[21-01-2021] | Client VPN and External Networks

I was provided a router that accessed an external network, and was told the accepted solution was to either have it handle all DHCP on their provided subnet, or set a static route on every computer that needed to access it.

I like to stay away from unique configuration of endpoints and resubnetting an entire network isn't feasible. It is also preferable to expose this network to all sites, as well as client VPN, so remote users can access it.

IPs are example IPs and instructions are written for no particular networking equipment so as to maintain anonymity of all devices involved.

Network diagram

The Solution

From start to finish, a user connecting over Meraki client VPN needs to be able to see the outside company's network, which I am unable to configure. For this configuration we will assume:

Default gateway configuration

Static routes are added on the default gateway ( as follows:

The second route is used so I can ping the provided router to ensure it's up, if the external network stops responding. The route is then added to be included in the site to site VPN.

Intermediary router configuration

The route table of the intermediary router is as follows:

The rules filter from most specific to least specific.

Rule 1 ensures all traffic not matching any other rule is passed to the provided router.

Rule 2 ensures any traffic from a site to site VPN address will use as the gateway for its return path. Otherwise, it gets forwarded to where it dies.

Rule 3 and 4 ensure any traffic from the 2 specified client VPN subnets use as the gateway for their return path. Functionally the same as rule 2.