PLC Remote Access with OpenVPN Client and multiple PLCs Sharing same IPs/Subnets

Hey everyone, I hope someone can help me. I have SoftEther running on a Windows server on a VPS. I have successfully set up the server and clients and can connect via PC and the 4G LTE routers (Teltonika RUT240) and can access a Siemens S7-1200 PLC. I have a NAT set up on the VPN server with 192.168.5.1, have given the PLC a static IP of 192.168.5.10, have set a static IP on the TAP interface on the PC with 192.168.5.15, and have installed a virtual Ethernet adapter (Microsoft loopback), assigned it a static IP of 192.168.5.20 and bridged the connections in the SoftEther server to the virtual hub. This now gives me access from the server to the PLC (I can ping the PLC from the server and the engineering PC). I can connect to the PLC from the PC fine.

The problem I now have is that I have a lot of PLCs at remote sites already set up, and they all have the same subnets, which cannot be changed (they are connected to other devices in networks I have no control over). I have thought about setting up individual NATs on the routers I will be installing, but it seems the OpenVPN TAP client in the router is bridged to the local LAN and can't be altered.

The other issue I see is that the SCADA software running on the server needs to access these PLCs (I set the PLC IP address in the software to choose which one it connects to). I now have an issue as they all have the same IP, so I was thinking about setting the PLC IP in the software to the NAT IP set on the router and then creating a static route to the PLC on the router.

If I need to access the PLC network from the engineering PC, I will just connect to the server and set the TAP IP to the NAT the PLC is on, and may need to cascade the connection to that particular virtual VPN hub.

I'm also having trouble setting up NAT and removing Tap from Eth. I was thinking of creating a VLAN with IP 192.168.100.25, bridging tap0 to that interface and then routing that subnet to the local LAN subnet, or something along those lines. Is this achievable, or is there a better, simpler way to do this?

I will link a diagram for a better understanding.

If anyone has any better ideas or ways of achieving this, that would be great.

Change TAP to TUN.
Use subnet topology.


Where is OpenWrt involved here? RUT240 doesn't seem to be supported.

They state it is OpenWrt with their own GUI, RutOS; if I SSH into it, all the navigation and file locations are the same as OpenWrt.

If I change to Tun it won't connect at all, so I'm stuck with Tap:

SENT CONTROL [*******.softether.net]: 'PUSH_REQUEST' (status=1)

[20824]: AUTH: Received control message: AUTH_FAILED

[20824]: TCP/UDP: Closing socket

[20824]: SIGTERM[soft,auth-failure] received, process exiting

It just seems odd that it will connect with tap but not tun, and on a Windows PC it connects with both fine using the same configuration.

It is a bit of a long shot to get some help here, as we don't know exactly what alterations they have done in their image.
Anyway, your problem is more one of designing the network rather than configuration. But post your configuration here so we can have a look.
Use preformatted text </> when you paste.
uci show network; uci show dhcp; uci show firewall; uci show openvpn; cat /etc/openvpn/*


This is not normal.
You should resolve this issue instead of creating another one.

Follow the official how-tos and use the recommended software:

If the issue persists, collect comprehensive diagnostics.


I hope this all looks normal and not altered too much. I have gone back to 192.168.2.1 for my testing, but devices installed will be on the 192.168.5.1 subnet.

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.lan=interface
network.lan.ifname='eth0 tap0'
network.lan.type='bridge'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ipaddr='192.168.2.1'
network.wan=interface
network.wan.proto='dhcp'
network.wan.ifname='eth1'
network.wan.enabled='1'
network.wan2=interface
network.wan2.metric='10'
network.wan2.ifname='wwan0'
network.wan2.proto='none'
network.wan3=interface
network.wan3.proto='dhcp'
network.wan3.ifname='wlan0'
network.wan3.enabled='0'
network.wan3.disabled='1'
network.wan3.metric='20'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='0 1 2 3 4'
network.@route[0]=route
network.@route[0].interface='wan'
network.@route[0].table='wan'
network.@route[0].target='0.0.0.0'
network.@route[0].netmask='0.0.0.0'
network.@route[1]=route
network.@route[1].interface='wan2'
network.@route[1].table='wan2'
network.@route[1].target='0.0.0.0'
network.@route[1].netmask='0.0.0.0'
network.@route[2]=route
network.@route[2].interface='wan3'
network.@route[2].table='wan3'
network.@route[2].target='0.0.0.0'
network.@route[2].netmask='0.0.0.0'
network.ppp=interface
network.ppp.enabled='1'
network.ppp.backup='1'
network.ppp.metric='10'
network.ppp.ifname='wwan0'
network.ppp.auth_mode='none'
network.ppp.proto='qmi2'
network.ppp.device='/dev/cdc-wdm0'
network.ppp.dialnumber='*99#'
network.ppp.pppd_options='noipdefault'
network.ppp.pdptype='1'
network.ppp.mtu='1500'
network.ppp.service='lte-only'
network.ppp.method='nat'
network.stabridge=interface
network.PLC=interface
network.PLC._name='PLC'
network.PLC.proto='l2tp'
network.PLC.buffering='1'
network.PLC.checkup_interval='20'
network.PLC.server='demo.mrea.co.nz'
network.PLC.username='PLC'
network.PLC.password='303mreleaut'
network.PLC.defaultroute='0'
network.PLC.enabled='0'
network.PLC.disabled='1'
network.PLCTest=interface
network.PLCTest.proto='pptp'
network.PLCTest._name='PLCTest'
network.PLCTest.buffering='1'
network.PLCTest.defaultroute='0'
network.PLCTest.client_to_client='1'
network.PLCTest.server='demo.mrea.co.nz'
network.PLCTest.username='PLC'
network.PLCTest.password='303mreleaut'
network.PLCTest.enabled='0'
network.PLCTest.disabled='1'

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].dhcpscript='/usr/sbin/dhcpinfo.sh'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.time='12'
dhcp.lan.letter='h'
dhcp.lan.ignore='0'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.dhcp_relay=dhcp
dhcp.dhcp_relay.enabled='0'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan ppp'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='vpn'
firewall.@zone[2].device='tun+ gre+'
firewall.l2tp_zone=zone
firewall.l2tp_zone.name='l2tp'
firewall.l2tp_zone.input='ACCEPT'
firewall.l2tp_zone.output='ACCEPT'
firewall.l2tp_zone.forward='REJECT'
firewall.l2tp_zone.masq='1'
firewall.l2tp_zone.network='l2tp'
firewall.l2tp_zone.device='l2tp+ xl2tp+'
firewall.pptp_zone=zone
firewall.pptp_zone.name='pptp'
firewall.pptp_zone.input='ACCEPT'
firewall.pptp_zone.output='ACCEPT'
firewall.pptp_zone.forward='REJECT'
firewall.pptp_zone.masq='1'
firewall.pptp_zone.network='pptp'
firewall.pptp_zone.device='pptp+'
firewall.gre_zone=zone
firewall.gre_zone.name='gre'
firewall.gre_zone.input='ACCEPT'
firewall.gre_zone.output='ACCEPT'
firewall.gre_zone.forward='REJECT'
firewall.gre_zone.masq='1'
firewall.gre_zone.network='gre'
firewall.gre_zone.device='gre+'
firewall.@zone[6]=zone
firewall.@zone[6].name='hotspot'
firewall.@zone[6].input='REJECT'
firewall.@zone[6].output='ACCEPT'
firewall.@zone[6].forward='REJECT'
firewall.@zone[6].device='tun0 tun1 tun2 tun3'
firewall.sstp=zone
firewall.sstp.name='sstp'
firewall.sstp.input='REJECT'
firewall.sstp.output='ACCEPT'
firewall.sstp.forward='REJECT'
firewall.sstp.device='sstp-+'
firewall.sstp.masq='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Relay'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='67'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].enabled='0'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-vpn-traffic'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].src='wan'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].dest_port='1194'
firewall.@rule[3].proto='tcp udp'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='vpn'
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='l2tp'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='pptp'
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='gre'
firewall.@forwarding[3].dest='lan'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='wan'
firewall.@forwarding[4].src='hotspot'
firewall.custom=include
firewall.custom.path='/etc/firewall.user'
firewall.@include[1]=include
firewall.@include[1].path='/tmp/privoxy/firewall'
firewall.@include[1].enabled='1'
firewall.@include[1].reload='1'
firewall.@include[2]=include
firewall.@include[2].enabled='1'
firewall.@include[2].reload='1'
firewall.@include[2].path='/etc/logtrigger/fwblock_wrapper.sh'
firewall.@include[3]=include
firewall.@include[3].path='/etc/add-firewall-rule.sh'
firewall.@include[4]=include
firewall.@include[4].path='/etc/add-rs-rule.sh'
firewall.@include[4].reload='1'
firewall.@include[5]=include
firewall.@include[5].path='/etc/add-port-rule.sh'
firewall.@include[5].reload='1'
firewall.pbridge=include
firewall.pbridge.enabled='0'
firewall.pbridge.reload='1'
firewall.pbridge.path='/tmp/tmp_file/pbridge_firewall.sh'
firewall.ipsec=include
firewall.ipsec.reload='1'
firewall.ipsec.path='/tmp/ipsec/firewall.sh'
firewall.ipsec.enabled='1'
firewall.Hotspot_input=rule
firewall.Hotspot_input.enabled='0'
firewall.Hotspot_input.target='ACCEPT'
firewall.Hotspot_input.name='Hotspot_input'
firewall.Hotspot_input.src='hotspot'
firewall.Hotspot_input.dest_port='53 67-68 444 81 1812 1813 3991 3990'
firewall.@rule[5]=rule
firewall.@rule[5].dest_port='22'
firewall.@rule[5].proto='tcp udp'
firewall.@rule[5].name='Enable_SSH_WAN'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].src='wan'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].dest_port='4200-4220'
firewall.@rule[6].proto='tcp udp'
firewall.@rule[6].name='Enable_CLI_WAN'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].src='wan'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].dest_port='80'
firewall.@rule[7].proto='tcp udp'
firewall.@rule[7].name='Enable_HTTP_WAN'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].src='wan'
firewall.@rule[7].enabled='0'
firewall.@rule[8]=rule
firewall.@rule[8].dest_port='443'
firewall.@rule[8].proto='tcp udp'
firewall.@rule[8].name='Enable_HTTPS_WAN'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].src='wan'
firewall.@rule[8].enabled='0'
firewall.@rule[9]=rule
firewall.@rule[9].name='Block_DNS_forwarding'
firewall.@rule[9].src='*'
firewall.@rule[9].dest='wan'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='53'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='1812 1813'
firewall.@rule[10].proto='tcp udp'
firewall.@rule[10].name='Enable_Radius_WAN'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].enabled='0'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-DHCPv6'
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='udp'
firewall.@rule[11].src_ip='fe80::/10'
firewall.@rule[11].src_port='547'
firewall.@rule[11].dest_ip='fe80::/10'
firewall.@rule[11].dest_port='546'
firewall.@rule[11].family='ipv6'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[12]=rule
firewall.@rule[12].name='Allow-ICMPv6-Input'
firewall.@rule[12].src='wan'
firewall.@rule[12].proto='icmp'
firewall.@rule[12].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[12].limit='1000/sec'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[13]=rule
firewall.@rule[13].name='Allow-ICMPv6-Forward'
firewall.@rule[13].src='wan'
firewall.@rule[13].dest='*'
firewall.@rule[13].proto='icmp'
firewall.@rule[13].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[13].limit='1000/sec'
firewall.@rule[13].family='ipv6'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[14]=rule
firewall.@rule[14].name='Allow-pptpd-on-1723'
firewall.@rule[14]._name='pptpd'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].proto='tcp'
firewall.@rule[14].dest_port='1723'
firewall.@rule[14].family='ipv4'
firewall.@rule[14].src='wan'
firewall.@rule[14].enabled='0'
firewall.@rule[15]=rule
firewall.@rule[15].name='Allow-pptpd-gre-output-connections'
firewall.@rule[15]._name='pptpd'
firewall.@rule[15].dest='wan'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].enabled='0'
firewall.@rule[15].proto='gre'
firewall.@rule[15].family='ipv4'
firewall.@rule[16]=rule
firewall.@rule[16].name='Allow-pptpd-gre-input-connections'
firewall.@rule[16]._name='pptpd'
firewall.@rule[16].src='wan'
firewall.@rule[16].target='ACCEPT'
firewall.@rule[16].enabled='0'
firewall.@rule[16].proto='gre'
firewall.@rule[16].family='ipv4'
firewall.IPsecESP=rule
firewall.IPsecESP.src='wan'
firewall.IPsecESP.name='Allow-IPsec-ESP'
firewall.IPsecESP.target='ACCEPT'
firewall.IPsecESP.proto='esp'
firewall.IPsecESP.enabled='0'
firewall.IPsecNAT=rule
firewall.IPsecNAT.dest_port='4500'
firewall.IPsecNAT.src='wan'
firewall.IPsecNAT.name='Allow-IPsec-NAT-T'
firewall.IPsecNAT.target='ACCEPT'
firewall.IPsecNAT.proto='udp'
firewall.IPsecNAT.enabled='0'
firewall.IPsecIKE=rule
firewall.IPsecIKE.dest_port='500'
firewall.IPsecIKE.src='wan'
firewall.IPsecIKE.name='Allow-IPsec-IKE'
firewall.IPsecIKE.target='ACCEPT'
firewall.IPsecIKE.proto='udp'
firewall.IPsecIKE.enabled='0'
firewall.E_SSH_W_P=redirect
firewall.E_SSH_W_P.enabled='0'
firewall.E_SSH_W_P.target='DNAT'
firewall.E_SSH_W_P.src='wan'
firewall.E_SSH_W_P.dest='lan'
firewall.E_SSH_W_P.proto='tcp'
firewall.E_SSH_W_P.name='Enable_SSH_WAN_PASSTHROUGH'
firewall.E_SSH_W_P.dest_ip='127.0.0.1'
firewall.E_SSH_W_P.reflection='0'
firewall.E_SSH_W_P.src_dport='22'
firewall.E_HTTP_W_P=redirect
firewall.E_HTTP_W_P.enabled='0'
firewall.E_HTTP_W_P.target='DNAT'
firewall.E_HTTP_W_P.src='wan'
firewall.E_HTTP_W_P.dest='lan'
firewall.E_HTTP_W_P.proto='tcp'
firewall.E_HTTP_W_P.name='Enable_HTTP_WAN_PASSTHROUGH'
firewall.E_HTTP_W_P.dest_ip='127.0.0.1'
firewall.E_HTTP_W_P.reflection='0'
firewall.E_HTTP_W_P.src_dport='80'
firewall.E_HTTPS_W_P=redirect
firewall.E_HTTPS_W_P.enabled='0'
firewall.E_HTTPS_W_P.target='DNAT'
firewall.E_HTTPS_W_P.src='wan'
firewall.E_HTTPS_W_P.dest='lan'
firewall.E_HTTPS_W_P.proto='tcp'
firewall.E_HTTPS_W_P.name='Enable_HTTPS_WAN_PASSTHROUGH'
firewall.E_HTTPS_W_P.dest_ip='127.0.0.1'
firewall.E_HTTPS_W_P.reflection='0'
firewall.E_HTTPS_W_P.src_dport='443'
firewall.E_CLI_W_P=redirect
firewall.E_CLI_W_P.enabled='0'
firewall.E_CLI_W_P.target='DNAT'
firewall.E_CLI_W_P.src='wan'
firewall.E_CLI_W_P.dest='lan'
firewall.E_CLI_W_P.proto='tcp'
firewall.E_CLI_W_P.name='Enable_CLI_WAN_PASSTHROUGH'
firewall.E_CLI_W_P.dest_ip='127.0.0.1'
firewall.E_CLI_W_P.reflection='0'
firewall.E_CLI_W_P.src_dport='4200-4220'
firewall.A_PASSTH_T=rule
firewall.A_PASSTH_T.target='ACCEPT'
firewall.A_PASSTH_T.src='wan'
firewall.A_PASSTH_T.dest='lan'
firewall.A_PASSTH_T.name='Allow-passthrough-traffic'
firewall.A_PASSTH_T.proto='all'
firewall.A_PASSTH_T.enabled='0'
firewall.A_OSPFIGP=rule
firewall.A_OSPFIGP.enabled='0'
firewall.A_OSPFIGP.target='ACCEPT'
firewall.A_OSPFIGP.src='wan'
firewall.A_OSPFIGP.name='Allow-OSPFIGP-WAN-traffic'
firewall.A_OSPFIGP.proto='89'
firewall.REDIR_DNS=redirect
firewall.REDIR_DNS.enabled='0'
firewall.REDIR_DNS.target='DNAT'
firewall.REDIR_DNS.src='lan'
firewall.REDIR_DNS.dest='lan'
firewall.REDIR_DNS.proto='tcp udp'
firewall.REDIR_DNS.name='Redirect_DNS'
firewall.REDIR_DNS.dest_ip='192.168.1.1'
firewall.REDIR_DNS.src_dport='53'
firewall.REDIR_DNS.dest_port='53'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.DMZ=redirect
firewall.DMZ.src='wan'
firewall.DMZ.name='DMZ'
firewall.DMZ.proto='all'
firewall.DMZ.enabled='0'

openvpn.webui=webui
openvpn.webui._auth='tls'
openvpn.636C69656E745F504C43=openvpn
openvpn.636C69656E745F504C43.persist_key='1'
openvpn.636C69656E745F504C43.persist_tun='1'
openvpn.636C69656E745F504C43.port='1194'
openvpn.636C69656E745F504C43.proto='udp'
openvpn.636C69656E745F504C43.name_is_hexed='1'
openvpn.636C69656E745F504C43.verb='5'
openvpn.636C69656E745F504C43.nobind='1'
openvpn.636C69656E745F504C43.cipher='AES-128-CBC'
openvpn.636C69656E745F504C43._auth='tls/pass'
openvpn.636C69656E745F504C43.remote='my.server.IP.Here/DNS'
openvpn.636C69656E745F504C43.resolv_retry='infinite'
openvpn.636C69656E745F504C43.auth='sha1'
openvpn.636C69656E745F504C43._tls_auth='1'
openvpn.636C69656E745F504C43.ca='/lib/uci/upload/cbid.openvpn.636C69656E745F504C43.ca'
openvpn.636C69656E745F504C43.cert='/lib/uci/upload/cbid.openvpn.636C69656E745F504C43.cert'
openvpn.636C69656E745F504C43.key='/lib/uci/upload/cbid.openvpn.636C69656E745F504C43.key'
openvpn.636C69656E745F504C43.keepalive='10 120'
openvpn.636C69656E745F504C43._tls_cipher='all'
openvpn.636C69656E745F504C43.auth_key_direction='1'
openvpn.636C69656E745F504C43.client='1'
openvpn.636C69656E745F504C43.auth_user_pass='/etc/openvpn/auth_636C69656E745F504C43'
openvpn.636C69656E745F504C43.dev='tap'

#!/bin/sh

# Username/password verify helper as shipped in the RutOS image. OpenVPN
# exports the instance config name as $config and, with the via-file method,
# passes a temporary file in $1 holding the client's username on line 1 and
# password on line 2.
CONFIG=$config

log(){
        logger -t "openvpn-$1" "$2"
}

# Quote the variable: with an unquoted empty $CONFIG the test collapses to
# `[ -n ]`, which is always true, so the guard would not guard anything.
if [ -n "$CONFIG" ]; then
  AUTH_FILE=`echo "$config" | sed 's/openvpn-//g' | sed 's/.conf//g'`
  AUTH_FILE_PATH=/etc/openvpn/auth_$AUTH_FILE

  # Credentials presented by the client
  userpass=`cat "$1"`
  username=`echo $userpass | awk '{print $1}'`
  password=`echo $userpass | awk '{print $2}'`
  # Credentials configured for this instance (one "user pass" line)
  localuserpass=`cat "$AUTH_FILE_PATH"`
  localusername=`echo $localuserpass | awk '{print $1}'`
  localpassword=`echo $localuserpass | awk '{print $2}'`

  if [ "$username" = "$localusername" -a "$password" = "$localpassword" ]
  then
        log $AUTH_FILE "OpenVPN authentication successful: $username"
        exit 0
  fi

  log $AUTH_FILE "OpenVPN authentication failed"
  exit 1
fi

# Reached only when $config was not set; non-zero status means "reject"
return 1
User here *******
Pass Here ********
cat: can't open '/etc/openvpn/ccd': No such file or directory
-----BEGIN CERTIFICATE-----
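The `uci show` dump above is long enough that WAN-facing rules are easy to miss while reading it by hand: for instance `Allow-vpn-traffic` accepts TCP/UDP 1194 from the wan zone and carries no `enabled='0'`, even though this router only runs OpenVPN as a client (`client='1'`). The following is an added example, not code from the thread or from RutOS; it parses the `uci show` key/value format and reports which enabled rules accept traffic from wan and which zones are allowed to forward into lan. The sample lines are a constructed excerpt of the pasted dump.

```python
"""Audit a `uci show firewall` dump for WAN exposure and lan reachability."""
import re

SECTION_LINE = re.compile(r"^(\w+)\.([^.=]+)=(\w+)$")          # pkg.section=type
OPTION_LINE = re.compile(r"^(\w+)\.([^.=]+)\.(\w+)=(.*)$")     # pkg.section.option='v'

# Constructed excerpt of the dump posted above
SAMPLE = """\
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-vpn-traffic'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].src='wan'
firewall.@rule[3].dest_port='1194'
firewall.@rule[3].proto='tcp udp'
firewall.@rule[5]=rule
firewall.@rule[5].name='Enable_SSH_WAN'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].src='wan'
firewall.@rule[5].dest_port='22'
firewall.@rule[5].enabled='0'
firewall.@rule[12]=rule
firewall.@rule[12].name='Allow-ICMPv6-Input'
firewall.@rule[12].src='wan'
firewall.@rule[12].proto='icmp'
firewall.@rule[12].icmp_type='echo-request' 'echo-reply' 'router-advertisement'
firewall.@rule[12].target='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='vpn'
firewall.@forwarding[0].dest='lan'
"""


def parse_uci_show(text):
    """Map section id -> {'.type': type, option: value}.

    A list option (several quoted values on one line, as uci prints
    icmp_type) becomes a Python list; a scalar stays a string.
    """
    sections = {}
    for line in text.splitlines():
        m = SECTION_LINE.match(line)
        if m:
            sections[m.group(2)] = {".type": m.group(3)}
            continue
        m = OPTION_LINE.match(line)
        if not m:
            continue
        _pkg, sec, opt, raw = m.groups()
        values = re.findall(r"'([^']*)'", raw) or [raw]
        sections.setdefault(sec, {})[opt] = values[0] if len(values) == 1 else values
    return sections


def wan_accept_rules(sections):
    """(name, proto, dest_port) of enabled input rules accepting from wan.

    Rules with a `dest` zone are forward rules, not router-input rules, so
    they are skipped; a missing `enabled` option means the rule is active.
    """
    found = []
    for sec_id, s in sections.items():
        if s.get(".type") != "rule" or s.get("enabled", "1") == "0":
            continue
        if s.get("src") == "wan" and s.get("target") == "ACCEPT" and "dest" not in s:
            found.append((s.get("name", sec_id), s.get("proto", "any"),
                          s.get("dest_port", "any")))
    return found


def zones_forwarding_to(sections, dest_zone):
    """Source zones with a forwarding section into dest_zone."""
    return [s["src"] for s in sections.values()
            if s.get(".type") == "forwarding" and s.get("dest") == dest_zone]


if __name__ == "__main__":
    cfg = parse_uci_show(SAMPLE)
    for name, proto, port in wan_accept_rules(cfg):
        print(f"wan -> router ACCEPT: {name} ({proto} {port})")
    print("zones forwarded into lan:", zones_forwarding_to(cfg, "lan"))
```

Feed it the real output with `parse_uci_show(open("firewall.txt").read())` after saving `uci show firewall` from the router; the same parser handles the `network` and `openvpn` dumps too.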

I have been through the documentation a lot and rechecked all client configurations and can't find any issues, and the debug log doesn't help much, unfortunately.

It's much harder to set up a service and troubleshoot it relying on unverified documentation than to use a tested and working approach.
In addition, your configuration contains so many modifications that it might be faster to back up, reset and start from scratch than to waste time trying to isolate the cause of the issue.


I'm happy to start from scratch again; I have already done this a few times. I have done a hard reset on the router multiple times and still have no luck connecting via Tun. I have a feeling it may be a bug in the firmware, as I can't see anything wrong with the client configuration. Have you got any ideas on what to do if I start from scratch again? Or is OpenVPN not a good solution for what I'm doing?

Honestly, I don't think it is a matter of restarting from scratch or rebooting.
You are trying to solve a problem consisting of terrible planning, a SoftEther VPN server, some OpenWrt-based routers and OpenVPN in the wrong mode, in a forum dedicated to something close to one of the elements of the problem... These solutions should be designed end to end by some integrator, with equipment tested for interoperability.

Try WireGuard. At least it supports only routed mode, so you can't go wrong with that.


I have successfully created VLAN eth0.1 and bridged tap0 to that instead of the local LAN. The VLAN shares the same subnet as the server's virtual LAN/NAT: server IP 192.168.3.12, engineering PC 192.168.3.15 and RUT240 VLAN 192.168.3.3, and I can ping between all three from each point perfectly fine. So all I need to figure out now is how to create a NAT or bridge eth0.1 to eth0 (VLAN to LAN) in the RUT240, and this should then allow access to anything on the local LAN, hopefully.

<Engineering PC 192.168.3.15>----------------<Server VLAN 192.168.3.12>------------<RUT240 192.168.3.3>-------------<PLC 192.168.2.5>

So I just need to gain access to the PLC now. I did create some static routes and ended up locking myself out of the router and had to do a hard reset, so I either got it wrong or that is not the way to do it.

If all these sites weren't existing already I would just have every device on its own subnet and there would not be an issue, but that can't be done. There are other devices out there such as eWON and a few others that use OpenVPN for remote access to PLCs etc. and they don't have issues with subnets, so it must be possible to achieve; I'm just not very experienced with networking and VPNs.

Most likely, there's no one here who can help you troubleshoot SoftEther VPN.
And using TAP, you are looking for even more trouble, which you can simply avoid with TUN.
So, it would be much easier if you used the official OpenVPN or WireGuard client and server software.

All I have to do now is get access from the RUT240 (OpenWrt) router's VLAN to the local LAN... surely this is achievable? I have been looking at WireGuard and it looks like it's UDP and layer 2, just like the OpenVPN tap, which is layer 2. I can't find any examples of WireGuard client to client.

<client-----<Server-----<client

but it may just work without additional configuration. The problem is that if I try to use WireGuard, the RUT240 doesn't natively support it, so I would have to install it and use it in the background of the router. Are there any other options, such as software-defined networks, that work with OpenWrt?

How will Tun be less trouble? You have to set up static routes on all clients and push routes from the server etc., where the Tap just seems to work. I don't have any issues with SoftEther to troubleshoot; that's working just fine. Windows can connect to SoftEther in tun or tap with the same configurations I have on the RUT240, so it must be a bug or something wrong with the RUT240 for it not to connect in tun. I even tried another server I have that's OpenVPN via pfSense, and everything connects to that fine except tun on the RUT240... I had a Raspberry Pi connect fine to both servers in tun and tap, so I have nailed it down to an issue with the RUT240. I would have thought what I'm doing isn't super complicated, but it is out of scope for what most people use VPNs for. Thanks for all your help so far.

I don't quite follow the terminology "natively" and "background", but all VPN instances run as a service, or in the background if you prefer. Only if you are troubleshooting something do you run the server in the foreground.

The keyword is "seems", otherwise we wouldn't be arguing now.
In your case you need broadcast domain segregation. You can achieve that with the tun protocol. Tap creates a broader broadcast domain. As simple as that.

Most likely you've been looking in the wrong place. WireGuard is L3 and we have many topics here covering that. For example:


https://openwrt.org/docs/guide-user/services/vpn/wireguard/start


I have been having a good look into WireGuard and have set it up on my Windows Server VPS and a Windows 10 PC, and got access to the local networks pretty quickly and easily. The one problem I see is that you cannot have multiple servers running at the same time; when you activate a second server it drops the running one. I would need a server per device with its own tunnel, and that way I can connect the engineering PC to whichever server the end device/PLC I need is connected to at the time. I don't think I could have all peers connecting to the one server: all the peers would have the same allowed IP address since all the PLCs have the same IP, and then there would be no way for the engineering PC to know which PLC is which, unless I'm missing something.

First of all, you can have as many instances as your physical server can handle. You obviously need to have a dedicated IP/port for each instance.
Second, the tunnel will be set up from the 4G routers, where NAT is applied, and they have different IPs from what I see in the diagram. So I don't see the issue there.
