Remote access VPNs

What VPNs?

One of the big businesses on the internet is VPN (Virtual Private Network) services, but the ones you normally see advertised (privacy VPNs) are not what I want to write about today. The VPN services I want to write about are remote access VPNs; as the name suggests, the purpose of these services is to securely access remote devices and networks. These are needed in lots of different situations, from an OEM (Original Equipment Manufacturer) needing to support a machine on the other side of the country to a utility provider with hundreds of individual sites. Normally these sites will have a little cellular router, or on the odd occasion the site will have a local office network where the IT team will want to manage access.

So let's talk about the options that exist with those cellular routers, as these can also apply to non-cellular sites. I would break the VPN options into the following categories:

  1. Hardware Based
  2. Managed
  3. DIY

Hardware Based

Hardware VPNs are based around the device you buy from that vendor, and they have a VPN service that is included in the price. The benefit of this category is that it can be a simpler option for people with less networking knowledge and often delivers on the "it just works" promise, although personally I consider the cons quite overbearing. The biggest con of the hardware VPN is that the business model only really works for the supplier if you keep buying more hardware, as their cost of operating the service keeps growing every month, so what most of these hardware based VPN providers eventually do is put a limit on how long after purchase the hardware device will connect to the VPN service. That is not what you need in an industrial environment, where a site is likely to be in operation for a long period of time. The second con of this category is that the simplicity of the solution can make it harder when you have a slightly unique scenario that was not envisioned by the vendor when they designed the system, but that can differ from platform to platform.

Three brands that I am aware of in this space:

  • Secomea
  • eWON
  • Tosibox (Disclaimer: at the time of writing my employer sells Tosibox).

Managed

A managed VPN service is simply a VPN that you pay someone else to maintain; it normally comes with a web dashboard to configure your connections and routers. These services use standard open source VPN technologies such as OpenVPN, which means you have a good amount of choice in the cellular router you use, and as a bonus you are not concerned about putting some custom software on the PCs you are connecting to the VPN. In this category you have the power to see what is happening, to verify that connections are secure and that appropriate ciphers are being used, but you are not having to worry about managing the server that is exposed on the internet, which means that as long as you trust the provider there is less for you to worry about. You do have a con similar to hardware based VPNs in that the service provider envisioned a set of use cases when they designed the service, and if you have a use case that falls outside that set then it can be a bit tricky getting the service to work. A similar pro to the hardware VPNs is that the web portal is designed to make configuration of the network easier for those without in-depth networking knowledge, but the same level of integration with the router is not there, as they have to try to work with a wide range of routers that may or may not give the user complete control. Managed services are priced by the number of connections, which can be quite reasonable at the lower end, but once you are moving into the 100s to 1000s of connections the cost can be harder to justify, especially if you have internal resources that could look at the DIY category, but that is not for everyone.

Here are a couple of services that I am aware of:

  • OpenVPN CloudConnexa
  • TailScale (wide router support not there yet)

DIY

To be frank, DIY would be my preferred option unless I was operating a large network with 100s of devices (in that case I would still be pushing for DIY, with support to build tooling to automate deploying and managing new routers). In this category you are responsible for building and maintaining the VPN server sitting straight on the internet, provisioning and managing certificates, and designing an appropriate network topology. The obvious con here is that a lot of the responsibility and troubleshooting is up to you, but the positive side of that is you have the flexibility to design the VPN to work exactly how you need it and change it as your needs do. The other big pro with DIY is that the cost is pretty static: since you are mainly just passing traffic through the server, you can get quite a lot of connections on the cheapest virtual server from your provider of choice. You also have the power to use almost any router you want, as you control the whole system, so you can choose a router that only supports the features that you need (I would personally use one that is as close to an upstream Linux project as possible, so you are likely to get more updates over time, and I might be talking about a completely open source software industrial router in the future).

All of the options I have talked about so far use a traditional topology of one server with many clients all routing through the server, which is the topology I would recommend for the most part, but there is another option that I have seen used effectively before: rather than having one single server, every remote site could be a server that the client connects to directly. This does require the router to have a public IP (which costs extra and can be difficult to get on cellular), and these are normally dynamic, so some sort of Dynamic DNS has to be used in conjunction. A benefit of this is that if one router is compromised all the rest should be safe (assuming separate certificates are used for each router), but it does rely on the router having timely updates to the VPN software and a properly implemented firewall, which is not always the case.

These are the VPN technologies to consider when going DIY:

  • OpenVPN
  • IPsec
  • Nebula (wide router support not there yet)
  • WireGuard
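The one-server-with-many-clients topology and the "separate certificates for each router" point above, as an added example (my code, not from the original post): a small Python script that lays out a hub-and-spoke WireGuard network, refuses to emit any config when two routers share a key, a tunnel address or a LAN subnet, and writes the hub and per-site files with AllowedIPs restricted to what each side legitimately needs. All site names, subnets, the hub endpoint and the keys are constructed placeholders, and the management networks passed to site_config are an assumption; on real devices the keys come from wg genkey and wg pubkey.

```python
"""Added example, not code from the original post: lay out a hub-and-spoke
WireGuard remote-access VPN of the DIY kind described above and check the
properties the post argues for before emitting any config.

Assumptions (none of these come from the post): site names, subnets,
the hub endpoint and all keys are constructed placeholders; on real devices
keys come from `wg genkey` / `wg pubkey`.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    tunnel_ip: str    # the router's own /32 address inside the tunnel
    lan: str          # the LAN subnet behind the router, reachable via the hub
    public_key: str   # the router's WireGuard public key (placeholder here)


# Constructed layout: one hub on a small virtual server, three site routers.
HUB_TUNNEL_NET = ipaddress.ip_network("10.200.0.0/24")
HUB_TUNNEL_IP = "10.200.0.1"
HUB_ENDPOINT = "vpn.example.invalid:51820"      # placeholder hostname
HUB_PUBLIC_KEY = "HUB_PUBLIC_KEY_PLACEHOLDER="
SITES = [
    Site("pump-station-1", "10.200.0.11", "192.168.11.0/24", "SITE1_PUBKEY_PLACEHOLDER="),
    Site("pump-station-2", "10.200.0.12", "192.168.12.0/24", "SITE2_PUBKEY_PLACEHOLDER="),
    Site("reservoir-3", "10.200.0.13", "192.168.13.0/24", "SITE3_PUBKEY_PLACEHOLDER="),
]


def validate(sites):
    """Return a list of layout problems; an empty list means the layout is sound.

    Each router must have its own key (so one compromised router cannot be
    mistaken for another), its own tunnel address, and a LAN subnet that does
    not overlap any other site's, otherwise routing through the hub is ambiguous.
    """
    problems = []
    key_owner, ip_owner, lans = {}, {}, []
    for s in sites:
        if s.public_key in key_owner:
            problems.append(f"{s.name} reuses the key of {key_owner[s.public_key]}")
        key_owner.setdefault(s.public_key, s.name)

        tip = ipaddress.ip_address(s.tunnel_ip)
        if tip not in HUB_TUNNEL_NET or str(tip) == HUB_TUNNEL_IP:
            problems.append(f"{s.name} tunnel address {s.tunnel_ip} is not free in {HUB_TUNNEL_NET}")
        if s.tunnel_ip in ip_owner:
            problems.append(f"{s.name} reuses the tunnel address of {ip_owner[s.tunnel_ip]}")
        ip_owner.setdefault(s.tunnel_ip, s.name)

        lan = ipaddress.ip_network(s.lan)
        for other_name, other in lans:
            if lan.overlaps(other):
                problems.append(f"{s.name} LAN {lan} overlaps {other_name} LAN {other}")
        lans.append((s.name, lan))
    return problems


def hub_config(sites, hub_private_key="HUB_PRIVATE_KEY_PLACEHOLDER="):
    """Hub-side wg-quick config with one [Peer] per site router.

    AllowedIPs on the hub is WireGuard's cryptokey routing table: the hub only
    accepts packets from a peer whose source address falls inside that peer's
    AllowedIPs, so a router can present nothing beyond its own tunnel address
    and its own LAN, whatever happens to it.
    """
    problems = validate(sites)
    if problems:
        raise ValueError("refusing to emit config: " + "; ".join(problems))
    lines = [
        "[Interface]",
        f"Address = {HUB_TUNNEL_IP}/{HUB_TUNNEL_NET.prefixlen}",
        "ListenPort = 51820",
        f"PrivateKey = {hub_private_key}",
    ]
    for s in sites:
        lines += ["", "[Peer]", f"# {s.name}", f"PublicKey = {s.public_key}",
                  f"AllowedIPs = {s.tunnel_ip}/32, {s.lan}"]
    return "\n".join(lines) + "\n"


def site_config(site, management_nets, site_private_key="SITE_PRIVATE_KEY_PLACEHOLDER="):
    """Router-side config. AllowedIPs lists only the management networks the
    site should reach through the hub, so sites are not routed to each other
    unless you deliberately add their subnets here. PersistentKeepalive keeps
    the NAT mapping open on cellular links, which rarely have a public IP.
    """
    return "\n".join([
        "[Interface]",
        f"Address = {site.tunnel_ip}/32",
        f"PrivateKey = {site_private_key}",
        "",
        "[Peer]",
        "# hub",
        f"PublicKey = {HUB_PUBLIC_KEY}",
        f"Endpoint = {HUB_ENDPOINT}",
        f"AllowedIPs = {', '.join(management_nets)}",
        "PersistentKeepalive = 25",
    ]) + "\n"


if __name__ == "__main__":
    print(hub_config(SITES))
    print(site_config(SITES[0], ["10.200.0.0/24", "10.50.0.0/24"]))
```

The validation step is the part worth keeping when you grow this into the deployment tooling mentioned above: a duplicated key or an overlapping subnet is exactly the kind of mistake that slips in when the hundredth router is provisioned by hand, and it is far cheaper to reject it at config-generation time than to find it after a site has been installed.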

More Thoughts

As I said before, if I was in the situation of having to set up remote access for a number of sites I would likely go the DIY route (pause for laughter), but it would be tempting to go to TailScale or Defined Networking's Managed Nebula offering (Defined Networking are the creators of the Nebula project). The problem most users will have with those two options is that most industrial routers do not support these technologies. If you have command line access on your router then you can probably simply download and add in the TailScale/Defined Networking binaries (depending on your router this may be anywhere from very easy to very hard), but another option I would like to look at in another blog post is installing open source firmware on an industrial router so that you control the router and the software available on it. The big thing that stops me from writing that blog post is the ~$300 it would cost to get the router, as this blog is a personal endeavour, so it is hard to justify that amount.

Something else that is worth mentioning is that by going the DIY path of building your own tooling for managing and deploying remote devices and the VPN server, you are most of the way to providing a remote access VPN service. I have thoughts on how I would build this type of service and build a business around it, but I do not have the time to build such a thing or the drive to run a business, so there might be another blog post in the future describing how I would go about this.

The key thing to remember with remote access is that you have to think about how to keep devices and services updated: give it 5-10 years and your current configuration might no longer be secure.