I am looking for a solution to connect from a server to a Beckhoff PLC with an ADS protocol but I am not sure what will be the best solution. There is a possibility to make an SSH tunnel or use one of the VPN options in the RUT955 that I have installed on the PLC side.
For now, we have 1 system up and running but we are planning to use more systems in the future and I would like to have an easy and secure option to connect from one server to multiple PLCs. The situation is as follows:
- Linux server
- Connected to a router with a fixed IP
- Router RUT955
- Connection over 4G with a fixed IP
- PLC Beckhoff running TwinCAT 3 software working on the ADS protocol
Thank you for your response!
I am not very familiar with Beckhoff and their ADS protocol, but it seems like it is routable over layer 3 VPNs. Thus, you should be able to use pretty much any VPN that suits you. Generally, VPNs are more scalable and are easier to manage, especially if you have multiple PLCs. The two most popular VPNs are OpenVPN and IPSec, so I would suggest looking at those. We have various configuration examples available on our wiki. For example, you can find one for OpenVPN here.
You mentioned that you already have one system up and running. Is everything working properly with this system or are you having some issues?
Thank you for your fast reply. I will have a look into the different VPN solutions out there. Are there big differences between them? I saw on the settings page of the RUT955 that there are many options available.
Yes, one system is up and running at a local level, so the server and PLC are in the same public network with a RUT955 in between. That works great up to now, but we want to set the server in a server rack to control multiple PLCs. Therefore this question :).
There are indeed differences between VPNs and there are plenty of articles regarding those differences online. For your use case, I believe that any VPN will do. Generally, OpenVPN is one of the most popular ones because it supports many features, is robust, and is relatively easier to configure and maintain than IPSec, for example. Also, since you already have your own server, I would suggest trying OpenVPN.
Since you will add multiple clients, you can use TUN mode with TLS authentication (certificates). Those certificates can be generated on RUT955 itself and downloaded for other devices as well.
Try establishing an OpenVPN connection with one device and see if everything is working properly before adding other devices into your solution.
Great, I have now installed the OpenVPN server on the Linux server with Ubuntu 22. I was looking at your example but that example uses two RUT routers. At the moment I only have one RUT router on the client side where the PLC is located. I also googled other how-tos but I can’t find one that only uses one RUT router and where the server is not located where the RUT router is. Is this possible? Or do I always need two RUT routers?
The configuration example uses two RUT devices for demonstration purposes. You can have an OpenVPN server running on Linux without issues. Just make sure that both devices are configured appropriately in terms of encryption, certificates, and other settings. Maybe the following example here would be a better example for your case? It shows an OpenVPN server in a virtual machine.
If you would like an easier (probably easiest) solution, you can take a look into RMS VPN. This would be the simplest option in terms of VPN configurations to access your PLC over internet. Also, with RMS VPN, there is no need for public IP addresses. If you are curious, you can watch our YouTube video here. Additional information about RMS can be found on our YouTube and our wiki here.
Thank you so much! I have OpenVPN running and I can ping from the server side to the PLC side and back. I have one last part that I can’t figure out. I also have a laptop connected at the PLC side with Wireshark running, but I can’t find any packets at the PLC side when I do this ping to the PLC side. How can I ping the PLC on the client side from the server side?
Some more info:
- Server side OpenVPN IP: 172.27.232.1
- Client side OpenVPN IP: 172.27.232.4
- Client side PLC local IP: 192.168.1.100
When it comes to LAN access:
If you want to access the client's (RUT) LAN from the server, you need to add a route on the server. For this, you can have specific client configurations in the client-config (CCD) directory that will match the client by its certificate (CN) and add a route to the specified network via that client. For example, if the client's certificate CN is client1, you can create a ‘client1’ file in the client-config (CCD) directory and put a route to the 192.168.1.0/24 network via this client. I suggest you take a look here.
If you want the client (RUT) to be able to reach the LAN network of the server, you can add the push "route 192.168.10.0 255.255.255.0" option to the server's config. This will tell the client that it can reach the 192.168.10.0/24 network via the OpenVPN server.
Also, make sure the firewall on RUT allows access from OpenVPN to LAN. For this, navigate to Network → Firewall and edit OpenVPN zone. There, under ‘inter-zone forwarding’, add LAN to ‘allow forward to destination zones’.
Good day. I changed the firewall settings in the RUT955 and looked at your proposed link. Thank you for the information. I get it bit by bit how a VPN works but I am still a bit lost on where to put in the route to reach the local network devices behind the RUT955. I want to reach the local network devices that are behind the RUT955 that have running OpenVPN clients from the server. The document shared is a bit old and uses a Linksys router to configure the route. I have added a picture below where I think I have to add the route to reach the local machine on the client side. Do you have an explanation of what I have to fill in there?
Firstly, the firmware on RUT955 is quite old. I would strongly suggest updating the firmware to the latest. Also, please update with ‘keep settings’ disabled as the difference between your current and the latest firmware is quite substantial. Firmware for RUT955 can be downloaded from here and uploaded in Services → Firmware → Update firmware.
If you want to reach RUT955's LAN from the OpenVPN server, there is no need to add a route on RUT itself. The RUT is aware of its LAN network. You need to add the route on the OpenVPN server to this client, so that the server knows it can reach 192.168.1.0/24 via RUT955 over OpenVPN. In the article that I have linked, the relevant part starts with “One of the great features of OpenVPN is the ability to ‘push’ specific configurations…”. It shows how to create a client config file and uses
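The server-side routing described in the two support replies above, as an added example that is not from the thread or the linked article: a shell helper that writes the `route` line into the server config and the matching `iroute` line into the client's CCD file, then checks that both are present. The directory layout and function names are assumptions; `client1` and 192.168.1.0/24 are the values used in the thread.

```sh
#!/bin/sh
# Added example: register the LAN behind an OpenVPN client on the server side.
# Assumptions: the config directory layout and function names are hypothetical;
# CN "client1" and 192.168.1.0/24 are the values used in the thread.

# add_client_lan <conf_dir> <client_cn> <network> <netmask>
#   server.conf gets "route":  the server host routes the subnet into the tunnel
#   ccd/<cn>    gets "iroute": OpenVPN hands that subnet to this one client
add_client_lan() (
    dir=$1 cn=$2 net=$3 mask=$4
    conf="$dir/server.conf" ccd="$dir/ccd"

    # The CN becomes a file name, so reject anything that could leave the CCD dir.
    case "$cn" in
        ""|.*|*[!A-Za-z0-9._-]*) echo "invalid CN: $cn" >&2; exit 1 ;;
    esac
    # Dotted-quad sanity check for network and netmask.
    for v in "$net" "$mask"; do
        printf '%s\n' "$v" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
            { echo "bad address: $v" >&2; exit 1; }
    done

    mkdir -p "$ccd" && touch "$conf" "$ccd/$cn" || exit 1
    # Append each directive only once so the helper can be re-run safely.
    grep -qxF "client-config-dir $ccd" "$conf" || echo "client-config-dir $ccd" >> "$conf"
    grep -qxF "route $net $mask" "$conf"       || echo "route $net $mask" >> "$conf"
    grep -qxF "iroute $net $mask" "$ccd/$cn"   || echo "iroute $net $mask" >> "$ccd/$cn"
)

# lan_routed <conf_dir> <client_cn> <network> <netmask>
# Succeeds only when both halves are present; with a "route" but no matching
# "iroute", packets enter the tunnel but OpenVPN forwards them to no client.
lan_routed() {
    grep -qxF "route $3 $4" "$1/server.conf" 2>/dev/null &&
        grep -qxF "iroute $3 $4" "$1/ccd/$2" 2>/dev/null
}

# Demo in a throwaway directory (constructed path, nothing under /etc is touched).
demo_dir=$(mktemp -d)
add_client_lan "$demo_dir" client1 192.168.1.0 255.255.255.0
lan_routed "$demo_dir" client1 192.168.1.0 255.255.255.0 && cat "$demo_dir/ccd/client1"
```

OpenVPN reads the server config at start-up and the CCD file when the client connects, so restart the server and let the client reconnect after the change.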