The ESF Virtual Private Network (VPN) Client Service manages an underlying OpenVPN client by connecting it on demand (requested over MQTT) to an Everyware Cloud VPN Service. Once the VPN connection is established, the ESF device can be remotely accessed from a PC using an OpenVPN client, even if the device is in a Network Address Translation (NAT) enabled network. Remote access to the device over the VPN is subject to the usual firewall rules that are set on the device.
The Everyware Cloud VPN provides account isolation, whereby a device will only be able to communicate with devices and VPN clients that belong either to the same account, or to its subaccounts.
This section explains how to set up an ESF device, manage its VPN client from the Everyware Cloud Console, and remotely access it via SSH over the VPN connection.
The OpenVPN package must be installed on the device running ESF. All Eurotech devices natively support this feature.
To manage (connect and disconnect) the OpenVPN client from the Everyware Cloud Console, install the org.eclipse.kura.net.vpn.client deployment package from here.
With the org.eclipse.kura.net.vpn.client installed, a new VpnClient service appears in the Everyware Cloud Console as shown below. Its configuration properties include the username and password of a user in the account with vpn:connect permissions. When a new account is established, a user (`<account name>_vpn`, with vpn:connect permissions) is automatically created.
After the device connects to the Everyware Cloud, it may be selected from the Devices Table in the top portion of the Everyware Cloud Console. Click on the VPN tab in the bottom portion of the Everyware Cloud Console to view and manage its connection status as shown below.
The VPN tab is enabled only if the ESF device has remote VPN management capabilities (i.e., the org.eclipse.kura.net.vpn.client bundle is running on the device).
To connect the ESF device’s VPN client, click the Connect button in the bottom portion of the Everyware Cloud Console. After the client successfully connects to the VPN server, its virtual IP address appears in the VPN tab as shown below.
The ESF VPN client disconnects automatically after a brief inactivity period. To reconnect the ESF VPN client, repeat the above steps as needed.
The VPN selection in the left navigation menu of the Everyware Cloud Console displays the active VPN connections of the selected account in the bottom portion of the console as shown in the screen capture below.
The active VPN connections that appear in the console depend on which account you logged into and, for a parent account, whether subaccounts have been created. Everyware Cloud provides the ability to create subaccounts, whereby a parent account can have subaccounts. In this case, the parent account has visibility into its subaccounts, but those subaccounts have no visibility into each other or into the parent account. Therefore, if you log into the parent account, you may see VPN clients from its subaccounts as well as its own.
Subaccounts are selected from the Account drop-down menu as shown below. Child accounts can be edited through the Child Accounts selection in the left navigation menu of the Everyware Cloud Console also shown below.
As shown in the top portion of the Everyware Cloud Console, the VPN selection provides OpenVPN Client Software links for supported platforms (i.e., Mac OS X, Windows, and Linux) and the ability to download the OpenVPN Client Configuration files that are necessary to connect to the Everyware Cloud VPN server.
To remotely access a device over a VPN tunnel, download and install the OpenVPN client that is appropriate for your platform. Next, download the platform-compliant client configuration file.
When connecting the OpenVPN client to the Everyware Cloud VPN server, log in with the username and password of a user in your account with vpn:connect permissions, using the username format `<EC username>[@<subaccount>][/<device ID>]`.
These parameters are defined as follows:
EC username - identifies a user with vpn:connect permissions as previously described (e.g., myAccount_vpn). (Required field.)
subaccount - specifies a user’s subaccount (e.g., mySubaccount). If this parameter is defined, the parent account will be able to connect to a VPN client that belongs to one of its subaccounts. If this parameter is not defined, the parent account will only be able to connect to the VPN clients that belong to its account.
device ID - identifies the connecting VPN client. If this parameter is defined, the device ID appears in the Active VPN Connections portion of the Everyware Cloud Console.
Once the OpenVPN client is connected to the Everyware Cloud VPN server, the PC client appears as an active VPN connection in the Everyware Cloud Console.
At this point, the ESF device may be accessed from the PC using SSH over the VPN connection. To verify the connection, note the IP address of the target device from the Everyware Cloud VPN client tab and connect to this IP address using SSH. An established SSH connection indicates that the VPN connection is working.
In the same way, the ESF Gateway Administration Console may be accessed over the VPN from a browser.
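The following script is an added example, not part of the Everyware Cloud or ESF documentation, showing the PC-side steps described above on a Linux host: it builds the OpenVPN username in the `<EC username>[@<subaccount>][/<device ID>]` format, writes the credentials to an owner-only `auth-user-pass` file so the password never appears on the command line, starts the OpenVPN client with the configuration file downloaded from the console, and then verifies remote access by attempting an SSH connection to the device's virtual IP. The configuration file name (`ec-client.ovpn`), the log file name, the SSH login name and the use of key-based SSH authentication are assumptions.

```shell
#!/bin/sh
# Added example (not Everyware Cloud / ESF code): connect a Linux OpenVPN
# client to the Everyware Cloud VPN server and verify SSH access to a device
# over the tunnel. File names, SSH user and device IP are assumptions.
set -eu

# Build the OpenVPN username in the documented format:
#   <EC username>[@<subaccount>][/<device ID>]
# Arguments: EC username (required), subaccount (optional), device ID (optional).
# Components containing '@' or '/' are rejected because those characters are
# the field separators of the format and would be mis-parsed by the server.
build_vpn_username() {
    ec_user=$1
    subaccount=${2:-}
    device_id=${3:-}
    [ -n "$ec_user" ] || { echo "EC username is required" >&2; return 1; }
    for part in "$ec_user" "$subaccount" "$device_id"; do
        case $part in
            *@*|*/*) echo "component '$part' must not contain '@' or '/'" >&2; return 1 ;;
        esac
    done
    name=$ec_user
    [ -n "$subaccount" ] && name="$name@$subaccount"
    [ -n "$device_id" ] && name="$name/$device_id"
    printf '%s\n' "$name"
}

# Write the OpenVPN auth-user-pass file (username on line 1, password on
# line 2). The subshell umask makes the file owner-readable only, so the
# VPN password is neither world-readable nor visible in the process list.
write_auth_file() {
    path=$1; username=$2; password=$3
    ( umask 077; printf '%s\n%s\n' "$username" "$password" > "$path" )
    chmod 600 "$path"
}

# Start the OpenVPN client as a daemon with the client configuration file
# downloaded from the Everyware Cloud Console and the credentials file.
start_vpn() {
    config=$1; auth=$2; log=$3
    openvpn --config "$config" --auth-user-pass "$auth" --log "$log" --daemon
}

# Poll until an SSH session to the device succeeds over the tunnel, or give
# up after the timeout. BatchMode avoids hanging on a password prompt, so this
# assumes key-based authentication is configured for the SSH user. The
# device's own firewall rules still apply to traffic arriving over the VPN.
wait_for_ssh() {
    ssh_user=$1; ip=$2; timeout=${3:-60}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if ssh -o BatchMode=yes -o ConnectTimeout=5 "$ssh_user@$ip" true 2>/dev/null; then
            return 0
        fi
        sleep 2
        elapsed=$((elapsed + 2))
    done
    return 1
}

# Usage: sh ec-vpn-access.sh <EC username> <password> <device VPN IP> [subaccount] [device ID]
# The procedure only runs when arguments are given, so the functions above can
# be sourced or exercised on their own.
if [ $# -ge 3 ]; then
    ec_user=$1; password=$2; device_ip=$3
    username=$(build_vpn_username "$ec_user" "${4:-}" "${5:-}")
    auth_file=$(mktemp)
    trap 'rm -f "$auth_file"' EXIT
    write_auth_file "$auth_file" "$username" "$password"
    start_vpn ec-client.ovpn "$auth_file" openvpn.log   # config file name assumed
    if wait_for_ssh root "$device_ip" 60; then           # SSH user assumed
        echo "SSH reachable at $device_ip over the VPN: tunnel is working"
    else
        echo "no SSH session to $device_ip; check openvpn.log and the device firewall" >&2
        exit 1
    fi
fi
```

The credentials file is removed when the script exits; OpenVPN reads it once at startup, so the daemon keeps running after cleanup. If SSH never answers, the two things to check first are the OpenVPN log (authentication or routing failure) and the device's firewall, since the page notes that VPN access is subject to the device's usual firewall rules.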