Flexy 205 Permanent VPN Connection

I’m looking to establish a permanent VPN connection between LAN devices and an IoT server and am curious whether this can be facilitated with the Flexy 205. This is theoretical at the moment, so I have no way to do much testing.

Specifically, we are planning to use IFM IO-Link Master Blocks in the field and centrally host an IoT server (IFM Moneo) either at HQ or in the cloud. Moneo is typically an on-premise solution and therefore the dataflow is not encrypted. Technically, the data is sent via MQTT. The preferred solution would be to set up the IO-Link Master Block(s) on the LAN side of the Flexy and then permanently connect them to Moneo via an encrypted tunnel. We could run a VPN server alongside the Moneo instance and then, theoretically, set up a VPN client on the Flexy to connect the two LANs. I know that NAT 1:1 would theoretically allow the IO-Link Master to reach out to the server, but we also need to wrap that traffic in a tunnel for security purposes.

We use an eWon in nearly every machine, and many of those use a PLC, so we leverage DataMailbox to facilitate that dataflow. It would be great if we could use this in those cases where we need a stand-alone condition monitoring system sans PLC. Any suggestions are greatly appreciated!

You can set up the Ewon to connect to your own OpenVPN server. We have instructions here. You can also set it up to connect to a firewall appliance like the Netgate pfSense XG-7100 1U.

In your case though, it might be easier to use the MQTT functionality of the Ewon to communicate with each device, and then send the data using the M2Web API as shown here.

Another alternative would be to send the data using MQTT (encrypted by the Ewon) to another MQTT device (could be on the same server as the Moneo). Are you sure the Moneo doesn’t support encrypted MQTT?

Thanks Kyle! Regarding Moneo encryption, I’m being told that it does not support it. There is a “Security Mode” that can be enabled, but that appears to simply protect access to configuration / settings and not the data flow. I don’t actually have an instance of the server as of yet to experiment with, but I’m being told that the MQTT data in the background uses port 80, so that would definitely be basic HTTP.

Just so I understand fully, the Netgate pfSense appliance would be on the Moneo server side and run the VPN server itself, correct? Then the eWon in the field would be configured to establish the connection to it. One question would be: if the eWon is configured to use OpenVPN to connect to the server, does that impact my ability to connect to the eWon via eCatcher? Our machines are in remote locations, so if something fails with the OpenVPN connection, it would be best if we could still get in via eCatcher to test and update settings as needed.

Interesting idea with retransmitting the MQTT data via the eWon. So, in that case, the eWon would be set up to subscribe to the necessary topics and it would then retransmit all MQTT data. Then, we would subscribe to that MQTT retransmission on the server side with the proper decryption in place.

Since we are already using DataMailbox to return data, I wonder if there would be a way to forego MQTT and switch to something like EtherNet/IP or Modbus and read the data directly from these blocks into tags within the eWon. I’m only familiar with setting this up to read from a PLC, so I’m not sure if it can work this way given how the addressing might be. But IFM offers these IO-Link Masters in a few different protocols: EtherNet/IP, Modbus TCP, Profinet, EtherCAT, Powerlink, as well as MQTT JSON. On the server side, we will have the LR Agent software running, which is able to ingest JSON / CSV, which is how we will be handling data from DataMailbox already.

You can’t use your own OpenVPN server and eCatcher. It’s one or the other. You’d have to connect to it through your own VPN server.

If they have these blocks in Modbus TCP, that would probably be the easiest way to set these up. The Flexy could read the data using Modbus TCP and you could pull the tags from DataMailbox. Of course, you could still use MQTT or maybe Profinet, but Modbus TCP would make for the easiest configuration. This way you could also continue to use eCatcher for the remote access.
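To make the Modbus TCP suggestion above concrete, here is an added example (not eWon, HMS or IFM code) of what polling an IO-Link master over Modbus TCP involves at the wire level. Modbus TCP carries no authentication and no encryption, which is exactly why it belongs on the machine LAN behind the Flexy, with only the DataMailbox or eCatcher path (TLS) crossing the WAN. The client below builds a Read Holding Registers (function code 0x03) request, validates every header field of the reply before trusting it (transaction id, protocol id, length, function code, byte count), surfaces Modbus exception frames instead of decoding them as data, and converts the raw 16-bit registers into typed values. The register layout, scaling factors and field names are constructed for the demo and are not taken from any IFM manual; the sample response bytes are likewise constructed.

```python
"""Minimal Modbus TCP poller for an IO-Link master (added example, stdlib only).

Register addresses, scaling and field names are CONSTRUCTED for illustration,
not taken from an IFM manual. Sample frames are constructed, not captured.
"""
import socket
import struct

FC_READ_HOLDING_REGISTERS = 0x03
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
EXCEPTION_NAMES = {0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
                   0x03: "ILLEGAL DATA VALUE", 0x04: "SLAVE DEVICE FAILURE"}


class ModbusError(Exception):
    """Raised for malformed frames and for Modbus exception responses."""

    def __init__(self, message, exception_code=None):
        super().__init__(message)
        self.exception_code = exception_code


def build_read_holding_request(transaction_id, unit_id, start_addr, count):
    """Return the wire bytes (MBAP header + PDU) of an FC 0x03 request."""
    if not 1 <= count <= 125:
        raise ValueError("FC 0x03 allows 1..125 registers per request")
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, count)
    # The MBAP length field covers the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_response(frame, expected_tid):
    """Validate an FC 0x03 response and return its registers as ints."""
    if len(frame) < MBAP_LEN + 2:
        raise ModbusError("frame too short: %d bytes" % len(frame))
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ModbusError("protocol id %d is not Modbus" % proto)
    if tid != expected_tid:  # reject stale or spoofed replies
        raise ModbusError("transaction id %d, expected %d" % (tid, expected_tid))
    if length != len(frame) - (MBAP_LEN - 1):
        raise ModbusError("MBAP length %d does not match frame size" % length)
    function = frame[MBAP_LEN]
    if function == FC_READ_HOLDING_REGISTERS | 0x80:  # exception: high bit set
        code = frame[MBAP_LEN + 1]
        raise ModbusError("device returned exception %s"
                          % EXCEPTION_NAMES.get(code, hex(code)), code)
    if function != FC_READ_HOLDING_REGISTERS:
        raise ModbusError("unexpected function code 0x%02x" % function)
    byte_count = frame[MBAP_LEN + 1]
    data = frame[MBAP_LEN + 2:]
    if byte_count != len(data) or byte_count % 2:
        raise ModbusError("byte count %d does not match payload" % byte_count)
    return list(struct.unpack(">%dH" % (byte_count // 2), data))


def to_int16(reg):
    """Reinterpret a 16-bit register as a signed value."""
    return reg - 0x10000 if reg & 0x8000 else reg


def to_uint32(high, low):
    """Combine two registers (high word first) into a 32-bit unsigned value."""
    return (high << 16) | low


def decode_process_data(regs):
    """Map raw registers to named values. Layout/scaling is CONSTRUCTED."""
    return {
        "cycle_counter": to_uint32(regs[0], regs[1]),
        "temperature_c": to_int16(regs[2]) / 10.0,   # assumed 0.1 C per LSB
        "pressure_bar": regs[3] / 100.0,              # assumed 0.01 bar per LSB
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ModbusError("connection closed mid-frame")
        buf += chunk
    return buf


def read_holding_registers(host, unit_id, start_addr, count,
                           port=502, timeout=2.0, transaction_id=1):
    """Poll one device over plain (unencrypted) Modbus TCP on the local LAN."""
    request = build_read_holding_request(transaction_id, unit_id, start_addr, count)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        header = _recv_exact(sock, MBAP_LEN)
        remaining = struct.unpack(">H", header[4:6])[0] - 1  # unit id already read
        frame = header + _recv_exact(sock, remaining)
    return parse_read_holding_response(frame, transaction_id)


# Constructed reply to build_read_holding_request(1, 1, 0, 4): four registers.
SAMPLE_RESPONSE = bytes.fromhex("00010000000b01030800001234fff60064")
# Constructed exception reply (ILLEGAL DATA ADDRESS) to the same request.
SAMPLE_EXCEPTION = bytes.fromhex("000100000003018302")

if __name__ == "__main__":
    print(build_read_holding_request(1, 1, 0, 4).hex())
    regs = parse_read_holding_response(SAMPLE_RESPONSE, 1)
    print(regs, decode_process_data(regs))
    try:
        parse_read_holding_response(SAMPLE_EXCEPTION, 1)
    except ModbusError as err:
        print("rejected:", err)
```

Against a real master you would call `read_holding_registers("192.0.2.10", 1, 0, 4)` from a host on the same LAN segment as the block; the strict header checks matter because anything on that segment can answer a Modbus request, so a frame that fails validation is dropped rather than turned into a tag value.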