Cloud / VPN Service

Cloud / VPN Service allows devices to connect to remote servers through a secure connection.

Prerequisites

This service requires external access to the server on UDP port 1194 (default) for VPN setup, and on TCP port 443 for self-configuration and other advanced features (Cloud Server mode only). Check your configuration and make sure no firewall blocks these ports.

Setup

If you need endpoints behind your gateway device to be reached, make sure Router Service is active and set it up as follows:

This functionality is supported automatically when using a Cloud Server, but requires extra manual setup for a plain OpenVPN server.

Configuration

Configuration options are available in the Services Menu of System Settings (see "System Settings").

| Parameter | Description |
|---|---|
| Enable | Enable the Cloud / VPN Service |
| Autostart | If selected, the application will start when the HMI device is turned on |
| Server type | Select, from the available supported server types, the server type to use |
| Server | Select the Corvina server to use (available only when the selected server type is "Cloud Server") |
| Files | Allows you to upload VPN configuration files (available only when the selected server type is "OpenVPN") |
| Authentication | Select from the available authentication modes: Username/password; Activation code (available only when the selected server type is "Cloud Server"); Certificate (available only when the selected server type is "OpenVPN"); Certificate + username/password (available only when the selected server type is "OpenVPN"); None (available only when the selected server type is "OpenVPN") |
| Username | Enter the username of the remote server account |
| Password | Enter the password of the remote server account |
| Show Password | Displays the typed characters of the password |

Cloud Server

Cloud Server is a VPN-based solution that allows seamless connection of users with gateways and endpoints. It provides a full management infrastructure to make this process painless.

Configuration is downloaded automatically from Cloud Server, so the only required parameters are Server (hostname or IP address), Username and Password.

Error list

| Error | Note |
|---|---|
| System Error - please check resource status | Unpacking downloaded configuration package error |
| Generic Error | Generic Error |
| Configuration missing | Downloaded configuration package is empty |
| Please check credentials | Authentication data error, not present, invalid |
| Request timed out | An API request has not received a response, generic error |
| Invalid activation code | Error from Corvina |
| Activation code not registered | Error from Corvina |
| Local Encloud Service Unreachable | Local service on BSP not active |
| Server Unreachable | Server not reachable |
| Failed verifying Server - check CA certificate | Invalid certificate |
| Generic Server Error | Generic error from Server |
| Server reported Invalid License | Error from Corvina |
| Server reported content not found | Error from Corvina |
| Server Authentication Failure - please check credentials | Invalid credentials |
| Server Authentication Failure - user already connected | The user is valid but is already connected |
| Proxy Authentication Failure - please check credentials | The proxy responded with an error to the authentication request |
| Server Authentication Failure - organization required | The mandatory organization field was not entered |
| Configuration download failed - Please check that your license is valid and credits assigned | Unable to download the configuration |
| VPN Client Failure | VPN client generic error |
| VPN Client Timeout | The VPN client (openVPN) is not responding |
| Bad Client Configuration | The VPN client (openVPN) does not have a valid configuration |

OpenVPN

This mode uses a standard OpenVPN configuration to connect devices.

Case A: Configuration files provided

In remote access environments based on an OpenVPN server, system administrators normally supply a number of OpenVPN configuration files directly to end users.

In this case configuration is straightforward, since it requires only two simple steps:

  1. browse and upload N files (this should include at least a main OpenVPN configuration file, but may also include server and/or client certificates in .pem, .p12 or other formats); make sure you select all necessary files in one shot by using platform-dependent multiselection;
  2. select an appropriate Authentication type and insert credentials if they are required.

You're done! Now press Save, wait a little while, and you should see an updated connection status.

Case B: No configuration files provided

If no configuration files have been provided by your system administrator, you will need to create the OpenVPN configuration file yourself.

Sample 1: Username/Password

This sample uses:

openvpn.conf

   client
   dev tap
   proto udp
   remote testserver.whatever.com 1194
   comp-lzo
   ca cacert.pem
   auth-user-pass			

This configuration file only refers to one external file (cacert.pem), so:

  1. upload the 2 files using the Browse option
  2. enter your allocated Username and Password. Note that the auth-user-pass option can also take a file argument, so you can put the username and password, separated by a newline, in a new file and specify its name there (not recommended); in that case, also select that file when browsing files and choose the None (from file) Authentication method
  3. Save and wait for State change

Sample 2: Plain certificate

This sample uses:

openvpn.conf

   tls-client
   dev tun
   proto tcp
   tun-mtu 1400
   remote testserver.whatever.com 1195
   ca cacert.pem
   cert client.pem
   key client.key
   cipher AES-128-CBC
   comp-lzo
   verb 4

This configuration refers to 3 files (cacert.pem, client.pem, client.key), so:

  1. upload main openvpn.conf and external files (total 4), using the Browse option
  2. since no passwords are required, choose None (from file) Authentication
  3. Save and wait for State change

Sample 3: Password-protected PKCS #12 certificate

This sample uses:

openvpn.conf

   [..]
   pkcs12 mycert.p12							

The PKCS #12 bundle normally contains both the CA certificate and the client keypair, so this configuration file only refers to one external file (mycert.p12). Hence:

  1. upload the 2 files using the Browse option
  2. choose Certificate Authentication
  3. enter the password used to decrypt the PKCS #12 bundle containing your certificate
  4. Save and wait for State change

Sample 4: 2-factor authentication via password-protected PKCS #12 certificate + username/password

This sample uses:

openvpn.conf

   [..]
   pkcs12 mycert.p12
   auth-user-pass															

  1. upload the 2 files using the Browse option
  2. choose Certificate + Username/Password Authentication
  3. insert Username and Password for PSK authentication
  4. insert the PKCS #12 Password
  5. Save and wait for State change
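
A pre-upload check for the procedure in Cases A and B, as an added example (not part of the original documentation or the vendor's software): it lists the files a main configuration refers to, reports which are missing from the upload set, and suggests the Authentication mode chosen in the four samples. The function names, the option subset and the review notes are assumptions of this example.

```python
import shlex

# Options whose first argument names an external file (a subset of OpenVPN's options).
FILE_OPTIONS = {"ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt", "auth-user-pass"}

def parse(conf_text):
    """Return [(option, [args])], skipping blank lines and '#' / ';' comments."""
    options = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        options.append((parts[0], parts[1:]))
    return options

def review(conf_text, uploaded):
    """Check an upload set against the main config; 'uploaded' excludes the config itself."""
    opts = parse(conf_text)
    names = {name for name, _ in opts}
    files = [args[0] for name, args in opts if name in FILE_OPTIONS and args]
    creds_in_file = any(name == "auth-user-pass" and args for name, args in opts)
    prompt_creds = "auth-user-pass" in names and not creds_in_file
    # Authentication mode as chosen in the page's four samples; a pkcs12 bundle
    # is assumed to be password-protected, as in Samples 3 and 4.
    if "pkcs12" in names:
        mode = "Certificate + username/password" if prompt_creds else "Certificate"
    elif prompt_creds:
        mode = "Username/password"
    else:
        mode = "None (from file)"
    notes = []
    if "pkcs12" in names and names & {"cert", "key"}:
        notes.append("pkcs12 cannot be combined with cert/key")
    if creds_in_file:
        notes.append("credentials kept in a plain-text file")
    if names & {"comp-lzo", "compress"}:
        notes.append("compression option present (comp-lzo/compress)")
    if not names & {"remote-cert-tls", "verify-x509-name"}:
        notes.append("server certificate role/name not verified")
    return {"files": files, "missing": sorted(set(files) - set(uploaded)),
            "auth_mode": mode, "notes": notes}

# Constructed input: the Sample 1 configuration from this page.
SAMPLE_1 = ("client\ndev tap\nproto udp\nremote testserver.whatever.com 1194\n"
            "comp-lzo\nca cacert.pem\nauth-user-pass\n")

if __name__ == "__main__":
    print(review(SAMPLE_1, uploaded=[]))
```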

Links

Please refer to openvpn.net for further details.