Use the viaVPN System for Remote Access

Data Communication Product Application

What is the viaVPN System, and which functions does it offer?

viaVPN consists of three main components: Routers, Cloud Servers and Client Utility software. With this system, users install and operate very secure remote connections to any kind of machinery, sensors or actuators. The complexity of the security requirements is hidden behind an easy-to-use interface, which gives everyone secure remote access without having to study protocols such as IPSec.

 Figure 1: The connection scheme in viaVPN
The operating principle is explained in this picture. On the lower right is one machine, representing any hardware installed in a factory. This machine is connected to the local network of the factory, either directly by Ethernet or via gateways for serial ports / CAN Bus / Digital-I/O. The connection to the LAN gives all computers on this LAN access to the machine for monitoring, control or maintenance.
The new task is to allow remote access to that machine, so that the manufacturer's technician has the same level of access without personally showing up at the factory. To add this capability, a small Router is installed first; the machine now connects to the LAN via the Router. This Router allows access from the LAN to the machine as before, and in parallel establishes a secure VPN connection to one of the Cloud Servers operated by viaVPN.
On the other side (lower left), the technician has the Client Utility software installed on his PC. Using the Client Utility, the technician also has access to the Cloud Servers and can request a secure connection to one Router. The Cloud Server then creates the connection, providing the technician with access to the machine.

If the company LAN has no Internet access, the Router may use a 3G/4G modem. Also the technician with his laptop computer may use a mobile connection, WLAN in an Internet Café or any other means of Internet access.
All data transfer from the Router and the Client Utility software is protected by SSL and AES-256. This applies to basic transfer via HTTPS and, more importantly, is mandatory for the VPN connections. This guarantees that the transferred data cannot be monitored by any third party, and that only selected operators can connect to the Router and the machine; no other person can impersonate an employee.

Why prefer the viaVPN system over other means of Remote Access

Many machines nowadays provide an Ethernet port for connection to a local network, and they use TCP/IP for data transfer. So in principle they can be connected via the Internet and not only from computers in the LAN.

 Figure 2: Customers local network
However, the firewall of the customer's network will block such access for good reasons. The administrator of the LAN is then tasked with allowing the special access from a technician to the machine while still blocking all other access from the Internet. This is a task administrators are not happy to do.
To avoid the problem with the customer's firewall, the machine could open a reverse connection to the manufacturer's network. Administrators do not like this phone-home option either. More importantly, the administrator at the manufacturer's site now has to open special access for each of the installed machines while blocking unwanted attempts.

The solution is the Cloud Servers of viaVPN. The Router and the Client Utility software both open connections from the local network to the Internet, not the other way around. Typical firewall configurations already allow such access (like web browsing), or require minimal configuration (of Router or Client Utility). The Cloud Servers then transfer the data from one secure connection to the other, in a sense "pairing" these VPN tunnels.
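The pairing idea described above, as an added example that is not viaVPN code: a toy relay on localhost to which both the router and the technician connect outbound, and which joins the two only when the operator is allowed for that router. The `ROUTER`/`CLIENT` hello lines, the names `router-17`, `alice` and `mallory`, and the plain-text transport are assumptions made for illustration; the real system authenticates with certificates inside encrypted tunnels.

```python
import asyncio

ACL = {"router-17": {"alice"}}  # constructed policy: operators allowed per router

async def pipe(src, dst):
    while data := await src.read(4096):  # copy one direction until EOF
        dst.write(data)
        await dst.drain()
    dst.close()

def make_relay(acl):
    parked = {}  # router id -> idle outbound connection from that router
    async def handle(reader, writer):  # the relay only ever accepts connections
        hello = (await reader.readline()).decode().split()
        if len(hello) == 2 and hello[0] == "ROUTER":
            parked[hello[1]] = (reader, writer)
            writer.write(b"REGISTERED\n")
            return
        user, rid = hello[1:3] if len(hello) == 3 and hello[0] == "CLIENT" else (None, None)
        peer = parked.pop(rid, None) if user in acl.get(rid, ()) else None
        if peer is None:  # unknown router, or operator not authorised for it
            writer.write(b"DENIED\n")
            writer.close()
            return
        writer.write(b"PAIRED\n")
        await asyncio.gather(pipe(reader, peer[1]), pipe(peer[0], writer))
    return handle

async def session(user, router_id="router-17"):
    server = await asyncio.start_server(make_relay(ACL), "127.0.0.1", 0)
    addr = server.sockets[0].getsockname()[:2]
    r_in, r_out = await asyncio.open_connection(*addr)  # router dials OUT
    r_out.write(f"ROUTER {router_id}\n".encode())
    await r_in.readline()  # wait for "REGISTERED"
    c_in, c_out = await asyncio.open_connection(*addr)  # technician dials OUT too
    c_out.write(f"CLIENT {user} {router_id}\n".encode())
    status = (await c_in.readline()).decode().strip()
    reply = b""
    if status == "PAIRED":
        c_out.write(b"status?\n")
        request = await r_in.readline()  # arrives on the router's own connection
        r_out.write(b"machine got " + request)
        reply = await c_in.readline()
    for closable in (c_out, r_out, server):
        closable.close()
    return status, reply.decode().strip()

def run(user):
    return asyncio.run(session(user))
```

Neither endpoint listens for inbound connections, so no inbound firewall rule is needed on either LAN; the access decision sits entirely with the relay.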

Models with viaVPN option

( NetCom / NetCAN Plus | Baltos ARM RISC )
The primary installation mode for viaVPN is the use of a dedicated Router system to provide access to the viaVPN services (see models here…). This allows for very flexible connection of any kind of hardware via the Ethernet ports (labelled LAN). At the same time, the Routers provide serial ports, Digital-I/O and CAN Bus, depending on the specific model. All these added functions are usable via the network (customer's LAN and viaVPN) to connect hardware with those interfaces.

 Figure 3: A viaVPN PRO Router
Often there are situations where no Ethernet is required to connect to the machines or other devices. Instead, a serial port or a CAN Bus is the single requirement. For such installations a complete Router seems oversized.
In contrast, Baltos systems are used to perform customized monitoring and control tasks. They may serve as a protocol gateway, or directly monitor and control procedures in production. There are other tasks as well. All are characterized by application software developed and installed by the customer himself. The application may or may not have special means for remote access, but such an option can be useful.

These device classes can benefit from the viaVPN services by embedding a 'Software-Router' in the firmware. The NetCom and NetCAN already provide the function of viaVPN access. Customers' application software in Baltos systems of course does not have this feature. But Vision Systems offers an option to install it in existing firmware as a Demon.

NetCom Plus / NetCAN Plus
NetCom Plus and NetCAN Plus device servers already provide an option to access the viaVPN services. This option is inactive until a special data module (Certificate) for authentication is loaded onto the device server.
 Figure 4: viaVPN in NetCom Plus / NetCAN Plus Device Servers
Once the option is enabled, the function can be configured. Typically the Proxy parameters remain empty; they are only used for very restrictive firewalls.
Usually the device server operates as DHCP server for the VPN tunnel connection. It is not a DHCP server on the customer's LAN.

Baltos iR systems run software implemented by the customer. This combines the operating system with the target application, and is installed either on an SD-card or into the NAND Flash memory. These systems are shipped with only a small demonstration system in the Flash memory.
Since the final software is 100% installed by the customer, no option for access to the viaVPN services is pre-built-in. But VS Vision Systems GmbH offers an add-on software module for this purpose, the viaVPN Demon.
Customers may use many ways to create their own software implementation. One method is the provided DEBIAN GNU/Linux software shipped as part of the starter kit. Customers use this as a starting point and configure it for their special requirements. Paired with the application software, this is then the final software.
A second way is to use buildroot. This results in small software installations, which often fit into the NAND Flash memory. This "firmware" is then booted directly from the Flash memory. There are other methods like Yocto for the same purpose.

The Debian Starter Kit and buildroot are named specifically because the mentioned viaVPN Demon is tested and available for these two ways of software implementation. Customers order the Demon viaVPN for their systems and get a ZIP file with software and data packages. The software is then either embedded directly in the compilation process of buildroot, or installed into the existing Debian software package. This software is identical on all systems, so the build process is generic. However, the data packages (Certificates) are individual for each system, to identify it to the viaVPN Cloud Servers.
The key point here is that the existing application software of the customer is not changed. The Demon viaVPN is not a module or library to load or integrate into the application, and there is no requirement to execute or invoke certain functions in it. Instead, the Demon operates at the level of the Operating System, in the background and in parallel to the existing application. Software developers do not need to care at all about the Demon viaVPN.

Important: viaVPN provides users and systems with a way to get a network connection to remote locations. All methods for functional access, monitoring and control of operation must already be implemented in the customer's software. There are many ways to do this, ranging from console access via SSH up to a complex web interface used in a browser. But usually the customer's software already has a way to do this for operation in a local network.

Summary and special Remarks

Many hardware devices (sensors, actuators, …) nowadays provide an option to use their functions via an internal and thus protected network based on Ethernet. Other devices can provide similar functions when outfitted with a Serial Device Server or an Ethernet to CAN-Bus Gateway; other types of Gateways also exist. Access via the network from any PC in the LAN is convenient, and it is equally convenient to do the same via the Internet from anywhere. However, for security reasons the latter is not a reasonable option when done without caution.
viaVPN extends the access via local network over secured VPN tunnels. This results in ease of use with minuscule impact on the existing installation. Remote Access becomes secure without changing the connected devices at all, so there is no need for re-certification of installed firmware.


All trademarks and brands are property of their rightful owners.
Copyright © 2005-2024, VS Vision Systems GmbH. All Rights Reserved.