PLC Remote Access with same subnets/IPs on PLCs

matt303 (Member, Auckland, joined Jun 2016, 19 posts)
Hey everyone, I hope someone can help me. I have SoftEther running on Windows Server on a VPS. I have successfully set up the server and clients and can connect via PC and the 4G LTE router (Teltonika RUT240) and can access a Siemens S7-1200 PLC.

I have a NAT set up on the VPN server with 192.168.5.1, have given the PLC a static IP of 192.168.5.10, and have set a static IP on the TAP interface on the PC of 192.168.5.15. I have installed a virtual Ethernet adapter (Microsoft loopback), assigned it a static IP of 192.168.5.20, and bridged the connections in SoftEther Server to the virtual hub. This now gives me access from the server to the PLC (I can ping the PLC from the server and the engineering PC), and I can connect to the PLC from the PC fine.

The problem I now have is that I have a lot of PLCs at remote sites already set up, and they all have the same subnets, which cannot be changed (they are connected to other devices on the network that I have no control over). I have thought about setting up individual NATs on the routers I will be installing, but it seems the OpenVPN TAP client in the router is bridged to the local LAN and can't be altered.

The other issue I see is that the SCADA software running on the server needs to access these PLCs (I set the PLC IP address in the software to choose which one it connects to). I now have an issue because they all have the same IP, so I was possibly thinking about setting the PLC IP in the software to the NAT IP set on the router and then creating a static route to the PLC on the router.

If I need to access a PLC network from the engineering PC, I will just connect to the server and set the TAP IP to the NAT the PLC is on, and I may need to cascade the connection to that particular virtual VPN hub.

I will link a diagram for a better understanding

If anyone has any better ideas or ways of achieving this, that would be great.

 
When you want to access a specific PLC, you first set up the VPN connection.
When the VPN connection is OK, you have to tell your PC which route to use to reach the remote IPs.
Some VPN solutions automatically set up a route on your engineering PC. If yours does not, you have to set up the route manually.

Here is an example of a small batch file that sets up host routes (mask 255.255.255.255) to 2 devices on a remote location:
Code:
REM Host routes for two remote devices, sent via the remote site's VPN endpoint.
REM Run from an elevated prompt; add -p to make the routes persistent across reboots.
ROUTE ADD 192.168.1.114 mask 255.255.255.255 7.123.45.67 metric 1
ROUTE ADD 192.168.1.115 mask 255.255.255.255 7.123.45.67 metric 1
The IPs 192.168.1.114 and 192.168.1.115 are the 2 devices on the remote site.
The IP 7.123.45.67 is the IP of the VPN on the remote site.
 
As to the issue with the SCADA needing to access the PLCs simultaneously, yes, I think you need some kind of NAT. You cannot set up routes to the actual IPs since they are the same.
If you do use a NAT, then I guess your programming PC should be able to use the NAT as well.
My answer above is for when you have a VPN that connects the programming PC to the remote site(s) directly.
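The two replies above describe the two halves of one arrangement: a per-site NAT so that PLCs which all live on 192.168.1.0/24 get a unique address on the VPN side, and host/network routes on the SCADA or engineering machine pointing each mapped range at the right site's VPN endpoint. The script below is an added example written for this thread, not code from any poster, SoftEther or Teltonika. It assumes a site router running iptables with the NETMAP target (OpenWrt-based units normally have it), a VPN interface on the router that is routed (tun0 here) rather than bridged into the LAN, an unused 10.10.<site>.0/24 per site on the VPN side, TCP/102 as the S7 port, and constructed VPN addresses for the demo. The interface name, prefixes and SCADA address are all assumptions to be adjusted.

```shell
#!/bin/sh
# Added example (not from the thread): per-site 1:1 NAT (iptables NETMAP) so that
# PLCs which all sit on 192.168.1.0/24 at every site get a unique address on the
# VPN side, plus the matching routes for the SCADA/engineering machine.
# Assumptions: iptables with the NETMAP target on the site router, a ROUTED VPN
# interface (tun0) on the router, and 10.10.<site>.0/24 unused on the VPN side.
set -e

SITE_LAN_PREFIX=192.168.1     # identical LAN at every site (cannot be changed)
VPN_PREFIX=10.10              # 10.10.<site>.0/24 is how the server sees site <site>
VPN_IF=tun0                   # assumed routed VPN interface name on the router

# mapped_addr SITE HOST-IP -> the address the SCADA server uses for that PLC.
# Only the last octet is kept, so 192.168.1.10 at site 3 becomes 10.10.3.10.
mapped_addr() {
    site=$1; ip=$2
    case $ip in
        "$SITE_LAN_PREFIX".*) ;;
        *) echo "mapped_addr: $ip is not in $SITE_LAN_PREFIX.0/24" >&2; return 1 ;;
    esac
    [ "$site" -ge 1 ] && [ "$site" -le 254 ] || { echo "bad site id $site" >&2; return 1; }
    echo "$VPN_PREFIX.$site.${ip##*.}"
}

# netmap_rules SITE SCADA-IP -> iptables commands for the router at that site.
# PREROUTING rewrites the destination 10.10.N.x -> 192.168.1.x for packets arriving
# from the VPN; POSTROUTING rewrites the source 192.168.1.x -> 10.10.N.x on replies.
# The FORWARD rules are the least-privilege part: only the SCADA host may reach the
# mapped PLCs, only on TCP/102 (S7 ISO-on-TCP); anything else from the VPN is dropped.
# FORWARD sees the post-DNAT destination, hence -d 192.168.1.0/24 there.
netmap_rules() {
    site=$1; scada=$2
    net="$VPN_PREFIX.$site.0/24"
    cat <<EOF
iptables -t nat -A PREROUTING  -i $VPN_IF -d $net -j NETMAP --to $SITE_LAN_PREFIX.0/24
iptables -t nat -A POSTROUTING -o $VPN_IF -s $SITE_LAN_PREFIX.0/24 -j NETMAP --to $net
iptables -A FORWARD -i $VPN_IF -s $scada -d $SITE_LAN_PREFIX.0/24 -p tcp --dport 102 -j ACCEPT
iptables -A FORWARD -i $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -j DROP
EOF
}

# server_route SITE ROUTER-VPN-IP -> the Windows route for the SCADA/engineering PC,
# in the same form as the ROUTE ADD lines earlier in the thread (one /24 per site).
server_route() {
    echo "ROUTE ADD $VPN_PREFIX.$1.0 mask 255.255.255.0 $2 metric 1"
}

# Demonstration for three sites. The SCADA address 10.8.0.2 and the router VPN
# addresses 10.8.0.11..13 are constructed values, not from the thread.
if [ "${1:-}" = "demo" ]; then
    for site in 1 2 3; do
        echo "# site $site: PLC 192.168.1.10 is reached as $(mapped_addr "$site" 192.168.1.10)"
        netmap_rules "$site" 10.8.0.2
        server_route "$site" "10.8.0.$((10 + site))"
    done
fi
```

Run it with `sh nat-sites.sh demo` to print the rule set and the server-side routes for three sites; paste each site's block into that router's firewall include. The design point is the caveat the thread already touches on: NETMAP only works where the router forwards packets between the VPN and the LAN, so the VPN interface must be a routed tun (or an unbridged tap); with a Layer 2 bridge there is no point at which to rewrite addresses, which is why the bridged TAP client cannot be NATed. The FORWARD rules are optional for connectivity but worth keeping, since without them every host on the VPN hub can reach every PLC on every site.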
 
I have been down that track using tun before and setting up static routes etc., but it was always an issue and worked some days and not others. It was always a fight, and just setting up a TAP VPN was so much more straightforward; I had a remote connection straight away in my lab tests. Now it is a matter of finding a solution that will allow subnets with the same IPs etc. I see some companies don't even use VPN anymore because of the issues and use Secure Link Services type stuff, but I can't find any details on how to achieve this, so it looks like I will just stick with the VPN.

I am using Layer 2 and not Layer 3, so the VPN connection is bridged to the LAN automatically and requires no static IP routes etc. But this provides issues in itself, as I will need a VLAN in the server for every PLC/site, so I also don't think that's a good way to go either. I have always wondered how eWON and some of these other services get around these issues; I know eWON is based on OpenVPN.
 
We do use eWON, but not for a permanently active connection. We use it for remote support and for fetching log files. So we activate an eWON connection, do what we need to do, and then deactivate the connection.

eWON merely sets up the VPN connection, and at the same time provides a route between the home PC and the network on the remote site.

We do not have the scenario where we need to be connected to remote sites permanently 24/7, and to multiple sites with duplicate IPs at the same time.
We do have multiple lines with duplicate IPs, but at the same site, not at different sites, and we deal with that with a NAT router at the site.
 
It looks like there is no easy way around this one; maybe I need to start looking into another solution such as software-defined networking. I may try a tun-type VPN again and see how I go with setting up static routes. I would have thought this was quite common, but everyone probably does what you just described and doesn't require a full-time connection.
 