Cloud / VPN Service
Cloud /VPN Service allows devices to connect to remote servers through a secure connection.
BSP v1.0.117 or greater is required
Prerequisites
This service requires external access to the server for VPN setup (default port UDP/1194)
Setup
If you need endpoints behind your gateway device to be reached, make sure Router Service is active and set it up as follows:
- WAN port (eth0) connected to the main network with Internet access
- LAN port (eth1) connected to one or more endpoint devices (newly-created private network)
This functionality is automatically supported when using a Cloud Server, but will require extra manual setup for plain OpenVPN server.
Configuration
Configuration options are available in the Services Menu of System Settings (see "System Settings").
In case of connectivity error, from the BSP v1.0.348 and later the retry timeout has a geometric progression: starting from 5s, the successive retry is after 2*(Previous Time). This means 5s, 10s, 20s, 40s, etc. until a max retry time of 5 minutes. On previous BSP versions, the retry times was fixed to 5 Seconds.
| Parameter | Description |
|---|---|
| Enable | Enable the Cloud / VPN Service |
| Autostart | If selected, the application will start when the HMI device is turned on |
| Server type | Select, from the available supported server types, the server type to use |
| Server |
Select the Corvina Cloud server to use (available only when the selected server type is "Cloud Server") |
| Files | Allows you to upload VPN configuration files |
| Authentication |
Select from the available authentication modes
|
| Username | Enter the username of the remote server account |
| Password | Enter the password of the remote server account |
| Show Password | Displays the typed characters on the password |
Cloud Server
Cloud Server is a VPN-based solution that allows seamless connection of users with gateways and endpoints. It provides a full management infrastructure to make such process painfree.
Configuration is downloaded automatically from Cloud Server, so the only required parameters are Server (hostname or IP address), Username and Password.
OpenVPN
This mode uses a standard OpenVPN configuration to connect devices.
Case A: Configuration files provided
In remote access environments based on an OpenVPN server, system administrators normally supply a number of OpenVPN configuration files directly to end users.
In such case configuration is quite straight-forward since it requires only two simple steps:
- browse and upload N files (this should include at least a main OpenVPN configuration file, but may also include server and/or client certificates in .pem, .p12 or other formats); make sure you select all necessary files in one shot by using platform-dependent multiselection;
- select an appropriate Authentication type and insert credentials if they are required.
You're done! now press Save, wait a little while and you should see an updated connection status.
Case B: No configuration files provided
If no configuration files have been provided by your system administrator, you will need to create the OpenVPN configuration file yourself.
Sample 1: Username/Password
This sample uses:
- username/passsword-based authenticaition
- LZO compression and TAP device
- server running on UDP port 1194
openvpn.conf
client dev tap proto udp remote testserver.whatever.com 1194 comp-lzo ca cacert.pem auth-user-pass
This configuration file only refers to one external file (cacert.pem), so:
- upload the 2 files using the Browse option
- insert your allocated Username and Password - note that the auth-user-pass option can also take a file argument, so you can even insert newline-separated username and password in a new file and specify its name here (not recommended); in such case you would select also your external file when browsing files and choose None (from file) Authentication method
- Save and wait for State change
Sample 2: Plain certificate
This sample uses:
- plain X509 certificate-based authentation
- LZO compression, TUN device, custom MTU and AES-128-CBC cipher
- server running on TCP port 1195
openvpn.conf
tls-client dev tun proto tcp tun-mtu 1400 remote testserver.whatever.com 1195 pkcs12 mycert.p12 ca cacert.pem cert client.pem key client.key cipher AES-128-CBC comp-lzo verb 4
This configuration refers to 3 files (cacert.pem, client.pem, client.key), so:
- upload main openvpn.conf and external files (total 4), using the Browse option
- since no passwords are required, choose None (from file) Authentication
- Save and wait for State change
Sample 3: Password-protected PKCS #12 certificate
This sample uses:
- certificate-based authentation (password-protected PKCS #12)
- other parameters same as Sample 2
openvpn.conf
[..] pkcs12 mycert.p12
The PKCS #12 bundle normally contains both CA certificate client keypair, so this configuration file only refers to one external file (mycert.p12). Hence:
- upload the 2 files using the Browse option
- choose Certificate Authentication
- insert the password which should be used to unencrypt the PKCS #12 bundle containing your certificate
- Save and wait for State change
Sample 4: 2-factor authentication via password-protected PKCS #12 certificate + username/password
This sample uses:
- both certificate-based authentication (password-protected PKCS #12) and username/password
- other parameters same as Sample 2
openvpn.conf
[..] pkcs12 mycert.p12 auth-user-pass
upload the 2 files using the Browse option
choose Certificate + Username/Password Authentication
insert Username and Password for PSK authentication
insert the PKCS #12 Password
Save and wait for State change
Links
Please refer to openvpn.net for further details.