Cloud Router Manual

Introduction

Reason for Cloud Router

This cloud-based M2M solution gives control stations access to remote stations in the field by putting all devices into a common VPN. In particular, it provides the following features:

  • Fast and easy configuration of NetModule Routers (automatic setup of remote stations)
  • Giving access to remote stations
  • Attaching various control stations
  • Connection status overview
  • Installation of a VPN server on scalable hardware in the cloud

For small projects with fewer than 25 clients, using an NB1600 Wireline can be an alternative, but it does not offer all features of the cloud router, for example the automatic setup. As shown on the picture below, control stations can easily access remote sites and address hosts in each remote network.

Terminology

Control station: A managing station that communicates with the devices in the field. Control stations can be PCs, smart phones, tablets, and so on.
Remote station: A decentral station that needs to communicate with a control station. This can be a plant, a vehicle, and so on.
Cloud router: An intermediary VPN router between control stations and remote stations.
Devices: The equipment in the LAN of the remote stations that needs to be communicated with.

The Steps to Get Up and Running

Basically the following steps are required:

  1. Setting up the server (get a Linux server with Internet access, installation of this software, initial configuration of the server). If you are evaluating the product, please ask for a ready-to-use evaluation account.
  2. Attachment of remote station by downloading a configuration template, transferring it to the routers via USB stick and joining the stations into the cloud via the control panel.
  3. Attachment of control stations by defining accounts and configuring the stations accordingly (server address, IPsec secret, user name, password)

Conventions

The NetModule M2M Cloud concept uses the following conventions:

  • Remote stations can be attached via OpenVPN and/or Mobile IP. Control stations are attached using L2TP/IPsec.
  • Remote stations attached via OpenVPN have the IP network 10.8.x.0/24, where x is the station number
  • Remote stations attached via Mobile IP have the IP network 10.16.x.0/24, where x is the station number
  • Control stations attached via L2TP/IPsec have the IP address 10.250.0.x, where x is the station number
  • There are two users admin and operator. The operator may not configure the server.

Use Cases

There are basically two network modes that can be applied on the remote stations: natting and routing.

Natting means that the router’s VPN network is mapped to a standard network that is the same at all remote sites (192.168.1.0/24). The advantage is that the devices on all remote sites can be configured identically.

Routing means that no NAT is performed. The router’s VPN network is forwarded (routed) into a unique network for every single site. The advantage of this mode is that no IP packets are modified, so technicians looking into the system may find it easier to immediately understand what is going on.

Combining the two network modes with the two VPN types (OpenVPN and Mobile IP) results in 4 generic use cases:

1:1 NATed Networks with OpenVPN

1:1 NATed Networks with Mobile IP

Routed Networks with OpenVPN

Routed Networks with Mobile IP
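
The addressing conventions and the 1:1 NAT mapping described above can be applied mechanically when reading logs or writing firewall rules. The following shell functions are an added example, not part of the Cloud Router software; the function names are made up here, and it is assumed that 1:1 NAT preserves the host part of the address and that NATed Mobile IP stations are mapped from 10.16.x.0/24 in the same way.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not NetModule code).

# is_octet N -> succeeds if N is a decimal integer 0..255 without leading zeros
is_octet() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -le 255 ]
}

# classify_addr IP -> prints "<role> <station number>" for an address inside
# one of the documented ranges, or "unknown" (exit status 1) otherwise.
classify_addr() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets (digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || { echo unknown; return 1; }
    for o in "$@"; do
        is_octet "$o" || { echo unknown; return 1; }
    done
    case "$1.$2" in
        10.8)   echo "openvpn-remote $3" ;;     # 10.8.x.0/24
        10.16)  echo "mobileip-remote $3" ;;    # 10.16.x.0/24
        10.250) [ "$3" -eq 0 ] && echo "control $4" || { echo unknown; return 1; } ;;
        *)      echo unknown; return 1 ;;
    esac
}

# vpn_addr_for TYPE STATION HOST -> address a control station uses to reach
# the device that is 192.168.1.HOST behind a 1:1 NATed remote station.
# Assumption: the host part is kept unchanged by the 1:1 mapping.
vpn_addr_for() {
    is_octet "$2" && is_octet "$3" || return 1
    case "$1" in
        openvpn)  echo "10.8.$2.$3" ;;
        mobileip) echo "10.16.$2.$3" ;;
        *)        return 1 ;;
    esac
}
```

For example, classify_addr 10.8.7.1 prints "openvpn-remote 7", and vpn_addr_for openvpn 7 50 prints 10.8.7.50 for the device configured as 192.168.1.50 at station 7.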

Installation

For setting up a test installation using VirtualBox, see Cloud Router with VirtualBox.

Hardware Prerequisites

A server with an Intel processor and Internet access is required. This can be a physical root server or a virtual server. As remote stations, the NetModule Router types NB1600, NB2700, NB2710, NB3700, and NB3710 are supported.

Software Installation

The software requires Debian GNU/Linux 8.0 (Jessie) or higher. Both 32-bit (i386) and 64-bit (amd64) versions are supported. For automatic installation, type in a root terminal:

wget -q ftp://share.netmodule.com/router/cloud/install.sh -O - | bash

This will install the dependencies and also the Cloud Router software.
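
The one-line install above executes whatever the FTP server returns, as root, and plain FTP gives no integrity or origin guarantee. The following is an added example, not NetModule's own procedure, that stages the script in a file and runs it only if its SHA-256 digest matches a value you supply. The manual publishes no digest, so the expected value is an assumption: it has to come from the vendor over a separate, authenticated channel. Function names are made up here.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not NetModule code).

INSTALLER_URL="ftp://share.netmodule.com/router/cloud/install.sh"  # URL from the manual

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_installer FILE EXPECTED_SHA256
# -> 0 on exact match, 1 on mismatch, 2 on unusable input
verify_installer() {
    [ -f "$1" ] || return 2
    case "$2" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#2}" -eq 64 ] || return 2
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_and_install EXPECTED_SHA256 -> download to a temp file, verify, then run.
# EXPECTED_SHA256 is an assumption: obtain it from the vendor out of band.
fetch_and_install() {
    tmp=$(mktemp) || return 1
    wget -q "$INSTALLER_URL" -O "$tmp" || { rm -f "$tmp"; return 1; }
    if verify_installer "$tmp" "$1"; then
        bash "$tmp"; rc=$?
    else
        echo "installer digest mismatch, not running $tmp" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Source the file in a root terminal and call fetch_and_install with the digest; nothing is downloaded or executed until that call.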

After the package installation, the cloud router’s control panel is available on http://localhost. You will have to define the administrator’s password, the interface for Internet access, and some more things. Please follow the wizard.

Configuration

Remote Stations

Stations

Parameter: Description
Name: Station name corresponding to the third block in its IP address, e.g. CLIENT_7 has IP address 10.8.7.1
Type: The VPN/tunnelling method that has been used to attach this client
Connected: Whether this client is currently connected or not
Description: A description to remember the station, e.g. Plant 7, Train 5

Configuration Template

Please define the settings to be included in the configuration file that is uploaded to your routers.

Parameter: Description
Router password: The password that will be applied to the router.
Use Ethernet: Configure Ethernet port as DHCP client and use it for Internet connection
Use WLAN: Configure WLAN client and use it for Internet connection
Use SSID: Enter the SSID of the WLAN network that shall be used
Use Security mode: Select a security mode supported by your access point
Passphrase: The password to connect to your access point
Use WWAN: Configure mobile connection and use it for Internet connection
Provider: Configure WLAN client and use it for Internet connection
APN: Enter the SSID of the WLAN network that shall be used
Username: Select a security mode supported by your access point
Password: The password to connect to your access point

Auto Setup Download

Configuration via USB stick: To add a router to the VPN, unpack the downloaded zip file, copy the contents to a USB stick and connect it to your router. The router will connect to the cloud router and appear in the control panel as a remote station to be joined. You can now join this router to the VPN and repeat this step for more routers.
Configuration via manual configuration file upload: Alternatively, you can also add routers to the VPN by downloading the appropriate zip file and uploading it directly using the router’s Web Manager.

Manual Setup

Please define the settings to be included in the configuration file that is uploaded to your routers.

Parameter: Description
VPN Type: The password that will be applied to the router.
Client ID: Station ID corresponding to the third block in its IP address, e.g. Station 7 will have IP address 10.8.7.1
System Type: Select router type
System Serial Number: The serial number of the router, if available
Description: A description in order to remember the station
Use 1:1 NAT: Use 1:1 NAT on the router. The network 10.8.X.0/24 will be mapped to 192.168.1.0/24
Redirect Gateway: Setting this option directs all traffic through the tunnel, i.e. it disables split tunnelling

Control Stations

Here you can add the control stations. Any device that can establish L2TP/IPsec VPN tunnels is supported, including Windows, Linux, Mac OS, Android, Apple iOS and others.

Parameter: Description
User name: Station name corresponding to the third block in its IP address, e.g. CLIENT_7 has IP address 10.8.7.1
VPN IP Address: The IP address of the VPN tunnel on the client side
Connected: Whether this station is currently connected or not
Description: A description to remember the station, e.g. control station 7 or a smart phone

Windows 7 Stations

Enter the host name or IP address of the cloud server. As the type of VPN, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) and click Advanced settings. Enter the preshared secret defined on the server.

Do not use RAS Credentials: VPN connections are stored in the phone book file located under %userprofile%\AppData\Roaming\Microsoft\Network\Connections\PBK\rasphone.pbk. Open this file and set UseRasCredentials=0 to prevent Windows from using these credentials globally.

Split Tunneling: Uncheck "Use default gateway on remote network" under Advanced TCP/IP Options.

Windows 8 Stations

Windows 8 comes with PowerShell. You can start it from the Run dialog (Win + R) by typing powershell and clicking OK.

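add-vpn.ps1
# Connection name shown in Windows, cloud server address, and the IPsec preshared secret defined on the server
$name = "Cloud Router VPN"
$server = "my.cloud.netmodule.com"
$psk = "MyPresharedKey"
# Authentication methods offered for the L2TP user login
$auth = "PAP","CHAP","MSCHAPv2"

# Create the L2TP/IPsec connection with split tunnelling enabled and credentials remembered
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType L2tp -AuthenticationMethod $auth -L2tpPsk $psk -RememberCredential -SplitTunneling -Force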

Apple iOS (iPhone/iPad) Stations

Add a new VPN connection: Fill in Server, Account, Password and Shared Secret.

Server Settings

OpenVPN

Parameter: Description
Enabled: Enable OpenVPN Server
Transport Protocol: OpenVPN transport protocol
Listening Port: OpenVPN server port
Network Address: OpenVPN network
Network Mask: OpenVPN network
Cipher Algorithm: OpenVPN cipher algorithm
Hash Algorithm: OpenVPN hash algorithm
Enable Compression: Enable OpenVPN compression
Enable Keepalive: Enable OpenVPN keep-alive

These parameters cannot be changed after initial server configuration.

Client Defaults

Parameter: Description
Use 1:1 NAT: Use 1:1 NAT on the router. The network 10.8.X.0/24 will be mapped to 192.168.1.0/24
Redirect Gateway: Setting this option directs all traffic through the tunnel, i.e. it disables split tunnelling

Mobile IP

Parameter: Description
Enabled: Enable Mobile IP Home Agent
Network Address: OpenVPN network
Network Mask: OpenVPN network

These parameters cannot be changed after initial server configuration.

Client Defaults

Parameter: Description
Use 1:1 NAT: Use 1:1 NAT on the router. The network 10.8.X.0/24 will be mapped to 192.168.1.0/24

Parameter: Description
Enabled: Enable Mobile IP Home Agent
Preshared secret: The IPsec Preshared Secret
Leases Start Address: L2TP VPN network
Leases End Address: L2TP VPN network

The network parameters cannot be changed after initial server configuration.

Internet Access

Parameter: Description
Server interface: The interface on which the server will listen
Server address: Server address
Server netmask: Server netmask
Default gateway: Default gateway
Name server 1: First name server
Name server 2: Second name server
Fully Qualified Domain Name: This FQDN will be used when generating client configurations
Allow internet access from VPN: Allow Internet access from control and remote stations

The network parameters cannot be changed after initial server configuration.

Change Passwords

Parameter: Description
User: This user’s password will be changed
New Password: The new password
Confirm Password: The new password

Backup / Restore

Parameter: Description
Backup configuration: Save a backup of the configuration
Restore configuration: Restore a configuration from backup

WARNING: Restoring an inappropriate configuration may cause loss of VPN connectivity for all VPN clients.

Maintenance

Parameter: Description
Reboot: This reboots the Linux server, i.e. all services
Reset: This resets the configuration to defaults.

WARNING: Resetting the server deletes all configuration data including client certificates. You will have to set up all VPN clients again.

Samples and Extensions

See Cloud Router Alarms for more information on how to supervise VPN clients and send alarms via e-mail.