This thought came to me the other day but I don’t have the ability to test it, so I’ll ask. Please excuse me if i don’t use the right networking terminology.
I have a homelab with some services exposed to the internet through cloudflare tunnels, and some other devices that are only accessible from the network. If I’m out of the house, like at work, and I want to connect to one of those local-only services, I fire up wireguard, connect to my home network, and i can navigate directly to my home-local services from my workplace network. All I need to do is navigate to the same local URL I’d use at home, something like 192.168.1.20
My question is, what happens if my workplace uses the same IP range and ALSO has a device on its own local network at 192.168.1.20? I understand that if I’m not connected to my wireguard VPN then of course I’d just access the device on the workplace local network, but what happens once I’m connected to the VPN? Is there a routing priority for local vs VPN?
Your current default gateway is 192.168.1.1. To establish your tunnel, you send your traffic out to your router's public IP via that default gateway.
Once your VPN connects, you now have a route that, if it takes precedence, sends traffic for 192.168.1.1 through the tunnel. The tunnel interface receives the packets, encapsulates them, then sends them out the default gateway - but that default gateway points to itself. This will be detected as a recursive loop and the tunnel will be torn down.
Now that your tunnel is torn down, your default gateway is functional again and your packets can now reach your home public IP and the tunnel is re-established. Now that the tunnel is re-established, your default gateway breaks again, etc, etc.
This is known as tunnel flapping and it’s what happens when your overlay routes overlap with your underlay routes and then take precedence.
This can be solved by excluding just the gateway IP (likely 192.168.1.1) from the tunnel route, BUT your WireGuard gateway probably has that exact same IP so that kinda defeats the purpose. The one IP that matters is the gateway. As long as that doesn’t overlap with your WireGuard gateway and everything is routed properly, then you can have overlapping networks.
Because you can’t control how your work network is configured, and you might not have any say over what routes are being published, you would save yourself a big headache if you changed the range of IPs you use at home to a more atypical subnet. I use 172.25.10.0/24 and have never had to worry about conflicts.
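As an added example (not written by anyone in this thread), here is a small Python longest-prefix-match simulation of the routing table described above: a laptop on a work LAN 192.168.1.0/24 with gateway 192.168.1.1, after a WireGuard tunnel comes up that routes the same 192.168.1.0/24 for the home LAN. It shows why the tunnel route wins for 192.168.1.20, why the same win breaks the underlay gateway and causes the flapping, how pinning the gateway with a /32 host route stops the loop, and how simply moving the home LAN to 172.25.10.0/24 removes the overlap entirely. Interface names (`wifi0`, `wg0`), metrics and the home endpoint address 203.0.113.10 are constructed assumptions for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed routing table entries: (prefix, egress interface, metric).
# Interface names and metrics are assumptions; lower metric wins a tie.
Route = Tuple[ipaddress.IPv4Network, str, int]

WORK_GATEWAY = "192.168.1.1"      # the work LAN's default gateway (underlay next hop)
HOME_ENDPOINT = "203.0.113.10"    # constructed public IP of the home WireGuard server


def make_table(home_prefix: str = "192.168.1.0/24",
               exclude_gateway: bool = False) -> List[Route]:
    """Build the laptop's routing table once the tunnel is up.

    home_prefix     -- what WireGuard's AllowedIPs puts behind wg0
    exclude_gateway -- add a /32 host route pinning the work gateway to wifi0
    """
    table: List[Route] = [
        (ipaddress.ip_network("0.0.0.0/0"), "wifi0", 100),       # default route via 192.168.1.1
        (ipaddress.ip_network("192.168.1.0/24"), "wifi0", 100),  # connected work LAN
        (ipaddress.ip_network(home_prefix), "wg0", 50),          # home LAN via the tunnel
    ]
    if exclude_gateway:
        # Host route: the one IP that must never enter the tunnel is the gateway.
        table.append((ipaddress.ip_network(WORK_GATEWAY + "/32"), "wifi0", 0))
    return table


def lookup(table: List[Route], dst: str) -> str:
    """Return the egress interface for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    best = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
    return best[1]


def tunnel_flaps(table: List[Route]) -> bool:
    """The recursive loop from the thread: the encapsulated packets toward the home
    endpoint leave via the default route, whose next hop (the work gateway) is
    itself now routed into the tunnel."""
    return (lookup(table, HOME_ENDPOINT) == "wifi0"
            and lookup(table, WORK_GATEWAY) == "wg0")


if __name__ == "__main__":
    scenarios = {
        "overlapping /24, no fix": make_table(),
        "overlapping /24, gateway /32 excluded": make_table(exclude_gateway=True),
        "home moved to 172.25.10.0/24": make_table(home_prefix="172.25.10.0/24"),
    }
    for name, table in scenarios.items():
        print(f"{name}:")
        print(f"  192.168.1.20 -> {lookup(table, '192.168.1.20')}")
        print(f"  gateway {WORK_GATEWAY} -> {lookup(table, WORK_GATEWAY)}")
        print(f"  tunnel flaps: {tunnel_flaps(table)}")
```

In the first scenario both /24 routes match 192.168.1.20 and the tunnel wins on metric, which is what the answers below mean by "the VPN will win"; but the gateway 192.168.1.1 also falls into the tunnel, so the underlay breaks. The /32 exclusion is the most specific match for the gateway and pulls it back to the physical interface while every other .1.x host still goes home, exactly the trade-off described above. With a non-overlapping home prefix there is nothing to resolve at all.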
Your vpn connection will not work.
I have seen this multiple times with employees trying to connect to the company VPN network but their home network had the same IP address range. It will connect, then drop.
what happens if my workplace uses the same IP range and ALSO has a device on its own local network at 192.168.1.20? I understand that if I’m not connected to my wireguard VPN then of course I’d just access the device on the workplace local network, but what happens once I’m connected to the VPN? Is there a routing priority for local vs VPN?
It depends on how the VPN is configured, but TYPICALLY (almost always) routes advertised over a VPN will take higher priority than native routes. It is a more specific route. Otherwise there’d be no point to the VPN, since everything would continue to flow out your default gateway.
In the situation you describe here, I’d bet money you connect to your home (VPN) 192.168.1.20 over your work's local .20 address.
From the comments, it seems that the easiest solution is to change your home network’s default gateway address.
But if you are placed in this situation where this has already happened, is there nothing you can do to band-aid a connection temporarily, where the only solution is to wait till you have direct access to your home network again to modify the gateway IP?
First, don’t connect to your home network from work; most companies have a policy against that and you can be kicked out with an unhealthy fine or lawsuit in your ass.
Secondly, it will depend on the VPN and OS; normally the VPN will WIN.
It depends on how it’s set up, but usually the VPN routes will take precedence and the rest of the local LAN will be inaccessible. You can set host routes manually if there are no IP-for-IP conflicts.
“Route print” on Windows will show you which route is the least expensive. Directly attached routes are usually sorted from fastest to slowest and VPNs inherit the speed of their parent interface. You can manually set an interface's cost as well with some hackery.
This is the same type of question/problem that might crop up when two companies merge and they happen to use the same RFC1918 addressing schemes, which causes conflicts. As an interim fix one might implement Bi-Directional (Two-way) NAT to get the network up immediately, while you work on readdressing the network as your long-term solution, because two-way NAT is a pain to deal with.
Assuming your home’s VPN server is on a publicly routable IP address and is reachable from your work.
Providing your VPN client (wireguard) is configured to drop all existing connections when started, then your VPN client is now connected to your home network and will not see nor know about any of your work's private IP addresses … you are virtually sitting at home, from a network perspective.
Therefore, after VPNing to home, when you connect to 192.168.1.20, you would connect to your home’s IP rather than work’s.
Where did you determine the OP's gateway is 192.168.1.1? Based on the scant network topology info provided, it could be 192.168.34.173 if he has a 192.168.0.0/16 network.
The OP is asking: if they have something on the IP 192.168.1.20 that they access on their local network, and then use VPN to connect to another network that uses the same 192.168.1.0/24 (presumably /24) range, would they be routed to their network’s 192.168.1.20 URL/server/whatever or to the URL/server/whatever at the VPN’s 192.168.1.20 IP?
Where is 192.168.2.0/24 in your reply coming from? I don’t see that in the OP’s initial question or in /u/S7ageNinja's post either.