0 votes
512 views 0 comments
by anonymous
Hi,

I have the following situation: an already existing OpenVPN server hosted on a cloud server is used to remotely administer (SSH/SCP) embedded devices that are connected to the Internet via RUT955 routers (as an Ethernet client, while the routers usually also offer an unrelated Wi-Fi hotspot).

Since the mobile data offers connectivity via CGNAT, if some change needs to be done in the router's WebUI or SSH remotely, I usually open an SSH session via the VPN to the end device and open a tunnel/port forward to the router's HTTPS or SSH port. However, this involves extra steps, is not possible if the end device malfunctions and also drops the connection if the RUT955 LAN services restart.

In order to improve the workflow, I looked at the option of joining the RUT955s directly to the VPN for administrative purposes (being able to remotely access the WebUI and SSH for configuration changes and updates). It is seemingly pretty easy to push the ovpn profile to the routers as described in https://wiki.teltonika-networks.com/view/OpenVPN_configuration_examples.

However, what I want to know for sure is whether this will route any traffic through the VPN by default. I would like to only use this connection to remotely administer the router, not to give clients of the router access to the services exposed by other clients inside the "destination" VPN network or route any Internet traffic through this interface.

It is my understanding that without manually adding any routes, the result will be what I desire - the router connects to the OpenVPN server and gets an IP as the other clients of this server which I can use to remotely administer it but the "downstream" clients of the RUT955 do not get a route towards the VPN for Internet or "local" connection.

Does my plan seem correct, is there any other aspect I should pay attention to when applying this type of configuration?

Thank you very much in advance!

1 Answer

0 votes
by anonymous

Hello, a lot will depend on how your OpenVPN server is configured. If the server specifies that all traffic from the device should go through the tunnel (VPN), then it will be so. And vice versa accordingly.

Here is my situation:

On the OpenVPN server, it is configured that all traffic from the client must go through the tunnel. Routing table on the router before setting up OpenVPN:

root@Teltonika-RUT200:~# route -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         *               0.0.0.0         U         0 0          0 wwan0
default         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
10.87.48.97     *               255.255.255.255 UH        0 0          0 wwan0
192.168.1.0     *               255.255.255.0   U         0 0          0 wlan0
192.168.2.0     *               255.255.255.0   U         0 0          0 br-lan

In the first line, we see that all traffic goes through Wireless WAN (wwan).

After adding the OpenVPN configuration file (settings), the route through the tunnel appears first in the routing table, along with additional routes for reaching the VPN clients and the server. If we delete the first route, we get access to all VPN clients and the server, but Internet access is, as before, directly through WWAN.

root@Teltonika-RUT200:~# route -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.225.1   128.0.0.0       UG        0 0          0 tun_c_new
default         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
128.0.0.0       192.168.225.1   128.0.0.0       UG        0 0          0 tun_c_new
192.168.1.0     *               255.255.255.0   U         0 0          0 wlan0
192.168.2.0     *               255.255.255.0   U         0 0          0 br-lan
192.168.225.0   *               255.255.255.0   U         0 0          0 tun_c_new
194.87.109.147  192.168.1.1     255.255.255.255 UGH       0 0          0 wlan0

Commands to display the routing table: route -e is more readable; ip route is slightly less convenient.

root@Teltonika-RUT200:~# ip route
0.0.0.0/1 via 192.168.225.1 dev tun_c_new
default via 192.168.1.1 dev wlan0 proto static src 192.168.1.150 metric 3
128.0.0.0/1 via 192.168.225.1 dev tun_c_new
192.168.1.0/24 dev wlan0 proto static scope link metric 3
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.225.0/24 dev tun_c_new proto kernel scope link src 192.168.225.37
194.87.109.147 via 192.168.1.1 dev wlan0

Remove the unnecessary route: ip route del 0.0.0.0/1 via 192.168.225.1 dev tun_c_new

Best regards, Anton
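The routes the answer shows (0.0.0.0/1 and 128.0.0.0/1 via the tun interface) are the pair that OpenVPN's "redirect-gateway def1" installs; together they cover the whole Internet while sorting above the real default route. The following script, added here as an example and not code from the answer above, from the asker or from Teltonika's firmware, audits an `ip route` listing for exactly that pattern, reports whether a given tunnel interface carries default traffic, and generates one removal command per half so that neither half is left behind. The tables it parses are the one posted in the answer and a constructed split-tunnel variant, embedded as literals so the script runs offline; the interface name tun_c_new is taken from the answer.

```shell
#!/bin/sh
# Added example: audit a routing table for OpenVPN "redirect-gateway def1" routes
# and build the commands that would remove them. Not Teltonika firmware code; it
# only reads the text that `ip route` prints.

# Constructed sample: the post-OpenVPN table from the answer, as a literal so the
# script runs offline. On a live router replace it with: SAMPLE="$(ip route)"
SAMPLE='0.0.0.0/1 via 192.168.225.1 dev tun_c_new
default via 192.168.1.1 dev wlan0 proto static src 192.168.1.150 metric 3
128.0.0.0/1 via 192.168.225.1 dev tun_c_new
192.168.1.0/24 dev wlan0 proto static scope link metric 3
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.225.0/24 dev tun_c_new proto kernel scope link src 192.168.225.37
194.87.109.147 via 192.168.1.1 dev wlan0'

# Constructed sample of the table the asker wants: only the tunnel subnet goes
# over the VPN, Internet traffic keeps using the WAN interface.
SAMPLE_SPLIT='default via 192.168.1.1 dev wlan0 proto static src 192.168.1.150 metric 3
192.168.1.0/24 dev wlan0 proto static scope link metric 3
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.225.0/24 dev tun_c_new proto kernel scope link src 192.168.225.37
194.87.109.147 via 192.168.1.1 dev wlan0'

# Print the routes that send default traffic over interface $2: a plain "default"
# route, or the two halves (0.0.0.0/1 and 128.0.0.0/1) that def1 installs.
# Usage: tunnel_default_routes "$TABLE" IFACE
tunnel_default_routes() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == ifc) print
        }'
}

# Number of such routes. A value of 2 means def1 is active: deleting only one
# half still leaves the other half of the Internet inside the tunnel.
count_tunnel_default_routes() {
    tunnel_default_routes "$1" "$2" | awk 'END { print NR }'
}

# "split-tunnel" when no default traffic uses the interface, else "full-tunnel".
classify_tunnel() {
    if [ "$(count_tunnel_default_routes "$1" "$2")" -eq 0 ]; then
        echo split-tunnel
    else
        echo full-tunnel
    fi
}

# Emit one "ip route del" per offending route, built from the parsed fields, so
# both def1 halves are removed together. This is a runtime workaround only: the
# routes come back on the next reconnect unless the client stops pulling them.
def1_fix_commands() {
    tunnel_default_routes "$1" "$2" | awk '
        { gw = ""; dv = ""
          for (i = 1; i < NF; i++) { if ($i == "via") gw = $(i + 1); if ($i == "dev") dv = $(i + 1) }
          printf "ip route del %s via %s dev %s\n", $1, gw, dv }'
}

# Report for the tunnel interface named in the answer.
IFACE=tun_c_new
printf 'tunnel %s: %s (%s default route(s))\n' "$IFACE" \
    "$(classify_tunnel "$SAMPLE" "$IFACE")" "$(count_tunnel_default_routes "$SAMPLE" "$IFACE")"
def1_fix_commands "$SAMPLE" "$IFACE"
```

Two caveats for the asker's goal. First, deleting routes by hand is lost at the next reconnect; the durable fix is in the client profile pushed to the router, where `pull-filter ignore "redirect-gateway"` (OpenVPN 2.4 and later) discards the server's redirect-gateway push but still accepts the route to the tunnel subnet, and `route-nopull` is the blunter option that ignores every pushed route. Whether the RUT955 WebUI exposes a field for such extra directives is an assumption to verify against the Teltonika wiki linked in the question. Second, the routing table alone does not decide whether the LAN clients behind the router can reach 192.168.225.0/24: that is governed by the firewall zone forwarding rules on the router, so after joining the tunnel check which zone the tun interface landed in and that LAN-to-tunnel forwarding is not allowed.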