0 votes
230 views 2 comments
by anonymous

Hello!
I'm having issues with connecting to the devices via a VPN-Hub or even VPN quick connect. The VPN hub worked fine and stable for many months, but a few weeks ago became flaky with dozens of attempts needed to even receive one ping from a device behind it.
Right now it completely stopped working.
For test purposes I set up a quick-connect VPN to demonstrate the issue:
1. Create a new Endpoint in VPN quick connect

2. Scan the devices - every device is correctly detected; select the Raspberry Pi!

3. The VPN quick-connect setup now looks like this

4. When clicking "create" everything is correctly generated and the deactivated endpoint looks like this:

5. Now start the Endpoint (all works flawlessly)

6. Everything looks good now and the Raspberry Pi is listed correctly

7. Download the .ovpn config file
8. Try the Teltonika RMS VPN Tool: After a few minutes we can connect to the VPN hub and the Route is correctly listed. A bit of traffic is also visible

9. Try pinging the route from Windows terminal -> connection times out!
10. Let's try this with the OpenVPN GUI on Windows instead (this never connects due to these errors):
11. Let's try it on Ubuntu 22.04 -> it looks like the connection works fine here!

user@ububox:/tmp/rms$ sudo openvpn --config xxx.xxx@xx.de-test-quick-connect.ovpn
2023-05-10 18:48:14 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-05-10 18:48:14 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-10 18:48:14 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-05-10 18:48:14 TCP/UDP: Preserving recently used remote address: [AF_INET]3.69.106.81:35892
2023-05-10 18:48:14 UDP link local: (not bound)
2023-05-10 18:48:14 UDP link remote: [AF_INET]3.69.106.81:35892
2023-05-10 18:48:14 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2023-05-10 18:48:14 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-05-10 18:48:14 [teltonika-vpn-8RAoxkOlPnFSbJU6] Peer Connection Initiated with [AF_INET]3.69.106.81:35892
2023-05-10 18:48:14 TUN/TAP device tun8RAoxkO opened
2023-05-10 18:48:14 net_iface_mtu_set: mtu 1500 for tun8RAoxkO
2023-05-10 18:48:14 net_iface_up: set tun8RAoxkO up
2023-05-10 18:48:14 net_addr_ptp_v4_add: 192.168.255.6 peer 192.168.255.5 dev tun8RAoxkO
2023-05-10 18:48:14 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-05-10 18:48:14 Initialization Sequence Completed


12. Let's try pinging here as well -> also no success

user@ububox:/tmp/rms$ ping 192.168.1.183
PING 192.168.1.183 (192.168.1.183) 56(84) bytes of data.
^C
--- 192.168.1.183 ping statistics ---
1033 packets transmitted, 0 received, 100% packet loss, time 1058466ms

13. And yes I checked the device is online via the remote CLI

I tried different devices which I know all were reachable previously

Has anyone any idea what's wrong here? It worked so well and I did many successful deploys with Ansible with the VPN-Hubs we have, which remained completely unchanged - everything was stable and quick.
I also checked the credits

  • 16 credits left
  • remaining data 3839.37 MB
  • data usage is currently 1.35 GB where we have 3 GB available

The RMS, CLI, remote Web-UI and everything else also works flawlessly!
The firmware version is the latest (RUT9_R_00.07.04.2). I don't want to try to roll back to an older version, since all configuration might be lost doing this.

We have one other setup using a VPN-hub which is connected permanently for data transmission. I am scared to even touch this as it might also randomly stop working which would eventually cause a production outage for us.

I'm desperate to hear your thoughts on this and maybe someone from Teltonika can have a detailed look. I'm happy to provide more details (company id etc. pp)  - please reach out to me - I hope I didn't already leak too many details!
Cheers, Jonas

(I wasn't able to add images in-line since the bytes probably count as characters? so the max length was exceeded)

1 Answer

0 votes
by anonymous

Hello,

Could you please clarify the following:

  • Firstly, can you please check whether LAN forwarding is enabled in the RMS VPN Hub -> routes settings?
  • Secondly, is a default gateway configured on the Raspberry Pi, and if so, is it pointing towards the RUT950?
  • Thirdly, is the RUT950 the gateway router in your network topology?
  • Lastly, how is the Raspberry Pi connected to the RUT950?

Additionally, could you please attach a troubleshoot file from RUT950? You can attach it by editing your question. Troubleshoot file can be downloaded from System -> Administration -> Troubleshoot. The attached files are only visible to Teltonika moderators.

Kind Regards,

Andzej

by anonymous

Hi Andzej,
thanks for your quick response!

  • LAN forwarding was not enabled, enabling it however did not change anything. It was previously also not enabled and it worked fine. How would this work with quick connect?
  • The default gateway of the Raspberry Pi seems to be configured correctly:

default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.183 metric 202
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.183 metric 202

  • I am not sure about the gateway router though, there used to be a network topology option, but that has unfortunately been removed with the latest firmware version. How can I verify this now?
  • The Raspberry Pi is connected to the router via LAN (image attached)
  • I have attached the tarball to my original question

by anonymous

Hi,

It appears that the RMS firewall zone forwarding is currently set to REJECT. 

Basically, if you enable the allow LAN forwarding setting on the RMS VPN Hub, it changes the RMS firewall zone on the device to allow traffic forwarding from the RMS VPN to the LAN. 

Could you please navigate to the Network -> Firewall section and set the forward option to ACCEPT for the RMS zone. Also, click on edit and make sure that LAN is added in both the Allow forward to destination and Allow forward from source zones.

Let me know if this helps!


Kind Regards,

Andzej
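
An added example, not part of the thread and not Teltonika's code: a Python check for the three settings named in the last reply (RMS zone forward policy ACCEPT, LAN allowed as forward destination, LAN allowed as forward source), run over firewall configuration text in OpenWrt UCI syntax. It assumes the router's firewall is stored in that syntax; the zone names `rms` and `lan` and both sample configs are constructed for illustration.

```python
import re

# Constructed samples in OpenWrt UCI firewall syntax. The zone name 'rms'
# is an assumption; use the name your device shows under Network -> Firewall.
SAMPLE_BROKEN = """
config zone
	option name 'lan'
	option forward 'ACCEPT'

config zone
	option name 'rms'
	option forward 'REJECT'
"""

SAMPLE_FIXED = SAMPLE_BROKEN.replace("'REJECT'", "'ACCEPT'") + """
config forwarding
	option src 'rms'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'rms'
"""

def parse_sections(text):
    """Split UCI text into (section_type, {option: value}) tuples."""
    sections = []
    for line in text.splitlines():
        head = re.match(r"\s*config\s+(\S+)", line)
        opt = re.match(r"\s*option\s+(\S+)\s+'?([^']*)'?\s*$", line)
        if head:
            sections.append((head.group(1), {}))
        elif opt and sections:
            sections[-1][1][opt.group(1)] = opt.group(2)
    return sections

def check_vpn_forwarding(text, vpn_zone="rms", lan_zone="lan"):
    """Return findings; an empty list means all three settings are in place."""
    sections = parse_sections(text)
    zones = {o.get("name"): o for t, o in sections if t == "zone"}
    pairs = {(o.get("src"), o.get("dest")) for t, o in sections if t == "forwarding"}
    if vpn_zone not in zones:
        return [f"zone '{vpn_zone}' not found"]
    findings = []
    policy = zones[vpn_zone].get("forward", "").upper()
    if policy != "ACCEPT":
        findings.append(f"zone '{vpn_zone}' forward policy is {policy or 'unset'}, expected ACCEPT")
    for src, dest in ((vpn_zone, lan_zone), (lan_zone, vpn_zone)):
        if (src, dest) not in pairs:  # inter-zone traffic needs an explicit forwarding section
            findings.append(f"no forwarding {src} -> {dest}")
    return findings
```

To use it on a real device, pass the contents of the firewall configuration file as `text` and adjust `vpn_zone` to the actual zone name.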