Struggling with TRBO IP Site Connect over VPN

[Dax50]

Hey there,
I have a problem with the installation of a simple IPSC connection. The master repeater is a DR3000. The peer is a SLR5500. The connection runs over an OpenVPN server and 4G (Latency under 90ms) . Attached is a setup diagram.
I have programmed both repeaters and also set up port forwarding in both repeaters for ports 50000 to 50010.
The actual problem seems to be that the peer repeater is not registering properly with the master.
However, I can see the master from both networks (local at the master and local at the peer) with RDAC, but no peer.

Does anyone have any idea what the problem is?

 

[celltech25]

Never done it over open vpn. I'm assuming you don't have a static IP at the master since you are using the VPN to get a static?.

We typically run l2tp tunnel with eoip to keep all repeaters in the same subnet and it works great.

But without more info I would think your issue is one based around a firewall

 

[Firebuff880]

So the most common issue in this would likely be NAT maps between sites and between the IP Subnets of the end points.

Check out Wayne's Blog for some tips and his you tube channel for some how to videos.

DJ0WH

The all-things-MOTOTRBO blog by Wayne Holmes DJ0WH.

cwh050.blogspot.com

 

[a417]

Are you tied to using OpenVPN?

 

[Dax50]

Hey,

i‘m using openvpn, because my cellular isp usually only offer private IPs.

I use the provider mdex, which offer sim cards with integrated vpn and also a openvpn client for applications without cellular. I used this openvpn client for the Master. The peers uses sim cards with integrated VPN Connection.

I‘m Sure, that my NAT works.
Attached the Wireshark Logs.
On the left is my master recorded between router and repeater. The master has the 192.168.1.2 or the wan address 172.21.25.4.

On the right is the peer recorded between router and repeater. The peer has the internal IP 192.168.178.102 and the WAN IP 10.183.30.7.

Looks to me like the packets are going through with the correct ports.

 

[TampaTyron]

please post screenshots or send codeplugs for the repeaters, specifically the Link establishment portion of the codeplug. Are you pointing to the WAN IP? Are the repeaters on similar firmware? Are the master and peer UDP ports unique? Are the master and peer Radio IDs unique? TT

 

[Dax50]

Sure.
The Master has a static LAN address while the peer uses dhcp.
Attached the Screenshots.

 

[radionx]

BOTH endpoints seem to be CGNAT WAN if I am not mistaken.

172.21.25.4 and 10.183.30.7

 

[Dax50]

Both endpoints are in one VPN wan network

 

[lynchy135]

Am I reading it correctly that on the peer you have the Master IP as the WAN IP of the Cellular router? If you have a VPN, why are you using the WAN IPs as the Master? Can 192.168.178.102 get to 192.168.1.2 directly?

Additionally, is the VPN established? Some cellular networks don't let internal users talk to each other for security reasons. If that is the case you may need to VPN peer to a public server as the convergence point.

 

[Dax50]

Am I reading it correctly that on the peer you have the Master IP as the WAN IP of the Cellular router? If you have a VPN, why are you using the WAN IPs as the Master? Can 192.168.178.102 get to 192.168.1.2 directly?

Additionally, is the VPN established? Some cellular networks don't let internal users talk to each other for security reasons. If that is the case you may need to VPN peer to a public server as the convergence point.

Exactly. The Master WAN IP is on the Peer.
192.168.178.102 is the internal IP of the peer router. The Router is a vpn Client in the VPN WAN Network with the IP 10.183.30.7.

The Same is at the Master Site. 192.168.1.2 is the internal IP of the Master Router (Network between Master Router and Master Repeater). The Master Router also Act as a vpn Client with the vpn wan ip 172.21.25.4

VPN is established and i can ping 10.183.30.7 from the Master Router itself(172.21.25.4) and vice versa.

 

[lynchy135]

This is what I have in my mind. Can 192.168.178.102 get to 192.168.1.2 directly? If you have a VPN connecting the two networks you should have the two communicate with their internal IPs, not their WAN IPs.

 

[Dax50]

View attachment 139949

This is what I have in my mind. Can 192.168.178.102 get to 192.168.1.2 directly? If you have a VPN connecting the two networks you should have the two communicate with their internal IPs, not their WAN IPs.

The VPN is only on the WAN side, so i can't ping the internal IPs.
Maybe i need a L2TP VPN on the internal site. But I can't get the routing to work for L2TP Client to Internal LAN devices.

 

[belvdr]

The VPN is only on the WAN side, so i can't ping the internal IPs.
Maybe i need a L2TP VPN on the internal site. But I can't get the routing to work for L2TP Client to Internal LAN devices.

The VPN is on the WAN/public side, but that is what allows you to use the internal IPs, just like they are internal to one another, as long as the VPN is configured that way.

 

[lynchy135]

The VPN is on the WAN/public side, but that is what allows you to use the internal IPs, just like they are internal to one another, as long as the VPN is configured that way.

it sounds like you are missing VPN configuration or static routing. The only other thing I would try is Port Forwarding. This isn't nearly as secure as a VPN.

 

[a417]

it sounds like you are missing VPN configuration or static routing

I would love to see both routing tables. You're connecting the VPN, but the routing tables will let us know what's being told where stuff should go.

 

[Dax50]

I think VPN is not the best term. I'm using these SIM cards with static IP.

fixed.IP - feste private IP Adresse

Eine feste, private IP-Adresse eignet sich besonders für den direkten, verschlüsselten Web-Zugriff auf ein Endgerät aus der Ferne.

www.mdex.de

I think you can look at this as if there was no vpn.
I can reach both routers on the WAN side. This effectively creates a normal network.

Therefore I have set up port forwarding on both routers, which seems to work, see wireshark logs.

 

[Dax50]

I think the best way would be, to initialize a L2TP connection between the routers to share the same subnet. Encryption is ensure by the openvpn "WAN VPN".
I use Teltonika Routers and successfully initialize the L2TP connection between the two routers.
I used this manual: L2TP configuration examples - Teltonika Networks Wiki

If i undestand this correct, every L2TP client gets an IP address by the L2TP server. But how can i route an ethernet interface to the virtual L2TP subnet?

 

[lynchy135]

I see what it is. It looks like you’re using a cellular provided private network. I think using port forwarding should be fine, but you should verify with cell provider that it’s actually a private backbone that connects you’re two routers together.

 

[Dax50]

I see what it is. It looks like you’re using a cellular provided private network. I think using port forwarding should be fine, but you should verify with cell provider that it’s actually a private backbone that connects you’re two routers together.

The provider says it is a private network. Access from the Internet outside is direct not possible, but also not necessary.

I thought port forwarding is just fine, but it didn't work :-(