Remote site access via rCell (VPN)

    #23319
    William Wicker
    Participant

    I have an rCell (Verizon network) that I am trying to configure to allow me remote access to some equipment in the field. On paper, this seems easy. In real life, not so much.

    I was able to get the rCell to allow connected devices to see out into the internet. This was easy, and could be handy for Joe Programmer while he’s out in the field, but is not what I really need.

    I am able to get the rCell to show up on DeviceHQ.

    What I need is for Joe Programmer to be able to open up his laptop at his house and connect via cloud magic to our field device.

    Complicating factor: Our field device is really a (small) network of devices. A single machine chassis will have more than one network-connected device for Joe P. to talk to.

    I think a VPN is the correct answer here. IPSec appears to be a non-starter because it requires fixed IP addresses on each end, which I can’t really supply. (The rCell IP changes at every reboot, and possibly more often than that.) That leads me to OpenVPN.

    I could configure the rCell OpenVPN connection as a peer-to-peer client, link it to an OpenVPN instance at the home office. If I could get this to work, it would be mostly-OK. This would in theory allow Joe P. to get to stuff in the field as long as he’s in the office.

    But I’d really like Joe P. to be able to get to our stuff in the field when he’s on the road as well. This suggests that I would be happier with my rCell configured as an OpenVPN server that Joe P. could “dial in” to wherever he might be by firing up an OpenVPN client and connecting to the rCell. (Let’s leave IP dynamics aside for the moment — Add hand-waving about DDNS or some such thing.)

    My problem: I can’t figure out how to get this to work!

    Questions:
    * When I configure the rCell OpenVPN server, am I configuring it as a remote access server, or am I configuring it as a peer-to-peer server?
    * What steps do I need to take to make this work? I don’t need “click here, then there” instructions, but something only slightly higher-level would be welcome.

    What I think I need to do:
    * Set up the rCell as an OpenVPN server (TLS, certificates, etc.)
    * Tell the rCell to push out the local subnet that it is DHCP’ing
    * Create a firewall rule to allow entry to packets sourced from the cellular modem on port 1194 (OpenVPN)
    * Do I also need to create port forwarding rules for whatever ports the programming software uses?
    * Do I need to create outbound firewall rules also? (Manual says default outbound is pass all.)
    * Save and reboot
    * Something else? Because the steps above don’t work!

    Other crazy stuff I’ve tried:
    * Enable HTTPS and HTTP access via WAN (is this the same as Cellular? Or is it wi-fi only? (No wi-fi on my rCell))
    * Added firewall rules to allow HTTP and HTTPS traffic in.
    * (Reboot to make these changes take effect)
    * Tried to get to the management web interface from my desktop.
    * Failed. No contact. No pings either. (Also tried enabling WAN ICMP)
    * Disabled HTTPS and HTTP (and ICMP) via WAN, just to be safe.

    Now what?

    #23363
    William Wicker
    Participant

    I have a partial solution. It turns out you need a Verizon data plan with a fixed / public IP to be able to see the rCell from outside. (Bring money!)

    So now I have initiated contact from the outside to the rCell. I have a known-working communications link. That’s good!

    Work on the OpenVPN configuration continues.

    Now I have additional questions:

    The manual seems to suggest that if I want to expose other devices on the rCell end of my VPN link I need to configure a VPN server (with a push route) AND a VPN client on the rCell. Surely this is not correct! Can anyone confirm or deny this?

    #23400
    William Wicker
    Participant

    And now I have a more complete solution. Things I did that ended up working:
    * Change my Verizon plan to allow a fixed/public IP
    * Add a single firewall rule: Allow incoming packets with a source port of 1194 (VPN)
    * Use the “Custom” OpenVPN tunnel configuration
      * I started this configuration from a throwaway “Server” OpenVPN configuration — used “Preview” to get the config file.
    * Add a line in the custom config file to enable logging. (Custom OpenVPN configs don’t automatically get logging, but I didn’t know this until later.)
    * Added a missing close quote in the push “route xxx.xxx.etc.etc” of my custom configuration (This is a fatal error! It will kill your OpenVPN dead!)
      * Since I didn’t have logging turned on at the time, I discovered I had a problem via SSH: ps -A listed OpenVPN as <defunct>
      * This in turn prompted me to figure out how to turn on logging.
      * And to figure out how to get to the log (which, for “custom” configs, is not displayed in the web admin console.)
      * The rest was reasonably straightforward, pretty much in line with my original expectations.

    Stuff I did NOT need to do:
    * I did NOT need to configure both a VPN server AND a client on the rCell. (I did, of course, have to configure a client on my office computer.)
    * Set up port forwarding in the firewall. (The push “route xxxx” was sufficient)
    * Set up outbound firewall rules by hand.
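The two things that bit the poster in a custom OpenVPN config, an unbalanced quote in the push “route” line and no logging, are easy to catch before rebooting the rCell. The lint below is an added example, not the poster’s or MultiTech’s code; the two embedded configs are constructed with placeholder subnets and a placeholder log path, and the lint treats only lines beginning with `#` or `;` as comments.

```python
"""Lint a custom OpenVPN server config for the failure modes described in the thread:
an unbalanced quote in a push directive (fatal) and a missing log directive."""
import shlex

# Constructed example of a custom server config with the fatal typo (no closing quote
# on the push line) and no logging. Addresses are placeholders, not the poster's.
BROKEN_CONFIG = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0
keepalive 10 120
"""

# Same config with the quote closed and logging enabled (log path is a placeholder).
FIXED_CONFIG = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
log-append /var/log/openvpn.log
verb 3
"""

def lint_openvpn_config(text):
    """Return a list of (line_no, message) findings; an empty list means clean.
    Line 0 is used for findings about the file as a whole."""
    findings = []
    has_log = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # OpenVPN comment lines
            continue
        try:
            tokens = shlex.split(line)                  # honours double quotes
        except ValueError:                              # "No closing quotation"
            findings.append((no, "unbalanced quote: OpenVPN will refuse to start"))
            continue
        if tokens[0] in ("log", "log-append"):
            has_log = True
        if tokens[0] == "push" and len(tokens) != 2:
            findings.append((no, "push expects exactly one quoted option"))
    if not has_log:
        findings.append((0, "no log/log-append directive: failures will be silent"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_openvpn_config(cfg) or "clean")
```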
