Describe the bug
If two or more VPN locations use the same IP network address, a conflict arises if the corresponding tunnels are connected simultaneously
To Reproduce
Steps to reproduce the behavior:
Create two VPN locations
Assign (unique) gateway IP addresses but on the same network
Connect a Defguard client to both locations at the same time (nothing stops you from doing so)
In the best case only 1 tunnel will work. Conflicts may also arise in the assignment of IP addresses to the clients
Expected behavior/enhancement
Defguard considers every VPN location as a completely independent realm, where no coordination in the assignment of IP addresses is attempted, and under the silent assumption that locations using the same VPN IP netmask are not to be connected to simultaneously. This can be a valid use case, but the situation where several VPN locations could be sharing the same VPN IP network are valid (and very useful), too.
For instance, I frequently use Wireguard to set up a pattern manually where:
VPN servers (gateways) at different locations use IP addresses from the same network
client define a single Wireguard interface, with all the gateways as peers on this single interface. The "allowedIPs" field is used to define static routing
In this way, the client can access several parts of a distributed infrastructure by using a single wireguard interface, which simplifies management and reduces the number of addresses/networks to handle.
This use case could be easily supported by Defguard if:
we would detect when the same VPN IP network is entered for different locations
we would then allow an option to "group" those locations together and treat them as a single tunnel connecting every client to different endpoint.
The client would then have an option to connect to the whole "location group" with a single action (bringing up a single wireguard interface), entering MFA information only once, and so on.
I hope my description is clear enough; please feel free to contact me in case additional information is needed (also on matrix: @dbutti:matrix.neaweb.ch)
Describe the bug If two or more VPN locations use the same IP network address, a conflict arises if the corresponding tunnels are connected simultaneously
To Reproduce Steps to reproduce the behavior:
Expected behavior/enhancement Defguard considers every VPN location as a completely independent realm, where no coordination in the assignment of IP addresses is attempted, and under the silent assumption that locations using the same VPN IP netmask are not to be connected to simultaneously. This can be a valid use case, but the situation where several VPN locations could be sharing the same VPN IP network are valid (and very useful), too.
For instance, I frequently use Wireguard to set up a pattern manually where:
In this way, the client can access several parts of a distributed infrastructure by using a single wireguard interface, which simplifies management and reduces the number of addresses/networks to handle.
This use case could be easily supported by Defguard if:
I hope my description is clear enough; please feel free to contact me in case additional information is needed (also on matrix: @dbutti:matrix.neaweb.ch)
Version information