Connection with PLCs¶
This manual is applicable to IsardVDI installations of version 14.47.1 or later.
Physical assembly¶
For this scenario we will have these devices:
- PLC
- PC gateway
- Virtual machine.
Logical assembly¶
Before proceeding to the creation of a Remote VPN, it is important to know that you will not be able to have several repeated or overlapping Extra Networks in the same installation (on the same IsardVDI server).
- We create a Remote VPN:
- Select Add new and it will ask you for a name for the VPN and an optional network. In this case we will call it plc-test and the network we will use will be 192.168.203.0/24 (or the one of your preference).
- Once created, modify the permissions by selecting the icon that is indicated in the image to be able to assign the groups or users who will have access to the remote VPN.
- And download the VPN's .conf file.
Setting up external devices¶
PLC¶
We set up a static IP:
- IP: 192.168.203.2
- Network Mask: 255.255.255.0
- Gateway: 192.168.203.1
Gateway¶
We set up a static IP:
- IP: 192.168.203.1
- Network Mask: 255.255.255.0
- Gateway: 192.168.203.1
We download the configuration file of the remote VPN we have created and use it to connect via WireGuard (see the WireGuard user guide; ignore the user's personal VPN):
- Linux:
sudo apt install wireguard
sudo mv /download/path/isard-vpn.conf /etc/wireguard/
sudo wg-quick up isard-vpn
- Windows:
In order for the PLC's LAN network to be able to establish a connection with the remote VPN network located in IsardVDI, we have to do the following:
- The machine must have internet access.
- We add the following commands, replacing "interface-plc" and "interface-vpn" ('isard-vpn' in this demo) with the interface names in your case.
# We allow return communication from the PLC, as it does not have the routes
sudo iptables -t nat -A POSTROUTING -o interface-plc -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o isard-vpn -j MASQUERADE
sudo iptables -A FORWARD -i isard-vpn -o interface-plc -j ACCEPT
sudo iptables -A FORWARD -i interface-plc -o isard-vpn -j ACCEPT
# We install the package that makes the rules persist across reboots.
sudo apt install iptables-persistent
# If this is the first time you install it, a prompt will ask whether to save the existing rules permanently.
Scenario with an individual desktop¶
Outline¶
In this scenario, a single virtual desktop will be connected directly to the PLC network.
Guide¶
VIRTUAL MACHINE CONFIGURATION
We enable the WireGuard VPN interface in the desktop's edit form.
Once inside the virtual machine, we enable IP forwarding by uncommenting the following parameters in the /etc/sysctl.conf file, and apply the changes:
# You can use the editor of your choice
sudo nano /etc/sysctl.conf
# We uncomment these options (remove the leading #) so they read:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
# We apply the changes
sudo sysctl -p
We check the connection name of the WireGuard VPN interface, which is on enp2s0 by default, with the command:
nmcli connection
To add a permanent route to the PLC network, 192.168.203.0/24, we run the following command, replacing "Wired\ connection\ 2" with the connection name of the WireGuard VPN interface we checked with the previous command (the backslashes escape the spaces in the name):
nmcli connection modify Wired\ connection\ 2 +ipv4.routes "192.168.203.0/24 10.2.0.1"
Attention. The system must be restarted.
For the test run, we will ping from the PLC to the desktop and vice versa.
ping 192.168.203.2 # From the virtual desktop
Scenario with a group of desktops¶
Outline¶
In this scenario, we communicate with several virtual desktops through another one that acts as a gateway. The latter is configured the same as in the individual desktop scenario, except that, in this case, we must add a LAN network that connects it with the other desktops.
Requirements before proceeding¶
- We need an interface that connects all the machines in the group that should have access to each other (including the desktop that will act as a gateway).
- It must be of the OpenVSwitch type, as these allow the largest number of connected users (up to 4000). In this case, we set a maximum of 50 connections for the test.
- We give permission to the users who are going to use it.
Guide¶
Ubuntu Gateway Configuration¶
In this example we follow the steps of the individual desktop scenario, but this time with a group that will connect through the newly created interface (plc-test).
We add the interface we created, and this is what the gateway desktop should look like.
Once inside the virtual machine, we enable IP forwarding by uncommenting the following parameters in the /etc/sysctl.conf file, and apply the changes:
# You can use the editor of your choice
sudo nano /etc/sysctl.conf
# We uncomment these options (remove the leading #) so they read:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
# We apply the changes
sudo sysctl -p
In order for this machine, which will act as a gateway, to communicate with the group of desktops, we will configure an IP of the same LAN network in the new interface added (enp3s0 => plc-test).
We set up a static IP:
- IP: 192.168.10.1
- Network Mask: 255.255.255.0
- Gateway: 192.168.10.1
We check the connection name of the WireGuard VPN interface found on enp2s0 with the command:
nmcli connection
To add a permanent route to the PLC network, 192.168.203.0/24, we run the following command, replacing "Wired\ connection\ 2" with the connection name of the WireGuard interface we checked with the previous command (the backslashes escape the spaces in the name):
nmcli connection modify Wired\ connection\ 2 +ipv4.routes "192.168.203.0/24 10.2.0.1"
Attention. The system must be restarted.
For the test run, we will ping from the PLC to the desktop and vice versa.
ping 192.168.203.2 # From the virtual desktop
We add rules to allow traffic between the WireGuard VPN interface and the LAN (plc-test) with the following commands:
sudo iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
sudo iptables -A FORWARD -i enp3s0 -o enp2s0 -j ACCEPT
sudo iptables -A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT
# We install the package that will make the settings save permanently.
sudo apt install iptables-persistent
# If this is your first time downloading it, a message will appear to confirm that we want to save the existing rules permanently.
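The rules above, like those for the physical gateway earlier, forward everything between the two interfaces and masquerade all of it. The script below is an added example (not part of this guide or of IsardVDI) that applies the same NAT/forward set scoped to the two networks, enables IP forwarding, and can be re-run without duplicating rules. It assumes the desktop side of the VPN lies within 10.2.0.0/16, as the guide's routes suggest, and takes the interface names (isard-vpn, enp2s0/enp3s0 on this page) as arguments.

```shell
#!/bin/sh
# Added example, not part of the guide or of IsardVDI: applies the NAT/forward
# rules of the PLC scenario scoped to the two networks, without duplicates.
# Usage: sh plc-gateway.sh <near-interface> <far-interface> [--dry-run]
#   physical gateway: near = isard-vpn (NEAR_NET=10.2.0.0/16, assumed desktop VPN range)
#                     far  = PLC NIC   (FAR_NET=192.168.203.0/24, from the guide)
#   Ubuntu gateway desktop: near = enp3s0 with NEAR_NET=192.168.10.0/24, far = enp2s0
NEAR_NET="${NEAR_NET:-10.2.0.0/16}"
FAR_NET="${FAR_NET:-192.168.203.0/24}"

# Emit the rule set, one rule per line. Traffic is forwarded (and masqueraded)
# only towards the two networks; anything else crossing this pair is dropped.
gw_rules() {
    cat <<EOF
-t nat -A POSTROUTING -o $2 -d $FAR_NET -j MASQUERADE
-t nat -A POSTROUTING -o $1 -d $NEAR_NET -j MASQUERADE
-A FORWARD -i $1 -o $2 -d $FAR_NET -j ACCEPT
-A FORWARD -i $2 -o $1 -d $NEAR_NET -j ACCEPT
-A FORWARD -i $1 -o $2 -j DROP
-A FORWARD -i $2 -o $1 -j DROP
EOF
}

# Turn an append rule (-A) into the matching check rule (-C) for iptables.
check_form() { printf '%s\n' "$1" | sed 's/ -A / -C /'; }

# Append a rule only if iptables -C reports it is not there yet, so the
# script can be re-run (or run after the guide's commands) without duplicates.
add_once() {
    # word splitting of the rule string is intended: one argument per word
    iptables $(check_form "$1") >/dev/null 2>&1 || iptables $1
}

main() {
    near="$1"; far="$2"
    if [ "${3:-}" = "--dry-run" ]; then gw_rules "$near" "$far"; return 0; fi
    for i in "$near" "$far"; do
        [ -d "/sys/class/net/$i" ] || { echo "no such interface: $i" >&2; return 1; }
    done
    # Forwarding is off by default; persist it in /etc/sysctl.conf as the guide does.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gw_rules "$near" "$far" | while read -r rule; do add_once "$rule"; done
    iptables-save > /etc/iptables/rules.v4   # reloaded at boot by iptables-persistent
}

[ $# -ge 2 ] && main "$@"   # do nothing when no interfaces are given
```

Run it with --dry-run first to see the exact rules it would add for your interface names.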
Alpine Gateway Configuration (another alternative)¶
We add the interface we created, and this is what the virtual desktop should look like.
We configure the WireGuard interface with static routes to the PLC network in /etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp
up ip route add 10.0.0.0/16 via 10.2.0.1 dev eth1
up ip route add 192.168.203.0/24 via 10.2.0.1 dev eth1
auto eth2
iface eth2 inet static
address 192.168.10.1
netmask 255.255.255.0
We restart the network.
Alpine:~# /etc/init.d/networking restart
We add the MASQUERADE and forwarding rules:
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
sudo iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
And to make the previous commands permanent, we do the following:
- Create a file with the saved rules:
iptables-save > /etc/iptables/rules.v4
- Create a script that loads the saved rules at boot:
nano /etc/local.d/iptables.start
#!/bin/sh
iptables-restore < /etc/iptables/rules.v4
- Make the script executable and enable the local service:
sudo chmod +x /etc/local.d/iptables.start
sudo rc-update add local default
Desktop pool configuration¶
Each virtual machine of the group will have only 2 interfaces: the private one and the public one used to reach the internet.
To communicate with the desktop that will act as a gateway through the newly added interface, we configure an IP from the same network (enp2s0). The LAN network we chose was 192.168.10.0/24, with IP 192.168.10.1 for the desktop that acts as the gateway, so we assign this desktop 192.168.10.5, for example.
We set up a static IP:
- IP: 192.168.10.5
- Network Mask: 255.255.255.0
- Gateway: 192.168.10.1
We check the connection name of the shared interface "plc-test", which is on port enp2s0, with the command:
nmcli connection
The result looks like this (the names of the interfaces vary). In our case it is called Wired connection 2; backslashes are used to escape the spaces in the name.
In order for the group of virtual desktops to reach the LAN network of the PLCs permanently, we have to assign several routes. We direct all of them through the IP of the gateway's interface on the internal network which, in this scenario, is 192.168.10.1.
- We connect the student desktop with the VPN network (10.2.0.0/16) used by the gateway desktop, through the gateway's IP on the internal network that links it with the students (192.168.10.1) => 10.2.0.0/16
nmcli connection modify Wired\ connection\ 2 +ipv4.routes "10.2.0.0/16 192.168.10.1"
- Then the VPN network (10.0.0.0/16) between the physical gateway and the IsardVDI router (WireGuard VPN) => 10.0.0.0/16
nmcli connection modify Wired\ connection\ 2 +ipv4.routes "10.0.0.0/16 192.168.10.1"
- And finally, the route to the PLC network => 192.168.203.0/24
nmcli connection modify Wired\ connection\ 2 +ipv4.routes "192.168.203.0/24 192.168.10.1"
Or we can add them manually in the configuration file of the interface we are interested in, located in the folder /etc/NetworkManager/system-connections: