Orbi (RBK50) behind ISP router and VPN client address space issue (and workaround)

I have just replaced my Netgear R7000 Nighthawk router with a RBK50 and guess what ? It breaks my VPN ! A bit of research reveals that it is the same issue as the following thread.

 

https://community.netgear.com/t5/Orbi/VPN-works-but-public-IP-doesnt-seem-tunneled-through-RBK50/td-p/1389569

 

As I have found a workaround which will solve the issue, I would like to post it here so as to help anyone hitting this issue.

 

My setup is very similar to that previous thread above...  My RBK50 (firmware V2.2.1.210) is behind an ISP router and thus using a private address 192.168.2.100 on its Internet side interface, whereas my internal network using 192.168.1.x.  There is a DMZ entry in the ISP router for the RBK50 and thus any inbound traffic to the VPN port will hit the RBK50. DDNS is used on RBK50 and thus the generated client ovpn file correctly uses the DDNS domain name for the RBK50.

 

The issue is that VPN client (IOS/Android in TUN mode) is assigned an IP address from the 192.168.2.x address space when my internal network use 192.168.1.x. Thus it is in conflict with the RBK50 external address space and this break everything for the VPN client. Basically the VPN tunnel can be established but then the IOS/Android will not be able to talk to any internal/external host.

 

I am not sure if Netgear hardcode the VPN address space in this firmware or use the one 'just above' the internal network. Anyway, my old R7000 does not have this issue.

 

The workaround I use is simply reassigning the RBK50 external interface to use another address space (192.168.0.x for example).  On the IPS router I also configure the internal interface to use this address space and the corresponding DMZ host entry for the RBK50.  This way, even if VPN client get a IP address from the 192.168.2.x address there will not be any conflict and everything will work just fine.