RIO 2 OpenVPN tcp client

Hi,
So I’m migrating a prototype Node-RED project I did on a BeagleBone to a RIO 2 and I had everything built on a Digital Ocean OpenVPN TCP client/server with Modbus yada yada. I just noticed that it’s not letting me import my .ovpn client config I generated without commenting out my dev tun and it won’t let me set it as a TCP client. Is this something I can’t work around? Can I just run the VPN client directly through the shell like I did through the BeagleBone and skip using the RIO UI? I saw other users using AWS VPN servers but them’s expensive and I already cloned my Digital Ocean server and I know it works perfectly fine. I recall having issues with the controller comms using UDP VPNs, not sure why I would be forced to use UDP for Modbus TCP? What are my options here before going into a black hole of config files?

Generally you don’t want to tunnel TCP inside TCP or the retransmits on dropped packets can get a bit hairy, since both the VPN packet AND the packets tunneled inside the VPN can get retransmitted, causing network chaos.

I don’t know why the built-in won’t allow TCP though. You can let it comment out the dev tun, as the RIO already knows which network interface it is using for VPN.

I haven’t tried messing about with OpenVPN on the RIO in shell, so I can’t answer that.

Are you able to set your VPN server up to listen on UDP? Not sure why you had problems with that before.

Hi Philip,
I’m no VPN expert, I had originally struggled to get comms working on a very old piece of Honeywell equipment and yea I don’t know why UDP was unstable. I’m trying this with a newer Modbus device and I do have the ability to modify both the server and user config files to listen on UDP (will have to reconfigure some stuff, will try this tomorrow). I think I will try your suggestion first and also, out of curiosity, try to run the client config from inside of shell and report back.

If you don’t send traffic over the tunnel frequently, it is possible for routers to orphan the connection, maybe that was happening when you were using UDP. There is a keepalive config option that you can place in your server config to help with this (it gets pushed to the clients).


Ok, so I rebuilt a server with Ubuntu 20.04, my VPN skills are super rusty. This is eerily what I remember happening when I tried UDP before but maybe I have some routing problem. I can connect with the RIO and a client and ping the RIO. I’m using ipp persist and giving it .22 every time. I copied my server config from my working version except I’m using port 1194 and UDP instead of TCP port 443. I built the server and a CA server separately this time (that shouldn’t matter as far as I know). I can’t load the groov UI or Node-RED UI in the browser. On my TCP setup I can do pretty much anything I want, which was the appeal (editing the remote program etc). I know this may fall into OpenVPN forum territory but worth posting anyways.

I’m not doing anything fancy at all
VPN server
10.8.0.0 255.255.255.0
client-to-client
push "route 10.8.0.0 255.255.255.0"

ccd
ifconfig-push 10.8.0.22 10.8.0.23
iroute 10.8.0.0 255.255.255.0

ifconfig-pool-persist
client1,10.8.0.4
client2,10.8.0.8

(noticing these are reverting but still giving device correct ip)

My devices are on network 10.x.x.x

I’m assuming other people are able to access the RIO and edit etc using a UDP OpenVPN connection. I tried disabling UFW on the server etc, still nothing. I’m thinking my routing is still jacked? I get the “connection is not private/proceed” prompt when I try to connect to .22 but won’t go anywhere from there. Any ideas? … In the meantime going to re-review my working server.

Should ifconfig-push 10.8.0.22 10.8.0.23 be ifconfig-push 10.8.0.22 255.255.255.0?
Is the server using topology subnet?


Switched new server and clients back to TCP and it works fine with current settings GRRRRRRR >_<. I read on the OpenVPN forum that for Windows clients you have to put the 4th octet 1 address away. I confirmed this works since I’m testing one of the clients on a Windows 10 machine. Linux doesn’t care and neither does the RIO, I don’t think my Android phone cares either, just my Win10 machine. Now my curiosity hat is engaged and I’m wondering if this can work with UDP at all since you brought up re-transmits and dropped packets (I’ve literally never tried to do a UDP VPN). I do want to put this in a production environment. The old version was pretty good but always looking to improve. To answer your question, no I’m not currently using topology subnet but maybe I should since I’m controlling the clients. I’m reading the wiki…

Looks like you are right I should do

Server
server 10.8.0.0 255.255.255.0
ifconfig-push 10.8.0.22 255.255.255.0

I’ll try it, thanks for the ideas.

I’ve always used topology subnet, where ifconfig means IP and then subnet; if you are using net30 then each client is on its own little network, which I think is the default for legacy reasons.

Strange that TCP works and UDP doesn’t though, I’ve never used OpenVPN as TCP.

Also, if using client-to-client there shouldn’t be any firewall issues on the server side once the clients are connected, since OpenVPN handles all routing of traffic between clients. Without client-to-client the server OS is responsible for routing and firewall duties between clients.

Can you post your whole server config?


Sure… I tried UDP on port 1194 and 443. It’s hanging on the groov manager. I’m at least happy that TCP works, but since you and others are telling me UDP should work I’d like to see that working as well. Must be missing something or have an extra parameter? I thought that the ports shouldn’t matter but grasping at straws.

Let me edit this, the forum is mucking up pounds etc.

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh none
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-to-client
push "route 10.8.0.0 255.255.255.0"
client-config-dir /etc/openvpn/server/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 0

I don’t see anything wrong there, probably don’t need these though:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Also, in my configs I have explicit-exit-notify set to 1

Are you connecting to the RIO using 10.8.0.22 in the browser?
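The points raised across the last few posts (ifconfig-push takes a netmask under topology subnet but a peer address under the legacy net30 default, explicit-exit-notify only applies to UDP, and the forum's curly quotes would not be valid quoting in a real config file) can be checked mechanically. The script below is an added example, not code from the thread or from Opto 22; the SERVER_CONF and ccd strings are constructed from the server.conf posted above, and the check names and message wording are my own.

```python
"""Constructed sanity checker for an OpenVPN server.conf plus one ccd entry (added example)."""
import ipaddress
import shlex

# Constructed from the server.conf posted in the thread, trimmed to the
# directives the checks look at (straight quotes; the forum showed curly ones).
SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-to-client
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-crypt ta.key
explicit-exit-notify 0
"""
# The two ccd variants discussed: peer-style (net30 semantics) and netmask-style.
CCD_PEER = "ifconfig-push 10.8.0.22 10.8.0.23\n"
CCD_MASK = "ifconfig-push 10.8.0.22 255.255.255.0\n"

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_openvpn_config(text):
    """Return [(directive, [args]), ...]. Lines carrying typographic quotes are kept
    under the pseudo-directive 'bad-quotes': OpenVPN would not treat them as quoting."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if any(ch in line for ch in TYPOGRAPHIC_QUOTES):
            entries.append(("bad-quotes", [line]))
            continue
        parts = shlex.split(line, comments=True)  # honours "..." and trailing # comments
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def args_of(entries, name):
    return [args for d, args in entries if d == name]


def is_netmask(text):
    try:
        ipaddress.IPv4Network(("0.0.0.0", text))
        return True
    except ValueError:
        return False


def check_server(server_text, ccd_text):
    """Return 'LEVEL: message' findings for a server.conf and one client's ccd file."""
    findings = []
    srv = parse_openvpn_config(server_text)
    ccd = parse_openvpn_config(ccd_text)

    for (line,) in args_of(srv, "bad-quotes") + args_of(ccd, "bad-quotes"):
        findings.append(f"ERROR: typographic quotes, OpenVPN will misparse: {line}")

    server_args = args_of(srv, "server")
    if not server_args:
        findings.append("ERROR: no 'server' directive")
        return findings
    vpn_net = ipaddress.IPv4Network((server_args[0][0], server_args[0][1]))

    proto = (args_of(srv, "proto") or [["udp"]])[0][0]
    for args in args_of(srv, "explicit-exit-notify"):
        n = int(args[0]) if args else 1
        if n and not proto.startswith("udp"):
            findings.append("ERROR: explicit-exit-notify is only accepted with proto udp")
        elif not n and proto.startswith("udp"):
            findings.append("INFO: explicit-exit-notify 0 disables the exit signal; 1 is the usual udp setting")

    if not (args_of(srv, "tls-crypt") or args_of(srv, "tls-auth")):
        findings.append("WARN: no tls-crypt/tls-auth, so unauthenticated packets reach the TLS stack")

    for args in args_of(srv, "push"):
        if args and args[0].split()[0] == "redirect-gateway":
            findings.append(f"INFO: redirect-gateway sends all client traffic via the VPN; reaching {vpn_net} does not need it")

    subnet_topology = ["subnet"] in args_of(srv, "topology")
    for args in args_of(ccd, "ifconfig-push"):
        if len(args) < 2:
            findings.append("ERROR: ifconfig-push needs two arguments")
            continue
        local, second = args[0], args[1]
        local_ip = ipaddress.IPv4Address(local)
        if local_ip not in vpn_net:
            findings.append(f"ERROR: ifconfig-push {local} lies outside {vpn_net}")
        if subnet_topology:
            if not is_netmask(second):
                findings.append(f"ERROR: topology subnet: second ifconfig-push argument must be a netmask, got {second}")
            elif local_ip in (vpn_net.network_address, vpn_net.network_address + 1, vpn_net.broadcast_address):
                findings.append(f"ERROR: {local} is the network, server or broadcast address")
        else:
            # net30 (legacy default): second argument is the remote endpoint of the client's /30
            client30 = ipaddress.IPv4Network((local, 30), strict=False)
            if ipaddress.IPv4Address(second) not in client30:
                findings.append(f"ERROR: net30: {second} is not in the client's /30 {client30}")
    return findings


if __name__ == "__main__":
    for ccd in (CCD_PEER, CCD_MASK):
        print(ccd.strip(), "->", check_server(SERVER_CONF, ccd))
```

Run it against the real files with `check_server(open("/etc/openvpn/server/server.conf").read(), open("/etc/openvpn/server/ccd/<client>").read())`; the peer-style ccd line trips the netmask check under topology subnet while the corrected one passes, and the redirect-gateway push is reported as informational because it widens what the tunnel carries beyond what reaching the RIO requires.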

I’m away from the office now (still can SSH to the server), will change the server and comment out the push directives. Yes, I’m trying to connect to 10.8.0.22. Assuming this will land me on the groov login/manage page? 10.8.0.22/node-red would be Node-RED; I’m used to doing ip:1880 for NR and ip:1880/ui for the dashboard. Ah, I might have forgotten to change the notify, 1 for UDP, 0 for TCP.

Note:
If I take out redirect-gateway I can’t ping the RIO.

RIO Client

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3

Win Client

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3

I’d be happy to look at your config, I must be missing something for this to function with UDP and the RIO.

I’m not seeing anything sticking out that is wrong with your OpenVPN config that would prevent traffic from routing. You mentioned you are getting the certificate security warning from the RIO, but nothing from there? Are you doing anything outside of OpenVPN that is unusual? Are you testing this with the RIO and your computer on separate networks?

It’s also strange that you have to send a gateway redirect - that makes me think there is something about your network configuration that we are missing.

I had a note on the remote-cert-tls, but I see you posted both client configs, so it doesn’t apply.

Ya, the shell license I’m having separate issues with and I’m in communication with Opto support. I’m testing this on a 4G router with my prototyped setup, so yes, different networks. I’m using TCP for now and circling back to messing with the UDP. I don’t think I’m doing anything unusual. I’m polling Modbus TCP in Node-RED and just logging into the dashboard with a client. I’ve done all of this before with the Beagle on my old TCP VPN; just strange, as you say UDP should work and I tend to agree the routing should work, but it won’t load the UI on UDP on 1194 or 443. Thanks for the suggestions, maybe it’s dropping packets inside the 4G router or something, it pretty much just times out.

edit:
Due diligence-

OpenVPN v2.0

4G router is @ 10.0.0.1 with DHCP .100 - .199
RIO is @ .175 using address reservation/mac - Assigned 10.8.0.22 on VPN subnet
MODBUS device is @ .2

Windows machine is on Corporate network 10.1.8.x - Assigned 10.8.0.8 on VPN subnet

OpenVPN server running Ubuntu 20.04 - UFW rules open port for SSH, and 1194/udp, 443/tcp,

Everything is communicating fine on the LAN and on the TCP VPN I can see the NR dashboard and the device data.

My only other guess is there is another OVPN setting for UDP that I’m missing, because I’ve proven the connection works.

Why not 2.4? 2.0 doesn’t support subnet mode.

Ok, I feel silly, I was basing that off the config file. I ran apt-cache show openvpn and I’m on 2.4. It’s a fresh install of 20.04 Ubuntu with fresh OVPN updated, so it should all be the latest version of everything; good catch though if I was actually on 2.0 (like the config file says).

Is your 4G router using a 255.255.255.0 subnet for its 10.0.0.0 network? How about the corporate network? Just want to make sure there are no network overlaps.

I’m still not clear on why you need to push a redirect gateway option; that is making me think something else is going on with your network.
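The overlap question and the redirect-gateway puzzle can both be reasoned about from the client's routing table. The script below is an added example, not code from the thread or from Opto 22: it takes the three networks from the due-diligence post (the /24 masks are an assumption, since that is exactly what is being asked), reports any overlaps, translates the server's push lines into the prefixes a client installs on its tun interface, and resolves a destination by longest-prefix match. It shows that "redirect-gateway def1" works by installing 0.0.0.0/1 and 128.0.0.0/1, which capture every destination that no more specific local route claims; that is a much wider tunnel than the single /24 route needed to reach the RIO.

```python
"""Added example: VPN subnet overlap check and client route resolution (constructed data)."""
import ipaddress

# Constructed from the layout posted in the thread; the /24 masks are an assumption.
NETWORKS = {
    "vpn": "10.8.0.0/24",
    "rio-4g-lan": "10.0.0.0/24",
    "win-corporate-lan": "10.1.8.0/24",
}


def overlapping_pairs(networks):
    """Return [(name_a, name_b), ...] for every pair of networks that overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def routes_pushed(push_payloads):
    """Translate the payloads of push "route ..." / push "redirect-gateway def1 ..."
    into the prefixes the client installs on its tun interface."""
    routes = []
    for payload in push_payloads:
        words = payload.split()
        if words[0] == "route":
            routes.append(ipaddress.ip_network((words[1], words[2])))
        elif words[0] == "redirect-gateway" and "def1" in words:
            # def1 overrides the default route with two /1 routes instead of replacing it
            routes += [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]
    return routes


def egress(dest, local_routes, tun_routes):
    """Longest-prefix match over a client's table.
    Returns ('lan', net), ('tun', net) or ('default', None) for the physical gateway."""
    candidates = [("lan", n) for n in local_routes] + [("tun", n) for n in tun_routes]
    best = None
    for iface, net in candidates:
        if ipaddress.ip_address(dest) in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best or ("default", None)


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(NETWORKS))
    corporate = [ipaddress.ip_network(NETWORKS["win-corporate-lan"])]
    narrow = routes_pushed(["route 10.8.0.0 255.255.255.0"])
    wide = routes_pushed(["route 10.8.0.0 255.255.255.0", "redirect-gateway def1 bypass-dhcp"])
    for dest in ("10.8.0.22", "10.0.0.2", "10.1.8.5", "93.184.216.34"):
        print(dest, "narrow:", egress(dest, corporate, narrow), "wide:", egress(dest, corporate, wide))
```

With only the /24 route pushed, the Windows client sends 10.8.0.22 into the tunnel and everything else to its corporate gateway; with redirect-gateway added, internet destinations and the RIO's LAN address also go into the tunnel, where the OpenVPN server must then forward or drop them. If the RIO is only ever addressed as 10.8.0.22, the narrow table is sufficient, and a setup that needs the wide one is worth investigating as Philip suggests.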