I have been experiencing this problem more and more as the proliferation of non-routable IP networks increases. Basically, I am at an airport, hotel, customer site, or other location, and they happen to be using the same IP address range as we do at the corporate offices.
For example:
Corporate uses the 10.1.x.x network range (the mail server is at 10.1.1.5, as an example).
The location that I am getting network access from uses either 10.x.x.x or maybe just 10.1.1.x… but either way, the problem is the same.
The VPN connects successfully; however, after that, traffic for the mail server (as an example) is not routed through the VPN. The client's routing table picks the longest matching prefix, and the hotspot's directly connected network is at least as specific as the route the VPN installs, so packets for 10.1.1.5 are sent out the local interface and never enter the tunnel.
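To make the route-selection point concrete, here is an added example (not code from the original post) that models the client's routing table with longest-prefix matching. The interface names tun0 and wlan0, the hotspot prefix 10.1.1.0/24, and the VPN-pushed 10.1.0.0/16 are assumptions chosen to match the scenario above. It goes slightly beyond the post by also showing what happens when a more specific host route for the mail server is installed through the tunnel.

```python
import ipaddress


def build_table(routes):
    """Turn a list of (cidr, interface) pairs into a routing table."""
    return [(ipaddress.ip_network(cidr), iface) for cidr, iface in routes]


def lookup(table, dst):
    """Longest-prefix match, as a host routing table does.

    Ties on prefix length are broken by table order here; a real kernel
    would use the route metric instead.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed sample data (assumed interface names and prefixes).
HOTSPOT = [("10.1.1.0/24", "wlan0"), ("0.0.0.0/0", "wlan0")]   # from hotspot DHCP
CORP_VPN = [("10.1.0.0/16", "tun0")]                           # pushed by the VPN
MAIL_SERVER = "10.1.1.5"


def route_without_fix():
    """The situation described in the post: the local /24 wins."""
    return lookup(build_table(HOTSPOT + CORP_VPN), MAIL_SERVER)


def route_with_host_route():
    """A /32 route for the mail server via tun0 beats the local /24."""
    table = build_table(HOTSPOT + CORP_VPN + [(MAIL_SERVER + "/32", "tun0")])
    return lookup(table, MAIL_SERVER)


def shadowed_hosts(local_routes, vpn_routes, hosts):
    """Corporate hosts whose traffic would leave the local interface, not the tunnel."""
    table = build_table(local_routes + vpn_routes)
    vpn_ifaces = {iface for _, iface in vpn_routes}
    return [h for h in hosts if lookup(table, h) not in vpn_ifaces]


if __name__ == "__main__":
    print("mail server via:", route_without_fix())        # wlan0
    print("with /32 host route:", route_with_host_route())  # tun0
    print("shadowed:", shadowed_hosts(HOTSPOT, CORP_VPN, ["10.1.1.5", "10.1.2.9"]))
```

The host-route trick only helps when the VPN client (or the user) can install routes more specific than the hotspot's, and it still breaks if the hotspot hands the laptop the mail server's own address; it is a workaround for the route conflict, not a fix for the overlapping address plan.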
Possible solutions:
1) Set up a secondary VPN server on a different IP network and overlay, for example, a 192.168.x.x range over the 10.1.x.x range (but all servers would need an address on both networks, which is hard to maintain)… and the user would need to change the "mail server" in their client to use the other VPN connection.
2) Attempt to get a "routable" IP address from the location you are at… this may be viable if you are using a cable modem or DSL from a provider and will be doing this all the time. However, the typical hotspot isn't going to be willing to accommodate you and may not even have a clue when you ask.
3) Try another VPN solution… PPTP, IPsec, or OpenVPN… but they are all routed and expect that you will not have matching networks.
4) Final solution, and one that I have working as a "demo" but am not really happy with the administration overhead of… is to use SSH tunneling to get to specific servers. This is fast and works pretty well… but then mail clients, etc. need to be configured to use localhost:port, with a special port for each service… and they need to have a PuTTY SSH window open to the SSH server (minor, I know). But if you configure the mail client to use this as its mail server… then even when users are in the building they would need to download all their email through this SSH tunnel (not ideal).
I am still searching for the best practice for this issue… and I have to imagine that we are not the only company running into it. However, this isn't something that Google has turned up any great ideas for. Please post a comment with your suggestions or send me an email with your solution to this problem.