wireguard. Please note that I’m using as my translated network for site B

1. Wireguard interface assignment and settings

Site A Interface Assignment

Site A Interface Settings

2. Firewall Rules

Create a firewall rule that allows all traffic over the wireguard tunnel. You can always make it more strict later, once you know it’s working.
Site B Firewall Rules

3. Create a static route to Site B

Site A static Route

Configuration Site B

Allow access to the opposite network in wireguard
Site B Wireguard configuration

1. Assign wireguard to an interface

Find your wireguard network port in the dropdown list and add it as an interface.
Site B Interface Assignment

Give the interface a static IPv4 address. I’m using on Site B.
Site B Interface Settings

2. Firewall Rules

Create a firewall rule that allows all traffic over the wireguard tunnel
Site B Firewall Rules

3. Outbound NAT

Traffic destined to needs its source rewritten to an address in the network. I’m using Bitmask to keep the last portion of the address identical during translation; it makes it a lot easier when looking at firewall logs.
Site B Outbound NAT Rule

Set Outbound NAT Mode to Hybrid
Site B Outbound NAT Rule

3.1. Create a 1:1 NAT rule

Create a rule so that incoming traffic on the wireguard interface to network is translated to
Site B 1 to 1 NAT Rule

Here is an overview after the rule has been created.
Site B 1 to 1 NAT Rule
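To make the two mechanisms above concrete (the static route on Router A described under "how it works", and the Bitmask-style 1:1 NAT on Router B from step 3), here is a small added simulation of the packet path. It is example code written for this article, not configuration from the post or from any firewall product, and the addresses in it are constructed: Site A's LAN 1 is 192.168.10.0/24, the overlapping network present at both sites is 192.168.1.0/24, and 10.200.1.0/24 stands in for the translated network that Site A uses to reach Site B. The `netmap` function reproduces what the Bitmask option does: it copies the host bits of the address unchanged into the target network, so .100 stays .100 after translation.

```python
import ipaddress

# Constructed example addressing; the post's own networks are not reproduced here.
SITE_A_LAN_1 = ipaddress.ip_network("192.168.10.0/24")   # Client A lives here
SITE_A_LAN_2 = ipaddress.ip_network("192.168.1.0/24")    # Server A100 lives here (.100)
SITE_B_LAN = ipaddress.ip_network("192.168.1.0/24")      # Server B100 lives here (.100): the overlap
TRANSLATED_B = ipaddress.ip_network("10.200.1.0/24")     # how Site A addresses Site B

# Router A routing table: longest prefix wins. The static route for the translated
# network is what sends traffic into the tunnel instead of to the local LAN 2.
ROUTER_A_ROUTES = [
    (SITE_A_LAN_1, "lan1"),
    (SITE_A_LAN_2, "lan2"),
    (TRANSLATED_B, "wg0"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]


def netmap(addr, from_net, to_net):
    """1:1 NAT with host bits preserved (the 'Bitmask' behaviour).

    The network part of addr is swapped from from_net to to_net; the host part
    is copied unchanged, so the last octet stays identical in the firewall logs.
    """
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs two networks of the same size")
    host_bits = int(addr) & int(from_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)


def route_lookup(dst, routes):
    """Return the egress interface for dst using longest-prefix match."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, ifname) for net, ifname in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward_from_site_a(dst):
    """Follow a packet Client A sends to dst through Router A and Router B.

    Returns where Router A sends it and what the destination looks like after
    Router B's 1:1 NAT rule on the wireguard interface (unchanged if it never
    reaches Router B).
    """
    egress = route_lookup(dst, ROUTER_A_ROUTES)
    if egress != "wg0":
        # Delivered locally at Site A: this is the "arrives at Server A100" case.
        return {"egress": egress, "dst_after_nat": str(dst)}
    rewritten = netmap(dst, TRANSLATED_B, SITE_B_LAN)
    return {"egress": "wg0", "dst_after_nat": str(rewritten)}


def reply_from_site_b(src_real):
    """Reverse translation on the way back: Site A must see the translated
    address as the source, or the reply would look like it came from LAN 2."""
    return str(netmap(src_real, SITE_B_LAN, TRANSLATED_B))


if __name__ == "__main__":
    # Without using the translated address the packet never leaves Site A.
    print(forward_from_site_a("192.168.1.100"))   # egress lan2, Server A100
    # Using the translated address it is routed into the tunnel and rewritten.
    print(forward_from_site_a("10.200.1.100"))    # egress wg0, 192.168.1.100 at Site B
    print(reply_from_site_b("192.168.1.100"))     # 10.200.1.100 as seen by Client A
```

Running the block prints the two cases from the explanation: a packet addressed to the real 192.168.1.100 is delivered to the locally attached LAN 2 and never reaches Site B, while a packet addressed to 10.200.1.100 is routed into the tunnel and arrives at Site B's 192.168.1.100. The `ValueError` on mismatched prefix lengths reflects the requirement that a 1:1 NAT rule maps two networks of equal size.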