Gateway network over VPN

Hi,

I need to configure a "Gateway Network" in an architecture like the one below.

The problem is that all my Edge Gateways are accessed by the Central Gateway over a VPN, where the Central Gateway can ping all Edge Servers, but the Edge Servers can't ping the Central Gateway.

Is it possible to work this way, where only the Central Site can see the Edge Servers?

I didn't try yet, but as far as I saw, I would need to configure an "Outgoing Connection" on each Edge Gateway and accept it on the Central Gateway, and this would only be possible if the Edge Gateways can see the Central Gateway on the network.

You should be fine; configure the connections as "outgoing" from the central server. You'll see them as "incoming" on the Edge servers.

There's little difference between the two other than who initiates the connection.


I created the "outgoing connection" in the "Central Gateway" and it worked, showing "connected". But after about 1 minute it shows "faulted". If I click "reset", the same thing occurs: it shows connected and then fails.

I guess this is because of my VPN scenario, where the "Central Gateway" can ping the "Edge Gateway" but the opposite is not true.
I'm checking to fix this with my VPN administrator, but I still don't know if it will be allowed.

Does anyone have another opinion?

No, outgoing connections do not require the other side to be able to ping back. Are you sure your VPN supports websocket connections?

I'm not sure about the websocket, I'll confirm. But I can access the Edge Gateway perfectly with Perspective sessions in a browser running on the same PC that would be the Central Gateway.

That is the other direction for a websockets test, but I admit it would be strange for the support not to be symmetrical.

Looking at the logs, is there any information in them that is of any help?

Hi,

When I go into the Central Gateway, where I configured an "outgoing connection", I have these logs.
As you can see, at 15:14:43 the connection is "running" and at 15:15:07 it's faulted (that's exactly the 30000 ms timeout config).

When I go into the Edge Gateway, where I approved an "incoming connection" from the Central Gateway, I have these logs.
As you can see, at 15:14:34 the connection is running and the websocket session is established with the server, but at 15:15:04 it shows ping failed.

Additional information:
1 - The VPN I'm connecting over is L3VPN (I don't know if it would require L2VPN)

2 - The Central Gateway can ping the Edge Gateway and the opposite is not true.

3 - Just to be sure the configuration I'm doing is OK, I configured the same Gateway Network between this Central Gateway and a virtual machine running on it, and it worked normally.
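An added diagnostic, not from this thread or from Ignition itself: a plain websocket probe that opens a session from the Central side, the way the outgoing connection does, and keeps pinging past the 30 s window, so a drop at that point can be attributed to the VPN or firewall rather than the gateway configuration. The port (8060), the path ("/") and a non-TLS endpoint are assumptions; adjust them to the Gateway Network settings in use (wrap the socket with `ssl` if the gateway network port uses SSL).

```python
import base64, hashlib, os, socket, time

# RFC 6455 GUID used to derive Sec-WebSocket-Accept from the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for a client key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def build_frame(opcode: int, payload: bytes = b"") -> bytes:
    """Client frame: FIN set, masked (mandatory client-to-server), payload under 126 bytes."""
    mask = os.urandom(4)
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes([0x80 | opcode, 0x80 | len(payload)]) + mask + masked

def parse_frame(data: bytes):
    """Server frame (unmasked, short payload): returns (opcode, payload)."""
    return data[0] & 0x0F, data[2:2 + (data[1] & 0x7F)]

def handshake_ok(response: bytes, key: str) -> bool:
    """True only for a 101 Switching Protocols reply carrying the correct accept hash."""
    head = response.partition(b"\r\n\r\n")[0].decode(errors="replace").split("\r\n")
    if not head[0].startswith("HTTP/1.1 101"):
        return False
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in head[1:])}
    return headers.get("sec-websocket-accept") == expected_accept(key)

def probe(host: str, port: int = 8060, path: str = "/", hold_seconds: int = 45) -> dict:
    """Upgrade to a websocket, then ping every 10 s to see if the session outlives 30 s."""
    key = base64.b64encode(os.urandom(16)).decode()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nUpgrade: websocket\r\n"
               f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    result = {"upgraded": False, "pongs": 0, "alive_seconds": 0.0}
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request.encode())
        if not handshake_ok(sock.recv(4096), key):
            return result  # no upgrade: wrong path/port, or an HTTP proxy stripped the Upgrade
        result["upgraded"] = True
        start = time.monotonic()
        try:
            while time.monotonic() - start < hold_seconds:
                sock.sendall(build_frame(0x9, b"gn-probe"))      # ping
                if parse_frame(sock.recv(1024))[0] == 0xA:       # pong
                    result["pongs"] += 1
                result["alive_seconds"] = time.monotonic() - start
                time.sleep(10)
        except (socket.timeout, ConnectionError, IndexError):
            pass  # session died early: compare alive_seconds with the 30 s fault in the logs
    return result
```

If `upgraded` is True but `alive_seconds` stops near 30 s with no further pongs, the path between the two gateways is closing idle or long-lived websocket sessions, which matches the "running then faulted" pattern in the logs.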

Hello everyone,

Following up on the same problem, some updates:

1 - I could connect L2VPN to the router where the Edge Gateway is, so now, using local IP addresses, both computers can ping each other (the Central Gateway and Edge Gateway). But surprisingly, this way the connection doesn't work even for a few seconds like before. So I keep trying with L3VPN access.

2 - Now I'm trying to check with our service support if there's some rule on the firewall blocking websockets.

3 - Our VPN administrator is a third-party company, so I still don't know details about websockets on it. I know we use the OpenVPN application.

I use OpenVPN extensively, and have not had problems.

Can you define what you mean by L2VPN and L3VPN? I guess I'm used to all VPNs essentially giving you a "virtual" network connection that, depending on the server side, can do routing if needed (L3, and very typical) or only allow same-subnet access (this is rare in my experience). While I use almost exclusively WireGuard now, I've used OpenVPN quite a bit, and I don't see why it would have an issue with any of this.

Hi,

By L2VPN and L3VPN I mean layer 2 and layer 3.
I was wondering whether, as I was only able to connect over L3 before, this could be the problem, as the Edge Gateway wasn't able to ping the Server.

So, after some time, I connected over L2VPN, and the server received an IP address in the same range as the devices under the router on the remote site. This way the Edge Gateway (on the Linux iPC below) could ping the server at the IP 192.168.15.x4, so I tried to configure an outgoing connection in the Gateway, but that way was worse: the connection didn't succeed even for a few seconds like in the opposite direction.

Below is the architecture

In the end, I'm still with the same problem, in the current scenario.
On the Server I have full Ignition installed and an outgoing connection to the IP 10.22.213.x2

Resetting the connection, it goes to running.

30 seconds after, it faults.

Here below are the logs on the server

And just to remember, Perspective clients work perfectly accessing the edge gateway at 10.22.213.x2 over the VPN. The problem is only with the Gateway Network resource.
Also, as I told before, when I run the gateway in a Linux virtual machine on the server, all works perfectly, I mean the configuration seems to be OK.

I still don't have an answer from the IT department about whether the firewall could be blocking the websocket port or so on; my user doesn't have administrative rights to check.

Well, I'm making a case study with one server and one site now, but once it's proven there will be many remote sites. But this problem is making things very hard to move forward.

The problem was solved with the following solution