User Tools
Site Tools
This is an old revision of the document!
Table of Contents
Cloud Router
Introduction
Reason for Cloud Router
This cloud-based M2M solution gives control stations access to remote stations in the field by putting all devices into a common VPN. In particular, it provides the following features:
- Fast and easy configuration of NetModule Routers (automatic setup of remote stations)
- Giving access to remote stations
- Attaching various control stations
- Connection status overview
- Installation of a VPN server on a scalable hardware in the cloud
For small projects with less than 25 clients, using a NB1600 Wireline can be a alternative but does not offer all features of the cloud router, for example the automatic setup. As shown on the picture below, control stations can easily access remote sites and address hosts in each remote network.
Terminology
Control station: A managing station that communicates with the devices in the field. Control stations can be PCs, smart phones, tablets, and so on.
Remote station: A decentral station that needs to communicate with a control station. This can be a plant, a vehicle, and so on.
Cloud router: A intermediary VPN router between control stations and remote stations.
Devices: The equipment in the LAN of the remote stations that needs to be communicated with.
The Steps to Get Up and Running
Basically the following steps are required:
- Setting up the server (get a Linux server with Internet access, installation this software, initial configuration of the server). If you are evaluating the product, please ask for a ready to use evaluation account.
- Attachment of remote station by downloading a configuration template, transferring it to the routers via USB stick and joining the stations into the cloud via the control panel.
- Attachment of control stations by defining accounts and configuring the stations accordingly (server address, IPsec secret, user name, password)
Conventions
The NetModule M2M Cloud concept uses the following conventions:
- Remote station can be attached via OpenVPN and/or Mobile IP. Control stations are attached using L2TP/Ipsec.
- Remote stations attached via OpenVPN have the IP network 10.8.x.0/24, where x is the station number
- Remote stations attached via Mobile IP have the IP network 10.16.x.0/24, where x is the station number
- Control stations attached via L2TP/IPsec have the IP address 10.250.0.x, where x is the station number
- There are two users admin and operator. The operator may not configure the server.
Use Cases
There are basically two network modes that can be applied on the remote stations: natting and routing. Natting means, that the router’s VPN network will be mapped to a standard network that is the same at all remote sites (192.168.1.0/24). The advantage is, that the devices on all remote sites can be configured identically. Routing means, that no NAT is performed. The router’s VPN network will be forward (routed) into a unique network for every single site. The advantage of this mode is, that no IP packets are modified, hence for technicians looking into the system it might be easier that immediately understand what’s going on. Permuting the two network modes with the two VPN types OpenVPN results in 4 generic uses cases:
1:1 NATed Networks with OpenVPN
1:1 NATed Networks with Mobile IP
Routed Networkd with OpenVPN
Routed Networks with Mobile IP
Installation
For setting up test installation using VirtualBox see Cloud Router with VirtualBox.
Hardware Prerequisites
A server with Intel processor and Internet access is required. This can be a physical root server or a virtual server. As remote stations, the Netmodule Router types NB1600, NB2700, NB2710, NB3700, and NB3710 are supported.
Software Installation
The software requires Debian GNU/Linux 7.0 (Wheezy) or higher. Both, 32 (i386) and 64 bit (amd64) versions are supported. For automatic installation type in a root terminal
wget -q ftp://share.netmodule.com/router/cloud/install.sh -O - | bash
This will install the depenencies (apache2 openswan openvpn php5 php5-sqlite sqlite3 sudo zip unzip xl2tpd libevent-2.0-5) and also the Cloud Router software.
Manual installation would be:
apt-get update apt-get -y install apache2 openswan openvpn php5 php5-sqlite sqlite3 sudo zip unzip xl2tpd libevent-2.0-5 arch=$(dpkg --print-architecture) wget ftp://share.netmodule.com/router/cloud/vpnportal_1.0_$arch.deb dpkg -i vpnportal_1.0_$arch.deb # optionally install Mobile IP Home Agent wget ftp://share.netmodule.com/router/cloud/home-agent_1.0_$arch.deb dpkg -i home-agent_1.0_$arch.deb
After the package installation, the cloud router’s control panel is available on http://localhost. You will have to define the administrator’s password, the interface for Internet access, and some more things. Please follow the wizard.
Configuration
Remote Stations
Stations
| Parameter | Description |
|---|---|
| Name: | Station name corresponding to the third block in its IP address, e.g. CLIENT_7 has IP address 10.8.7.1 |
| Type: | The VPN/tunnelling method that has been used to attach this client |
| Connected: | Whether this client is currently connected or not |
| Description: | A description to remember the station, e.g. Plant 7, Train 5 |
Configuration Template
Please define the settings to be included in the configuration file that is uploaded to your routers.
| Parameter | Description |
|---|---|
| Router password: | The password that will be applied to the router. |
| Use Ethernet: | Configure Ethernet port as DHCP client and use it for Internet connection |
| Use WLAN: | Configure WLAN client and use it for Internet connection |
| Use SSID: | Enter the SSID of the WLAN network that shall be used |
| Use Security mode: | Select a security mode supported by your access point |
| Passphrase: | The password to connect to your access point |
| Use WWAN: | Configure mobile connection and use it for Internet connection |
| Provider: | Configure WLAN client and use it for Internet connection |
| APN: | Enter the SSID of the WLAN network that shall be used |
| Username: | Select a security mode supported by your access point |
| Password: | The password to connect to your access point |
Auto Setup Download
Configuration via USB stick
To add a router to the VPN, unpack the downloaded zip file, copy the contents to a USB stick and connect it to your router. The router will connect tp the cloud router and appear in the control panel as remote stations to be joint. You can now join this
router to the VPN and repeat this step for more routers.
Configuration via manual configuration file upload
Alternatively, you can also add routers to the VPN, by downloading the appropriate zip file and directly uploading it using the router’s Web Manager.
Manual Setup
Please define the settings to be included in the configuration file that is uploaded to your routers.
| Parameter | Description |
|---|---|
| VPN Type: | The password that will be applied to the router. |
| Client ID: | Station ID corresponding to the third block in its IP address, e.g. Station 7 will have IP address 10.8.7.1 |
| System Type: | Select router type |
| System Serial Number: | The serial number of the router, if available |
| Description: | A description in order to remember the station |
| Use 1:1 NAT: | Use 1:1 NAT on the router. The network 10.8.X.0/24 will be mapped to 192.168.1.0/24 |
| Redirect Gateway: | Setting this option will direct all traffic through the tunnel, a.k.a disable split tunnelling |
Control Stations
Here you can add the control stations. Supported are any devices that can establish L2TP/IPsec VPN tunnels including Windows, Linux, Mac OS, Android, Apple iOS and others.
User name: Station name corresponding to the third block in its IP address, e.g. CLIENT_7 has IP address 10.8.7.1
VPN IP Address: The IP address of the VPN tunnel on the client side
Connected: Whether this station is currently connected or not
Description: A description to remember the station, e.g. control station 7 or a smart phone
Windows 7 Stations
Enter the host name or IP address of the cloud server: Select type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) and click Advanced settings Enter the Preshared secret defined on the server.
Do not use RAS Credentials
On VPN connections are stored in the phone book file located under:
%userprofile%\AppData\Roaming\Microsoft\Network\Connections\PBK\rasphone.pbk
Open this file and set UseRasCredentials=0 in order to avoid Windows to use these credentials globally.
Split Tunneling uncheck use default gateway on remote network under Advanced TCP/IP Options
Windows 8 Stations
Windows 8 comes with Powershell. You can start it via the execution dialog Win + R by typing powershell and OK
- add-vpn.ps1
$name = "Cloud Router VPN" $server = "my.cloud.netmodule.com" $psk = "MyPresharedKey" $auth = "PAP","CHAP","MSCHAPv2" Add-VpnConnection -Name $name -ServerAddress $server -TunnelType L2tp -AuthenticationMethod $auth -L2tpPsk $psk -RememberCredential -SplitTunneling -Force
Apple iOS (iPhone/iPad) Stations
Add a new VPN connection: Fill in Server, Account, Password and Shared Secret.
Server Settings
OpenVPN
| Parameter | Description |
|---|---|
| Enabled: | Enable OpenVPN Server |
| Transport Protocol: | OpenVPN transport protocol |
| Listening Port: | OpenVPN server port |
| Network Address: | OpenVPN network |
| Network Mask: | OpenVPN network |
| Cipher Algorithm: | OpenVPN cipher algorithm |
| Hash Algorithm: | OpenVPN hash algorithm |
| Enable Compression: | Enable OpenVPN compression |
| Enable Keepalive: | Enable OpenVPN keep-alive |
These parameters cannot be changed after initial server configuration.
Client Defaults
| Parameter | Description |
|---|---|
| Use 1:1 NAT: | Use 1:1 NAT on the router. The network 10.8.X.0/24 will be mapped to 192.168.1.0/24 |
| Redirect Gateway: | Setting this option will direct all traffic through the tunnel, a.k.a disable split tunnelling |
Mobile IP
| Parameter | Description |
|---|---|
| Enabled: | Enable Mobile IP Home Agent |
| Network Address: | OpenVPN network |
| Network Mask: | OpenVPN network |
These parameters cannot be changed after initial server configuration.
Client Defaults
| Parameter | Description |
|---|---|
| Use 1:1 NAT: | Use 1:1 NAT on the router. The network 10.8.X.0/24 will be mapped to 192.168.1.0/24 |
| Parameter | Description |
|---|---|
| Enabled: | Enable Mobile IP Home Agent |
| Preshared secret: | The IPsec Preshard Secret |
| Leases Start Address: | L2TP VPN network |
| Leases End Address: | L2TP VPN network |
The network parameters cannot be changed after initial server configuration.
Internet Access
| Parameter | Description |
|---|---|
| Server interface: | The interface on which the server will listen |
| Server address: | Server address |
| Server netmask: | Server netmask |
| Default gateway: | Default gateway |
| Name server 1: | First name server |
| Name server 2: | Second name server |
| Fully Qualified Domain Name: | This FQDN will be used when generating client configurations |
| Allow internet access from VPN: | Allow Internet access from control and remote stations |
The network parameters cannot be changed after initial server configuration.
Change Passwords
| Parameter | Description |
|---|---|
| User: | This user’s password will be changed |
| New Password : | The new password |
| Confirm Password : | The new password |
Backup / Restore
| Parameter | Description |
|---|---|
| Backup configuration: | Save a backup of the configuration |
| Restore configuration: | Restore a configuration from backup |
WARNING: Restoring an inappropriate configuration may cause loss of VPN connectivity for all VPN clients.
Maintenance
| Parameter | Description |
|---|---|
| Reboot: | This reboots the Linux server, i.e. all services |
| Reset: | This resets the configuration to defaults. |
WARNING: Resetting the server deletes all configuration data including client certificates. You will have to set up all VPN clients again.
Samples and Extensions
See Cloud Router Alarms for more information on how to supervise VPN clients and send alarms via e-mail.