ICR-1601
4.1.2 OpenVPN
OpenVPN is an application that implements virtual private network (VPN) techniques for creating
secure point-to-point or site-to-site connections in routed or bridged configurations and remote access
facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing
network address translators (NATs) and firewalls.
OpenVPN allows peers to authenticate each other using a Static Key (pre-shared key) or certificates.
When used in a multi-client-server configuration, it allows the server to issue an authentication
certificate for every client, signed by a certificate authority. It uses the OpenSSL encryption library
extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.
OpenVPN Tunneling is a client- and server-based tunneling technology. The OpenVPN Server must have
a static IP or an FQDN, and maintain a client list. The OpenVPN Client may be a mobile user or a mobile site
with a public or private IP that requests the OpenVPN tunnel connection. The product can only take the
OpenVPN Client role in an OpenVPN tunnel connection.
There are two OpenVPN connection scenarios: TAP and TUN. The product can create either a layer-3
based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic.
In addition to configuring the device as a Server or Client, you have to specify which type of OpenVPN
connection scenario is to be adopted.
OpenVPN TUN Scenario
The term "TUN" mode refers to routing mode and operates on layer 3 packets. In routing mode, the VPN
client is given an IP address on a different subnet from the local LAN under the OpenVPN server. This
virtual subnet is created for connecting to any remote VPN computers. In routing mode, the OpenVPN
server creates a "TUN" interface with its own IP address pool, which is different from the local LAN.
Remote hosts that dial in will get an IP address inside the virtual network and will have access only to
the server where OpenVPN resides. If you want to offer remote access to a VPN server from client(s) and
inhibit access to the remote LAN resources under the VPN server, OpenVPN TUN mode is the simplest
solution.
As shown in the diagram, the M2M-IoT Gateway is configured as an OpenVPN TUN Client and connects
to an OpenVPN TUN Server. Once the OpenVPN TUN connection is established, the connected TUN client
is assigned a virtual IP (10.8.0.2) that belongs to a virtual subnet different from the local subnet in the
Control Center. With such a connection, the local networked devices get a virtual IP 10.8.0.x if their traffic
goes through the OpenVPN TUN connection when the Redirect Internet Traffic setting is enabled. Besides,
the SCADA Server in the Control Center can access the remotely attached serial device(s) via the virtual IP
address (10.8.0.2).
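The two choices described above (TUN versus TAP scenario, and Static Key versus certificate authentication) together with the Redirect Internet Traffic behaviour of the TUN scenario all show up as directives in the OpenVPN client profile that is loaded onto the gateway. The following script is an added example, not code from the ICR-1601 manual or the product's firmware: it parses such a client profile, classifies the scenario and authentication method, reports whether all Internet traffic is redirected into the tunnel, and lists a few hardening findings a defender would check before deploying the profile. The sample profile, the server host name, the certificate file names and the 10.8.0.0/24 virtual subnet are constructed assumptions for this example.

```python
"""Classify and sanity-check an OpenVPN client profile (added example)."""
import ipaddress

# Constructed sample: a routed (TUN) client profile using certificate authentication.
SAMPLE_CLIENT_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
verb 3
"""


def parse_profile(text):
    """Return a dict mapping each directive to the list of its argument lists.

    Lines starting with '#' or ';' are OpenVPN comments and are skipped.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def classify(directives):
    """Derive the connection scenario, peer authentication method and tunnel scope."""
    dev = directives.get("dev", [["?"]])[0][0] if directives.get("dev") else "?"
    if dev.startswith("tun"):
        scenario = "TUN (routed, layer 3)"
    elif dev.startswith("tap"):
        scenario = "TAP (bridged, layer 2)"
    else:
        scenario = "unknown"
    if "secret" in directives:            # 'secret' = static pre-shared key mode
        auth = "static key"
    elif {"ca", "cert", "key"}.issubset(directives):
        auth = "certificate"
    else:
        auth = "incomplete"
    # 'redirect-gateway' is what the manual's "Redirect Internet Traffic" amounts to.
    full_tunnel = "redirect-gateway" in directives
    return {"scenario": scenario, "auth": auth,
            "full_tunnel": full_tunnel, "directives": directives}


def hardening_findings(info):
    """Points a reviewer would raise before loading the profile onto a gateway."""
    d = info["directives"]
    findings = []
    if info["auth"] == "static key":
        findings.append("static key: one shared secret for all peers, no per-client "
                        "revocation and no forward secrecy; prefer certificates")
    if info["auth"] == "certificate":
        if "remote-cert-tls" not in d:
            findings.append("missing 'remote-cert-tls server': client would accept any "
                            "CA-signed certificate, including another client's, as the server")
        if "tls-auth" not in d and "tls-crypt" not in d:
            findings.append("no tls-auth/tls-crypt: control channel packets carry no HMAC key")
    if info["scenario"].startswith("TAP"):
        findings.append("TAP bridges layer-2 traffic (broadcasts, ARP) into the tunnel; "
                        "use TUN unless layer 2 is really required")
    return findings


def subnets_overlap(virtual_net, local_net):
    """True if the server's virtual pool collides with the local LAN (breaks routing)."""
    return ipaddress.ip_network(virtual_net).overlaps(ipaddress.ip_network(local_net))


if __name__ == "__main__":
    report = classify(parse_profile(SAMPLE_CLIENT_PROFILE))
    print("scenario:", report["scenario"], "| auth:", report["auth"],
          "| full tunnel:", report["full_tunnel"])
    for f in hardening_findings(report):
        print("finding:", f)
    # Assumed local LAN of the Control Center and the 10.8.0.0/24 pool from the diagram.
    print("virtual pool overlaps local LAN:", subnets_overlap("10.8.0.0/24", "192.168.1.0/24"))
```

Run with a real profile by replacing SAMPLE_CLIENT_PROFILE with the file contents; an empty findings list for a TUN/certificate profile is the expected result, and a non-empty one is the checklist for fixing the profile before the gateway dials in.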