So we're using SoftEther VPN for our small network. We want to make sure when a client connects to the the VPN that it's assigned a local IP in the same subnet LAN so it can connect to mapped/shared drives, printers etc. on the LAN.

There are two ways to go about this it seems. One of them is with a bridge which is the recommended way. If the computer running the server is connected to the router directly, you can create a bridge so that computer is assigned a LAN IP just as if it were on the same network.

The way our office is though, we CAN'T have a computer next to the router. This leaves option 2 of SecureNAT. This also works in SoftEther VPN and allows complete network access, even if the machine running the server isn't near the router but is on the WiFi instead. That said, there are warnings on the SecureNAT that say if it's not properly configured it leaves the whole network at risk.

I'm not seeing how this is some sort of "major network risk"? I guess that's what I'm missing here? How is this anymore of a risk than using the bridge, and is this anything I should be concerned about and does it really matter for a very small network like ours? I get that it allows access behind router without port forwarding, but as long as the authentication certificate is only used by a couple authorized users, what's the risk?

Thanks for the help guys!