VPN and Tunneling
The Role of LTE VPN Access to Remote Sites during and after COVID-19
How WebAccess/VPN and LTE devices offer seamless, secure remote access to remote sites
The global pandemic of COVID-19 has increased the urgency and need for upgraded technology solutions to solve unique problems with remote site access. With some U.S. states issuing stay-at-home orders and companies having to figure out how to continue to work with limited or no travel or site visits, many challenges have presented themselves.
From not being able to get to a customer site for needed device information to being stalled on in-progress projects, many are looking to new technology implementation to help similar issues in the near- and far-future. The question of “What’s the new normal going to look like?” is regularly asked.
Remote access via an LTE-based virtual private network (VPN) is one solution that is helping to solve these issues now. Utilizing the Industrial Internet of Things (IIoT), remote access LTE VPN connections are already helping solve problems when people can’t go in person to a customer site, or can’t get Internet access for their machines at a site. It also enables condition-based monitoring and web applications that rely on data from remote assets. And it’s not just about adding more devices to your roster—LTE VPN access to remote sites is about solving existing problems while also creating new opportunities for revenue and service streams.
There are numerous reasons to look to remote access, but some of the main goals include the following:
- Decrease number of truck rolls
- Decrease cost of downtime
- Mitigate the risk of inconsistent and unpredictable on-site visit policies
- Increase health and safety measures
So how do we get there? There are two main ingredients for a successful remote access solution: IP Connectivity and a Network Solution.
Connectivity challenges at remote sites come down to two main hurdles. Remote sites often lack Internet connectivity and customer IT policies often restrict third-party access or even third-party equipment. To combat these connectivity challenges you need two important things: LTE routers and the right Remote Access Network.
LTE Routers
LTE routers provide an independent network for the router and all of the devices connected downstream of it. Utilizing LTE routers means remote devices can send you their data. There is one issue, however: you can’t connect inbound to the remote devices. The whole cellular network is designed around the human factor—like cellphones—and connections need to be initiated by the remote site, so we need another part to the solution: the right remote access network.
Remote Access Network Options
- Non-public and public dynamic IPs – Non-public and public IP addresses available from your carrier not only create a serious security risk, but can also cost you money as you pay for the cellular traffic of all those intrusion attempts in addition to your own bandwidth usage.
- Private APNs are available from most carriers, and can be a good—though costly—solution in many ways. However, by relying on the cellular carrier, you are also losing the flexibility to use other carriers who may have better coverage or pricing in the future.
- Traditional VPN client/server gives you a secure, private connection and flexibility across carriers, but this solution can be cumbersome when managing large networks of remote devices.
None of the above remote access network options have every needed element for successful remote access applications, such as security, scalability, and flexibility. VPN technology is worth a deeper review. Many of us are familiar with traditional VPNs, where a remote worker takes their laptop or device to an offsite location with Internet access. Then, they can initiate the VPN connection to the VPN server on the office network. A secure “tunnel” is created between the VPN client (laptop) and office network, providing access to all the network resources just as if they were at the office in-person.
But applying that technology in an IoT application flips the traditional model on its head.
The Answer is VPN Access Utilizing the IoT
Traditionally, a VPN client (remote worker and their laptop) is accessing central resources, but when utilizing the IoT, centralized and distributed resources need access to the remote client. Additionally, there may be multiple users, sites, and locations that need access to that machine, such as headquarters, a service center, or mobile field service staff. The machine needs to initiate the connection automatically. And there’s usually a network of remote devices that need to be reached at any given site, such as human machine interfaces (HMIs), industrial PCs, drives, etc.
This is where WebAccess/VPN from Advantech comes into play. With WebAccess/VPN, there is a set of VPN services for connectivity, connection management, and monitoring of Advantech routers and the LANs behind them. It offers a scalable connection because the VPN server can handle thousands of routers, and it’s flexible because it can be hosted on premise or in AWS. WebAccess/VPN is secure; all the network traffic is secured in OpenVPN tunnels and it is carrier independent and customer owned.
With WebAccess/VPN, communication among devices and third-party devices is encrypted. Each device, or router, has to establish an encrypted VPN connection. Only devices with valid certificates can connect to each other, and HTTPS is used for the VPN portal UI connection. WebAccess/VPN provides complete supervision over the network and builds a hardened private environment on top of the Internet. Devices are not accessible from the public Internet.
Key security factors include the following:
- All connecting devices must be validated
- Full-time encryption over all phases of communications
- VPN tunnel established using strong cryptography
WebAccess/VPN also has a sub-network concept for inter-router access control. The sub-network allows users to create “fine-grained groups” of router visibility and reachability. The routers are grouped into sub-networks, and a router can join one or more sub-networks. This feature allows you to create separate groups of routers that are visible to each other, and also to assign a router to several sub-networks concurrently. It allows users to truly manage large networks of sub-networks to provide all levels of access and control.
To reach the devices connected downstream of the router, WebAccess/VPN supports 1:1 NAT mode so each local LAN IP address can be translated to a virtual address space and accessed remotely. Utilizing 1:1 NAT mode, users can remotely connect to up to 254 devices behind each router.
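The two mechanisms just described, sub-network membership for router-to-router reachability and 1:1 NAT for reaching hosts behind a router, can be modelled in a few lines. The following is an added illustration, not Advantech's code and not WebAccess/VPN's actual implementation; the router names, LAN ranges, virtual ranges and sub-network names are constructed. It also shows why 1:1 NAT matters in practice: several sites that all use the same factory-default LAN range still get distinct, non-overlapping virtual addresses.

```python
import ipaddress
from itertools import combinations

class Router:
    """Constructed model of one LTE router: its real LAN, the virtual range a
    WebAccess/VPN-style 1:1 NAT maps it to, and its sub-network memberships."""

    def __init__(self, name, lan, virtual, subnets):
        self.name = name
        self.lan = ipaddress.ip_network(lan)
        self.virtual = ipaddress.ip_network(virtual)
        # 1:1 NAT is a pure offset translation, so both ranges must be equal-sized
        if self.lan.prefixlen != self.virtual.prefixlen:
            raise ValueError(f"{name}: LAN and virtual ranges must be equal-sized")
        self.subnets = frozenset(subnets)

    def to_virtual(self, lan_ip):
        """Translate a LAN host address to the address a remote user dials."""
        ip = ipaddress.ip_address(lan_ip)
        if ip not in self.lan:
            raise ValueError(f"{ip} is not in {self.name}'s LAN {self.lan}")
        offset = int(ip) - int(self.lan.network_address)
        return ipaddress.ip_address(int(self.virtual.network_address) + offset)

    def to_lan(self, virtual_ip):
        """Reverse translation, as the router would do for an inbound packet."""
        ip = ipaddress.ip_address(virtual_ip)
        if ip not in self.virtual:
            raise ValueError(f"{ip} is not in {self.name}'s virtual range {self.virtual}")
        offset = int(ip) - int(self.virtual.network_address)
        return ipaddress.ip_address(int(self.lan.network_address) + offset)

def can_reach(a, b):
    """Two routers see each other only if they share at least one sub-network."""
    return bool(a.subnets & b.subnets)

def check_virtual_space(routers):
    """Virtual ranges must not overlap, or the central side could not route by address."""
    for x, y in combinations(routers, 2):
        if x.virtual.overlaps(y.virtual):
            raise ValueError(f"virtual ranges of {x.name} and {y.name} overlap")
    return True

# Constructed sample: three sites with the same default LAN behind different routers.
SITE_A = Router("site-a", "192.168.1.0/24", "10.10.1.0/24", {"east-region", "service"})
SITE_B = Router("site-b", "192.168.1.0/24", "10.10.2.0/24", {"west-region", "service"})
SITE_C = Router("site-c", "192.168.1.0/24", "10.10.3.0/24", {"west-region"})
```

A /24 virtual range gives 254 usable host addresses per router, matching the limit quoted above; a router in the "service" sub-network is reachable from every other member of that group regardless of region.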
WebAccess/VPN isn’t just a solution for Advantech routers—other stand-alone VPN clients can be added. This can include a laptop, tablet, smartphone, etc., which allows remote access from various devices and clients so that your mobile or field workforce can connect to your devices from any location. These features and benefits all add up to create a powerful tool for seamless, secure remote access to all of your remote sites and assets.
To learn more, you can visit Advantech online at https://ep.advantech-bb.cz/products/software/webaccess-vpn, or watch this video on Remote Management Access with WebAccess/VPN: https://youtu.be/JYEj9knKfc0.
By Mike Fahrion, CTO of Advantech IIoT Solutions, and Andrew Lund, Advantech LTE product manager