The CloudVPN router is a device meant to create a local network for the devices that are associated with an industrial machine, so that they can be accessed remotely in a secure manner. For the CloudVPN router to establish this connection, the network must be configured correctly. This article explains how to configure the corporate and machine network to remotely access your machine using the CloudVPN Portal.
What do I need to know?
To understand how to set up your network so that your CloudVPN router can be used in it, you first need to understand a few basic networking terms. They are clarified in the table below.
|Network||A group of electronic devices that communicate together.|
|IP address||The IP address is like the street address of a house, but for electronic devices in a network. It looks something like this: 192.168.140.1|
|IP range||The IP range is like all home addresses in one street. It looks something like this: 192.168.140.1 to 192.168.140.254|
|LAN||A Local Area Network (LAN) is a network of devices that are close together. An example is a machine network as a part of a larger factory network.|
|WAN||A Wide Area Network (WAN) is a larger network of devices. An example is the internet, a global network of many devices.|
|Firewall||A firewall is a security measure that controls and monitors all data traffic between different networks. A firewall blocks traffic that is not allowed.|
|Router||A router is a device that forwards data between two or more networks. An example can be a router between a corporate network and the internet.|
What do I need to do?
Basically, you need to set up the WAN and LAN side of the CloudVPN router so that you can access the devices behind your CloudVPN router. The infographic below shows the route that data has to travel between the CloudVPN Portal and the machine that you want to access remotely. Please note that the WAN side of the CloudVPN router is connected to the corporate network and that the LAN side of the CloudVPN router is connected to the machine network. There are 3 points that you have to consider for your network configuration.
- To establish an outgoing connection, port 443 needs to be open on the firewall of the corporate network that is connected to the WAN port of the CloudVPN router. Some additional features require additional ports to be opened.
- The IP range of the corporate network and machine network can't be the same, because then the CloudVPN Portal won't be able to find the CloudVPN router.
- The IP addresses of the devices in the machine network need to be in the LAN IP range.
(1) The very first packet may be considered unencrypted, as the OpenVPN handshake takes place prior to the TLS handshake. For this reason, an exception may be required on firewall rules that block non-SSL traffic over SSL ports.
(2) (Optional) Only used when VPN connection type is set to UDP.
(3) (Optional) Only used when stealth mode is activated for connectivity via a censored internet connection (i.e. when located in China).
(4) (Optional) DNS requests are often handled by local DNS servers. In those cases the listed DNS port can be ignored.
(5) (Optional) Used to synchronize the time for the router's internal system log and Cloud Logging data, and to provide NTP functionality to the machine.
(6) (Optional) Only used when failover is configured.
Please follow the steps below to set up your network correctly for integration of the CloudVPN router into the network:
- Open the ports that you need to use in the firewall of your corporate network. By default, only port 443 is needed. For the VPN connection, you might need to make an exception in the SSL inspection feature of the firewall. You can see what ports you may need to open in the infographic above. More info can be found in this article.
- Check the local IP range of the WAN network that you would like to connect the CloudVPN router to. Your local IT department will know what this is.
- Choose a different IP address range for the machine network (LAN) behind the CloudVPN router. The default is 192.168.140.x.
- Give all electronic devices (PLCs, HMIs, etc.) that you are placing in this network a different IP address in the same IP range. The default is 192.168.140.xx.
- Make sure that each of the devices has a different IP address than the other devices in the LAN network.
- Establish a VPN connection in the CloudVPN Portal and ping each of the devices to see if you can interact with them remotely. You can ping a device by typing ping <device IP-address> in the command prompt or terminal of your computer.
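The address-plan checks from the steps above (different WAN and LAN ranges, every device inside the LAN range, no duplicate device addresses) can be run before anything is plugged in. The script below is an added example, not part of the original article or of the vendor's tooling; the corporate range 10.20.0.0/16 and the device names and addresses are constructed sample values, and the network/broadcast address check goes slightly beyond what the steps list.

```python
import ipaddress
from collections import Counter


def check_address_plan(wan_cidr, lan_cidr, devices):
    """Return a list of problems in the plan; an empty list means it passes.

    wan_cidr: corporate network on the router's WAN side (assumed sample value)
    lan_cidr: machine network on the router's LAN side
    devices:  mapping of device name -> IP address string
    """
    problems = []
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    lan = ipaddress.ip_network(lan_cidr, strict=False)

    # The corporate (WAN) and machine (LAN) ranges must not be the same or overlap.
    if wan.overlaps(lan):
        problems.append(f"WAN range {wan} overlaps LAN range {lan}")

    # Every device must sit inside the LAN range, on a usable host address.
    reserved = {lan.network_address, lan.broadcast_address}
    parsed = {}
    for name, addr in devices.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{name}: '{addr}' is not a valid IP address")
            continue
        parsed[name] = ip
        if ip not in lan:
            problems.append(f"{name}: {ip} is outside LAN range {lan}")
        elif ip in reserved:
            problems.append(f"{name}: {ip} is the network or broadcast address")

    # Each device needs an address that no other device in the LAN uses.
    for ip, n in Counter(parsed.values()).items():
        if n > 1:
            names = sorted(k for k, v in parsed.items() if v == ip)
            problems.append(f"{ip} is assigned to multiple devices: {', '.join(names)}")
    return problems


# Constructed sample plan (not taken from the article).
SAMPLE_DEVICES = {"plc-1": "192.168.140.10", "hmi-1": "192.168.140.11",
                  "drive-1": "192.168.140.11", "camera-1": "192.168.141.5"}

if __name__ == "__main__":
    for line in check_address_plan("10.20.0.0/16", "192.168.140.0/24", SAMPLE_DEVICES):
        print("PROBLEM:", line)
```

Run it with the range your IT department gives you for the WAN side; an empty result means the plan satisfies the three address requirements before you move on to the ping test.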
Configuration complete
You have now completed the configuration of your corporate and machine network. You can now start using the CloudVPN Portal to access your machine remotely, log machine data and receive alarms and notifications about important machine events.