Dejan/TeamviewerVpn-s7SiemensPLC-guide
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Add readme.md

Browse source
This commit is contained in:
Dejan 2026-02-16 19:31:23 +00:00
commit ba8b3e88b5
1 changed files with 926 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

926
readme.md Normal file
View file

@ -0,0 +1,926 @@
# TeamViewer VPN Configuration Guide
## Remote Access to Siemens S7-1200 PLC via TeamViewer VPN
This guide explains how to configure TeamViewer VPN to remotely access industrial PLCs (specifically Siemens S7-1200) that are on a remote local network.
---
## ⚠️ Important Notes
- **TeamViewer VPN requires TeamViewer License** (Premium, Corporate, or Tensor)
- **Free version does NOT support VPN feature**
- This guide assumes you have a valid TeamViewer license
- PLC programming requires TIA Portal or STEP 7
- Industrial network security best practices should be followed
---
## Network Topology
```
Your Computer (Engineer/Programmer)
↓ (Internet)
TeamViewer VPN Connection
↓ (Virtual VPN Tunnel)
Remote Gateway PC (with TeamViewer)
↓ (Local Network: 192.168.10.0/24)
Siemens S7-1200 PLC (192.168.10.100)
```
---
## Prerequisites
### Software Requirements
**On Your Computer (Client):**
- TeamViewer (Full version with VPN license)
- TIA Portal V16/V17/V18 or STEP 7
- Windows 10/11 or Linux with Wine (for TIA Portal)
**On Remote Gateway PC:**
- TeamViewer (Full version with VPN license)
- Windows 7 or later / Linux
- Access to 192.168.10.0/24 network where PLC is located
- **Must be always running and connected to internet**
### Network Requirements
- Remote PC must have network access to PLC network (192.168.10.0/24)
- PLC must be reachable from remote gateway PC
- Firewall rules allowing TeamViewer VPN traffic
- Static IP recommended for PLC (e.g., 192.168.10.100)
---
## Information to Collect
Before starting, gather this information:
### Remote Gateway PC Information:
- TeamViewer ID: `_________________`
- Computer Name: `_________________`
- Local IP Address: `_________________` (e.g., 192.168.10.50)
- Network Interface connected to PLC network: `_________________` (e.g., eth0, Ethernet)
- Gateway/Router IP: `_________________` (e.g., 192.168.10.1)
### PLC Network Information:
- PLC Network Subnet: `_________________` (e.g., 192.168.10.0/24)
- PLC IP Address: `_________________` (e.g., 192.168.10.100)
- PLC Subnet Mask: `_________________` (e.g., 255.255.255.0)
- Other devices on network: `_________________`
### TeamViewer VPN Information:
- Your VPN IP (assigned by TeamViewer): `_________________` (e.g., 7.x.x.x)
- Remote PC VPN IP (assigned by TeamViewer): `_________________` (e.g., 7.x.x.x)
---
## Step-by-Step Configuration
## Part 1: Remote Gateway PC Setup
### STEP 1: Install TeamViewer on Remote Gateway PC
**For Windows:**
1. Download TeamViewer from https://www.teamviewer.com
2. Install with "Install to access this computer remotely" option
3. Set up unattended access with password
4. Configure to start with Windows
**For Linux (Debian/Ubuntu):**
```bash
# Download TeamViewer
wget https://download.teamviewer.com/download/linux/teamviewer_amd64.deb
# Install
sudo dpkg -i teamviewer_amd64.deb
sudo apt-get install -f
# Start TeamViewer
teamviewer
# Enable daemon for unattended access
sudo teamviewer daemon enable
```
**For Linux (CentOS/RHEL):**
```bash
# Download TeamViewer
wget https://download.teamviewer.com/download/linux/teamviewer.x86_64.rpm
# Install
sudo yum install ./teamviewer.x86_64.rpm
# Start TeamViewer
teamviewer
```
---
### STEP 2: Configure TeamViewer for Unattended Access
1. Open TeamViewer
2. Go to **Extras** → **Options**
3. **General Tab:**
- Set TeamViewer to start with system
- Enable "Start TeamViewer with Windows/System"
4. **Security Tab:**
- Set a strong password for unattended access
- Configure "Random password" to "Disabled" (use permanent password)
5. **Remote Control Tab:**
- Disable "Confirm all" if needed for automation
6. Note the **TeamViewer ID** - you'll need this to connect
---
### STEP 3: Verify Network Access to PLC
**On Remote Gateway PC:**
**Windows:**
```cmd
# Test ping to PLC
ping 192.168.10.100
# Check network configuration
ipconfig /all
# Test connection to PLC port (usually 102 for S7 comm)
# Install telnet first if not available
telnet 192.168.10.100 102
```
**Linux:**
```bash
# Test ping to PLC
ping -c 4 192.168.10.100
# Check network configuration
ip addr show
ip route show
# Test connection to PLC port
nc -zv 192.168.10.100 102
# or
telnet 192.168.10.100 102
```
**Checkpoint:** Gateway PC must be able to ping and reach PLC before continuing
---
### STEP 4: Enable IP Forwarding (Linux Gateway Only)
**Skip this step if using Windows as gateway**
**For Linux Gateway:**
```bash
# Check current setting
cat /proc/sys/net/ipv4/ip_forward
# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
# Make permanent
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
# Apply changes
sudo sysctl -p
```
---
### STEP 5: Configure Firewall (Linux Gateway Only)
**For Linux Gateway with iptables:**
```bash
# Allow forwarding from TeamViewer VPN to local network
# Get TeamViewer VPN interface name first
ip addr show | grep -A 2 "^[0-9].*teamviewer"
# Usually it's something like: teamviewer0 or tap0
# Replace <TV_INTERFACE> with actual interface name
# Replace <LOCAL_INTERFACE> with interface connected to PLC network (e.g., eth0)
# Allow forwarding
sudo iptables -A FORWARD -i <TV_INTERFACE> -o <LOCAL_INTERFACE> -j ACCEPT
sudo iptables -A FORWARD -i <LOCAL_INTERFACE> -o <TV_INTERFACE> -m state --state RELATED,ESTABLISHED -j ACCEPT
# Example:
sudo iptables -A FORWARD -i teamviewer0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o teamviewer0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4
```
**For Linux Gateway with firewalld:**
```bash
# Add TeamViewer interface to trusted zone
sudo firewall-cmd --zone=trusted --add-interface=teamviewer0 --permanent
# Allow forwarding
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload
```
---
## Part 2: Your Computer (Client) Setup
### STEP 6: Install TeamViewer on Your Computer
1. Download and install TeamViewer from https://www.teamviewer.com
2. Log in with your TeamViewer account (required for VPN)
3. Ensure you have VPN feature enabled (check your license)
---
### STEP 7: Establish TeamViewer VPN Connection
1. Open TeamViewer
2. Enter the **Remote Gateway PC's TeamViewer ID**
3. Instead of clicking "Remote Control", click the **dropdown arrow** next to it
4. Select **"VPN"** from the dropdown menu
5. Enter the unattended access password
6. Wait for VPN connection to establish
**What happens:**
- TeamViewer creates a virtual network adapter on both computers
- Both computers get IPs in the 7.x.x.x range (e.g., 7.x.x.1 and 7.x.x.2)
- A point-to-point VPN tunnel is created
---
### STEP 8: Identify TeamViewer VPN IP Addresses
**On Your Computer:**
**Windows:**
```cmd
ipconfig /all
# Look for "TeamViewer VPN Adapter"
# Note the IPv4 Address (e.g., 7.254.0.1)
```
**Linux:**
```bash
ip addr show | grep -A 5 teamviewer
# Note the inet address
```
**Record:**
- Your VPN IP: `_________________`
- Remote PC VPN IP: `_________________` (usually your IP ± 1)
✅ **Test VPN Connection:**
```bash
# Ping remote gateway PC via VPN
ping <REMOTE_VPN_IP>
```
---
### STEP 9: Add Static Route to PLC Network
You need to tell your computer that to reach 192.168.10.0/24, it should route through the TeamViewer VPN.
**On Your Computer (Windows):**
```cmd
# Add route to PLC network via TeamViewer VPN
# Template:
route ADD <PLC_NETWORK> MASK <SUBNET_MASK> <REMOTE_VPN_IP>
# Example:
route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2
# Make permanent (add -p flag):
route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 -p
# Verify route
route PRINT
```
**On Your Computer (Linux):**
```bash
# Add route to PLC network via TeamViewer VPN
# Template:
sudo ip route add <PLC_NETWORK>/<CIDR> via <REMOTE_VPN_IP>
# Example:
sudo ip route add 192.168.10.0/24 via 7.254.0.2
# Verify route
ip route show | grep 192.168.10
```
---
### STEP 10: Configure Static Route on Remote Gateway PC (Windows Only)
**If Remote Gateway is Windows:**
The remote PC needs to know that traffic destined for your VPN IP should go through the TeamViewer VPN interface.
```cmd
# Usually not needed if TeamViewer handles routing automatically
# But if you have issues, add this route:
# Get your VPN IP (e.g., 7.254.0.1)
# Add route on remote PC:
route ADD 7.254.0.0 MASK 255.255.0.0 <TEAMVIEWER_GATEWAY> IF <INTERFACE_INDEX>
# Check with:
route PRINT
```
**Most times this is automatic**, so skip if you can ping the PLC from your computer.
---
### STEP 11: Test Connectivity to PLC
**From Your Computer:**
**Test 1: Ping the PLC**
```bash
ping 192.168.10.100
```
**Test 2: Check route**
```cmd
# Windows
tracert 192.168.10.100
# Linux
traceroute 192.168.10.100
```
Expected path:
```
1. Your computer (local)
2. Remote VPN IP (e.g., 7.254.0.2)
3. PLC (192.168.10.100)
```
**Test 3: Test S7 Communication Port**
```bash
# Windows (if telnet enabled)
telnet 192.168.10.100 102
# Linux
nc -zv 192.168.10.100 102
```
**Checkpoint:** Should be able to ping and reach port 102 on PLC
---
## Part 3: TIA Portal / STEP 7 Configuration
### STEP 12: Configure TIA Portal for Remote PLC Access
1. **Open TIA Portal**
2. **Open your project** or create new one
3. **Add new device** or go to existing PLC configuration
4. **Configure PLC Connection:**
- Go to **Online & Diagnostics** or **Online Access**
- Click **"Accessible Devices"** → **"Update accessible devices"**
- Set **PG/PC Interface**: Choose the network adapter
- **Important:** Select your **main network adapter** (not TeamViewer VPN adapter)
5. **Add PLC Manually if not auto-detected:**
- Right-click on network → **Add new subnet**
- Set subnet: `PN/IE_1` (or similar)
- Add PLC with IP: `192.168.10.100`
- Set interface: `PN/IE` with IP `192.168.10.100`
6. **Go Online with PLC:**
- Select your PLC in project tree
- Click **"Go Online"** button
- If connection dialog appears, verify IP `192.168.10.100`
- Click **Connect**
### Alternative: Use NetPro (STEP 7 Classic)
1. Open NetPro
2. Configure PG/PC Interface
3. Set route to PLC: `192.168.10.100`
4. Test connection
---
## Part 4: Automation & Scripts
For easier setup, use the provided configuration scripts.
### Windows Automation Script
See: `teamviewer-vpn-setup-windows.bat`
### Linux Automation Script
See: `teamviewer-vpn-setup-linux.sh`
---
## Troubleshooting Guide
### Issue 1: Cannot Connect TeamViewer VPN
**Symptoms:**
- VPN option grayed out
- "VPN not available" error
**Solutions:**
1. Verify TeamViewer license includes VPN feature
2. Log in to TeamViewer account on both computers
3. Update TeamViewer to latest version
4. Check firewall isn't blocking TeamViewer (port 5938)
5. Try restarting TeamViewer service:
```cmd
# Windows
net stop TeamViewer
net start TeamViewer
```
---
### Issue 2: VPN Connects but Cannot Ping Remote PC
**Symptoms:**
- VPN status shows "Connected"
- Cannot ping remote VPN IP (e.g., 7.254.0.2)
**Solutions:**
1. **Check VPN adapter status:**
```cmd
# Windows
ipconfig /all
# Look for TeamViewer VPN adapter - should show IP 7.x.x.x
```
2. **Check Windows Firewall on remote PC:**
```cmd
# Temporarily disable to test
netsh advfirewall set allprofiles state off
# If this fixes it, create rules:
netsh advfirewall firewall add rule name="TeamViewer VPN" dir=in action=allow protocol=any remoteip=7.0.0.0/8
# Re-enable firewall
netsh advfirewall set allprofiles state on
```
3. **Restart network adapter:**
- Network Connections → Disable/Enable TeamViewer VPN adapter
---
### Issue 3: Can Ping Remote PC but Cannot Reach PLC
**Symptoms:**
- Can ping remote VPN IP (7.254.0.2)
- Cannot ping PLC (192.168.10.100)
**Solutions:**
1. **Verify route is configured:**
```cmd
# Windows
route PRINT | findstr 192.168.10
# Linux
ip route show | grep 192.168.10
```
2. **Test from remote gateway PC:**
- Connect via TeamViewer Remote Control to gateway PC
- Try pinging PLC from there: `ping 192.168.10.100`
- If this fails, problem is in local network, not VPN
3. **Check IP forwarding on Linux gateway:**
```bash
cat /proc/sys/net/ipv4/ip_forward
# Should return 1
```
4. **Check firewall on gateway PC** (see Step 5)
5. **Verify PLC is actually at that IP:**
- Use PLC web server (if enabled): http://192.168.10.100
- Check PLC front panel/display for IP address
- Use TIA Portal hardware detection
---
### Issue 4: TIA Portal Cannot Find PLC
**Symptoms:**
- Can ping PLC (192.168.10.100)
- TIA Portal shows "No accessible devices found"
- Communication test fails
**Solutions:**
1. **Check TIA Portal Network Settings:**
- File → Settings → PG/PC Interface
- Make sure correct adapter is selected
- Try selecting "PN/IE" interface
2. **Use correct subnet mask in TIA Portal:**
- PLC properties → PROFINET Interface
- Ensure subnet matches: 192.168.10.0/24
3. **Disable Windows Firewall temporarily:**
```cmd
netsh advfirewall set allprofiles state off
```
If this works, add specific rules for TIA Portal
4. **Check PLC CPU is in RUN or STOP mode:**
- Some operations require STOP mode
- Check LED indicators on PLC
5. **Verify PLC protection level:**
- Protection level 3 blocks write access
- Password may be required
6. **Try Online → Accessible Devices → Update**
- Click "Update Accessible Devices"
- Wait 30-60 seconds for scan
7. **Add PLC manually in TIA Portal:**
- Don't rely on auto-detection
- Manually specify IP: 192.168.10.100
---
### Issue 5: Connection Drops Frequently
**Symptoms:**
- VPN disconnects randomly
- Connection unstable
**Solutions:**
1. **Check internet stability on both ends:**
- Run speed test
- Check for packet loss: `ping -t 8.8.8.8`
2. **Adjust TeamViewer settings:**
- Extras → Options → Advanced
- Disable "Optimize quality"
- Set connection quality to "Low quality"
3. **Use TeamViewer Wake-on-LAN:**
- Set up WoL for remote PC
- Configure in TeamViewer options
4. **Keep remote PC from sleeping:**
```cmd
# Windows - Disable sleep
powercfg -change -standby-timeout-ac 0
powercfg -change -hibernate-timeout-ac 0
```
---
### Issue 6: Slow PLC Communication
**Symptoms:**
- Connection works but very slow
- Uploads/downloads take forever
- TIA Portal timeouts
**Solutions:**
1. **Reduce communication load:**
- Close unnecessary programs on both PCs
- Disable cloud sync, updates during work
2. **Increase TIA Portal timeout:**
- Options → Settings → Communication
- Increase timeout values
3. **Check TeamViewer quality settings:**
- Reduce quality when VPN is active
- Close remote control sessions when using VPN
4. **Use wired connection on both ends:**
- WiFi can cause latency issues
---
### Issue 7: Linux-Specific Issues
**TeamViewer doesn't start:**
```bash
# Check service status
sudo systemctl status teamviewerd
# Restart service
sudo systemctl restart teamviewerd
# Check logs
journalctl -u teamviewerd -n 50
```
**VPN adapter not created:**
```bash
# Check loaded kernel modules
lsmod | grep tun
# Load tun module if missing
sudo modprobe tun
# Make permanent
echo "tun" | sudo tee -a /etc/modules
```
---
## Quick Reference Commands
### Windows Commands
```cmd
REM View all network routes
route PRINT
REM Add route to PLC network
route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 -p
REM Remove route
route DELETE 192.168.10.0
REM View network adapters
ipconfig /all
REM Test PLC connectivity
ping 192.168.10.100
telnet 192.168.10.100 102
REM Restart TeamViewer service
net stop TeamViewer
net start TeamViewer
```
### Linux Commands
```bash
# View all network routes
ip route show
# Add route to PLC network
sudo ip route add 192.168.10.0/24 via 7.254.0.2
# Remove route
sudo ip route del 192.168.10.0/24
# View network adapters
ip addr show
# Test PLC connectivity
ping 192.168.10.100
nc -zv 192.168.10.100 102
# Restart TeamViewer service
sudo systemctl restart teamviewerd
```
---
## Security Considerations
### Best Practices
1. **Use Strong Passwords:**
- Set complex TeamViewer password (15+ characters)
- Enable two-factor authentication on TeamViewer account
2. **Limit Access:**
- Only allow VPN connections from known TeamViewer IDs
- Use TeamViewer Management Console for access control
3. **PLC Security:**
- Set PLC protection level appropriately
- Use password protection on PLC
- Enable access control lists if PLC supports it
4. **Network Segmentation:**
- Keep PLC network separate from office network
- Use VLAN if possible
- Gateway PC should only have access to PLC network
5. **Logging:**
- Enable TeamViewer connection logging
- Monitor who connects and when
- Keep audit trail of PLC changes
6. **Regular Updates:**
- Keep TeamViewer updated
- Update PLC firmware when security patches available
- Keep Windows/Linux updated on gateway PC
7. **Backup:**
- Regular PLC program backups
- Version control for PLC code
- Document all changes
---
## Advanced Configuration
### Multiple PLCs on Same Network
If you have multiple PLCs on 192.168.10.0/24:
```
PLC1: 192.168.10.100
PLC2: 192.168.10.101
PLC3: 192.168.10.102
```
**No additional routing needed** - the single route covers entire subnet:
```cmd
route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 -p
```
### Multiple Remote Sites
For accessing PLCs at different sites:
**Site A:** 192.168.10.0/24 (Gateway TeamViewer ID: 123456789)
**Site B:** 192.168.20.0/24 (Gateway TeamViewer ID: 987654321)
**Solution:**
1. Connect VPN to Site A → Add route for 192.168.10.0/24
2. Disconnect VPN
3. Connect VPN to Site B → Add route for 192.168.20.0/24
4. Use script to automate route changes (see provided scripts)
### Permanent vs. Temporary Routes
**Temporary Route (lost on reboot):**
```cmd
route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2
```
**Permanent Route (Windows):**
```cmd
route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 -p
```
**Permanent Route (Linux):**
Add to `/etc/network/interfaces` or create systemd service
---
## Performance Optimization
### Recommended Settings
**TeamViewer Settings:**
- Quality: Medium (for VPN mode)
- Display: 16-bit colors
- Disable wallpaper/animations
- Close remote control when using VPN only
**TIA Portal Settings:**
- Communication timeout: 10000ms (10 seconds)
- Disable automatic compile
- Work offline, upload/download when ready
**Network Recommendations:**
- Minimum 5 Mbps upload/download on both ends
- Latency < 100ms preferred
- Wired connection recommended
- Close bandwidth-heavy applications
---
## Alternatives to TeamViewer VPN
If TeamViewer VPN doesn't meet your needs:
1. **ZeroTier** (covered in separate guide)
- More flexible routing
- Free tier available
- Mesh network topology
2. **OpenVPN**
- Full VPN solution
- Requires server setup
- More complex configuration
3. **WireGuard**
- Modern, fast VPN
- Simple configuration
- Requires server
4. **Tailscale**
- Built on WireGuard
- Easy mesh network
- Free tier available
5. **Direct PLC Remote Access** (Siemens specific)
- TeleService
- Siemens Cloud Connect
- Industrial VPN routers (e.g., mGuard)
---
## Appendix A: Port Reference
| Device/Service | Port | Protocol | Purpose |
|----------------|------|----------|---------|
| TeamViewer | 5938 | TCP | Primary connection |
| S7-1200 PLC | 102 | TCP | ISO-on-TCP (S7 Communication) |
| S7-1200 PLC | 80 | TCP | HTTP (Web Server) |
| S7-1200 PLC | 443 | TCP | HTTPS (Secure Web Server) |
| PROFINET | 34962-34964 | UDP | Real-time communication |
| TIA Portal | Various | TCP/UDP | Project transfer |
---
## Appendix B: Common S7-1200 IP Configurations
| Parameter | Typical Value | Notes |
|-----------|---------------|-------|
| IP Address | 192.168.0.1 - 192.168.0.254 | Factory default varies by CPU |
| Subnet Mask | 255.255.255.0 | /24 network |
| Gateway | 192.168.0.1 | Usually router IP |
| DHCP | Disabled | Static IP recommended |
**To find PLC IP:**
1. Check PLC display (if HMI attached)
2. Use TIA Portal "Accessible Devices" scan
3. Check DHCP server lease table
4. Connect via USB and read configuration
---
## Appendix C: TIA Portal Version Compatibility
| TIA Portal Version | S7-1200 CPU Support | Notes |
|-------------------|---------------------|-------|
| V11 | V1.x, V2.x | Older |
| V12 | V1.x, V2.x, V3.x | |
| V13 SP1+ | V1.x - V4.x | |
| V14 | V1.x - V4.x | |
| V15 | V1.x - V4.x | |
| V16 | V1.x - V4.x | Recommended |
| V17 | V1.x - V4.5 | Latest features |
| V18 | V1.x - V4.6 | Current |
---
## Post-Configuration Checklist
- [ ] TeamViewer installed on both computers
- [ ] TeamViewer license verified (VPN feature enabled)
- [ ] Unattended access configured on remote gateway PC
- [ ] VPN connection established successfully
- [ ] VPN IP addresses identified
- [ ] Static route added to PLC network
- [ ] Can ping remote VPN IP from your computer
- [ ] Can ping PLC IP from your computer
- [ ] IP forwarding enabled (Linux gateway)
- [ ] Firewall rules configured (Linux gateway)
- [ ] TIA Portal can detect/connect to PLC
- [ ] Successfully uploaded/downloaded PLC program
- [ ] Routes made persistent (optional but recommended)
- [ ] Connection documented for future use
- [ ] Backup of PLC program created
---
## Support Resources
**TeamViewer:**
- Official Documentation: https://www.teamviewer.com/en/documents/
- VPN Guide: https://community.teamviewer.com/
**Siemens:**
- TIA Portal Documentation: https://support.industry.siemens.com/
- S7-1200 Manual: Search for "S7-1200 System Manual"
- Siemens Forum: https://support.industry.siemens.com/tf/ww/en/
**Community:**
- PLCTalk Forum: https://www.plctalk.net/
- Reddit r/PLC: https://www.reddit.com/r/PLC/
---
**Document Version:** 1.0
**Last Updated:** February 16, 2026
**Tested With:** TeamViewer 15, TIA Portal V17, S7-1214C DC/DC/DC