Roger Cooper (New Zealand) asked:

How do I connect an external user to an internal device with VPN?

Hi, I'm IT at an engineering company and I've been asked by our Automation department to provide a VPN connection from another company into our company so that they can connect to a Rockwell PLC on our premises. This all for testing and setup purposes so it will be switched on for testing then disconnected afterwards so a super secure industrial solution isn't necessary in this instance.  We have a spare internet connection with a fixed IP into our premises.

I have never setup a VPN before so I'm floundering a bit. What I would like is a standalone VPN device connected to our internet router that will provide an ipsec connection that will magically connect to the PLC which has a fixed IP. I understand I'll need to setup port forwarding on the internet router which is just a Huawei HG659 but I really don't understand what VPN device I will need. It needs to be standalone because there won't be a PC between it and the PLC so the device has to do it all.

Where do I start please?

Tags: VPN, Internet Protocol Security


8/22/2022 - Mon

"I understand I'll need to setup port forwarding on the internet router": that should not be necessary if the router can act as a VPN server.

Think of a VPN as a VERY long cable between the remote device (at the other company) to the LAN side of your router.  One major difference, though, is that you'll be on different subnets, though it's all routable.

I looked up the specs on the Huawei and I'm not convinced that this will work.  It doesn't appear to support being a VPN host and it also doesn't appear to have any provision for VPN pass-through.  In the case of pass-through, you'd set up a PC on the LAN as a VPN host and you'd tell the router to send VPN traffic to it (a bit different than just port forwarding as you need to do IP Protocols 50 and 51).  I don't think your router will do that.

Would it be good enough if they had remote access to a computer on your LAN?  That may be the easiest solution.  Add a computer, set up remote access (I like realvnc.com , $40/year with a 30-day free trial) to it, and let them do whatever they want with it and the PLC.
Roger Cooper

Thanks CompProbSolv. Unfortunately giving them access to a PC won't work. The equipment we have will be shipped to our customer in a few months and connected to our customer's LAN. They want Ethernet access to our equipment now so that they can set up and test the connections from their LAN to the PLC prior to delivery. We need a way to replicate that connection via VPN, which is why I thought a standalone device could be the best solution.
The router does port forwarding ok. When I say it's spare, it's a 100 mbps connection used for alarm monitoring so it's got almost no traffic on it and it's completely separate from our corporate network. I have already opened ports to our alarm system so I know that works.
David Johnson, CD

For a short duration a VPN may be overkill; just port forward from the WAN IP (whatever) to the LAN IP of the device. This may gum up your alarm system unless you put the alarm system port forwarding at a higher priority.
Roger Cooper

Thanks David, I'll try that. If that works it would be a very simple solution.

David provides an excellent alternative to what you requested, though there are some security risks.  Your device will be exposed to anyone on the internet that happens to probe your external IP on the appropriate port.  There are plenty of people out there automating scans to find just such an opportunity.  If it is short term and you have good security with the PLC itself, that shouldn't be a problem.  I'd think carefully about how secure it is.  If their need for access is very limited, you could turn the port forwarding off when they don't need it.

Port forwarding is only a valid option if a fully fledged FIREWALL is on that same device.
Consumer router, NO GO.
Business router, go ahead, port forward, PLUS ADD FIREWALL RULE ONLY THAT ONE EXTERNAL IP nr is allowed.
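An added example, not from this thread or from any product mentioned in it, that models the three router behaviours the answers above describe: an open port forward (what the scans mentioned earlier will find), the same forward restricted to the partner's single fixed external IP, and IPsec pass-through, where whole IP protocols 50 and 51 are sent to a LAN host rather than a port. All addresses and the alarm port are constructed; the PLC port 44818 is assumed here to be EtherNet/IP's registered TCP port, which the thread does not state.

```python
"""Added example (not from the Experts Exchange thread): a small model of the
router decisions discussed above, so the difference between an open port
forward, a source-restricted port forward and IPsec pass-through can be seen
on constructed traffic. All addresses, ports and rule sets are made up."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# IP protocol numbers. ESP (50) and AH (51), the two the thread mentions,
# carry no port field, which is why pass-through is not just a port forward.
ESP, AH, TCP, UDP = 50, 51, 6, 17


@dataclass(frozen=True)
class Packet:
    src: str                     # source address as seen on the WAN side
    proto: int
    dport: Optional[int] = None  # None for protocols without ports (ESP/AH)


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int]
    target: str                  # LAN host the traffic is sent to
    allowed_src: FrozenSet[str] = frozenset()  # empty = anyone on the internet


def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> Optional[str]:
    """Return the LAN target for pkt, or None if it is dropped; append a log line."""
    for rule in rules:
        if rule.proto != pkt.proto or rule.dport != pkt.dport:
            continue
        if rule.allowed_src and pkt.src not in rule.allowed_src:
            log.append(f"DROP src={pkt.src} proto={pkt.proto} dport={pkt.dport} "
                       f"reason=src-not-allowed")
            return None
        log.append(f"FORWARD src={pkt.src} proto={pkt.proto} dport={pkt.dport} "
                   f"to={rule.target}")
        return rule.target
    log.append(f"DROP src={pkt.src} proto={pkt.proto} dport={pkt.dport} reason=no-rule")
    return None


def probe_sources(log: List[str]) -> Counter:
    """Count dropped packets per source: a cheap way to spot scanners hitting the WAN IP."""
    counts: Counter = Counter()
    for line in log:
        if line.startswith("DROP"):
            counts[line.split()[1].split("=", 1)[1]] += 1
    return counts


# Constructed addresses (TEST-NET ranges for the public ones).
PARTNER_IP = "203.0.113.10"    # the other company's fixed IP
SCANNER_IP = "198.51.100.7"    # an unrelated host probing the WAN address
PLC_IP = "192.168.10.50"
ALARM_IP = "192.168.10.20"
VPN_HOST = "192.168.10.5"

# Assumed: the PLC is reached over EtherNet/IP, registered TCP port 44818.
OPEN_FORWARD = [Rule(TCP, 44818, PLC_IP)]                       # exposed to everyone
RESTRICTED_FORWARD = [Rule(TCP, 44818, PLC_IP, frozenset({PARTNER_IP})),
                      Rule(TCP, 5001, ALARM_IP)]                 # alarm port is constructed
# Pass-through as the thread describes it: IP protocols 50 and 51 to a LAN VPN host.
PASSTHROUGH = [Rule(ESP, None, VPN_HOST), Rule(AH, None, VPN_HOST)]


def demo() -> Dict[str, object]:
    """Run the same constructed packets through each rule set."""
    traffic = [
        Packet(PARTNER_IP, TCP, 44818),   # partner reaching the PLC
        Packet(SCANNER_IP, TCP, 44818),   # scanner trying the same port
        Packet(SCANNER_IP, TCP, 5001),    # scanner hitting the alarm port
        Packet(PARTNER_IP, ESP),          # partner's IPsec traffic (no port)
    ]
    results: Dict[str, object] = {}
    for name, rules in (("open", OPEN_FORWARD),
                        ("restricted", RESTRICTED_FORWARD),
                        ("passthrough", PASSTHROUGH)):
        log: List[str] = []
        results[name] = [evaluate(rules, p, log) for p in traffic]
        results[name + "_probes"] = probe_sources(log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "open" run shows the scanner reaching the PLC exactly as the partner does; the "restricted" run drops it while still forwarding the unrelated alarm port; the "passthrough" run shows that no port-based rule matches ESP at all, so a router that only offers port forwarding cannot express it. Turning the forward off when the partner does not need it, as suggested above, is the same as removing the rule.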
Roger Cooper

Hi All, Thanks for commenting. Our Automation staff took matters into their own hands and bought something called a Tosibox (TOSIBOX® Locks, Keys and Central Locks for secure connectivity) instead. Our internal communications need some work since they got this up and running while leaving me to find a solution!! Problem solved I guess.

Glad to hear that worked.  In case it is not clear to you, what they did is to replace your router with one that can act as a VPN server.  Nothing unusual there.  In the long run, the new router should prove to be a good overall solution even when not using it as a VPN server.