Teltonika RUTxx VPN Server - VPN client public IP access

Hello, I would like to ask for help.
we are building a network of RUTxx routers, the plan is this:
one powerful router will be a VPN server with a public IP address, for now via a mobile operator - now speed is important for us.
Then we have other RUTs at clients, we want to have them permanently connected to the VPN router via the Internet. I have already set this up somehow, I am just solving it so that I as a client can see all the routers of other clients, but the other clients can only see the server - but this probably won’t be completely complicated.
Now I am more concerned with this question:

I have an HMI panel connected to the RUT at the Client and I want to communicate via MQTT through it, the customer who provides me with the server wants one IP address from which we will access it, in order to avoid and reduce some risks.
Is it possible to set up somehow that the Client RUT will access the remote MQTT server via the VPN Server and therefore its public IP?

Thank you very much for your help
David

Does anyone have any tips please?

Greetings, @David_Herman_EBIA ,

Thank you for reaching out!

To make sure we provide you with the most accurate guidance for routing your MQTT traffic through the VPN server’s public IP, we have a few quick questions before proceeding:

  1. Which VPN protocol are you currently using between the server and client routers? (OpenVPN, WireGuard, IPsec, or other?)

  2. Which specific RUT models are being used as the VPN server and as the client routers?

  3. What firmware version are the routers running?

  4. Is the MQTT traffic originating from the HMI panel on the client’s LAN, or from the RUT router itself?

  5. Does the VPN server router have a static public IP from the mobile operator, or is it dynamic?

  6. Is NAT masquerading currently enabled on the VPN server’s WAN or VPN interface?

Once we have these details, we’ll be able to provide you with the instructions to get everything working as expected.

Best regards,
V.

Thank you a lot for your reply.

Here are the answers:

  1. Which VPN protocol are you currently using between the server and client routers? (OpenVPN, WireGuard, IPsec, or other?) - OpenVPN

  2. Which specific RUT models are being used as the VPN server and as the client routers? - we are now using RUT901 for testing (I plan to use more powerful ones in the future.)

  3. What firmware version are the routers running? - Server VPN RUT9M_R_00.07.22, Client RUT9M_R_00.07.21.3

  4. Is the MQTT traffic originating from the HMI panel on the client’s LAN, or from the RUT router itself? HMI is in LAN

  5. Does the VPN server router have a static public IP from the mobile operator, or is it dynamic? Static IP

  6. Is NAT masquerading currently enabled on the VPN server’s WAN or VPN interface? I don’t know exactly what you mean, but I didn’t set anything regarding this.

Hi David,

I hope you’re doing well,

There are two things to configure, both on the server router:

  1. Tell the client to route its traffic through the VPN

Go to Services → VPN → OpenVPN and edit your server instance. Find the Push option field and add the following:

redirect-gateway def1
dhcp-option DNS 8.8.8.8

The first line is what redirects the client’s default internet route into the tunnel. The DNS line is there so the client can still resolve hostnames once its traffic is going through the server. Save & Apply, then restart the OpenVPN instance so the client picks up the new settings.

For more information, please refer to this wiki article:

  2. Allow the server to forward that traffic out to the internet

This is the part that hasn’t been configured yet, and without it the traffic will arrive at the server but go nowhere. Go to Network → Firewall → Zones, find the vpn zone, click Edit, and under “Allow forward to destination zones” tick wan, enable masquerading on the VPN zone and click Save & Apply.

That’s what allows the server’s NAT to take the client’s traffic and send it out through the mobile WAN interface under the server’s public IP.

To confirm it’s working, connect a device to the client router’s LAN and check its public IP at https://www.whatismyip.com - it should now show the server’s static IP. If you only have CLI access, running curl ifconfig.me on the client router will do the same job.

On your second question about client isolation - by default, OpenVPN on RutOS does not allow clients to reach each other, so you may already be fine there. Just make sure Client to Client is not enabled in the server configuration. You can double-check by trying to ping from one client LAN to another - if it doesn’t respond, isolation is working as expected.

For more information, please refer to this wiki article:

Both firmware versions you’re running (RUT9M_R_00.07.22 on the server and RUT9M_R_00.07.21.3 on the client) are current, so no updates needed on that front.

Let us know how the IP check goes after applying the changes. If something doesn’t look right, share a screenshot of the Push options field and the Firewall Zones page.

Best regards,
V.
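One way to verify the two steps from the reply above from a shell, as an added example that is not part of the original reply and not Teltonika's own tooling: the first check takes the text of `ip route show` from the client router and confirms that `redirect-gateway def1` is in effect (OpenVPN adds `0.0.0.0/1` and `128.0.0.0/1` routes via the tunnel rather than replacing the operator's default route); the second takes the text of `uci export firewall` from the server and confirms the vpn zone masquerades and forwards to wan. It assumes a POSIX sh with awk and grep (busybox on RutOS provides both); the sample outputs, the interface names tun0 and wwan0, and the zone/network names 'vpn' and 'openvpn' are constructed assumptions.

```shell
#!/bin/sh
# Added example: offline checks for the two configuration steps in the reply.
# check_redirect_routes takes the text of `ip route show` from the client,
# check_vpn_masq takes the text of `uci export firewall` from the server.
# All sample data, interface names (tun0, wwan0) and zone/network names
# ('vpn', 'openvpn') are constructed assumptions, not values from the thread.

# Constructed: client routing table after the server pushed "redirect-gateway def1".
# OpenVPN adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel instead of replacing the
# operator's default route, so both halves must point at the tun interface.
SAMPLE_ROUTES='default via 10.0.0.1 dev wwan0 metric 1
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 scope link src 10.8.0.6
192.168.1.0/24 dev br-lan scope link src 192.168.1.1'

# Constructed: the same client before the push option was applied.
SAMPLE_ROUTES_NO_PUSH='default via 10.0.0.1 dev wwan0 metric 1
10.8.0.0/24 dev tun0 scope link src 10.8.0.6
192.168.1.0/24 dev br-lan scope link src 192.168.1.1'

# Constructed: server firewall export with the vpn zone masqueraded and
# forwarding to wan allowed (uci export normally indents with tabs; spaces
# are accepted too).
SAMPLE_FW=$(cat <<'EOF'
package firewall

config zone
    option name 'wan'
    option masq '1'
    list network 'wan'

config zone
    option name 'vpn'
    option masq '1'
    list network 'openvpn'

config forwarding
    option src 'vpn'
    option dest 'wan'
EOF
)

# Constructed: the "traffic arrives at the server but goes nowhere" state,
# i.e. the vpn zone exists but neither masquerades nor forwards to wan.
SAMPLE_FW_NO_FWD=$(cat <<'EOF'
package firewall

config zone
    option name 'wan'
    option masq '1'
    list network 'wan'

config zone
    option name 'vpn'
    option masq '0'
    list network 'openvpn'
EOF
)

# Succeeds when both /1 halves of the address space are routed through the
# tunnel interface ($2, default tun0).
check_redirect_routes() {
    routes=$1
    tun=${2:-tun0}
    printf '%s\n' "$routes" | grep -q "^0\.0\.0\.0/1 .*dev $tun" || return 1
    printf '%s\n' "$routes" | grep -q "^128\.0\.0\.0/1 .*dev $tun" || return 1
}

# Succeeds when zone $2 has masq '1' and a forwarding section from $2 to wan
# exists in the uci export text $1.
check_vpn_masq() {
    printf '%s\n' "$1" | awk -v z="$2" -v q="'" '
        function flush() {
            if (sect == "zone" && v["name"] == z && v["masq"] == "1") masq = 1
            if (sect == "forwarding" && v["src"] == z && v["dest"] == "wan") fwd = 1
        }
        /^config / { flush(); sect = $2; split("", v) }
        /^[ \t]*option / { gsub(q, "", $3); v[$2] = $3 }
        END { flush(); exit ((masq && fwd) ? 0 : 1) }
    '
}

# Stand-alone run against the constructed samples.
if check_redirect_routes "$SAMPLE_ROUTES"; then
    echo "client: default route is redirected into tun0"
else
    echo "client: redirect-gateway def1 is not in effect"
fi
if check_vpn_masq "$SAMPLE_FW" vpn; then
    echo "server: vpn zone masquerades and forwards to wan"
else
    echo "server: vpn zone still lacks masquerade or forwarding to wan"
fi
```

On a live router you would replace the constructed samples with `check_redirect_routes "$(ip route show)"` on the client and `check_vpn_masq "$(uci export firewall)" vpn` on the server; a passing client check plus a passing server check is what makes the whatismyip.com / `curl ifconfig.me` test in the reply return the server's static IP.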