Integration of different device types in VPN infrastructures
The advantages of digitalization can only be fully exploited by networking all devices in the field. With local PLCs, HMIs and IPCs at one location, for example on a shop floor, this is easily done over the local network. However, if devices are distributed over many locations, public networks must be used. The industry standard for securely connecting distributed devices and networks is VPN. VPN stands for Virtual Private Network and makes it possible to connect different networks over public infrastructure such as the Internet. Several VPN technologies are in use, such as IPsec, WireGuard and OpenVPN. OpenVPN has the advantage that it is mature, widely reviewed and already integrated in many devices, and it interoperates well between devices from different vendors. OpenVPN is a client-server protocol: usually there is one OpenVPN server in a central location and an OpenVPN client on each device in the field. Devices and the server authenticate each other with X.509 digital certificates, and the keys that encrypt the tunnel traffic are negotiated in the TLS handshake those certificates secure. There are multiple possibilities for integrating devices such as RTUs, PLCs, HMIs and IPCs into an OpenVPN infrastructure. The most important requirement is that the devices can reach the central server over a network. This can be accomplished through a wired Internet connection, 4G LTE, 5G or Wi-Fi. In addition, they need OpenVPN client support, which can be provided in several ways:
- Direct software support for OpenVPN
- Support to run additional applications e.g. Docker Container
- External Gateway for OpenVPN (like Welotec Router or Edge Gateways)
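The client side of such a deployment, as an added example that is not code from this page or from Welotec: a POSIX shell provisioning script that writes a hardened OpenVPN client configuration using certificate-based identity, and first checks with the openssl CLI whether the device certificate is due for renewal, the recurring task the next section describes. The server name vpn.example.net, the port 1194, the file names, the default output path /etc/openvpn/client.conf and the 30-day renewal window are assumptions; the tls-crypt key is assumed to have been issued by the server operator together with the device certificate.

```shell
#!/bin/sh
# Added example, not part of the Welotec page or product: provision an OpenVPN
# client on a field device (RTU, PLC, IPC) from a CA certificate, a device
# certificate, its private key and the server's tls-crypt key, and report when
# the device certificate is due for renewal. Requires the openssl CLI.
# Hostnames, file names, paths and the 30-day renewal window are assumptions.
set -eu

# Exit 0 if the certificate in $1 expires within $2 days (default 30),
# 1 if it stays valid beyond that window, 2 if the file cannot be parsed.
cert_renewal_due() {
    cert="$1"
    days="${2:-30}"
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || {
        echo "cannot parse certificate: $cert" >&2
        return 2
    }
    # 'openssl x509 -checkend N' exits 0 while the certificate is still valid
    # N seconds from now, and 1 if it expires inside that window (or already has).
    if openssl x509 -noout -in "$cert" -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Write a client config to $1 for server $2 using CA $3, device cert $4,
# key $5 and tls-crypt key $6. All directives are standard OpenVPN 2.5+
# options; the server must be configured with matching tls-crypt and ciphers.
# verify-x509-name assumes the server certificate's CN equals its hostname.
write_client_conf() {
    out="$1"; server="$2"; ca="$3"; cert="$4"; key="$5"; tcrypt="$6"
    cat >"$out" <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca $ca
cert $cert
key $key
tls-crypt $tcrypt
remote-cert-tls server
verify-x509-name $server name
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
verb 3
EOF
}

# Check the device certificate, then write the config. Exit 3 tells the
# management system that the device must be re-enrolled before rollout.
provision_device() {
    server="$1"; ca="$2"; cert="$3"; key="$4"; tcrypt="$5"
    out="${OPENVPN_CONF:-/etc/openvpn/client.conf}"
    cert_renewal_due "$cert" 30 && rc=0 || rc=$?
    case "$rc" in
        0) echo "device certificate $cert expires within 30 days, renew before rollout" >&2
           return 3 ;;
        1) ;;
        *) return "$rc" ;;
    esac
    write_client_conf "$out" "$server" "$ca" "$cert" "$key" "$tcrypt"
    echo "wrote $out for $server"
}

# Usage: sh provision.sh vpn.example.net ca.crt rtu-001.crt rtu-001.key ta.key
if [ "$#" -eq 5 ]; then
    provision_device "$@"
fi
```

Two of the directives carry the security weight: `remote-cert-tls server` makes the client reject any certificate the PKI issued to another device when it is presented as the server, and `verify-x509-name` pins the expected server identity on top of that; `tls-crypt` additionally authenticates every control-channel packet so the server only answers clients holding the shared key. On a device that runs the client in a Docker container, the same four files and the generated client.conf are what gets mounted into the container, so the check and the config are independent of which of the three integration paths above is used.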
Challenges of integrating different devices in VPN infrastructures
Secure and reliable operation of a VPN infrastructure is often complex. Among other things, a local firewall configuration, the VPN tunnel configuration and the certificates that establish the device's identity must be installed on each device in the field. To keep the infrastructure secure, VPN configurations must be updated when server addresses or cipher settings change, and digital certificates must be renewed before they expire. With a few devices from one vendor, it is easy to keep track of these tasks and perform them manually. However, especially in the energy sector and in machine building, where many systems are spread over many sites, these tasks cannot be carried out manually. An automated approach is needed.
Welotec VPN Security Suite
The Welotec VPN Security Suite offers automated processes to roll out and manage VPN infrastructures. It consists of three components: a central VPN Concentrator with an integrated firewall and access rules, an integrated Public Key Infrastructure (PKI) that issues and renews digital certificates, and a Device Management component for rollouts and for distributing configurations.
The Welotec VPN Security Suite makes it possible to roll out a uniform VPN infrastructure across different device types, regardless of manufacturer. The devices must either have an integrated OpenVPN client or support Docker containers. Docker-capable devices can be connected through the Welotec VPN Container Client (VPN-CC). VPN-CC registers itself with the VPN Security Suite and communicates with the end device; through that end-device communication you can directly reach devices and machines behind the device running VPN-CC. In addition, the certificates and the VPN configuration are distributed automatically to the VPN-CC device. Combined with orchestration software such as Kubernetes, VPN-CC offers a simple and scalable approach to building VPN infrastructures.