OpenVPN setup help – routing or bridging

Tags: bridge, openvpn, routing, subnet

This is a question about whether to use Bridged or Routed OpenVPN setup, and how to set up the connection.

TLDR:

  • One master site, multiple satellite sites. All sites are on the same subnet.

    • If using Bridged mode, how to prevent unwanted traffic on the VPN (bandwidth/data use are limited).
    • If using Routed mode, how to route individual IP addresses (not subnets) to specific VPN endpoints?

Background: the subject is a wastewater treatment plant with several (3+) remote pump stations. The main office runs our SCADA system and has multiple PLCs and workstations.

Each remote pump station has one or more PLCs/PanelView units, and currently all remote sites utilize 150MHz radio signals to send telemetry data back to the main location.

Due to poor signal quality and bandwidth limitations of the radios, we are hoping to switch all the sites to use 4G cellular data modems instead.

For security and simplicity, I think the best approach is to set up an OpenVPN-enabled router at each location (currently using Linksys E1200 running DD-WRT latest version) and configure them to connect to an OpenVPN server at the main office.

However, there is a problem: all the remote sites use the same subnet as the main site. This was set up by the vendor who installed the radios, apparently to "keep things simple" but it has been only headaches for us. We can't change the IP address mappings because we don't have the programming software for some of the devices, and also it would require reprogramming in each PLC. So we're stuck with all sites being on the same subnet. (192.168.100.x)

My question is: should I use Routing or Bridging mode for this setup?

If I use Bridging mode, I don't want the OpenVPN bridge to pass any superfluous traffic (broadcast, etc) because the cellular modems have limited monthly data transfer allowances.

If I use Routing mode, how can I force OpenVPN to only route the specific IP addresses that apply to remote sites?

For example:
Main site: uses 192.168.100.1 – 30, also 40+

Remote site 1: 192.168.100.32-37
Remote site 2: 192.168.1.31
Remote site 3: 192.168.100.110-120, 140

So we can't route based on subnet – but must route individual IPs to the various locations.

I would appreciate any advice for this setup.

I tried Routing mode using specified routes with 255.255.255.255 subnet mask but was unable to get traffic to pass between one site and the main location. The OpenVPN connection was established successfully but could not ping between them.

Best Answer

You need to use a bridged setup (unless you are able to manually modify the routing tables on all hosts/devices on the network).

In a normal setup, an IP datagram destined for an address in the same local subnet will not be routed via a default gateway, because the address is directly reachable on the interface. ARP will be used to acquire the MAC address of the destination host, and the IP datagrams will be sent directly to the destination in Ethernet frames carrying this MAC address, at network layer 2.

This means that a routed OpenVPN setup will not work for your problem. The VPN gateway will not even "see" any traffic. It would only come into play if all the following conditions are met:

  • a) the VPN gateway is defined as the default gateway on all your hosts/devices
  • b) the destination IP address is on another subnet
  • c) the destination IP address is not matched by a more specific static route to another gateway

While blocking broadcasts is possible, it will break a bridged network if all broadcasts are blocked, because a bridged network relies on broadcasts. On an Ethernet network, ARP is used to broadcast the MAC addresses of endpoints in the network.

To block certain broadcasts, iptables with modules physdev and pkttype could be used.
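As an added example (not code from the original answer), the following script builds the iptables rules the answer hints at: on each bridging router, frames that would leave the bridge through the OpenVPN tap port are filtered with the physdev and pkttype matches so that unicast passes, the one broadcast the remote site is assumed to need (DHCP) passes, and all other broadcast and multicast frames are dropped before they consume cellular data. It assumes the tap device is named tap0, that the kernel has br_netfilter so iptables sees bridged frames, and that DHCP is the only broadcast worth keeping; ARP is not IP, so these rules never touch it and the bridge keeps working as the answer requires.

```shell
#!/bin/sh
# Added example: filter IP broadcast/multicast bound for the OpenVPN tap port
# of a bridged setup so it does not cross the metered cellular link.
# Assumptions: tap0 is the OpenVPN tap port enslaved to the bridge, DHCP is
# the only broadcast still needed, br_netfilter is available. ARP frames are
# not IP and are not affected by iptables, so the bridge keeps resolving MACs.

TAP_IF="${TAP_IF:-tap0}"   # assumed tap port name
IPT="${IPT:-iptables}"     # set IPT="echo iptables" for a dry run

# Emit one FORWARD rule per line. Order matters: unicast and the needed
# broadcast (DHCP, UDP 67/68) are accepted first, then every remaining
# non-unicast frame (broadcast or multicast) heading out the tap port is dropped.
bridge_filter_rules() {
    cat <<EOF
-A FORWARD -m physdev --physdev-out $TAP_IF -m pkttype --pkt-type unicast -j ACCEPT
-A FORWARD -m physdev --physdev-out $TAP_IF -m pkttype --pkt-type broadcast -p udp --dport 67:68 -j ACCEPT
-A FORWARD -m physdev --physdev-out $TAP_IF -m pkttype ! --pkt-type unicast -j DROP
EOF
}

# Number of rules that would be installed (handy for a dry-run sanity check).
rule_count() {
    bridge_filter_rules | wc -l | tr -d ' '
}

# Make sure iptables sees bridged frames, then install each rule with $IPT.
apply_bridge_filter() {
    if [ "$IPT" = "iptables" ]; then
        modprobe br_netfilter 2>/dev/null || true   # built in on some kernels
        sysctl -q -w net.bridge.bridge-nf-call-iptables=1
    fi
    bridge_filter_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting into arguments is intended
        $IPT $rule
    done
}

# With IPT="echo iptables" the script only prints the commands it would run;
# on the router, source it as root and call apply_bridge_filter to install.
[ "$IPT" = "iptables" ] || apply_bridge_filter
```

Run `IPT="echo iptables" sh bridge-filter.sh` first to review the generated rules, then apply them on each side of the tunnel, since each bridging router has its own tap port.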
