Networking OpenWRT remote measurement nodes

Hello buddies,

I've been assigned a task to make a network of ZBT-WE826T routers which use OpenWRT as firmware. They are in turn connected to a local PLC measurement system using a LAN port, and the OpenWRT router uses a SIM card to access the internet. The PLC should be accessible remotely for settings and logging purposes. The project owner told me that the OpenWRT routers should use a VPN to connect to their network.

Can someone please let me know:

  1. What protocol should I use (may be more than one for different purposes)
  2. Should I use programming languages to write something on ZBT-WE826T
  3. Should I use bridge mode, NAT mode, or other modes and on which ethernet device
  4. Is there any sample work or a tutorial to follow

For what...VPN?

Simply...any one that is compatible with the remote end.

(I'd use Wireguard personally if it was compatible with routers/equipment where you will connect to them. In version 21 the protocol is built into the kernel.)

To write what?

Depends on how this PLC connects to a network...but since you have a router...and a cell SIM...you have to do some kinda NAT anyway...even if it's at the remote end regarding setup of all the VPN tunnels...or you can setup routes to them at the remote end via those VPN tunnels without NAT.

Regarding which Ethernet device...OpenWrt sets up a LAN and WAN by default...so I'd assume you want to plug the PLC into LAN...and setup the WAN for the cell connection...correct?

To hook up industrial devices in a private network you create via VPN tunnels...likely not.

There are tutorials to setup one point-to-point...and to perhaps make sure you're routing properly across multiple tunnels.

It seems like you want to plug devices into a router...then setup WAN...then setup VPN...not sure what would be too difficult here...this is quite normal. I hope the best for your setup.

  • Who?
  • Did they offer you help to setup your devices?
  • Then don't you think it's wise to ask them about protocols, programming, connections, NAT, etc.?

How does that Wiki to install this software help the OP connect PLCs to someone's network via OpenWrt devices on mobile?

Hi lleachii,

Thank you for your reply. This is a leftover project and my friend asked me to help them get it up and running. The person who did this kind of work has left and gave no data back to the company :|. So I wanted to help them, and this way I can learn more about Linux networking and other things :). The project owner wants a zero-touch device at the customer location, so I should do the job in a way that actions can be done remotely.
The connection is like this:
PLC ETH <-----> LAN1 | ModemRouter | SIM <----> Internet


Yes Wireguard is what to use here. I assume there is also an OpenWrt router at the office, and that it has a publicly reachable IP on the WAN side.

The WE826 at each customer location will initiate a separate VPN tunnel to the office router. So inside the office router you have a network of the remote locations:
192.168.200.1 -- the VPN server of the office router
192.168.200.2 -- router at customer A
192.168.200.3 -- router at customer B
etc.
These .200 IPs will be (pseudo) WAN in the customer routers. As there is only one PLC machine at each customer location, you can simply forward the ports relevant for PLC control from the VPN to the machine's LAN IP on the WE826. At the office you would access 192.168.200.2 as customer A's machine, etc.


Hi MK24. Thank you for your reply. Did I draw it well? I'll recap, if I'm not wrong:
Customer side (WE826T):

  • 1 x WAN public IP (assigned by SIM provider)
  • 1 x Bridged private IP which is assigned by VPN client service
  • 1 x Private IP as router to LANs
  • 1(+) x Port forwarding policy to expose PLC ethernet TCP port(s) to VPN network

Customer side (PLC):

  • 1 x assigned IP statically

Headquarters:

  • Technicians should use a VPN client to connect to the OpenWRT mesh network
  • They can use customer vs WireGuard IP to connect to the specific WE826T and exposed port(s)

Yes that will work. If it is difficult or unwanted to run the Wireguard server inside the office, which requires having a public IP (or a forward from one) on the office router, you could rent a VPS and run the Wireguard server off-site. Then the office PC(s) would also make Wireguard tunnels using Windows client software. They should be configured so that Wireguard is not the default route to the Internet, only a second LAN, but that is beyond this forum.

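The customer-router side of the layout described in this thread (one WireGuard tunnel to the office hub, one port forward from the VPN zone to the PLC), as an added example that is not part of any post: a shell function that prints `uci batch` commands for one router. The hub endpoint, key placeholders, section names, PLC address and PLC port are assumptions; only the 192.168.200.x addressing comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are assumptions
# except the 192.168.200.x tunnel addressing.
HUB_ENDPOINT="vpn.example.com"   # placeholder for the office router or VPS
HUB_PORT=51820
HUB_PUBKEY="<HUB_PUBLIC_KEY>"    # placeholder
VPN_NET="192.168.200"

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# spoke_uci <host-octet> <plc-lan-ip> <plc-tcp-port>
# Prints commands for `uci batch`; rejects values that would collide with
# the hub (.1) or fall outside the /24 or the TCP port range.
spoke_uci() {
    is_num "$1" && [ "$1" -ge 2 ] && [ "$1" -le 254 ] || { echo "bad octet" >&2; return 1; }
    is_num "$3" && [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port" >&2; return 1; }
    case "$2" in ''|*[!0-9.]*) echo "bad PLC ip" >&2; return 1 ;; esac
    cat <<EOF
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='<SPOKE_PRIVATE_KEY>'
add_list network.wg0.addresses='$VPN_NET.$1/24'
set network.hub=wireguard_wg0
set network.hub.public_key='$HUB_PUBKEY'
set network.hub.endpoint_host='$HUB_ENDPOINT'
set network.hub.endpoint_port='$HUB_PORT'
set network.hub.persistent_keepalive='25'
add_list network.hub.allowed_ips='$VPN_NET.0/24'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
add_list firewall.vpn.network='wg0'
set firewall.vpn.input='REJECT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.plc=redirect
set firewall.plc.name='plc-from-vpn'
set firewall.plc.target='DNAT'
set firewall.plc.src='vpn'
set firewall.plc.dest='lan'
set firewall.plc.proto='tcp'
set firewall.plc.src_dport='$3'
set firewall.plc.dest_ip='$2'
set firewall.plc.dest_port='$3'
EOF
}
```

On the router the output would be piped into `uci batch` and followed by `uci commit`, with the private key generated on the device itself. The `vpn` zone rejects input and forwarding by default, so only the forwarded PLC port is reachable through the tunnel.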