Author Topic: ECOM and ECOM100 over OpenVPN  (Read 11009 times)

Dave
ECOM and ECOM100 over OpenVPN
« on: June 30, 2011, 07:35:07 PM »
This is more VPN than PLC, but I think answers will benefit all following here.

Goal: To network two sites so remote PLCs can be accessed locally over an OpenVPN link.

The Network:
- Site A: XP Pro Laptop behind router (laptop=192.168.1.0/24)
- Site B: XP Pro PC behind router with 2 NICs, NIC1=LAN (192.168.2.0/24), NIC2=PLC (10.10.10.0/24)
  There are 2 DL06s on PLC LAN, ECOM equipped at 10.10.10.10, ECOM100 equipped at 10.10.10.11

So Far:
- OpenVPN between laptop and PC working (scripts below)
- Enabled IP forwarding on PC and laptop (regedit below)

The Rub:
- The laptop can ping the ECOM but not the ECOM100

DirectSoft5 on the laptop goes online with the remote ECOM connected PLC but not with the ECOM100. Neither can the Cmore programming software connect with the panel at 10.10.10.12. Only the ECOM can be remotely accessed.

I've been working through the routing to make this happen. Seeing some devices but not the rest has me stuck. I figured it would be all or none. There's a networking fault somewhere, I'm just not sure where.

This is a quick overview of the effort, post your questions and I'll fill in the blanks. All comments welcome.

Dave.

PC OpenVPN Script
  # server.ovpn
  server 172.17.2.0 255.255.255.0
  push "route 10.10.10.0 255.255.255.0"
  push "route 192.168.2.0 255.255.255.0"
  port 1194
  proto   udp
  dev tun
  cipher AES-256-CBC
  comp-lzo
  cert server.crt
  key server.key
  dh dh1024.pem
  ca ca.crt
  tls-auth ta.key 0
  max-clients 10
  client-to-client
  keepalive 10 120
  persist-key
  persist-tun
  status openvpn-status.log
  verb 3

  # Not used as they force ALL traffic through the VPN
  # push "redirect-gateway"
  # push "dhcp-option DNS 172.17.2.1"

Laptop OpenVPN Script
  # client.ovpn
  client
  cert dave.crt
  key dave.key
  ca ca.crt
  tls-auth ta.key 1
  remote abc.dyndns.org 1194
  dev tun
  proto   udp
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  cipher AES-256-CBC
  ns-cert-type server
  comp-lzo
  route-method exe
  route-delay 2
  verb 3

XP RegEdits
  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
  "IPEnableRouter"=dword:00000001

MikeS

  • Host Moderator
    • Host Engineering, Inc.
Re: ECOM and ECOM100 over OpenVPN
« Reply #1 on: July 01, 2011, 12:08:47 PM »
What values were entered for the subnet mask and gateway on the ECOM100?
Good design costs a lot. Bad design costs even more.

Dave
Re: ECOM and ECOM100 over OpenVPN
« Reply #2 on: July 01, 2011, 04:02:12 PM »
Doh!!!

PC=10.10.10.50/255.255.255.0
PLC HUB=10.10.10.1

before:
ECOM100 on 10.10.10.11/255.255.255.0 gateway 0.0.0.0
CMORE on 10.10.10.12/255.255.255.0 gateway 10.10.10.1

after:
ECOM100 on 10.10.10.11/255.255.255.0 gateway 10.10.10.50 (PC)
CMORE on 10.10.10.12/255.255.255.0 gateway 10.10.10.50 (PC)

Mission Accomplished

Laptop programming over the VPN! No constantly transferring from laptop to PC to PLC. Directly program the remote PLC/Cmore from the laptop over the VPN.

I suppose pointing the gateway at the PC will have negative effects, e.g. no outbound PLC/Cmore connections unless the PC is running. Moving OpenVPN to a properly configured OpenWRT router and pointing the gateway there would fix that problem.

Thanks!

Final note to others: port 1194 must be forwarded to the PC on the remote's internet-connected router. The DynDNS.org updater runs on the remote PC, keeping abc.dyndns.org current with any dynamically assigned ISP address changes. The updater could instead be run on the remote's ISP-connected router, e.g. with OpenVPN on an OpenWRT-based router.

PS: Lookout also works over the VPN!
« Last Edit: July 01, 2011, 04:17:17 PM by Dave »
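
The fix in this thread comes down to the return path: a device on 10.10.10.0/24 can only answer a VPN client in 172.17.2.0/24 if its gateway is the host that routes to the tunnel. The following Python check is an added example, not part of the original posts; it uses the addresses given in the thread, the function names are hypothetical, and it assumes that 10.10.10.1 has no route to the VPN subnet.

```python
import ipaddress

# Values taken from the thread: VPN pool from server.ovpn, PC's PLC-side NIC.
VPN_NET = ipaddress.ip_network("172.17.2.0/24")
VPN_ROUTER = ipaddress.ip_address("10.10.10.50")

# Device settings as posted in reply #2 (ip, mask, gateway).
BEFORE = {
    "ECOM100": ("10.10.10.11", "255.255.255.0", "0.0.0.0"),
    "CMORE": ("10.10.10.12", "255.255.255.0", "10.10.10.1"),
}
AFTER = {
    "ECOM100": ("10.10.10.11", "255.255.255.0", "10.10.10.50"),
    "CMORE": ("10.10.10.12", "255.255.255.0", "10.10.10.50"),
}


def return_path(ip, mask, gateway, peer_net=VPN_NET, router=VPN_ROUTER):
    """Classify how a device would send replies to hosts in peer_net."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    gw = ipaddress.ip_address(gateway)
    if peer_net.subnet_of(iface.network):
        return "on-link"              # peer shares the device's subnet
    if gw.is_unspecified:
        return "no-gateway"           # 0.0.0.0: off-subnet replies are dropped
    if gw not in iface.network:
        return "gateway-unreachable"  # gateway is outside the device's subnet
    if gw != router:
        # Assumption: only `router` knows the way back to peer_net.
        return "wrong-gateway"
    return "ok"


def audit(devices):
    """Map each device name to its return-path classification."""
    return {name: return_path(*cfg) for name, cfg in devices.items()}


if __name__ == "__main__":
    for label, devices in (("before", BEFORE), ("after", AFTER)):
        for name, result in audit(devices).items():
            print(f"{label:6} {name:8} {result}")
```

Running the same audit over every device on the PLC LAN before changing gateways also shows which devices will lose their current outbound path once they point at the PC.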