A multi-site VPN setup

Hi, I have an ongoing project to deploy containerized control systems to remote sites.
Each container consists of a PLC, Ignition Edge and multiple other TCP/IP devices on a local subnet.
I would like to install a 4G modem in each container to allow the container to connect to a central VPN server, so all containers are within the VPN network.

Can anyone shed some light on how this can be achieved?

My initial thought is to purchase a 4G modem with VPN server/client function, so I can set up DDNS and OpenVPN to connect each container to the cloud VPN before dispatching it to site.
I found the ASUS 4G-AC68U has the required function, but it's very difficult to find on the market.

All Ignition Edge devices are talking to the cloud via MQTT at the moment; this does not require a VPN setup. But I would like to install a PTZ camera as well. Once installed, the video files are too large to send to the cloud; they have to stay on a local HDD. Once under the same VPN, the Ignition client should be able to view the files easily.

Talk with your ISP; most of them offer a PRIVATE VPN that can be set up, and mine with VERIZON works great. Very affordable.

I maintain remote locations just as you describe. I set up a local LAN at each site, and each site may have all kinds of other devices on the LAN. I can manage every device just as if they were on my shop bench.

This is all done through our Private Cellular Network which is just a large scale VPN.


Private cellular is the simplest to administer. If that isn’t an option for you, consider deploying OpenVPN yourself on the Ignition Edge system. If you are wise, that system is Linux, and OpenVPN on Linux can do just about anything.


A private APN from a cellular provider will work well. The only downside is that you would have to set up port forwarding to access your devices; this may or may not work well in some instances. A VPN would get you direct access to every device behind your modem without the need for port forwarding. Depending on your setup, this may be necessary.

At a minimum I would use a private APN so you don't have a device on a public IP.


I am talking to corporate IT to see if there is any solution from the IT team.

TosiBox would work well for this and be very secure.

Does TosiBox have a 4G modem with VPN built in? I couldn't find the right device on their website.
What price range should I be looking at for each device?

@chaoliang,

We use the Lock 500i (TBL5iCPS) model. Built-in VPN that is plug and play. There are good videos on YouTube demonstrating how it works.

We have their Virtual Central Lock that resides on our server, and then we connect the locks that are in various regions to it over generic 4G cellular. This setup allows the always-on VPN connection for Ignition to receive/request data.

I'd recommend inquiring through TosiBox so they can set you up with the right team/vendors for the best support and pricing.


Wonderful.

Thanks for sharing the information.

I will contact local sales for further discussion.

OpenVPN? Gross. Use wireguard.

I find OpenVPN much more reliably passes through others’ firewalls. Otherwise I’d be delighted to use wireguard.

The upside with WireGuard is that it's less resource hungry than OpenVPN.
I wish my router could do WireGuard, but it still maxes out my 500/500 Mbit connection with OpenVPN though.

You must be doing something else wrong. My OpenVPN infrastructure adds a few percent overhead to the traffic it carries.
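For readers weighing the two options above, here is what the same office-hub topology looks like in WireGuard. This is an added example, not configuration posted by anyone in the thread; the hostname vpn.example.com, the 10.9.0.0/24 overlay, the 192.168.10x.0/24 site LANs and the key placeholders in angle brackets are all assumed values. It shows the two points that matter on a private-IP SIM: the site must initiate the tunnel and send keepalives so the carrier NAT mapping stays open, and routing is expressed entirely through AllowedIPs rather than a separate route table.

```conf
# ---- /etc/wireguard/wg0.conf on the office hub (added example; hypothetical addresses and keys) ----
[Interface]
Address = 10.9.0.1/24
ListenPort = 51820          # UDP only: WireGuard has no TCP/443 fallback if a carrier blocks UDP
PrivateKey = <hub private key>
# The hub forwards laptop -> site packets with the kernel, so it needs net.ipv4.ip_forward=1
# (WireGuard has no equivalent of OpenVPN's client-to-client option).

[Peer]
# site01 router. AllowedIPs doubles as the routing table: packets for 192.168.101.0/24
# are sent to this peer, and packets arriving from it with any other source are dropped.
PublicKey = <site01 public key>
AllowedIPs = 10.9.0.11/32, 192.168.101.0/24

[Peer]
PublicKey = <site02 public key>
AllowedIPs = 10.9.0.12/32, 192.168.102.0/24

[Peer]
# engineering laptop; it only ever sources traffic from its own overlay address
PublicKey = <laptop public key>
AllowedIPs = 10.9.0.100/32

# ---- /etc/wireguard/wg0.conf on the site01 router (private-IP SIM behind carrier NAT) ----
[Interface]
Address = 10.9.0.11/24
PrivateKey = <site01 private key>
# No ListenPort: nothing can reach this side inbound, so it always dials out to the hub.

[Peer]
PublicKey = <hub public key>
Endpoint = vpn.example.com:51820          # the hub's DDNS/static name; the SIM's own IP is irrelevant
AllowedIPs = 10.9.0.0/24, 192.168.102.0/24  # hub overlay plus the other site, reached via the hub
PersistentKeepalive = 25                   # without this the carrier NAT entry times out and the hub
                                           # can no longer reach the site until the site next sends
```

Because the site never listens, the hub's `Endpoint` for each site is learned from the last authenticated packet the site sent, which is why the keepalive is the thing that keeps the "always on" property the original poster wants. Each container must be built with a distinct LAN prefix (101, 102, ...) or the AllowedIPs entries on the hub would overlap and the later peer would silently take the route.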

Just to update:
I have contacted local TosiBox sales and a quote has been provided for my next project. I will see how it goes with the TosiBox system.

Meanwhile, just a quick question regarding the VPN setup on the commercial LTE router.

I have a TP-Link 4G router; it has built-in functions for DDNS and OpenVPN. I have them set up and hope it can work so I can remotely access the site PLC from the software installed on my laptop. Then I realized that the SIM card has an ISP-provided private IP instead of a public IP. I can ask the ISP to assign a public IP to it, but it will be a long process.

Instead of using TosiBox or a similar product, is there any way I can get a local SIM card, plug it into an off-the-shelf commercial router and quickly set up a VPN connection to the site, with a budget under 500 bucks?

Why do you need a static IP on the SIM?

I have an OpenVPN setup at one of my clients.

Running OpenVPN on my laptop, I can create a connection to any device in the field; they are on private IP SIMs. OpenVPN creates a tunnel from the server to the end device; the SIM IP doesn't matter.

DDNS does not work with a private IP SIM behind the ISP firewall.

I have just changed the topology: instead of creating a VPN server on the site router, I created a VPN client on the site router. The site VPN client connects to the VPN server at the office; with my laptop connecting to the VPN server as another VPN client, I can remotely access the site PLC now. Not many routers support the VPN client function; the TP-Link AX20 is one, and less than $200.
With multiple sites connecting to the same VPN server, I believe it achieves the requirements I listed in the post. All clients should be able to talk to each other, and I can centralise the monitoring from the office.

I just don't know how many clients can be connected to the server in this way before the whole VPN network slows down or crashes.

Any suggestions?
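The topology just described (site routers as OpenVPN clients dialing out to one office server, the laptop as another client, every client able to reach every site LAN) can be written down concretely. The following is an added example, not the poster's own router configuration; the server name vpn.example.com, the 10.8.0.0/24 overlay, the certificate common names site01/site02, the 192.168.10x.0/24 site LANs and the file names are assumptions. The parts that make it work across private-IP SIMs are `client-to-client`, the per-client `iroute` entries, and `keepalive`; the parts that keep it safe are `tls-crypt` and `remote-cert-tls`.

```conf
# ---- server.conf on the office OpenVPN server (added example; hypothetical values) ----
port 1194
proto udp                    # change to "proto tcp" and port 443 for a site whose carrier blocks UDP
dev tun
topology subnet
server 10.8.0.0 255.255.255.0           # VPN overlay; must not overlap any site LAN or the office LAN
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt tc.key             # shared key wraps the control channel; unsigned packets are dropped pre-TLS
remote-cert-tls client       # only accept certificates issued with the client extended-key-usage
client-to-client             # forward laptop <-> site traffic inside OpenVPN instead of the host stack
client-config-dir ccd        # one file per certificate CN: fixed overlay address + its LAN (below)
route 192.168.101.0 255.255.255.0       # kernel route to site01's LAN via the tun interface
route 192.168.102.0 255.255.255.0       # site02
push "route 192.168.101.0 255.255.255.0"    # every client (including the laptop) learns the site LANs
push "route 192.168.102.0 255.255.255.0"
keepalive 10 60              # ping every 10 s, restart after 60 s: cellular links drop without notice
max-clients 50               # hard cap; raise as sites are added, the limit is CPU/bandwidth not count
user nobody
group nogroup
persist-key
persist-tun
verb 3

# ---- ccd/site01 (file name must equal the CN of the site router's certificate) ----
ifconfig-push 10.8.0.11 255.255.255.0
iroute 192.168.101.0 255.255.255.0      # OpenVPN-internal route: packets for this LAN go to site01

# ---- ccd/site02 ----
ifconfig-push 10.8.0.12 255.255.255.0
iroute 192.168.102.0 255.255.255.0

# ---- client.ovpn loaded into the site router's OpenVPN client page ----
client
dev tun
proto udp
remote vpn.example.com 1194  # office DDNS/static name; the SIM's private IP never appears anywhere
resolv-retry infinite        # keep retrying DNS and the connection after a cellular outage
nobind                       # do not listen; the router only ever initiates
persist-key
persist-tun
remote-cert-tls server       # refuse to connect to a peer that is not holding a server certificate
ca ca.crt
cert site01.crt              # one certificate per site; revoke it in the CA to cut a site off
key site01.key
tls-crypt tc.key
verb 3
```

Two practical checks before dispatching a container: confirm the router's LAN prefix is unique per site (two containers both on 192.168.1.0/24 cannot both be routed through the server), and confirm the site devices use the router as their default gateway, since replies to the laptop's 10.8.0.x address have to go back through the tunnel. On the "how many clients" question, the server's own `status` log and `max-clients` are the knobs to watch; the per-site load is the traffic you actually push through it, so a handful of PLCs polling is negligible while streaming PTZ video from many sites at once is what will saturate the office uplink first.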

Just to update:

I ended up using the complete solution provided by TosiBox.
Current cost is around AUD 1000 per site setup (TLK175) and AUD 3000 per year for setup of the cloud-based VPN server. 6 sites connected for now. Ignition Gateway talking to site Ignition Edge via MQTT.

Not a bad experience so far.


That’s exciting to hear!