# TeamViewer VPN Configuration Guide ## Remote Access to Siemens S7-1200 PLC via TeamViewer VPN This guide explains how to configure TeamViewer VPN to remotely access industrial PLCs (specifically Siemens S7-1200) that are on a remote local network. --- ## ⚠️ Important Notes - **TeamViewer VPN requires TeamViewer License** (Premium, Corporate, or Tensor) - **Free version does NOT support VPN feature** - This guide assumes you have a valid TeamViewer license - PLC programming requires TIA Portal or STEP 7 - Industrial network security best practices should be followed --- ## Network Topology ``` Your Computer (Engineer/Programmer) ↓ (Internet) TeamViewer VPN Connection ↓ (Virtual VPN Tunnel) Remote Gateway PC (with TeamViewer) ↓ (Local Network: 192.168.10.0/24) Siemens S7-1200 PLC (192.168.10.100) ``` --- ## Prerequisites ### Software Requirements **On Your Computer (Client):** - TeamViewer (Full version with VPN license) - TIA Portal V16/V17/V18 or STEP 7 - Windows 10/11 or Linux with Wine (for TIA Portal) **On Remote Gateway PC:** - TeamViewer (Full version with VPN license) - Windows 7 or later / Linux - Access to 192.168.10.0/24 network where PLC is located - **Must be always running and connected to internet** ### Network Requirements - Remote PC must have network access to PLC network (192.168.10.0/24) - PLC must be reachable from remote gateway PC - Firewall rules allowing TeamViewer VPN traffic - Static IP recommended for PLC (e.g., 192.168.10.100) --- ## Information to Collect Before starting, gather this information: ### Remote Gateway PC Information: - TeamViewer ID: `_________________` - Computer Name: `_________________` - Local IP Address: `_________________` (e.g., 192.168.10.50) - Network Interface connected to PLC network: `_________________` (e.g., eth0, Ethernet) - Gateway/Router IP: `_________________` (e.g., 192.168.10.1) ### PLC Network Information: - PLC Network Subnet: `_________________` (e.g., 192.168.10.0/24) - PLC IP Address: `_________________` (e.g., 192.168.10.100) - PLC Subnet Mask: `_________________` (e.g., 255.255.255.0) - Other devices on network: `_________________` ### TeamViewer VPN Information: - Your VPN IP (assigned by TeamViewer): `_________________` (e.g., 7.x.x.x) - Remote PC VPN IP (assigned by TeamViewer): `_________________` (e.g., 7.x.x.x) --- ## Step-by-Step Configuration ## Part 1: Remote Gateway PC Setup ### STEP 1: Install TeamViewer on Remote Gateway PC **For Windows:** 1. Download TeamViewer from https://www.teamviewer.com 2. Install with "Install to access this computer remotely" option 3. Set up unattended access with password 4. Configure to start with Windows **For Linux (Debian/Ubuntu):** ```bash # Download TeamViewer wget https://download.teamviewer.com/download/linux/teamviewer_amd64.deb # Install sudo dpkg -i teamviewer_amd64.deb sudo apt-get install -f # Start TeamViewer teamviewer # Enable daemon for unattended access sudo teamviewer daemon enable ``` **For Linux (CentOS/RHEL):** ```bash # Download TeamViewer wget https://download.teamviewer.com/download/linux/teamviewer.x86_64.rpm # Install sudo yum install ./teamviewer.x86_64.rpm # Start TeamViewer teamviewer ``` --- ### STEP 2: Configure TeamViewer for Unattended Access 1. Open TeamViewer 2. Go to **Extras** → **Options** 3. **General Tab:** - Set TeamViewer to start with system - Enable "Start TeamViewer with Windows/System" 4. **Security Tab:** - Set a strong password for unattended access - Configure "Random password" to "Disabled" (use permanent password) 5. **Remote Control Tab:** - Disable "Confirm all" if needed for automation 6. Note the **TeamViewer ID** - you'll need this to connect --- ### STEP 3: Verify Network Access to PLC **On Remote Gateway PC:** **Windows:** ```cmd # Test ping to PLC ping 192.168.10.100 # Check network configuration ipconfig /all # Test connection to PLC port (usually 102 for S7 comm) # Install telnet first if not available telnet 192.168.10.100 102 ``` **Linux:** ```bash # Test ping to PLC ping -c 4 192.168.10.100 # Check network configuration ip addr show ip route show # Test connection to PLC port nc -zv 192.168.10.100 102 # or telnet 192.168.10.100 102 ``` ✅ **Checkpoint:** Gateway PC must be able to ping and reach PLC before continuing --- ### STEP 4: Enable IP Forwarding (Linux Gateway Only) **Skip this step if using Windows as gateway** **For Linux Gateway:** ```bash # Check current setting cat /proc/sys/net/ipv4/ip_forward # Enable IP forwarding sudo sysctl -w net.ipv4.ip_forward=1 # Make permanent echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf # Apply changes sudo sysctl -p ``` --- ### STEP 5: Configure Firewall (Linux Gateway Only) **For Linux Gateway with iptables:** ```bash # Allow forwarding from TeamViewer VPN to local network # Get TeamViewer VPN interface name first ip addr show | grep -A 2 "^[0-9].*teamviewer" # Usually it's something like: teamviewer0 or tap0 # Replace with actual interface name # Replace with interface connected to PLC network (e.g., eth0) # Allow forwarding sudo iptables -A FORWARD -i -o -j ACCEPT sudo iptables -A FORWARD -i -o -m state --state RELATED,ESTABLISHED -j ACCEPT # Example: sudo iptables -A FORWARD -i teamviewer0 -o eth0 -j ACCEPT sudo iptables -A FORWARD -i eth0 -o teamviewer0 -m state --state RELATED,ESTABLISHED -j ACCEPT # Save rules sudo iptables-save | sudo tee /etc/iptables/rules.v4 ``` **For Linux Gateway with firewalld:** ```bash # Add TeamViewer interface to trusted zone sudo firewall-cmd --zone=trusted --add-interface=teamviewer0 --permanent # Allow forwarding sudo firewall-cmd --permanent --add-masquerade sudo firewall-cmd --reload ``` --- ## Part 2: Your Computer (Client) Setup ### STEP 6: Install TeamViewer on Your Computer 1. Download and install TeamViewer from https://www.teamviewer.com 2. Log in with your TeamViewer account (required for VPN) 3. Ensure you have VPN feature enabled (check your license) --- ### STEP 7: Establish TeamViewer VPN Connection 1. Open TeamViewer 2. Enter the **Remote Gateway PC's TeamViewer ID** 3. Instead of clicking "Remote Control", click the **dropdown arrow** next to it 4. Select **"VPN"** from the dropdown menu 5. Enter the unattended access password 6. Wait for VPN connection to establish **What happens:** - TeamViewer creates a virtual network adapter on both computers - Both computers get IPs in the 7.x.x.x range (e.g., 7.x.x.1 and 7.x.x.2) - A point-to-point VPN tunnel is created --- ### STEP 8: Identify TeamViewer VPN IP Addresses **On Your Computer:** **Windows:** ```cmd ipconfig /all # Look for "TeamViewer VPN Adapter" # Note the IPv4 Address (e.g., 7.254.0.1) ``` **Linux:** ```bash ip addr show | grep -A 5 teamviewer # Note the inet address ``` **Record:** - Your VPN IP: `_________________` - Remote PC VPN IP: `_________________` (usually your IP ± 1) ✅ **Test VPN Connection:** ```bash # Ping remote gateway PC via VPN ping ``` --- ### STEP 9: Add Static Route to PLC Network You need to tell your computer that to reach 192.168.10.0/24, it should route through the TeamViewer VPN. **On Your Computer (Windows):** ```cmd # Add route to PLC network via TeamViewer VPN # Template: route ADD MASK # Example: route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 # Make permanent (add -p flag): route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 -p # Verify route route PRINT ``` **On Your Computer (Linux):** ```bash # Add route to PLC network via TeamViewer VPN # Template: sudo ip route add / via # Example: sudo ip route add 192.168.10.0/24 via 7.254.0.2 # Verify route ip route show | grep 192.168.10 ``` --- ### STEP 10: Configure Static Route on Remote Gateway PC (Windows Only) **If Remote Gateway is Windows:** The remote PC needs to know that traffic destined for your VPN IP should go through the TeamViewer VPN interface. ```cmd # Usually not needed if TeamViewer handles routing automatically # But if you have issues, add this route: # Get your VPN IP (e.g., 7.254.0.1) # Add route on remote PC: route ADD 7.254.0.0 MASK 255.255.0.0 IF # Check with: route PRINT ``` **Most times this is automatic**, so skip if you can ping the PLC from your computer. --- ### STEP 11: Test Connectivity to PLC **From Your Computer:** **Test 1: Ping the PLC** ```bash ping 192.168.10.100 ``` **Test 2: Check route** ```cmd # Windows tracert 192.168.10.100 # Linux traceroute 192.168.10.100 ``` Expected path: ``` 1. Your computer (local) 2. Remote VPN IP (e.g., 7.254.0.2) 3. PLC (192.168.10.100) ``` **Test 3: Test S7 Communication Port** ```bash # Windows (if telnet enabled) telnet 192.168.10.100 102 # Linux nc -zv 192.168.10.100 102 ``` ✅ **Checkpoint:** Should be able to ping and reach port 102 on PLC --- ## Part 3: TIA Portal / STEP 7 Configuration ### STEP 12: Configure TIA Portal for Remote PLC Access 1. **Open TIA Portal** 2. **Open your project** or create new one 3. **Add new device** or go to existing PLC configuration 4. **Configure PLC Connection:** - Go to **Online & Diagnostics** or **Online Access** - Click **"Accessible Devices"** → **"Update accessible devices"** - Set **PG/PC Interface**: Choose the network adapter - **Important:** Select your **main network adapter** (not TeamViewer VPN adapter) 5. **Add PLC Manually if not auto-detected:** - Right-click on network → **Add new subnet** - Set subnet: `PN/IE_1` (or similar) - Add PLC with IP: `192.168.10.100` - Set interface: `PN/IE` with IP `192.168.10.100` 6. **Go Online with PLC:** - Select your PLC in project tree - Click **"Go Online"** button - If connection dialog appears, verify IP `192.168.10.100` - Click **Connect** ### Alternative: Use NetPro (STEP 7 Classic) 1. Open NetPro 2. Configure PG/PC Interface 3. Set route to PLC: `192.168.10.100` 4. Test connection --- ## Part 4: Automation & Scripts For easier setup, use the provided configuration scripts. ### Windows Automation Script See: `teamviewer-vpn-setup-windows.bat` ### Linux Automation Script See: `teamviewer-vpn-setup-linux.sh` --- ## Troubleshooting Guide ### Issue 1: Cannot Connect TeamViewer VPN **Symptoms:** - VPN option grayed out - "VPN not available" error **Solutions:** 1. Verify TeamViewer license includes VPN feature 2. Log in to TeamViewer account on both computers 3. Update TeamViewer to latest version 4. Check firewall isn't blocking TeamViewer (port 5938) 5. Try restarting TeamViewer service: ```cmd # Windows net stop TeamViewer net start TeamViewer ``` --- ### Issue 2: VPN Connects but Cannot Ping Remote PC **Symptoms:** - VPN status shows "Connected" - Cannot ping remote VPN IP (e.g., 7.254.0.2) **Solutions:** 1. **Check VPN adapter status:** ```cmd # Windows ipconfig /all # Look for TeamViewer VPN adapter - should show IP 7.x.x.x ``` 2. **Check Windows Firewall on remote PC:** ```cmd # Temporarily disable to test netsh advfirewall set allprofiles state off # If this fixes it, create rules: netsh advfirewall firewall add rule name="TeamViewer VPN" dir=in action=allow protocol=any remoteip=7.0.0.0/8 # Re-enable firewall netsh advfirewall set allprofiles state on ``` 3. **Restart network adapter:** - Network Connections → Disable/Enable TeamViewer VPN adapter --- ### Issue 3: Can Ping Remote PC but Cannot Reach PLC **Symptoms:** - Can ping remote VPN IP (7.254.0.2) - Cannot ping PLC (192.168.10.100) **Solutions:** 1. **Verify route is configured:** ```cmd # Windows route PRINT | findstr 192.168.10 # Linux ip route show | grep 192.168.10 ``` 2. **Test from remote gateway PC:** - Connect via TeamViewer Remote Control to gateway PC - Try pinging PLC from there: `ping 192.168.10.100` - If this fails, problem is in local network, not VPN 3. **Check IP forwarding on Linux gateway:** ```bash cat /proc/sys/net/ipv4/ip_forward # Should return 1 ``` 4. **Check firewall on gateway PC** (see Step 5) 5. **Verify PLC is actually at that IP:** - Use PLC web server (if enabled): http://192.168.10.100 - Check PLC front panel/display for IP address - Use TIA Portal hardware detection --- ### Issue 4: TIA Portal Cannot Find PLC **Symptoms:** - Can ping PLC (192.168.10.100) - TIA Portal shows "No accessible devices found" - Communication test fails **Solutions:** 1. **Check TIA Portal Network Settings:** - File → Settings → PG/PC Interface - Make sure correct adapter is selected - Try selecting "PN/IE" interface 2. **Use correct subnet mask in TIA Portal:** - PLC properties → PROFINET Interface - Ensure subnet matches: 192.168.10.0/24 3. **Disable Windows Firewall temporarily:** ```cmd netsh advfirewall set allprofiles state off ``` If this works, add specific rules for TIA Portal 4. **Check PLC CPU is in RUN or STOP mode:** - Some operations require STOP mode - Check LED indicators on PLC 5. **Verify PLC protection level:** - Protection level 3 blocks write access - Password may be required 6. **Try Online → Accessible Devices → Update** - Click "Update Accessible Devices" - Wait 30-60 seconds for scan 7. **Add PLC manually in TIA Portal:** - Don't rely on auto-detection - Manually specify IP: 192.168.10.100 --- ### Issue 5: Connection Drops Frequently **Symptoms:** - VPN disconnects randomly - Connection unstable **Solutions:** 1. **Check internet stability on both ends:** - Run speed test - Check for packet loss: `ping -t 8.8.8.8` 2. **Adjust TeamViewer settings:** - Extras → Options → Advanced - Disable "Optimize quality" - Set connection quality to "Low quality" 3. **Use TeamViewer Wake-on-LAN:** - Set up WoL for remote PC - Configure in TeamViewer options 4. **Keep remote PC from sleeping:** ```cmd # Windows - Disable sleep powercfg -change -standby-timeout-ac 0 powercfg -change -hibernate-timeout-ac 0 ``` --- ### Issue 6: Slow PLC Communication **Symptoms:** - Connection works but very slow - Uploads/downloads take forever - TIA Portal timeouts **Solutions:** 1. **Reduce communication load:** - Close unnecessary programs on both PCs - Disable cloud sync, updates during work 2. **Increase TIA Portal timeout:** - Options → Settings → Communication - Increase timeout values 3. **Check TeamViewer quality settings:** - Reduce quality when VPN is active - Close remote control sessions when using VPN 4. **Use wired connection on both ends:** - WiFi can cause latency issues --- ### Issue 7: Linux-Specific Issues **TeamViewer doesn't start:** ```bash # Check service status sudo systemctl status teamviewerd # Restart service sudo systemctl restart teamviewerd # Check logs journalctl -u teamviewerd -n 50 ``` **VPN adapter not created:** ```bash # Check loaded kernel modules lsmod | grep tun # Load tun module if missing sudo modprobe tun # Make permanent echo "tun" | sudo tee -a /etc/modules ``` --- ## Quick Reference Commands ### Windows Commands ```cmd REM View all network routes route PRINT REM Add route to PLC network route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 -p REM Remove route route DELETE 192.168.10.0 REM View network adapters ipconfig /all REM Test PLC connectivity ping 192.168.10.100 telnet 192.168.10.100 102 REM Restart TeamViewer service net stop TeamViewer net start TeamViewer ``` ### Linux Commands ```bash # View all network routes ip route show # Add route to PLC network sudo ip route add 192.168.10.0/24 via 7.254.0.2 # Remove route sudo ip route del 192.168.10.0/24 # View network adapters ip addr show # Test PLC connectivity ping 192.168.10.100 nc -zv 192.168.10.100 102 # Restart TeamViewer service sudo systemctl restart teamviewerd ``` --- ## Security Considerations ### Best Practices 1. **Use Strong Passwords:** - Set complex TeamViewer password (15+ characters) - Enable two-factor authentication on TeamViewer account 2. **Limit Access:** - Only allow VPN connections from known TeamViewer IDs - Use TeamViewer Management Console for access control 3. **PLC Security:** - Set PLC protection level appropriately - Use password protection on PLC - Enable access control lists if PLC supports it 4. **Network Segmentation:** - Keep PLC network separate from office network - Use VLAN if possible - Gateway PC should only have access to PLC network 5. **Logging:** - Enable TeamViewer connection logging - Monitor who connects and when - Keep audit trail of PLC changes 6. **Regular Updates:** - Keep TeamViewer updated - Update PLC firmware when security patches available - Keep Windows/Linux updated on gateway PC 7. **Backup:** - Regular PLC program backups - Version control for PLC code - Document all changes --- ## Advanced Configuration ### Multiple PLCs on Same Network If you have multiple PLCs on 192.168.10.0/24: ``` PLC1: 192.168.10.100 PLC2: 192.168.10.101 PLC3: 192.168.10.102 ``` **No additional routing needed** - the single route covers entire subnet: ```cmd route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 -p ``` ### Multiple Remote Sites For accessing PLCs at different sites: **Site A:** 192.168.10.0/24 (Gateway TeamViewer ID: 123456789) **Site B:** 192.168.20.0/24 (Gateway TeamViewer ID: 987654321) **Solution:** 1. Connect VPN to Site A → Add route for 192.168.10.0/24 2. Disconnect VPN 3. Connect VPN to Site B → Add route for 192.168.20.0/24 4. Use script to automate route changes (see provided scripts) ### Permanent vs. Temporary Routes **Temporary Route (lost on reboot):** ```cmd route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 ``` **Permanent Route (Windows):** ```cmd route ADD 192.168.10.0 MASK 255.255.255.0 7.254.0.2 -p ``` **Permanent Route (Linux):** Add to `/etc/network/interfaces` or create systemd service --- ## Performance Optimization ### Recommended Settings **TeamViewer Settings:** - Quality: Medium (for VPN mode) - Display: 16-bit colors - Disable wallpaper/animations - Close remote control when using VPN only **TIA Portal Settings:** - Communication timeout: 10000ms (10 seconds) - Disable automatic compile - Work offline, upload/download when ready **Network Recommendations:** - Minimum 5 Mbps upload/download on both ends - Latency < 100ms preferred - Wired connection recommended - Close bandwidth-heavy applications --- ## Alternatives to TeamViewer VPN If TeamViewer VPN doesn't meet your needs: 1. **ZeroTier** (covered in separate guide) - More flexible routing - Free tier available - Mesh network topology 2. **OpenVPN** - Full VPN solution - Requires server setup - More complex configuration 3. **WireGuard** - Modern, fast VPN - Simple configuration - Requires server 4. **Tailscale** - Built on WireGuard - Easy mesh network - Free tier available 5. **Direct PLC Remote Access** (Siemens specific) - TeleService - Siemens Cloud Connect - Industrial VPN routers (e.g., mGuard) --- ## Appendix A: Port Reference | Device/Service | Port | Protocol | Purpose | |----------------|------|----------|---------| | TeamViewer | 5938 | TCP | Primary connection | | S7-1200 PLC | 102 | TCP | ISO-on-TCP (S7 Communication) | | S7-1200 PLC | 80 | TCP | HTTP (Web Server) | | S7-1200 PLC | 443 | TCP | HTTPS (Secure Web Server) | | PROFINET | 34962-34964 | UDP | Real-time communication | | TIA Portal | Various | TCP/UDP | Project transfer | --- ## Appendix B: Common S7-1200 IP Configurations | Parameter | Typical Value | Notes | |-----------|---------------|-------| | IP Address | 192.168.0.1 - 192.168.0.254 | Factory default varies by CPU | | Subnet Mask | 255.255.255.0 | /24 network | | Gateway | 192.168.0.1 | Usually router IP | | DHCP | Disabled | Static IP recommended | **To find PLC IP:** 1. Check PLC display (if HMI attached) 2. Use TIA Portal "Accessible Devices" scan 3. Check DHCP server lease table 4. Connect via USB and read configuration --- ## Appendix C: TIA Portal Version Compatibility | TIA Portal Version | S7-1200 CPU Support | Notes | |-------------------|---------------------|-------| | V11 | V1.x, V2.x | Older | | V12 | V1.x, V2.x, V3.x | | | V13 SP1+ | V1.x - V4.x | | | V14 | V1.x - V4.x | | | V15 | V1.x - V4.x | | | V16 | V1.x - V4.x | Recommended | | V17 | V1.x - V4.5 | Latest features | | V18 | V1.x - V4.6 | Current | --- ## Post-Configuration Checklist - [ ] TeamViewer installed on both computers - [ ] TeamViewer license verified (VPN feature enabled) - [ ] Unattended access configured on remote gateway PC - [ ] VPN connection established successfully - [ ] VPN IP addresses identified - [ ] Static route added to PLC network - [ ] Can ping remote VPN IP from your computer - [ ] Can ping PLC IP from your computer - [ ] IP forwarding enabled (Linux gateway) - [ ] Firewall rules configured (Linux gateway) - [ ] TIA Portal can detect/connect to PLC - [ ] Successfully uploaded/downloaded PLC program - [ ] Routes made persistent (optional but recommended) - [ ] Connection documented for future use - [ ] Backup of PLC program created --- ## Support Resources **TeamViewer:** - Official Documentation: https://www.teamviewer.com/en/documents/ - VPN Guide: https://community.teamviewer.com/ **Siemens:** - TIA Portal Documentation: https://support.industry.siemens.com/ - S7-1200 Manual: Search for "S7-1200 System Manual" - Siemens Forum: https://support.industry.siemens.com/tf/ww/en/ **Community:** - PLCTalk Forum: https://www.plctalk.net/ - Reddit r/PLC: https://www.reddit.com/r/PLC/ --- **Document Version:** 1.0 **Last Updated:** February 16, 2026 **Tested With:** TeamViewer 15, TIA Portal V17, S7-1214C DC/DC/DC