From 1017b729ccc6daed57446e54db95ad785aa149fc Mon Sep 17 00:00:00 2001 From: "Boris Stoyanov - a.k.a Bobby" Date: Tue, 3 Jun 2025 15:06:25 +0300 Subject: [PATCH 1/2] Update remote_access_vpn.rst --- .../adminguide/networking/remote_access_vpn.rst | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/source/adminguide/networking/remote_access_vpn.rst b/source/adminguide/networking/remote_access_vpn.rst index ffa45823e9..77513baf90 100644 --- a/source/adminguide/networking/remote_access_vpn.rst +++ b/source/adminguide/networking/remote_access_vpn.rst @@ -156,4 +156,19 @@ Now, you need to add the VPN users. #. Click Add. -#. Repeat the same steps to add the VPN users. \ No newline at end of file +#. Repeat the same steps to add the VPN users. + +Limitations of Remote Access VPN +-------------------------------- + +CloudStack's Remote Access VPN feature (L2TP over IPsec with pre-shared key) is subject to certain limitations: + +- **Single connection per source IP/CIDR:** + Due to the use of StrongSwan in the virtual router implementation, CloudStack does not support multiple simultaneous VPN connections originating from the same source public IP or NAT'ed subnet. + This means that if multiple users are behind the same NAT (e.g., office network or shared IP), only one of them can connect at a time. Additional connection attempts will fail until the first session is disconnected. + +- **No support for overlapping CIDRs or NAT before VPN:** + Remote Access VPN does not provide NAT traversal or address translation features to handle overlapping subnets between the client and the VPC. + +**Recommendation:** +If your environment requires multiple concurrent VPN connections from the same location (NAT or IP), consider deploying a dedicated VPN appliance (e.g., OpenVPN or pfSense) inside the VPC to support advanced use cases. From b1b8297a220964738433e2a3749c4641b89709f1 Mon Sep 17 00:00:00 2001 
From: "Boris Stoyanov - a.k.a Bobby" Date: Thu, 5 Jun 2025 15:37:10 +0300 Subject: [PATCH 2/2] Update source/adminguide/networking/remote_access_vpn.rst Co-authored-by: dahn --- source/adminguide/networking/remote_access_vpn.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/adminguide/networking/remote_access_vpn.rst b/source/adminguide/networking/remote_access_vpn.rst index 77513baf90..e87c399a5e 100644 --- a/source/adminguide/networking/remote_access_vpn.rst +++ b/source/adminguide/networking/remote_access_vpn.rst @@ -167,7 +167,7 @@ CloudStack's Remote Access VPN feature (L2TP over IPsec with pre-shared key) is Due to the use of StrongSwan in the virtual router implementation, CloudStack does not support multiple simultaneous VPN connections originating from the same source public IP or NAT'ed subnet. This means that if multiple users are behind the same NAT (e.g., office network or shared IP), only one of them can connect at a time. Additional connection attempts will fail until the first session is disconnected. -- **No support for overlapping CIDRs or NAT before VPN:** +- **No support for overlapping subnets by the VPN:** Remote Access VPN does not provide NAT traversal or address translation features to handle overlapping subnets between the client and the VPC. **Recommendation:**
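Review bot: In PATCH 1/2 (hunk `@@ -156,4 +156,19 @@`), the second bullet's body says the VPN "does not provide NAT traversal", which contradicts the first bullet: that bullet describes clients behind a shared NAT where one of them does connect. The limitation being documented is overlapping subnets between the client and the VPC, so suggest dropping "NAT traversal or" and writing "does not provide address translation to handle overlapping subnets between the client and the VPC". Two smaller points in the same hunk: the first bullet's heading says "source IP/CIDR" while its body says "source public IP or NAT'ed subnet", so pick one term and use it in both places. The **Recommendation** paragraph addresses only the concurrent-connection limit, so either say so explicitly or state whether a dedicated appliance also helps with overlapping subnets.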
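Review bot: In PATCH 2/2 (hunk `@@ -167,7 +167,7 @@`), the heading is renamed to "No support for overlapping subnets by the VPN" but the unchanged context line under it still reads "does not provide NAT traversal or address translation features", so the NAT wording removed from the heading survives in the body and the two no longer match. Suggest updating that sentence in the same commit. The phrase "by the VPN" is also redundant inside a section titled "Limitations of Remote Access VPN"; something like "**Overlapping client and VPC subnets are not supported:**" states the limitation directly.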