A VRF-Isolated VPN Architecture for On-Subnet Remote Access in Segmented Public-Address Campus Networks
Filippo Maria Lauria, Andrea De Vita, Abraham Gebrehiwot
2026
Abstract
Campus networks that obtained large IPv4 allocations before address exhaustion often still operate entirely in globally routable public address space, without NAT, partitioning users into per-unit subnets segmented by 802.1Q VLANs. When such a campus closes unsolicited inbound reachability towards user hosts, in line with attack-surface-reduction obligations such as the NIS2 Directive, an authenticated VPN becomes the only path by which remote users re-enter their own subnets. The conventional design — a dedicated VPN range routed towards the production network — makes the remote client a visitor adjacent to its home subnet, outside the addressing, filtering and reachability semantics that the per-unit address plan deliberately preserves. This document presents an architecture that places the remote client inside its own home subnet — with an address drawn from that subnet, under its gateway and policies, reachable by on-subnet peers as though locally attached — while all sessions enter through a single public VPN endpoint on a shared concentrator. The construction composes established mechanisms: SQL-backed RADIUS pools that bind per-subnet address assignment to authenticated identity; per-session tunnel interfaces bound into per-subnet VRFs that prevent inter-subnet transit; and bounded proxy-ARP that makes remote clients resolvable on their home segments. The methodology is vendor-neutral and validated in a production deployment at a multi-institute research campus across heterogeneous tunnelling protocols. Security properties, limitations and extensions towards high availability and dual-stack operation are discussed.

| File | Description | Type | License | Size | Format |
|---|---|---|---|---|---|
| IIT-05-2026-1.pdf | not available | Other attached material | NOT PUBLIC - private/restricted access | 1.7 MB | Adobe PDF |