0 votes
242 views 10 comments
by

I have router RUTX11 with firmware RUTX_R_00.07.01.4.

I want to have access to our device connected on LAN side over OpenVPN.

network

OpenVPN works.

I am not able to do any changes on open vpn server.

I try to add this setting to OpenVPN client configuration.

Remote network IP address: 172.30.51.0

Remote network netmask: 255.255.255.0

TraceRt ends at the tunnel address in the router.

C:\>tracert 172.30.51.1

Tracing route to 172.30.51.1 over a maximum of 30 hops

  1   124 ms    73 ms    68 ms  10.1.0.16

  2  10.1.0.16  reports: Destination protocol unreachable.

Trace complete.

Can you help me set up some rules on the router side so I can access our devices.

3 Answers

0 votes
by

Hello,

Did you add a TLS client on the OpenVPN server side? By adding a TLS client, you will then be able to access the client router. More information you can find here: https://wiki.teltonika-networks.com/view/OpenVPN_configuration_examples#Clients_from_Server

Regards.

by
Yes, I added the TLS client name on the OpenVPN server side.

We have a server by Insys-icom and usually use these routers.

We want to use teltonika routers in the future.
0 votes
by

Hello, this is Martín, Tech Support Engineer for Teltonika Networks.

To allow access to the LAN devices, you need to add a route from the LAN network on the remote side to the remote side VPN IP address.

If I understand correctly, you are planning to ping the devices that are on the OpenVPN server's LAN side, and the other side has an IP Address of 10.1.0.18, and in its LAN side we have the network 172.30.51.0/24

For this, please open up the WebUI and go to Network > Routing and add a new Static IPV4 Route.

Add a new route with the following options:

  • Target: 172.30.51.0
  • IPV4-Netmask: 255.255.255.0
  • IPV4-Gateway: 10.1.0.18

The logic of this setting is that we are informing the RUTX11 that the network (172.30.51.0/24) is accessible through the OpenVPN Server's IP address 10.1.0.18.

This logic can work on the opposite way if you need to have the devices on the LAN network of the RUTX11 to be known and reachable by the server.

Instructions for routing can be found on the Wiki article here.

I remain attentive to any further comments.

Have a good day!

by

Hello Martín.

I try to make a better description.

I need to communicate with a device on the OpenVPN client RUTX11 LAN side.

In this description there are new tunnel addresses, which I actually receive from the OpenVPN server (different from the first, previous description).

Now I can get from the notebook through the server to the router RUTX11 on its tunnel address 10.1.0.18 (red arrow)

network overview

I have got this setting on open VPN client RUTX11 on client configuration.

client config

This is response for ping from notebook to RUTX11

C:\>ping 172.30.51.1

Pinging 172.30.51.1 with 32 bytes of data:

Reply from 10.1.0.18: Destination port unreachable.

Ping statistics for 172.30.51.1:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

I am not able to get to RUTX11 LAN side.

I probably need to set some rules for NAT on RUTX11.

NAT from 172.30.51.0/24 to 192.168.50.0/24

Thank you for your help!

by
Hello, I am currently replicating this setup and I will update this answer once I have the confirmed instructions on how to configure the NAT settings for this device.

Best regards.
by

Hello, I have replicated this setup, however, some modifications were made in order to achieve correct connectivity.

The devices on the LAN network you described had two sets of IP addresses, which I imagine are the IP’s in the LAN network and their virtual IP addresses.

However, a more appropriate organization of this topology which allows access to the devices in the internal LAN behind the RUTX11, would be to use the LAN IP addresses of the devices and to allow them to be routed through the VPN, so the devices which are using the VPN network can communicate to said LAN devices.

To do this, I will demonstrate the usage of an example topology, based on the design you posted.

VPN Access Diagram

For this to work, your VPN server must have a Route from the LAN Network IP to the RUTX11’s VPN IP address.

Then, it’s necessary to create a Route from the LAN network to the VPN Server, which in this case would be a Route between 192.168.50.0/24 to 10.1.0.1/24.

To configure said route, you can go to the RUTX11’s Web Interface, and open the Network>Routing>Static Routes, and then input the following:

  • Target: 192.168.50.0
  • IPV4-Netmask: 255.255.255.0
  • IPV4-Gateway: 10.1.0.1
  • Leave the other settings as default.

After that, please head to Network>Firewall>General Settings and edit the zone that goes from your VPN to the LAN by clicking on the pencil icon.

Then, under the Inter-Zone Forwarding click under the “Allow forward to destination zones”, and a drop-down menu will be shown. There, select LAN and finally click on Save & Apply.

This topology was tested on a RUTX11 running Firmware 07.01.4, and it allowed ping from the computer to the LAN devices. Please be aware that in order to see all the necessary configuration options you should enable Advanced Mode under the Mode settings on the top-right section of the WebUI

Best regards.

by

Hello Martin.

I still can't get (ping) to address 172.30.51.1.

This is route on server side

server

There are some details from Open VPN

serverUpdated,Tue Apr 26 08:52:35 2022

Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since

client51_Brentag,37.188.242.185:53524,1299867,1258928,Tue Apr 26 08:00:31 2022

ntb_bara,185.71.233.32:1194,7311514,9995955,Tue Apr 26 07:41:32 2022

ROUTING TABLE

Virtual Address,Common Name,Real Address,Last Ref

10.1.0.26,ntb_bara,185.71.233.32:1194,Tue Apr 26 08:52:35 2022

fd19:433a:30e5:1c2c::1005,ntb_bara,185.71.233.32:1194,Tue Apr 26 07:41:33 2022

172.30.51.0/24,client51_Brentag,37.188.242.185:53524,Tue Apr 26 08:00:32 2022

10.1.0.10,client51_Brentag,37.188.242.185:53524,Tue Apr 26 08:52:34 2022

fd19:433a:30e5:1c2c::1001,client51_Brentag,37.188.242.185:53524,Tue Apr 26 08:00:32 2022

GLOBAL STATS

Max bcast/mcast queue length,1

new static route

static route

I allowed this zone

firewall

zone settings

zone settings

Mode and fw version

firmware

Ping is without changing

C:\>ping 172.30.51.1

Pinging 172.30.51.1 with 32 bytes of data:

Reply from 10.1.0.10: Destination port unreachable.

Reply from 10.1.0.10: Destination port unreachable.

Reply from 10.1.0.10: Destination port unreachable.

Reply from 10.1.0.10: Destination port unreachable.

Ping statistics for 172.30.51.1:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Do you have some idea?
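Reading the ROUTING TABLE in the status output above, as an added example that is not part of the thread: it parses the posted lines and runs a longest-prefix lookup over them, showing that 172.30.51.1 is handed to client51_Brentag (tunnel address 10.1.0.10, the host that answers the ping) and that the server holds no route for 192.168.50.0/24. The function names are illustrative.

```python
import ipaddress

# ROUTING TABLE section copied from the status output posted above.
STATUS = """\
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.0.26,ntb_bara,185.71.233.32:1194,Tue Apr 26 08:52:35 2022
fd19:433a:30e5:1c2c::1005,ntb_bara,185.71.233.32:1194,Tue Apr 26 07:41:33 2022
172.30.51.0/24,client51_Brentag,37.188.242.185:53524,Tue Apr 26 08:00:32 2022
10.1.0.10,client51_Brentag,37.188.242.185:53524,Tue Apr 26 08:52:34 2022
fd19:433a:30e5:1c2c::1001,client51_Brentag,37.188.242.185:53524,Tue Apr 26 08:00:32 2022
GLOBAL STATS
Max bcast/mcast queue length,1
"""


def parse_routes(status):
    """Return [(network, common_name)] from the ROUTING TABLE section."""
    routes, in_table = [], False
    for line in (l.strip() for l in status.splitlines()):
        if line == "ROUTING TABLE":
            in_table = True
        elif line == "GLOBAL STATS":
            break
        elif in_table and line and not line.startswith("Virtual Address"):
            addr, name = line.split(",")[:2]
            # A bare address becomes a host route (/32 or /128).
            routes.append((ipaddress.ip_network(addr), name))
    return routes


def owner_of(routes, ip):
    """Longest-prefix match: the client this address is forwarded to, or None."""
    ip = ipaddress.ip_address(ip)
    hits = [(net, name) for net, name in routes if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def tunnel_addresses(routes, name):
    """IPv4 host routes of one client, i.e. its own tunnel address(es)."""
    return [str(net.network_address) for net, n in routes
            if n == name and net.version == 4 and net.prefixlen == 32]


if __name__ == "__main__":
    routes = parse_routes(STATUS)
    print(owner_of(routes, "172.30.51.1"))
    print(tunnel_addresses(routes, "client51_Brentag"))
    print(owner_of(routes, "192.168.50.90"))
```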

by

Hello, I have reviewed the configurations you provided, and there are differences with the test scenario I performed where I got ping.

I am attaching the following screenshots below:

This screenshot is for the Network > Firewall > General Settings, where I highlighted where your configuration needs to be changed from "Reject" to "Accept".

VPN Zones Settings

This second screenshot is for the OpenVPN zone settings.

OpenVPN Zone Settings

Can you please perform the following changes to your configuration and confirm if the ping result changes?

Best regards.

by

Hello Martin.

I still can't get to the address 172.30.51.1.

I made your modification.

Firewall settings

This is OpenVpn client settings

OpenVPN client settings

I restarted both devices (server and client).

This is result of pings and tracert

C:\>ping 172.30.51.1

Pinging 172.30.51.1 with 32 bytes of data:

Request timed out.

Ping statistics for 172.30.51.1:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 10.1.0.10

Pinging 10.1.0.10 with 32 bytes of data:

Reply from 10.1.0.10: bytes=32 time=114ms TTL=64

Ping statistics for 10.1.0.10:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 90ms, Maximum = 168ms, Average = 124ms

C:\>tracert 172.30.51.1

Tracing route to 172.30.51.1 over a maximum of 30 hops

  1    56 ms    88 ms    74 ms  10.1.0.10

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

Should I send some other settings?

Thank you for your support.

by

Hello, how are the LAN devices configured? Which are their IP addresses, masks and gateways?

In the first diagram I see there are two sets of IP's for each client, which are 192.168.50.0/24 and 172.30.51.0/24.

How is this implemented?

Best regards.

by

The router's web line is as follows. From the WAN side (notebook) accessible via a tunnel at 172.30.51.1

router line side

device no.1 - IP: 192.168.50.90, mask: 255.255.255.0, gw: 192.168.50.1, I want access through tunnel at 172.30.51.90

device no.2 - IP: 192.168.50.91, mask: 255.255.255.0, gw: 192.168.50.1, I want access through tunnel at 172.30.51.91

device no.3 - IP: 192.168.50.95, mask: 255.255.255.0, gw: 192.168.50.1, I want access through tunnel at 172.30.51.95

device no.1 - IP: 192.168.50.110, mask: 255.255.255.0, gw: 192.168.50.1, I want access through tunnel at 172.30.51.110

We have the following network structure.

We have a lot of machines in our network connected to the OpenVPN server.

In each machine is a router and on its LAN side some clients.

We always have LAN range 192.168.50.0/24 on each machine.

LAN side devices are accessible over address 172.30.X.0/24 which is defined on the OpenVPN server (see picture).

network struktur

Thank you for your support.
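The address arithmetic behind the 1:1 translation described in this post, as an added example that is not part of the thread and is not router configuration: the network prefix is swapped and the host bits are kept, in the destination on the way in and in the source on the way back. 10.1.0.26 is assumed to be the notebook's tunnel address (taken from the status output earlier in the thread); the function names are illustrative.

```python
import ipaddress

VIRTUAL = ipaddress.ip_network("172.30.51.0/24")  # prefix the server routes to this client
REAL = ipaddress.ip_network("192.168.50.0/24")    # LAN prefix behind the RUTX11

# Devices as listed in the post: (LAN address, address wanted through the tunnel).
DEVICES = [
    ("192.168.50.90", "172.30.51.90"),
    ("192.168.50.91", "172.30.51.91"),
    ("192.168.50.95", "172.30.51.95"),
    ("192.168.50.110", "172.30.51.110"),
]


def remap(addr, src_net, dst_net):
    """Swap the network prefix and keep the host bits (1:1 NAT)."""
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    if addr not in src_net:
        raise ValueError(f"{addr} is outside {src_net}")
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def inbound(pkt):
    """Tunnel -> LAN: rewrite the destination from virtual to real."""
    src, dst = pkt
    return (src, str(remap(dst, VIRTUAL, REAL)))


def outbound(pkt):
    """LAN -> tunnel: rewrite the reply's source from real to virtual."""
    src, dst = pkt
    return (str(remap(src, REAL, VIRTUAL)), dst)


def check_devices(devices=DEVICES):
    """True if every listed pair follows the prefix-swap rule in both directions."""
    return all(str(remap(virt, VIRTUAL, REAL)) == real
               and str(remap(real, REAL, VIRTUAL)) == virt
               for real, virt in devices)


if __name__ == "__main__":
    request = inbound(("10.1.0.26", "172.30.51.90"))
    reply = outbound((request[1], request[0]))
    print(request, reply, check_devices())
```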

by

Hello,

I have reviewed the information you have now provided, and I have a more clear idea of what you want to achieve.

First I may ask, why are two sets of IP addresses needed for each device? Can you please elaborate about why are the LAN and the VPN addresses needed for each device?

If I understood clearly, you want to have LAN IP's and VPN IP addresses simultaneously on your devices on the left. However, this is only possible if each of those devices is also a client of the same VPN and is running the OpenVPN client software, and it is not recommended, as it uses more resources from the end devices, it impacts the network performance, and it can cause routing issues.

It's advised to have the regular LAN IP addresses and propagate routes between those LAN IP's and the VPN IP's, in order to allow communication to the rest of the network, and the answers above have been given with this in mind.

Best regards.

0 votes
by
Do you have any idea how to do it?

Can somebody help me, please?