Activate and monitor VPN-Tunnel via OPC UA

Hi,

Due to security reasons, we would like to enable and disable the VPN-tunnel from a central point. Next to that, we would need to monitor the actual status of the VPN-tunnel (ON/OFF) and how many people are logged in. The first part, activating VPN remotely, I would like to do by creating a TAG in the EWON (e.g. “VPN_Activate”) and writing 0 or 1 to it via an external client (e.g. Kepware). In the EWON, whenever the TAG-value “VPN_Activate” changes, the VPN-Tunnel needs to be enabled/disabled. Does anyone have experience in doing such a thing remotely through something like KepServerEx?

The next part, enabling/disabling the VPN-Tunnel is not an issue. I do so by changing the COM-parameter “VPNCnxType”. Monitoring that value does give me some difficulties though. At the moment I scripted something that changes a TAG based on the value of “VPNCnxType”. I would prefer to read the value of “VPNCnxType” via OPC UA directly. Is that possible?

Hi @Stijn,

What is your security concern with the VPN being connected? I would recommend visiting the following site for more info about the security of T2M: Security at every level of the Ewon solution

I guess the issue with this is that you will need a connection to the Ewon in order for the Ewon to receive the command. How is it that you will be connected between the Ewon and the Kepware server?

I think the most secure way to send a command would be through the M2Web API, but if you have the VPN disabled this won’t work.

Yes, you can publish any tag in OPC UA by following the instructions on page 11 of the OPC UA Server Guide.

Just to follow up on this, there is no connectivity solution that is 100% secure. If you want to find a way to remotely switch the VPN on or off, you are just “passing the buck” to a different connectivity solution. We have other options, like the option to disable the VPN connection via SMS or HTTP, but that is not more secure in my opinion.

In order to have 100% security, you have to sacrifice connectivity. You can control the VPN or internet connectivity for the Ewon by a physical switch, for example. Depending on the project or outcome, this may make sense or it may not.

If you need connectivity though, the T2M solution is one of the most secure and tested remote connectivity platforms in the market.

Hi Kyle,

Thank you for your response. The security concern is not so much the VPN connection itself. The VPN connection to the EWON Flexy is used by suppliers to connect to our equipment (e.g. PLC) for remote support. Even though we trust our suppliers, we would like to have full control on when the EWONs can be used to connect remotely to it. With enabling/disabling the connection, we ensure that suppliers can only connect to our equipment after we request it.

The Kepware server is hosted locally and can reach the EWONs. This way, having the VPN enabled or disabled should not affect the connection with the Kepware server.

In this case, you could enable/disable the VPN using the tag as you mentioned earlier.

We have an example of how to do this here.

You could create a tag “VPNStatus” and a statement like this:

REM Read the control tag (1 = enable VPN, 0 = disable VPN)
a = GETIO "VPNStatus"
IF (a = 1) THEN
    REM Load the COM config, set VPN to outgoing connection, save it
    SETSYS COM, "LOAD"
    SETSYS COM, "VPNCnxType", 2
    SETSYS COM, "SAVE"
    PRINT "VPN Enabled"
ELSE
    REM Load the COM config, disable VPN, save it
    SETSYS COM, "LOAD"
    SETSYS COM, "VPNCnxType", 0
    SETSYS COM, "SAVE"
    PRINT "VPN Disabled"
ENDIF
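As an added illustration (not part of Kyle's post or Ewon's own examples), the script below binds the handler to the tag change and also mirrors the real "VPNCnxType" value back into a separate tag, so the status published over OPC UA reflects what the Ewon is actually doing rather than what was last commanded. It assumes two tags exist in the Ewon tag list: "VPN_Activate" (written by the OPC UA client) and "VPN_State" (read-only mirror), and that GETSYS returns the COM parameter as a string.

```basic
REM Added example, not from the original thread. Assumed tag names:
REM   VPN_Activate - command tag written by the external OPC UA client
REM   VPN_State    - mirror of the live VPNCnxType value, published read-only
REM Init section: run VpnCtl on every change of VPN_Activate, and
REM poll the real VPN setting every 10 s so the mirror stays honest
REM even if the VPN was switched by another channel (SMS, HTTP, web UI).
ONCHANGE "VPN_Activate", "GOTO VpnCtl"
TSET 1, 10
ONTIMER 1, "GOTO VpnPoll"
END

VpnCtl:
REM Apply the requested state: 2 = VPN outgoing connection, 0 = disabled
a = GETIO "VPN_Activate"
SETSYS COM, "LOAD"
IF (a = 1) THEN
    SETSYS COM, "VPNCnxType", 2
ELSE
    SETSYS COM, "VPNCnxType", 0
ENDIF
SETSYS COM, "SAVE"
REM Refresh the mirror immediately after the change
GOTO VpnPoll

VpnPoll:
REM Read back the stored setting (assumed to be returned as a string)
SETSYS COM, "LOAD"
t$ = GETSYS COM, "VPNCnxType"
SETIO "VPN_State", VAL(t$)
END
```

Publishing "VPN_State" (and not "VPN_Activate") to the OPC UA client gives the central monitor the actual tunnel configuration; a mismatch between the two tags is worth alerting on.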

Hi Kyle,

Thank you for your support. I will be able to start testing the example you gave above in a few weeks. If the solution differs much from above, I will post it here for others to see it in the future.

Thanks @Stijn!