I’m reconjuguring our network and looking for some help choosing an address range, because we’ve had problems in the past.
We need to have VPNs working from large organisations on 10.x.x.x, home users on 192.168.x.x and potentially anything in between.
What would be the best range to go for to maximise compatibility, or is there a better way to handle this?
You will never be able to avoid collisions when working with clients / customers etc.
Look into CG-NAT / RFC 6598.
Time to look into IPv6 unique local addresses. Or the CGNAT range 100.64.0.0/10
i run our VPN with different /24s inside a supernet range of 172.30.0.0/16
3rd octet is different per dept and allows carving and access to be more defined on users/dept needs
A better way to handle this? IPv6 
Especially between organizations, so funny to see mergers & acquisitions still getting caught up in IPv4 range conflicts in this day and age.
If this is basic remote access vpn with a vpn client, most firewalls would have you configure a single subnet for the remote vpn users. You can assign an unused subnet from your internal address schema.
The user client would get an ip from this range and all traffic between the client and your network will use this ip.
You shouldn’t need to worry about the remote user LAN ip unless you are doing site to site vpn.
What is your question?
Vpn tunnels you in to whichever concentrator you decide which has a DHCP pool attached.
Compatibility isn’t the problem.
or is there a better way to handle this?
IPv6.
I’m reconjuguring our network and looking for some help choosing an address range
Pick an appropriate unused /64 from your IPv6 allocation and don’t reuse it anywhere else. ULA could be used if you don’t want to funnel Internet traffic up the VPN.
We need to have VPNs working from large organisations on 10.x.x.x, home users on 192.168.x.x and potentially anything in between.
If you must have IPv4 support over the VPN (and can’t get by with DNS64 and NAT64), then 172.16/12 might be your friend here.
172.16.0.0/12 is the least used segment I’ve seen. The most used in that segment is the bottom and top ranges. I think it comes down to people find it harder to type, so they avoid using it.
I would avoid anything in 192.168. On 10, the most common for home routers is 10.0.0.0/24 and 10.0.1.0/24. That leaves a lot of options there to avoid 99% of potential overlaps.
172.16 is pretty rare to ever see as default on any home router, so work within this space, but I would not use 172.16.1.0/24 or 172.16.31.0/24 because human nature will find those to be the most commonly used if someone were to manually pick that for home use.
There are some reserved ranges outside from the typical rfc1918
cgnat 100.64.0.0/10
Link-local aka APIPA: 169.254.0.0/16
Reserved: 198.18.0.0/15
Those could be in use, but are quite more obscure so the risk of collision is greatly reduced. There are a few more/24, Lookup “Ip reserved address” for the whole list.
EDIT: stricking apipa.
Can’t you just use some DOD-assigned address space like Hamachi did?
On the other hand, collisions are a non-issue if your VPN is configured a certain way in regards to routing. Though that depends heavily whether you need to have your clients access things in the LAN they’re physically connected to or not.
Or the CGNAT range 100.64.0.0/10
Be warned that this can cause issues with mobile devices and laptops with mobile data cards…
With the exhaustion of IPv4 addresses globally, this is not a good idea as many ISP’s use 100.64/10 space for CGNAT as it was intended to be used.
Don’t use the CGNAT range. There’s better alternatives.
And now you conflict with my home network. That’s MY ADDRESS SPACE!!!
/s (the second half, anyways)
Because often, these organisations have ‘experts’ who insists IPv6 is a deprecated technology - Even though factually, the IETF have stopped development work on IPv4, years ago, and they now exclusively only develop IPv6.
I’m not sure I understand. Perhaps I don’t know enough.
If I have a VPN client with, say, a LAN IP of 10.0.x.x, tunnelled to my network which also uses 10.0.x.x, how can the client machine know which network it’s supposed to be taking to? How can it handle two geographically separate servers with the same address?
Thanks, just wondering isn’t 172.16.x.x used by things like BT business broadband?