This use-case describes how to scale a private VPN setup. Ewon Flexy and/or Cosy+ units can connect as OpenVPN clients to an Anybus Defender acting as VPN server; however, depending on model and traffic load, a Defender can only handle a limited number of clients. To scale up, a second Defender can be deployed in parallel. This use-case describes how to set up the routing so that all spokes are reachable regardless of which Defender a user connects to.
Anybus Defender
Ewon Cosy+
Ewon Flexy
First Defender
On this Defender we will set up two VPN servers: one for the Flexy/Cosy+ units to connect to, and a second for PC clients to connect to. In this way each server uses its own IP subnet and interface, and the firewall rules on those interfaces dictate the security policy for traffic between them.
Create two servers on one of the Defenders, one for the Flexy/Cosy and one for the Engineering users.
Follow this guide for setting up the VPN for PC clients, using the built-in wizard: https://support.hms-networks.com/hc/en-us/articles/32510760936978-How-to-Setup-an-OpenVPN-server-on-Anybus-Defender We call this VPN server "PC".
Follow this guide for connecting Cosy+/Flexy units as VPN clients: https://support.hms-networks.com/hc/en-us/articles/26680200195986-How-to-configure-the-Anybus-Defender-as-VPN-Server-for-Ewon-Flexy-Cosy We call this VPN server "Flexy".
NOTE: Deviating from the guide above, you must change the Server Mode to Remote Access (SSL/TLS) and the Device Mode to tun - Layer 3 Tunnel Mode, as in the screenshot below:
Edit the server configuration "Flexy" and change the settings.
Further down settings can remain the same:
Choose an IPv4 Tunnel Network and enter the local networks on the Defender that you want to announce to the VPN spokes. You can also allow inter-client communication here. In Custom options write what you see below:
route 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 172.1.0.0 255.255.255.0
push "route 172.1.0.0 255.255.255.0"
When configuring these servers, you define which networks are reachable through them. For example, when you add:
route 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
you are doing two things:
route 10.0.0.0 255.255.255.0
This line is applied on the Defender itself. It adds 10.0.0.0/24 to the Defender's routing table with the OpenVPN tun interface of this server as next hop, so traffic the Defender receives for that network (from its LAN or from the PC VPN) is handed to the Flexy server. Which connected client actually owns the subnet is decided by the iroute entry in that client's Client Specific Override (see below); without the route line the Defender would never send the traffic into the tunnel in the first place.
push "route 10.0.0.0 255.255.255.0"
This line is sent to every client that connects. It instructs the client to add the same route on its own side, pointing into the tunnel:
"Send traffic destined for 10.0.0.0/24 through the VPN tunnel."
The following is the configuration for the VPN server connecting Engineering users. Using the wizard gives a good default configuration; verify it with the steps below:
Use either Remote Access (SSL/TLS) or Remote Access (SSL/TLS + User Auth). The difference is that with User Auth you choose an authentication database for the users, and each user must log in with a username and password in addition to presenting a certificate before the VPN connection is established.
Edit the server configuration "PC" and change the settings.
Choose a Tunnel Network and enter the networks that can be reached from the server:
Further down you need to push routes to the connecting VPN clients, announcing that they should use the VPN tunnel to reach these networks. In our case we want to announce all the VPN networks.
In Custom options write what you see below:
route 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "route 20.0.0.0 255.255.255.0"
push "route 172.20.0.0 255.255.255.0"
To add more Ewon devices, as in the diagram above, use the following additional lines.
Device B:
route 10.0.1.0 255.255.255.0
push "route 10.0.1.0 255.255.255.0"
Device C:
route 10.0.2.0 255.255.255.0
push "route 10.0.2.0 255.255.255.0"
You could also use a single summary route:
route 10.0.0.0 255.255.0.0
push "route 10.0.0.0 255.255.0.0"
This covers all the device LANs in one pair of lines, provided every spoke LAN falls inside 10.0.0.0/16 and that range is not used anywhere else (for example by a tunnel network or the Defender LAN). You need a grasp of IP subnetting to choose the summary safely.
We must create a user for each Flexy/Cosy+ device and for each Engineering user that will connect to the servers on this Defender:
To create new users, go to System -> User Manager:
Press "+Add".
User for Flexy205:
Scope: Remote.
Username: flexy205.
Check "Click to create a user certificate".
Descriptive name: flexy205
Certificate authority: Flexy205 (the one created during the first wizard).
Save.
Choose the correct Certificate Authority depending on whether you are creating a user for an Ewon device or for an Engineering user.
A list of current users is displayed:
Each user has a certificate stored with it; you can see it by editing the user. For the Flexy users:
And for the Engineering Users:
We will now add each Flexy/Cosy+ LAN to its user in "Client Specific Overrides" so that the LAN can be accessed.
Go to VPN -> OpenVPN -> Client Specific Overrides
Make sure to select the Server the user belongs to in Server List.
Add
iroute 10.0.0.0 255.255.255.0
in Advanced on the Client Specific Override for each Flexy.
The other Ewon devices would have the following configurations:
IPv4 Remote Networks: 10.0.1.0/24
Advanced: iroute 10.0.1.0 255.255.255.0
and
IPv4 Remote Networks: 10.0.2.0/24
Advanced: iroute 10.0.2.0 255.255.255.0
and so on.
The iroute command is what ties a specific subnet to a specific VPN client.
Without it, the Defender would know that the subnet exists (from the route line on the server) but not which connected device owns it, and traffic for that subnet would be dropped.
So when you configure:
iroute 10.0.0.0 255.255.255.0
you are effectively saying:
"Traffic to this network should go through this specific VPN client."
This is what makes communication to individual remote sites work correctly.
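The route, push "route" and iroute lines above are generated per spoke and are easy to get wrong by hand once there are several devices. The following is an added example (not part of this article or of the Defender firmware) that produces the server Custom options and the per-client override lines from an inventory of spokes, checks that no spoke LAN overlaps another spoke or a tunnel network, and computes the tightest summary route for the single-line variant described above. The device names, the 10.0.x.0/24 LANs and the tunnel networks are constructed for the example.

```python
"""Generate OpenVPN hub options for several Flexy/Cosy+ spokes.

Added example; not HMS code. The inventory below is constructed.
"""
import ipaddress

# Constructed inventory: client certificate name -> LAN behind that spoke.
SPOKES = {
    "flexy205": "10.0.0.0/24",
    "flexyB": "10.0.1.0/24",
    "flexyC": "10.0.2.0/24",
}
# Networks pushed to the spokes in addition to the spoke LANs
# (the article pushes the Engineering VPN network 172.1.0.0/24).
EXTRA_PUSH = ["172.1.0.0/24"]
# Tunnel networks of the two servers on this Defender (assumed values).
TUNNELS = ["172.20.0.0/24", "172.1.0.0/24"]


def _dotted(net):
    """Return (network address, netmask) strings as OpenVPN expects."""
    n = ipaddress.ip_network(net, strict=True)
    return str(n.network_address), str(n.netmask)


def check_overlaps(spokes, tunnels):
    """Return (name_a, name_b) pairs whose subnets overlap.

    An overlapping spoke LAN cannot be routed unambiguously; fix the
    addressing before writing any route/iroute lines.
    """
    nets = {name: ipaddress.ip_network(n) for name, n in spokes.items()}
    for i, t in enumerate(tunnels):
        nets[f"tunnel{i}"] = ipaddress.ip_network(t)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def server_custom_options(spokes, extra_push=()):
    """Lines for the server's Custom options box.

    'route' installs the kernel route on the Defender into the tun
    interface; push "route" makes every connecting client add it too.
    """
    lines = []
    for net in spokes.values():
        addr, mask = _dotted(net)
        lines.append(f"route {addr} {mask}")
        lines.append(f'push "route {addr} {mask}"')
    for net in extra_push:  # already reachable from the server, push only
        addr, mask = _dotted(net)
        lines.append(f'push "route {addr} {mask}"')
    return lines


def client_overrides(spokes):
    """Per-client Client Specific Override: Remote Network field and the
    iroute line that ties the LAN to this client's certificate name."""
    out = {}
    for name, net in spokes.items():
        addr, mask = _dotted(net)
        out[name] = {"remote_network": net,
                     "advanced": f"iroute {addr} {mask}"}
    return out


def summary_route(spokes):
    """Smallest single prefix covering all spoke LANs (the one-line
    'route 10.0.0.0 255.255.0.0' variant, but as tight as possible)."""
    nets = [ipaddress.ip_network(n) for n in spokes.values()]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary)


if __name__ == "__main__":
    if check_overlaps(SPOKES, TUNNELS):
        raise SystemExit(f"overlapping subnets: {check_overlaps(SPOKES, TUNNELS)}")
    print("\n".join(server_custom_options(SPOKES, EXTRA_PUSH)))
    for name, cso in client_overrides(SPOKES).items():
        print(name, cso)
    print("summary:", summary_route(SPOKES))
```

Run the overlap check before pasting anything into the Defender: a spoke whose LAN collides with a tunnel network or with another spoke will silently break routing for both, and the summary route only works if nothing else on the hub lives inside the summarised prefix.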
Interfaces for OpenVPN
Make sure that the OpenVPN servers have an interface assigned and that it is enabled. Check Interfaces -> Assignment; you should see this:
If not, click the dropdown menu beside "Available network ports", select ovpns1 (Flexy) and press +Add. Click the name of the newly added interface. In the new window, enable the interface and give it a name in the Description box.
Gateway, Routes & Rules.
Now we will create new Gateways for the routing.
Go to System -> Routing -> Gateways -> +Add
Interface: WAN
Name: Scada
Gateway: 10.10.10.2
Save.
This points to the other Defender's WAN IP.
Routes:
Go to System -> Routing -> Gateways -> Static Routes
We create two routes, one for each Flexy/Cosy+ LAN. The first is for the device connected to the server on this same Defender (used, for instance, by traffic coming from the Engineering user VPN), and the second is for the device connected to the other Defender.
10.0.0.0/24 is the LAN of the Flexy205.
Gateway: VPN_FLEXY_VPNv4
VPN_FLEXY_VPNv4 is the Gateway created for the VPN_FLEXY Interface.
20.0.0.0/24 is the LAN of the Cosy+.
Gateway: Scada - 10.10.10.2
On the WAN interface we change the IPv4 Upstream gateway to the Scada gateway we just created.
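To check that the static routes on the two hubs agree with each other, here is an added example (not from the article) that walks a destination address through both Defenders' routing tables with longest-prefix matching. The two tables are transcribed from the text of this use-case; the default routes follow from setting each WAN upstream gateway to the "Scada" gateway, and the test addresses are assumed. It also shows two things worth knowing about this design: a spoke LAN that exists only in an OpenVPN server (like the 10.0.1.0/24 "Device B" LAN above) is unreachable from the other hub until a static route is added there too, and with both upstream gateways pointing at each other, anything with no more specific route bounces between the two Defenders until its TTL expires.

```python
"""Longest-prefix-match trace across the two Defenders' static routes.

Added example, not part of the article. Route tables are transcribed
from the use-case text; default routes and test hosts are assumed.
"""
import ipaddress

# Defender A hosts the "Flexy" and "PC" servers; Scada = Defender B's WAN.
DEFENDER_A = [
    ("10.0.0.0/24", "VPN_FLEXY_VPNv4"),  # Flexy205 LAN, local OpenVPN server
    ("20.0.0.0/24", "Scada"),            # Cosy+ LAN, via Defender B (10.10.10.2)
    ("0.0.0.0/0", "Scada"),              # WAN upstream gateway set to Scada
]
# Defender B hosts the "Cosy" server; Scada = Defender A's WAN.
DEFENDER_B = [
    ("20.0.0.0/24", "VPN_COSY_VPNv4"),   # Cosy+ LAN, local OpenVPN server
    ("10.0.0.0/24", "Scada"),            # Flexy LAN, via Defender A (10.10.10.1)
    ("0.0.0.0/0", "Scada"),
]
TABLES = {"A": DEFENDER_A, "B": DEFENDER_B}
PEER = {"A": "B", "B": "A"}  # the Scada gateway is the other hub's WAN


def lookup(table, dst):
    """Return the gateway name for dst using longest-prefix match."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def trace(dst, start="A", max_hops=4):
    """Follow a packet hub to hub until it enters a VPN interface.

    Returns the hop list, e.g. ['A', 'B', 'VPN_COSY_VPNv4']. If the last
    element is still a hub name after max_hops, the packet is looping.
    """
    hops, here = [start], start
    for _ in range(max_hops):
        gw = lookup(TABLES[here], dst)
        if gw != "Scada":
            hops.append(gw)
            return hops
        here = PEER[here]
        hops.append(here)
    return hops


def is_loop(hops):
    """True when the trace never left the two hubs."""
    return hops[-1] in TABLES


if __name__ == "__main__":
    for dst in ("10.0.0.5", "20.0.0.5", "10.0.1.7", "8.8.8.8"):
        for start in ("A", "B"):
            h = trace(dst, start)
            print(dst, "from", start, "->", h, "(LOOP)" if is_loop(h) else "")
```

The loop case is the one to watch in production: add a static route on both hubs for every spoke LAN, and keep a real upstream for traffic that is not meant for the VPN, otherwise a mistyped destination costs you a round trip per TTL decrement between the two firewalls instead of a clean ICMP unreachable.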
Rules:
To add a rule press the Add button: the one with an arrow up adds the rule at the top and the arrow down adds it at the bottom. Rules are evaluated from the top and the first match wins, so a rule placed above takes precedence over the rules below it.
Action: Block
Protocol: Any
Save.
This deny-everything rule is added at the bottom of every interface rule tab, so anything not explicitly passed by a rule above it is dropped.
Here a rule for port 5020 has been added for SCADA to work. You can tighten security by restricting Source and Destination to the specific IP addresses involved.
Action: Pass
Protocol: TCP
Port: From - 5020, To - 5020
Save.
Here two ICMP rules have been added to test connectivity by pinging the devices behind the Flexy/Cosy+ LANs.
Action: Pass
Protocol: ICMP
Source: 172.1.0.0/24
Destination: 20.0.0.0/24 or 10.0.0.0/24
Second Defender
On this Defender we will set up one VPN server for Flexy/Cosy+ units to connect to. The server uses its own IP subnet and interface, and the firewall rules on that interface dictate the security policy.
NOTE: Deviating from the Flexy/Cosy guide linked above, you must change the Server Mode to Remote Access (SSL/TLS) and the Device Mode to tun - Layer 3 Tunnel Mode, as in the screenshot below:
Edit the server configuration "Cosy" and change the settings.
Choose an IPv4 Tunnel Network and enter the local networks that can be reached through it; you can also enable inter-client communication:
In Custom options write what you see below:
route 20.0.0.0 255.255.255.0
push "route 20.0.0.0 255.255.255.0"
push "route 172.1.0.0 255.255.255.0"
We must create a user for each Flexy/Cosy+ device that will connect to the server on this Defender.
To create new users, go to System -> User Manager:
Press "+Add".
User for Cosy:
Scope: Remote.
Username: cosyplus.
Check "Click to create a user certificate".
Descriptive name: cosyplus
Certificate authority: CosyPlus
Save.
A list of current users is displayed:
Each user has a certificate stored with it; you can see it by editing the user. For the Cosy+ user:
We will now add the Flexy/Cosy+ LAN to the user in "Client Specific Overrides" so that the LAN can be accessed.
Go to VPN -> OpenVPN -> Client Specific Overrides
Enter the LAN network of the Flexy/Cosy+ in IPv4 Remote Network/s (20.0.0.0/24 in this case), and add
iroute 20.0.0.0 255.255.255.0
in Advanced.
Now we will create new Gateways for the routing.
Go to System -> Routing -> Gateways -> +Add
Interface: WAN
Name: Scada
Gateway: 10.10.10.1
Save.
This points to the other Defender's WAN IP.
Routes:
Go to System -> Routing -> Gateways -> Static Routes
We create two routes, one for each Flexy/Cosy+ LAN. The first is for the device connected to the server on this Defender, and the second is for the device connected to the other Defender (where the Engineering users also connect).
20.0.0.0/24 is the LAN of the Cosy+.
Gateway: VPN_COSY_VPNv4
VPN_COSY_VPNv4 is the Gateway created for the VPN_COSY Interface.
10.0.0.0/24 is the LAN of the Flexy205 on the other Defender.
Gateway: Scada - 10.10.10.1
On the WAN interface we change the IPv4 Upstream gateway to the Scada gateway we just created.
Rules:
To add a rule press the Add button: the one with an arrow up adds the rule at the top and the arrow down adds it at the bottom. Rules are evaluated from the top and the first match wins, so a rule placed above takes precedence over the rules below it.
Action: Block
Protocol: Any
Save.
This deny-everything rule is added at the bottom of every interface rule tab, so anything not explicitly passed by a rule above it is dropped.
Here is a rule to allow SCADA to work on port 5020. You can tighten security by restricting Source and Destination to the specific IP addresses involved.
Action: Pass
Protocol: TCP
Port: From - 5020, To - 5020
Save.
and an ICMP rule to allow ping to reach the Flexy/Cosy+ LAN.
Action: Pass
Protocol: ICMP
Source: 10.10.10.1/24
Destination: 20.0.0.0/24
Save.
On the Cosy+/Flexy you will need to go to Setup -> System -> Storage -> Edit COM cfg.
Search for the following parameters and set the values as shown.
VPNCnxType = 2
VPNCfgFile = /usr/<ConfigFileName>.ovpn ("/usr/Anybus-Master-UDP4-1194-flexy205-config.ovpn" in this case)
RTEnIpFwrd = 1 enables IP forwarding on the device
NatItf = 3 sets the NAT interface
VpnFltEn = 0 disables VPN filtering
FwrdToWAN = 1 allows forwarding to the WAN interface
These settings ensure that the Cosy+/Flexy correctly routes traffic between its LAN and the VPN tunnel, allowing devices behind it to be reachable from the VPN.
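Because the COM cfg is edited by hand on every spoke, it is easy to miss one of the six parameters on one device. The following is an added example (not HMS code and not part of this article) that takes the text of a COM cfg, sets the parameters listed above, reports what changed, and verifies the result. The sample configuration is constructed; the file layout (one Key:Value or Key = Value pair per line) is an assumption, and the editor keeps whichever separator each line already uses.

```python
"""Apply the VPN/routing parameters from this use-case to an Ewon COM cfg.

Added example, not HMS code. SAMPLE_COMCFG is constructed; the line
format (Key:Value or Key = Value) is an assumption about the export.
"""
import re

# Parameter values from the use-case (the .ovpn path is the article's).
REQUIRED = {
    "VPNCnxType": "2",
    "VPNCfgFile": "/usr/Anybus-Master-UDP4-1194-flexy205-config.ovpn",
    "RTEnIpFwrd": "1",
    "NatItf": "3",
    "VpnFltEn": "0",
    "FwrdToWAN": "1",
}

# Key, separator (':' or '=' with optional spaces), value.
LINE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)(?P<sep>\s*[:=]\s*)(?P<val>.*)$")

# Constructed sample: a spoke that still has factory-style VPN settings
# and is missing FwrdToWAN entirely.
SAMPLE_COMCFG = """\
Identification:flexy205
VPNCnxType:1
VPNCfgFile:
RTEnIpFwrd:0
NatItf:0
VpnFltEn:1
EthIp:10.0.0.53
"""


def apply_settings(text, required=REQUIRED):
    """Return (new_text, changes).

    changes is a list of (key, old, new); keys absent from the file are
    appended with ':' as separator and reported with old=None.
    """
    changes, out, seen = [], [], set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and m.group("key") in required:
            key, old = m.group("key"), m.group("val")
            new = required[key]
            seen.add(key)
            if old != new:
                changes.append((key, old, new))
            out.append(f"{key}{m.group('sep')}{new}")
        else:
            out.append(raw)  # unrelated parameters are left untouched
    for key, new in required.items():
        if key not in seen:
            changes.append((key, None, new))
            out.append(f"{key}:{new}")
    return "\n".join(out) + "\n", changes


def verify(text, required=REQUIRED):
    """Return the keys that are still not at the required value
    (an empty list means the device is ready for the VPN)."""
    current = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            current[m.group("key")] = m.group("val")
    return [k for k, v in required.items() if current.get(k) != v]


if __name__ == "__main__":
    updated, diff = apply_settings(SAMPLE_COMCFG)
    for key, old, new in diff:
        print(f"{key}: {old!r} -> {new!r}")
    print("still wrong:", verify(updated))
```

Run verify() against the exported COM cfg of every spoke before and after editing; the VPNCfgFile value differs per device, so adjust REQUIRED for each one rather than pasting the flexy205 path everywhere.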