VPN Tunnel IP Range to CIDR
Convert VPN tunnel and client pool IP ranges to CIDR notation. Configure split-tunnel VPN with proper CIDR routes for corporate resources.
Detailed Explanation
VPN IP Range Configuration
VPN tunnels are configured in CIDR notation: routes, traffic selectors and client address pools are all expressed as prefixes, not as start and end addresses. Whether you're setting up a site-to-site VPN or a remote access VPN with a client address pool, converting each IP range to CIDR is the first step, and a range that does not line up with a power-of-two boundary will need more than one prefix.
Site-to-Site VPN Example
Office A Network: 10.1.0.0 - 10.1.255.255
CIDR: 10.1.0.0/16
Office B Network: 10.2.0.0 - 10.2.255.255
CIDR: 10.2.0.0/16
Each site's VPN gateway advertises its local CIDR block to the remote peer: as the traffic selectors of a policy-based IPsec tunnel, or as the routed prefixes (static or BGP) of a route-based one. Only traffic whose source and destination fall inside the two blocks enters the tunnel.
Client VPN Pool
Client Pool: 10.100.0.0 - 10.100.0.127
CIDR: 10.100.0.0/25 (128 addresses)
A /25 gives 128 addresses for VPN clients; the VPN server usually reserves the network address, the broadcast address and its own gateway address, so expect slightly fewer usable client addresses than the block size. For a larger team:
Client Pool: 10.100.0.0 - 10.100.3.255
CIDR: 10.100.0.0/22 (1,024 addresses)
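The conversions above (and the 10.50.0.0/20 range in the use case at the end of this page) can be done with Python's standard ipaddress module. The following is an added example, not part of this page's tool; the sample ranges are constructed here and include one deliberately unaligned range to show why a range may not fit a single prefix.

```python
import ipaddress
from typing import List, Optional

# Constructed sample ranges: the ones from this page plus one unaligned range.
SAMPLE_RANGES = [
    ("10.1.0.0", "10.1.255.255"),    # Office A
    ("10.100.0.0", "10.100.0.127"),  # client pool, expected /25
    ("10.100.0.0", "10.100.3.255"),  # client pool, expected /22
    ("10.50.0.0", "10.50.15.255"),   # HR application subnet, expected /20
    ("10.100.0.0", "10.100.0.200"),  # 201 addresses: not a single CIDR block
]


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("range endpoints must be the same IP version")
    if hi < lo:
        raise ValueError(f"range end {last} precedes start {first}")
    # summarize_address_range is greedy: largest aligned block first.
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def single_cidr(first: str, last: str) -> Optional[str]:
    """The one CIDR block equal to the range, or None when the range needs several
    prefixes (a VPN UI that accepts only one CIDR will silently truncate or reject it)."""
    cidrs = range_to_cidrs(first, last)
    return cidrs[0] if len(cidrs) == 1 else None


def pool_capacity(cidr: str) -> int:
    """Total addresses in a block; the VPN server reserves a few of them itself."""
    return ipaddress.ip_network(cidr).num_addresses


if __name__ == "__main__":
    for first, last in SAMPLE_RANGES:
        cidrs = range_to_cidrs(first, last)
        note = "" if len(cidrs) == 1 else "  (not a single block)"
        print(f"{first} - {last}: {', '.join(cidrs)}{note}")
```

The unaligned range 10.100.0.0 - 10.100.0.200 comes back as four prefixes (a /25, a /26, a /29 and a /32); if your VPN pool setting accepts a single prefix, round the range to the next aligned block instead of dropping the tail.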
Split Tunnel Configuration
Split tunneling routes only corporate traffic through the VPN. You list the CIDR blocks that should go through the tunnel; everything else matches the client's default route and goes straight to the internet:
# Corporate resources (routed through the VPN)
10.0.0.0/8 # RFC 1918 range holding the internal networks
172.16.0.0/12 # RFC 1918 range; Docker's default bridge (172.17.0.0/16) and other internal services fall inside it
# Everything else, i.e. the default route 0.0.0.0/0, bypasses the VPN and goes direct
Only the prefixes you list are protected. In the example above, 192.168.0.0/16 (the third RFC 1918 range) is not routed through the tunnel, and DNS queries leave the client unencrypted unless the VPN also pushes the corporate resolver. A full tunnel instead pushes 0.0.0.0/0 through the VPN.
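To see which destinations the split-tunnel list above actually protects, this added example (not from the page) models the client's routing decision as a longest-prefix match over the listed routes and also checks whether a client's local LAN would be captured by a tunnel route. The route table and the sample destinations are constructed here.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed split-tunnel route table: (prefix, next hop). Order does not matter;
# the most specific matching prefix wins, as in a real routing table.
SPLIT_TUNNEL_ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "vpn"),
    ("172.16.0.0/12", "vpn"),
    ("0.0.0.0/0", "direct"),
]


def select_route(dest: str, routes=SPLIT_TUNNEL_ROUTES) -> str:
    """Longest-prefix match: return the next hop ('vpn' or 'direct') for dest."""
    ip = ipaddress.ip_address(dest)
    best_net = None
    best_via = None
    for cidr, via in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    if best_via is None:
        raise LookupError(f"no route for {dest}")
    return best_via


def unprotected(dests: List[str], routes=SPLIT_TUNNEL_ROUTES) -> List[str]:
    """Destinations that leave the client in the clear under this route table."""
    return [d for d in dests if select_route(d, routes) == "direct"]


def shadowed_by_tunnel(lan_cidr: str, routes=SPLIT_TUNNEL_ROUTES) -> Optional[str]:
    """Return the tunnel route that covers a client's local LAN, if any. A home LAN
    on 10.0.0.0/24 is swallowed by the 10.0.0.0/8 route, so local printers and NAS
    become unreachable while the VPN is up (or, worse, get routed to the office)."""
    lan = ipaddress.ip_network(lan_cidr)
    for cidr, via in routes:
        if via == "vpn" and lan.overlaps(ipaddress.ip_network(cidr)):
            return cidr
    return None


if __name__ == "__main__":
    # Constructed sample destinations.
    for dest in ["10.50.0.5", "172.17.0.2", "192.168.10.5", "1.1.1.1"]:
        print(f"{dest:>14} -> {select_route(dest)}")
    print("home LAN 10.0.0.0/24 shadowed by:", shadowed_by_tunnel("10.0.0.0/24"))
```

With the page's two corporate prefixes, 192.168.10.5 goes direct even though it is a private address; add 192.168.0.0/16 to the tunnel list if any corporate resource lives there.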
AWS VPN Configuration
AWS Site-to-Site VPN takes the following CIDR settings:
- Local IPv4 network CIDR: your on-premises range
- Remote IPv4 network CIDR: the AWS VPC CIDR
- Tunnel inside CIDR: a /30 from the link-local range 169.254.0.0/16, one per tunnel, e.g. 169.254.10.0/30 (4 addresses, of which the 2 host addresses are the AWS and customer gateway tunnel endpoints)
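The inside CIDR is the setting most often entered wrongly (wrong prefix length, host bits set, or a block AWS refuses). This added example, not from the page, validates a candidate inside CIDR and derives the two endpoint addresses. The list of blocks AWS disallows is copied from the AWS Site-to-Site VPN documentation and is not stated on this page, so verify it against the current docs before relying on it; the endpoint assignment (first host address to AWS, second to the customer gateway) is how AWS-generated device configurations lay the tunnel out.

```python
import ipaddress
from typing import Tuple

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# /30 blocks AWS does not accept as tunnel inside CIDRs (from AWS docs, not this page;
# verify against the current documentation).
RESERVED_INSIDE_BLOCKS = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
)]


def validate_inside_cidr(cidr: str) -> Tuple[bool, str]:
    """Check that cidr is usable as an AWS tunnel inside CIDR; return (ok, reason)."""
    try:
        # strict=True (the default) rejects e.g. 169.254.10.1/30, which has host bits set.
        net = ipaddress.ip_network(cidr)
    except ValueError as exc:
        return False, f"not a valid network prefix: {exc}"
    if net.version != 4 or net.prefixlen != 30:
        return False, "inside CIDR must be an IPv4 /30"
    if not net.subnet_of(LINK_LOCAL):
        return False, "inside CIDR must lie within 169.254.0.0/16"
    for reserved in RESERVED_INSIDE_BLOCKS:
        if net.overlaps(reserved):
            return False, f"{cidr} overlaps the reserved block {reserved}"
    return True, "ok"


def tunnel_endpoints(cidr: str) -> Tuple[str, str]:
    """(AWS-side address, customer-gateway address) for a validated /30.
    hosts() on a /30 yields exactly the two usable addresses."""
    ok, reason = validate_inside_cidr(cidr)
    if not ok:
        raise ValueError(reason)
    aws_side, customer_side = ipaddress.ip_network(cidr).hosts()
    return str(aws_side), str(customer_side)


if __name__ == "__main__":
    # Constructed candidates: one good, one reserved, one with host bits set, one wrong size.
    for candidate in ["169.254.10.0/30", "169.254.0.0/30", "169.254.10.1/30", "169.254.10.0/29"]:
        print(candidate, validate_inside_cidr(candidate))
    print("endpoints:", tunnel_endpoints("169.254.10.0/30"))
```

AWS creates two tunnels per VPN connection, so pick two distinct /30s (for example 169.254.10.0/30 and 169.254.11.0/30) and run each through the check.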
Common VPN Pool Sizes
| Prefix | Addresses | Use Case |
|---|---|---|
| /30 | 4 (2 usable host addresses) | Point-to-point tunnel |
| /28 | 16 | Small team |
| /25 | 128 | Medium office |
| /24 | 256 | Large office |
| /22 | 1,024 | Enterprise |
Use Case
A network engineer is configuring an AWS Client VPN endpoint. The HR team needs access to an internal application on 10.50.0.0 - 10.50.15.255. They convert this to 10.50.0.0/20, add a route for that prefix to the endpoint's route table, and add an authorization rule that grants the HR group (and only that group) access to 10.50.0.0/20; without the authorization rule the route alone does not let any client reach the subnet.