Site-to-site VPN with industrial equipment (without DHCP)

Hello, I've been using a site-to-site VPN with multiple mobile clients for some time now. All my configuration is explained in detail here: https://forum.openwrt.org/t/setting-up-openvpn-server-on-a-openwrt-router-with-integrated-cellular-modem/40955/19

It works great with any PC or mobile phone (pretty much everything that uses DHCP to get its IP), but I'm having trouble with some industrial equipment like PLCs or HMIs which use a static IP address. I can connect to the PLC locally or ping it from its local router through a remote terminal, but I'm unable to ping it from a remote PC. I'm not sure if it's because the PLC doesn't allow IP forwarding (shouldn't matter since the VPN connects through a local IP address?), the VPN won't route to the PLC when there's no active DHCP lease on its local network, or something else.

Obviously I'm not an expert, so if you think I should read about a particular subject, please let me know.


Verify that the default gateway and routes on the industrial equipment are configured the same way as on the other LAN clients.
If possible, make sure the firewall on the industrial equipment does not limit admin access to the local subnet.
Otherwise, set up a SNAT rule to masquerade your IP on the VPN gateway and specify the option dest_ip to limit the rule scope.

Verify that the default gateway and routes on the industrial equipment are configured the same way as on the other LAN clients.

This part is OK

If possible, make sure the firewall on the industrial equipment does not limit admin access to the local subnet.

As far as I understand the datasheet, it seems that it does limit access to the local subnet, and I don't think I can do anything about it.

Otherwise, set up a SNAT rule to masquerade your IP on the VPN gateway and specify the option dest_ip to limit the rule scope.

I've been reading the wiki page and researching, unfortunately I'm still not sure on how to do this.
So far I would put something like this in /etc/config/firewall on the mobile router (it connects to the VPN as a client):

config redirect
   option src_dip (some LAN address?)
   option dest 'lan'
   option dest_ip (LAN address of the PLC)
   option proto 'all'
   option target 'SNAT'  

I noticed a problem which won't help with diagnosis... Ping won't work: I am able to remotely connect to a PC which has a VNC or FTP server, but I'm not able to remotely ping the same PC. I'm pretty sure it's firewall related. I feel like I'm doing quite advanced stuff, but I don't know the basic working principle, so if you are aware of a web page which could help me understand what I'm doing, that would be great!

Firewall config on Router with the VPN server:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option device 'tun0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'vpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

Firewall config on mobile router with the VPN client (same for all of them):

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option device 'tun0'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'MOBILE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device ''

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'


SNAT works the same way; the difference is that masquerading is useful for dynamic IPs.
Also, in your case it should hide a private subnet behind the private IP of the VPN gateway.

It is restricted to the local subnet by default on Windows hosts.

Yes, LAN IP of the VPN gateway.

An alternative way is just to enable selective masquerading for the LAN zone:

uci set firewall.@zone[0].masq="1"
uci set firewall.@zone[0].masq_dest="industrial_equipment_ip/32"
uci commit firewall
/etc/init.d/firewall restart

This should be the device on the same LAN as the industrial equipment.

I tried the alternative way and it worked, thanks! It even got rid of the PING problem, but only for the industrial equipment (obviously).

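For reference, the fix that worked in this thread written out as a /etc/config/firewall fragment for the router that shares a LAN with the PLC, with the original lan zone beside the two corrected forms. This is an added example, not configuration posted by anyone in the thread; the addresses (LAN 192.168.1.0/24, router 192.168.1.1, PLC 192.168.1.50, OpenVPN tunnel 10.8.0.0/24) are assumptions and the syntax is that of fw3, which the posted configs (/etc/firewall.user include, icmp_type 'NNN/0') indicate is in use.

```uci
# Added example, not from the thread. Assumed addresses: LAN 192.168.1.0/24,
# router LAN IP 192.168.1.1, PLC 192.168.1.50, OpenVPN tunnel 10.8.0.0/24.

# As posted: tun0 sits in the lan zone and tunnel traffic is forwarded to the
# PLC unchanged. The PLC sees a source of 10.8.0.x, which is outside its own
# subnet, and its host firewall drops it. (VNC/FTP to the PC worked because
# those services were not restricted to the local subnet; ping was.)
config zone
	option name 'lan'
	list network 'lan'
	option device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Fix 1, the selective masquerade from the thread: same zone, plus masq scoped
# to tunnel sources and to the PLC only. Every other LAN host keeps seeing the
# real 10.8.0.x source, so host firewalls and logs elsewhere still identify
# the remote client.
config zone
	option name 'lan'
	list network 'lan'
	option device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list masq_src '10.8.0.0/24'
	list masq_dest '192.168.1.50/32'

# Fix 2, the equivalent SNAT redirect: rewrite the source of tunnel traffic
# headed for the PLC to the router's own LAN address (src_dip), leaving the
# zone definition untouched. For target SNAT, dest_ip is the traffic's
# destination to match and src_dip is the new source address.
config redirect
	option name 'SNAT-to-PLC'
	option target 'SNAT'
	option src 'lan'
	option dest 'lan'
	option src_ip '10.8.0.0/24'
	option dest_ip '192.168.1.50'
	option src_dip '192.168.1.1'
	option proto 'all'
```

Two caveats. Once either form is in place the PLC sees every remote user as 192.168.1.1, so its own access log or ACL can no longer tell them apart; keep masq_dest (or dest_ip) narrowed to the hosts that actually need it rather than the whole LAN. Separately, the client-side config posted earlier has `option input 'ACCEPT'` on the wan zone, which exposes the mobile router's own services (ssh, LuCI) to the cellular network; the OpenWrt default for that zone is REJECT, as shown on the server-side router.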
