Resolved
Hello all,
We have software that communicates with a CNC machine on a specific port. Everything works fine when the computer and the machine are on the same LAN. We're now trying to communicate through a VPN connection but it fails. We can ping the machine but not communicate with it.
So we tried to change our OpenVPN config to bridging mode but it seems to be too difficult. The idea was to try to assign to the OpenVPN client an address from our DHCP server and not a 10.0.0.x address. Or maybe to forward the packets using an internal address? But I've no idea how to configure that...
if someone has an idea :)
In OpenVPN
Friday, March 08 2019, 11:05 AM
Responses (8)
  • Tuesday, March 12 2019, 07:03 AM
    Hello Nick,
    Yes, the situation is the one you described. We tried your suggestion
    iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
    and it works like a charm! Wonderful.
    Thanks very very much Nick :D
  • Monday, March 11 2019, 11:17 AM
    I may be missing something here and I was thinking of a different network layout. Are you going Windows <-OpenVPN-> ClearOS <-> ClearOS LAN <-> CNC Machine? If that is the case, try the following iptables rule from the command line:
    iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
    or in a Custom Firewall rule:
    $IPTABLES -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
  • Monday, March 11 2019, 10:53 AM
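    The rule above works because the CNC machine only talks to peers it sees as 192.168.100.x and has no reason to know the 10.8.0.0/24 tunnel subnet; masquerading rewrites the source address of VPN traffic to the ClearOS LAN address, so the machine sees a local peer and its replies come back through ClearOS. The script below is an added example, not from this thread or from ClearOS, showing how to keep that rule idempotent and verifiable. The interface name eth0 and the `-o` restriction are assumptions (the thread's rule has no `-o`; adding it keeps VPN clients from being masqueraded out of every interface). The sample `iptables-save` dumps are constructed for offline checking.

```shell
#!/bin/sh
# Added example (not from the thread): make the OpenVPN -> LAN masquerade rule
# idempotent and checkable. Values below are assumptions; override via env vars.
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"   # OpenVPN tunnel subnet, as in the thread
LAN_IF="${LAN_IF:-eth0}"                  # assumed LAN-facing interface on ClearOS

# The rule as it appears in an `iptables-save` dump. Restricting it to the
# LAN interface (-o) keeps VPN clients from being NATed out of other interfaces.
saved_rule() {
    printf '%s' "-A POSTROUTING -s $VPN_SUBNET -o $LAN_IF -j MASQUERADE"
}

# Read an iptables-save style dump on stdin; succeed only if the rule is present.
rule_present_in() {
    grep -qxF -- "$(saved_rule)"
}

# Apply on a live box: insert only if -C (check) reports the rule missing, and
# report if forwarding is off, since masqueraded packets never leave otherwise.
ensure_masquerade() {
    if iptables -t nat -C POSTROUTING -s "$VPN_SUBNET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null; then
        echo "masquerade rule already present"
    else
        iptables -t nat -I POSTROUTING -s "$VPN_SUBNET" -o "$LAN_IF" -j MASQUERADE
        echo "masquerade rule inserted"
    fi
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "warning: ip_forward is 0"
}

# Constructed sample dumps for offline checking (not captured from a real host).
DUMP_WITH_RULE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'
DUMP_WITHOUT_RULE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# Usage: `sh masq.sh apply` on the ClearOS box; with no argument it only
# checks the constructed dumps, which needs no root and no iptables.
if [ "$1" = apply ]; then
    ensure_masquerade
else
    printf '%s\n' "$DUMP_WITH_RULE"    | rule_present_in && echo "sample 1: rule present"
    printf '%s\n' "$DUMP_WITHOUT_RULE" | rule_present_in || echo "sample 2: rule missing"
fi
```

    On a real ClearOS box, run `iptables-save -t nat | sh -c '. ./masq.sh; rule_present_in'` style checks after a reboot to confirm the rule survived; a rule added only from the command line is lost on restart, which is why the Custom Firewall `$IPTABLES` form is the one to keep.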
    Hello Nick,
    Yes, the CNC machine is inside a LAN with an internal IP address. We make a VPN connection from the outside to our network. The client is under Windows and makes a VPN connection to the ClearOS server.
    The idea is replacing the DHCP of the OpenVPN server with the one of the LAN. In this way, the client would receive a local LAN IP address instead of the 10.0.0.x address. Then, when connecting to the CNC machine, it will be allowed because it comes from the same subnet.
    To do that, I need to change the behaviour of the OpenVPN server from NAT to bridge mode... so that I can tell the OpenVPN server to assign our LAN IP addresses, but as the system is in production, I wouldn't like to break something :)
  • Monday, March 11 2019, 08:50 AM
    So, the CNC machine is not running OpenVPN, but is LAN connected? If it is running OpenVPN itself, can you ask the suppliers what configs they expect? If you are doing OpenVPN to another machine, don't you want to have a Server <-> Server VPN rather than Client <-> Server?

    I am not sure how your doc would help too much. The remote machine will still have its own IP plus an IP it receives from ClearOS via the TAP interface unless you make ClearOS an IP on the CNC machine's LAN. Is that what you're thinking of doing?
  • Monday, March 11 2019, 08:26 AM
    OK, thanks Nick, but on the machine side it's a special system for CNC machines with no firewall and it's impossible to manage anything from it. So the main idea would be that the client side of the VPN receives an IP from our main DHCP server to be on the same subnet.
    I found a post here but I don't know if I can apply it on my COS system...
  • Monday, March 11 2019, 08:21 AM
    Can you check the Windows firewall (assuming Windows)? Perhaps temporarily add a rule to allow all in from 10.8.0.x and your ClearOS LAN subnet if you can't identify which service you need to add the rule to. Many Windows firewall rules only allow traffic from their own LAN subnet.
  • Monday, March 11 2019, 07:59 AM
    Hello Nick and thanks for your answer. So I added the option to my OpenVPN config (client side) but this didn't solve the problem. It seems that the machine receives the request from the IP 10.0.0.x and, since it's not in the same subnet as itself (192.168.100.x), refuses to answer... but I can ping it!
    Thanks for your help
  • Friday, March 08 2019, 05:03 PM
    Have you thought about pushing all the remote device's traffic through the VPN? Add the following to the ovpn file:
    redirect-gateway def1 bypass-dhcp