OPC DA over VPN tunnels - vpn

Apparently there is no way to get requested data back to the OPC DA client from the server when using OPC DA over a VPN connection. This is because OPC DA is designed using Microsoft's Component Object Model (COM) and uses Distributed COM (DCOM) for remote connectivity. When a connection is established to a remote server, and data requests are made by the client, the server will send callbacks to the IP address that made the connection. When connected to a VPN, it will broker a local IP address on that network. In conclusion, a machine running an OPC DA client using a VPN tunnel to connect to a remote OPC DA server is able to discover the server but not to run it.
My question is: is there a way to use a different tunneling mechanism compatible with the OPC DA protocol?
Alternatively, is there a way to route all callbacks to the client from the server to the IP of the PC with the OPC DA server instead of the brokered IP?

I think you'd be better off putting an OPC-UA tunneler on the machine with the DA server and then connecting over the VPN using OPC-UA.

Are you sure that the VPN is the problem? If you are able to "discover" the server but can't launch it, that means your DCOM settings are incorrect.
Create a new local user account on the client and the server (same name and password). On the server, change the DCOM settings for the OPC server:
Run dcomcnfg
Find your OPC server, select Properties.
On the Security tab, add the new account everywhere (you may try to skip this; sometimes it is not needed)
On the Identity tab, select "This user" and fill in the new account
On the client, log in with the new account, then connect the VPN.
The above DCOM settings are the easiest to maintain/set up/debug for remote connections. Any other combination (interactive user/launching user/domain account etc.) is a pain and 99% of the time won't work. If you need to use domain users (not recommended at all!), you need to connect the VPN before logging in on the client (good luck with this)

This is a few years later, but in case anyone unearths this:
Use a tap-interface VPN, rather than a tunnel. In other words, use a layer-2 VPN which behaves like an Ethernet interface on the remote LAN. You (the VPN client) are given an IP address on the remote network that is connected directly to your machine. It behaves exactly as though there is a very long Ethernet cable from your machine to the site. For all practical purposes, you become local to the OPC server.
or...
As suggested by #KevinHeron above, use an OPC Gateway. Prosys OPC make one and have a diagram of your situation on their product page: https://www.prosysopc.com/products/opc-ua-gateway/

Related

VPN server and client (possibly) on the same machine

What I'm trying to achieve is:
Connect to a VPN as client and route all my internal network's traffic over the VPN.
Run a VPN server, so that people from outside can connect to my internal network and get routed over the a.m. VPN client.
I'm trying to achieve that with a router running dd-wrt (netgear D6200), and / or a raspberry pi.
Can someone tell me if this can be achieved, and if, direct me to what would be a possible solution?
(I'm not looking for a tutorial, just a direction)
Thanks!
This thread probably does not belong here.
Consider using OpenWRT instead of dd-wrt. OpenWRT gives you a usable build system and is easier to customize and build. I am not advocating OpenWRT. This can be a stop-gap measure.
You can set up an OpenVPN server and OpenVPN client using the standard documentation available on the OpenWRT wiki and also the OpenVPN site.
Add to the OpenVPN server.conf the following directive: redirect-gateway def1. This will push the default gateway to clients connecting to the OpenVPN server. Further, make sure you are using a unique network IP pool for VPN clients that does not clash with the remote VPN server.
Make sure you are masquerading the VPN traffic (clients of the local VPN server) before forwarding to the remote VPN server. This can be tricky as this interface does not exist at boot time. It needs to be configured using up and down scripts.
Make sure you are allowing traffic (clients of the local VPN server) on the VPN interface to be forwarded in your firewall rules.
Before setting up the OpenVPN server, make sure:
The remote VPN server is pushing the default gateway to your VPN client
You have set up the firewall correctly
You are able to reach the cloud through the remote VPN server. Checking with some site like www.whatismyip.com will help.
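An added example (not code from the thread, OpenWRT or the OpenVPN project) of the up/down script the answer above refers to, for the router's OpenVPN client process. It assumes the local OpenVPN server's pool and the LAN subnet shown in the variables, and that iptables with the conntrack match is available on the router.

```shell
#!/bin/sh
# Added example (not from the thread): up/down script for the router's
# OpenVPN *client* process. It masquerades the traffic of the local OpenVPN
# *server's* clients and the LAN out through the remote tunnel, which only
# exists once the client is up. OpenVPN passes the tunnel device as $1 and
# sets script_type to "up" or "down"; hook it into the client config with:
#   script-security 2
#   up   /etc/openvpn/remote-nat.sh
#   down /etc/openvpn/remote-nat.sh
# Pool and LAN values are constructed placeholders; the local server's pool
# must not overlap the pool handed out by the remote VPN server.
LOCAL_VPN_POOL="${LOCAL_VPN_POOL:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the iptables commands for one action (-A adds, -D removes) and device.
vpn_nat_rules() {
  action="$1"
  dev="$2"
  for src in "$LOCAL_VPN_POOL" "$LAN_NET"; do
    printf 'iptables -t nat %s POSTROUTING -s %s -o %s -j MASQUERADE\n' \
      "$action" "$src" "$dev"
    printf 'iptables %s FORWARD -s %s -o %s -j ACCEPT\n' \
      "$action" "$src" "$dev"
  done
  # Replies coming back through the remote tunnel to the pool and the LAN.
  printf 'iptables %s FORWARD -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
    "$action" "$dev"
}

# Apply the rules on "up"; remove them on "down" (missing rules are ignored).
apply_nat_rules() {
  case "${script_type:-}" in
    up)
      sysctl -w net.ipv4.ip_forward=1 >/dev/null
      vpn_nat_rules -A "$1" | sh -e
      ;;
    down)
      vpn_nat_rules -D "$1" | sh 2>/dev/null
      ;;
  esac
}

# Only act when OpenVPN invokes the script; sourcing it for inspection is a no-op.
if [ -n "${script_type:-}" ]; then
  apply_nat_rules "$1"
fi
```

Running `vpn_nat_rules -A tun1` by hand prints the rules without applying them, which is a convenient way to review what the script will do before enabling it.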
Yes this is possible with dd-wrt on Netgear.
There is no need for a Raspberry Pi (unless you meant to run the remote VPN server on it).
Configure and run VPN server on dd-wrt - and try connectivity by connecting clients. Both tun/tap should work in general (with VPN client running). I tested with tun.
Configure and run VPN client on dd-wrt and try connecting to your VPN server. By default, the router should start directing all traffic (for its own LAN clients) via the VPN server.
So far so good.
The problem comes when you want dd-wrt's VPN clients (and not just LAN clients) to take the same route. With a VPN client running on dd-wrt, dd-wrt's own VPN clients will not be able to connect to the VPN server running on dd-wrt as such. To make it work, see below.
This is only possible via PBR - i.e. you run VPN client on dd-wrt, but take the router itself off this client, and route only specific clients through this VPN client running on dd-wrt.
With some tweaks using subnet masks, it is possible to include all your LAN and VPN IPs in the PBR policy so that everything (except the router itself) routes through the remote VPN server.
The key is to include dd-wrt's VPN clients' virtual IPs in the PBR. While configuring VPN server on dd-wrt, there is a field for specifying the clients' network and netmask.
If you use this network IP and netmask in client process's PBR policy, your (dd-wrt's) VPN clients will be able to connect to the VPN server running on dd-wrt, and will in turn be routed through the remote VPN server to which dd-wrt is connected as a client.

Connected to VPN Unable to Connect to Server Connected to different VPN

I am connected to our VPN and I would like to RDP to a server that is on the network that is currently connected to a different VPN. What do we need to do? If I RDP to a different server and then RDP from that server to the one connected to a different VPN, it works. I just can't do it directly. Is there something that we need to set up on that server, my computer or the network?
Actually, you can be connected to the other remote server as well, with your machine as a VPN client; it will then be a VPN client to two different VPN servers.
To do this you need to perform the following steps:
1. Create a new client1.conf file for the new remote server
2. Copy the content of the already present client.conf to the client1.conf file
3. Now change the values of ca, cert and keys in the client1.conf file to the respective values needed to connect to the other remote server
4. Establish the VPN connection with the other remote server as follows:
openvpn client1.conf
The command used above is for Linux, to establish a VPN using OpenVPN. For Windows, please find the same command on the OpenVPN site; client1.conf in Linux might correspond to client1.opvf or something... However, this would be the step to be performed in general.

Create a local wireless without internet

I would like to create a local wireless network without internet.
I would like to have the possibility to connect 50 clients and access a website using a domain name.
That means I need a DNS and DHCP server.
I searched on the internet and I found a way to achieve that, but not totally, and I am not sure if it will work and if it is the best way to achieve that.
I could maybe have a mini PC (server) with an ad hoc network and have the clients connect to the server, but:
Will it be possible on connection to assign an IP to the client and set the DNS server IP on the client to the same IP as the server?
I found mini PCs, but how can I know if the PC will handle a lot of clients? Which network card to choose?
I also thought of a router with DHCP configured on it to distribute the IPs, but I would like to have a ready one-box object such as a mini PC.
I need advice on the best way to go with what I want to achieve, the materials I need to buy and good references.
For a Linux domain controller you will need to install BIND to host your own DNS. It's a little involved to set up, but necessary if your network doesn't have a DNS server. If you're using a Windows domain controller you will need a server OS (expensive). If you only have 50 clients the DNS resources needed will be small and you could run BIND from any old box, even a Raspberry Pi. You will also need a host machine for the "website", a.k.a. an intranet. This can be the same machine as your DNS server, but can be any computer on the network. When all is done you will have your router configured with the IP of your local DNS server. The DNS server will point your local domain to whatever box hosts the intranet website.

Connecting to clients using proxy server

I need to build some software infrastructure to manage computers which are connected to the internet using a 3G modem (about 30-40 clients).
The scenario that I came up with for project needs:
Client establishes an internet connection (this is made on OS startup - no user action needed)
Client makes a connection to some server on the internet (I named it "PROXY" - maybe there is a better name)
From now on the client is connected to the PROXY server and is listening for connections on some port (static or dynamic port?)
The same is true for all other machines.
What I need:
When I connect to the PROXY server I want to see a list of all clients connected to it (optionally time of connection, client IP etc.)
I can make a connection to any client, but not P2P; I want to connect using the PROXY server (some kind of tunneling?)
Access to client should be impossible without PROXY server.
Example:
Client connect to internet using 3G modem - received IP: 149.10.20.30
Client connect to PROXY (79.10.11.12)
I connect to PROXY (terminal / VNC / putty / whatever). I can list connected clients (ex. using some command: $ show_connected_clients). And I see list: IP / MAC or other informations.
From my computer (or PROXY server if this is simpler) I can make connection to client (terminal / VNC / RDP whatever) using for this PROXY server.
$ connect_to 149.10.20.30 using 79.10.11.12
Is such a thing possible with the help of the built-in OS services? Or maybe I need to use some commercial software or write my own application?
Writing this from scratch is possible but I do not want to reinvent the wheel.
Some advice? Thanks in advance for any help.
PS. Clients OS (probably all) is Linux. PROXY server OS - I can make decision by my own.
I've decided to use VPN. Perfect in its simplicity. If someone is interested:
Client connects to VPN. Gets IP from VPN network
VPN server on PROXY server
My machine connects to VPN
On PROXY server I can list clients connected to the VPN
Using (e.g. RDP) I can connect to any client via the VPN network
I think I can configure the client to deny connections from networks other than the VPN. If so, I have everything I need.
Simple :)
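As an added example, not code from the thread, here is one way to realise the last point above (management services reachable only through the PROXY VPN) on a Linux client with nftables. The tunnel device, VPN pool and port list are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for one managed client,
# so that SSH and VNC answer only through the PROXY VPN. The client dials
# out to the VPN server, so no port needs to be open on the 3G address at
# all; the tunnel's return packets match the established,related rule.
# Device, pool and ports are constructed placeholders.
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
MGMT_PORTS="${MGMT_PORTS:-22, 5900}"

# Emit the nftables ruleset: default-drop input, management only via the VPN.
mgmt_ruleset() {
  cat <<EOF
table inet mgmt {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # management services: only from the VPN pool and only on the tunnel device
    iifname "$VPN_IF" ip saddr $VPN_NET tcp dport { $MGMT_PORTS } accept
    iifname "$VPN_IF" ip saddr $VPN_NET icmp type echo-request accept
    # the same ports on the 3G uplink fall through to the drop policy
  }
}
EOF
}

# Load atomically, replacing any earlier version of the table in one transaction.
apply_mgmt_ruleset() {
  {
    printf 'add table inet mgmt\n'
    printf 'delete table inet mgmt\n'
    mgmt_ruleset
  } | nft -f -
}
```

Checking from the PROXY side, the management ports should answer on the client's VPN address but time out on its 3G address.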

How do IM applications manage to let users transfer files between different LANs

I am working on a program related to network, and there's a situation that the client has to connect to a server which is inside a LAN.
As far as I know, when establishing a TCP connection, the port the server is listening on has to be accessible to the client. If the server is inside a LAN, port accesses are blocked by the router. One solution I know is to use UPnP to perform a port mapping on the router. However, in some cases the router does not support UPnP; are there other solutions?
IM applications came to mind. Many IM applications have the functionality that users can send files to each other, whatever the network environment is, as long as you can access the internet. I don't think a public server is used as a file data exchanger between the two; the connection has to be a direct one. What do they actually do to enable the client to connect to a "hidden" server?
Typically such programs try a series of steps:
A connects directly to B
B connects directly to A
A tries to connect to a firewall (uPnP) forwarded port to B
B tries to connect to a firewall (uPnP) forwarded port to A
A and B both connect to a central server and exchange data through that
The last step is obviously the least preferred because the provider has to have sufficient resources to manage all simultaneous transfers. Rate-limiting is common.
Since IM has central management anyway, it's not too difficult to coordinate all this.
If uPnP or an open port can't be done at one end or the other, then the only option left would seem to be passing it via a server in the middle.