USG20W-VPN using SSL_VPN connection can't connect to internal network 192.168.1.x

krlee52
krlee52 Posts: 4
edited April 2021 in Security

Hello all,

Long time since I ventured into this space so pardon my ignorance. My question is: The internal office network I want the remote users to access is a 192.168.1.x network. I can set up the SSL_VPN group to use the .1 subnet and it works fine because my remote subnet at home is 192.168.40.x and not 192.168.1.x. However, most home users do use the .1 subnet and then it is not possible for them to connect. What I would like to do is to somehow change the SSL_VPN subnet to 192.168.2.x (or anything else) and then route those requests to the .1 subnet. Is there a way to do that? I would hate to have to redo the whole office networking to accommodate a couple of remote users. Thanks for any suggestions.

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee

    Hi @krlee52

    You can follow the guideline to build up SSL VPN:

    https://support.zyxel.eu/hc/en-us/articles/360001390774-How-to-create-an-SSL-VPN-Tunnel-via-SecuExtender-software-

    On USG20W-VPN the Lan2 default subnet is 192.168.2.X.

    When setting up the IP range settings on SSL VPN, make sure to define a range that does not conflict with any existing or known subnet on your USG.

  • Hi, Thank you for the reply. I apologize for not explaining myself well, but I now actually have two problems. I am hoping it is something simple I am not understanding. To be sure I had done the basics correctly I followed the guide in the link exactly. The only differentiation is that my lan1_subnet is 192.168.1.0, and it appears in the ping window of the guide that the LAN1_Subnet is set to 192.168.10.0. So here are the questions I have.

    My remote subnet is 192.168.40.0. When I am connected through SecuExtender it connects fine, the only difference being I do not use the :8443. I can ping 192.168.1.1 on the host network - that is the ZyWall. I can ping the server also. I cannot ping any other device on the network.

    My original question was if this can work if the remote client also had a 192.168.1.0 subnet, as most home users do, as well as the ZyWall having that subnet. I was hoping there was a configuration option that would make that work. I did not want to have to reconfigure the office network. At this point however I am willing to do so if I can make this work in any way whatsoever :-)

  • Ian31
    Ian31 Posts: 165  Master Member

    Hi @krlee52,

    I think you can manipulate the routing priority on the VPN client.

    So that the traffic to the same 192.168.1.0/24 will go to the VPN interface first rather than the local one.

    And on USG VPN policy select remote server address object (max. 8 entries) instead of a full 192.168.1.0/24 subnet.


    Here is my Windows 10 as an example:

    1. Click Windows Key + X
    2. On the left hand side menu, select "Network Connections"
    3. On the right hand side windows, scroll down to "Change your network settings" section, click "Change adapter options"
    4. Double click on the network interface icon "TAP-Windows Adapter V9 for Zyxel SecuExtender"
    5. Go to IPv4 and click properties.
    6. Then click Advanced,
    • Disable "Automatic metric" and key-in "1" into Interface metric
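
Added example, not part of the thread or Zyxel's documentation: a simplified model of client-side route selection (longest prefix first, then lowest metric) showing how the two suggestions in the reply above behave when the home LAN and the office LAN are both 192.168.1.0/24. Interface names, metric values and the host addresses .10, .20 and .50 are constructed, and it assumes that host address objects in the VPN policy reach the client as /32 routes.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: str   # destination network in CIDR form
    iface: str    # outgoing interface (hypothetical names)
    metric: int   # effective metric; lower is preferred

def pick_route(routes, dest) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))

def egress(routes, dest) -> Optional[str]:
    """Name of the interface the packet would leave on, or None."""
    route = pick_route(routes, dest)
    return route.iface if route else None

# Constructed home client whose own LAN is also 192.168.1.0/24.
HOME = [Route("0.0.0.0/0", "wifi", 35), Route("192.168.1.0/24", "wifi", 35)]

# Case A: VPN pushes the whole office /24, VPN adapter left on automatic metric.
FULL_SUBNET_AUTO = HOME + [Route("192.168.1.0/24", "vpn", 50)]

# Case B: same route, VPN adapter interface metric set to 1 as in the steps above.
FULL_SUBNET_METRIC1 = HOME + [Route("192.168.1.0/24", "vpn", 1)]

# Case C: VPN policy lists only the office servers (constructed .10 and .20).
HOST_ROUTES = HOME + [Route("192.168.1.10/32", "vpn", 50),
                      Route("192.168.1.20/32", "vpn", 50)]

if __name__ == "__main__":
    cases = {"A full /24, auto metric": FULL_SUBNET_AUTO,
             "B full /24, metric 1": FULL_SUBNET_METRIC1,
             "C host routes only": HOST_ROUTES}
    # .10 = office server, .50 = a device on the home LAN (both constructed)
    for name, table in cases.items():
        print(name, {d: egress(table, d) for d in ("192.168.1.10", "192.168.1.50")})
```

In case B every 192.168.1.x address, including devices on the home LAN, is sent into the tunnel; in case C only the listed servers are, and the adapter metric no longer matters because the /32 routes are more specific.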

