VPN No computer

[Jacky Jackson]

Say I want to make a secure connection like this:


[pc]---cable----->[internet]---cable------>[device without software]

How can I do it? The device is a specialized hardware part in a private network. It cannot run any software. I think I would need a router device with all the VPN tunnelling/software on that device. Hence...

[pc with VPN stuff]---cable----->[internet]----cable---->[router with VPN stuff]---cable--->[device without software]

In my setup, authentication is the principle need. Encryption a plus. Tampering with the data would be unlikely. But if protection against it comes in the box, I am happy with that to. Cost should be as low as possible. The "device without software" is cheap, so the router would add a rather important ratio to the overall price. Preferable the software development costs should be low too. But I can make something myself on the PC side.

 

[Alabalcho]

Your "device without software" - how it is connected to the 'Net? Is it direct connection (e.g. cable/DSL modem and your device), GSM/cellular, or it is part of larger closed network?

 

[Jacky Jackson]

Your "device without software" - how it is connected to the 'Net? Is it direct connection (e.g. cable/DSL modem and your device), GSM/cellular, or it is part of larger closed network?

It is through an ethernet cable. Probably the ISP specific modem/router is before a telephone line or what was originally the TV cable. That option is actually still free. That ISP network gear has a cable that would connect on occasion through an ethernet connection. The cable would not be connected permanently, only when the device needs to be configured.

The device has the possibility to program embedded software, but it cannot run a VPN windows/linux program or something similar. And I would not like to touch that software. It is not a cellular thing, it is a specific hardware device in a larger closed network.

 

[Jacky Jackson]

It would help to know what OS or type of device this is that you are wanting to connect to. If it's a Linux based system, you might be able to just configure SSH and then configure port forwarding through a router.

Well, that is the whole problem I think. It is a specific hardware device with only embedded software on it. So if something like VPN tunneling/encryption/authentication must run, it should run on some dedicated VPN device itself, not that specialized hardware device. Is that possible? That is actually the core question. Can I have VPN to the device without a PC before the internet connection running VPN enabling software.

I cannot put a PC between the device and the connection. For two reasons, first the PC would be very expensive compared to the hardware device and devices in the network, effecting the total cost of the solution, second I should figure out a general solution. If it was only one system, I could get an old PC, put something like Bodhi Linux on it, a low demand Unix system, and configure that. But it should be a generally applicable solution.

 

[Someone Somewhere]

I was going to do something similar a while ago with a Raspberry Pi and a WiFi stick.

I might have another go and post my results, but life is a little hectic currently.

 

[Someone Somewhere]

If you have physical access to the device, you own it no matter what. Putting a raspberry pi or similar immediately beside the device should provide minimal additional risk.

 

[Jacky Jackson]

What kind of device is this, what are you trying to protect, what are you using it for, what are its capabilities, etc.?

If I am vague, it is also because I do not understand everything myself yet. Nor VPN as such, nor the hardware I am connecting too. My apologies.

It is proprietary made hardware. It cannot be bought in a shop. It is not consumer hardware. It is a device that controls other small proprietary hardware items in a network, also not consumer hardware. I dont want to make any changes on that hardware/embeded software. I can ask the embedded software programmer to do that, but only if an out of the box, to be bought solution is not available or expensive.

I guess my question is, can I have VPN with only a bought-in router, without other stuff? What I have understood is that with VPN you have to run something (tunneling, encryption, authentication). That something cannot be on a PC, that is too expensive. It cannot be on the device, that cannot be changed. Can it run on the router itself? Maybe this is a very stupid question, but can you run software on a router? Or do you always have to run something on the device connected to the router?

 

[Jacky Jackson]

Correct me if I'm wrong, but as long as you can't do VPN on the device itself, then wouldn't all packets from the VPN device you want to set up before the device can be sniffed by putting something between the VPN endpoint and the device itself? If so, is it in a secure location where this would be an acceptable risk for whatever you are using it for?

That is no problem. It is in a secure location, the responsibility of the customer, and also no one there would have interest to tamper with the data in that space.

 

[Jacky Jackson]

I am very sorry I have not been clear, I will try to explain the situation by more accurately specifying the goal I am trying to achieve:

In an old situation a field technical guy would go to the device and run a configuration program on a laptop to change the settings. Between the laptop of the technical and the device there is no secure line. It is a meter long and the technical is standing right infront of the device so, no need there.
Now instead of sending a technical, they want the possibility that the customer gives them permission to change the configuration of the device remote. Hence the technical support is now not on location but at the service point in the home office. The customer connects the wire from the device to internet, what happens between internet and device, that is the responsibility of the customer. The route from internet to home office however, that has to be secured somehow, without the customer to be obliged to buy an extra PC, just for the two or three times a year, they want to change those settings.

 

[Someone Somewhere]

What communications protocols do the device support? Is it an HTTP webserver, or telnet or SSH or serial or something?

 

[Alabalcho]

I don't think stand-alone "box-in-the-middle" between the Ethernet connection and that device will help without support from the "master" router. OP stated that this is "large closed network". So whatever we put here at this connection, has to be accessible from the outside world, that is - port forwarding must be in place toward that specific device, for VPN protocol to work. I think it would be much easier if that device' HTTP port (providing it is web server) to be made accessible from the outside.

The only site-independent solution would be for some intermediate device to initiate VPN connection toward a for-the-purpose VPN server, then OP can connect to that same VPN server (thus forming a VPN network with the device), and running whatever software is necessary. This is something an ordinary RPi/BBB can do, but nothing off-the-shelf.

 

[Jacky Jackson]

I will try to answer some questions. I don't understand every yet. For example I did not even know there was some like a firewall appliance. So,I really feel stupid... Sorry I am such a dolt.

What are you wanting to connect to your device from? Windows/Mac Computer, Android Phone, iOS, etc.?

Windows PC, runs a program, uploads information to the hardware device.

Is there a specific program you are using to connect to this device?

Yes. And only this special configuration program can do something useful with it. So the chances of something going wrong are very low. Nevertheless the customer demands 'a save line', if doing so through internet. Which is maybe hosophobial.

What is your estimated budget on the VPN hardware you are wanting to accomplish this?

100 euro

Depending on their network topography and how easily a device would integrate also has an impact on what you could/should use for the VPN hardware.

I don't understand this question to the full 100%. The devices on the network are not very intelligent, cannot do much. Think of things like fire alarm signaling hardware. It aren't PCs or consumer electronic devices. The packets only go from 'the outside world' to the central device. The central device is configured, nothing more happens in the network. Also the whole process of configuration consists of only a few kilobytes of data. And that only half a dozen times a year, when the network master device has to be reconfigured, since f.e. more fire alarm devices are placed in newly constructed rooms.

I think a very cheap router with only a 2 connection points but with VPN enabling stuff on it, would do it. Something like a TL-R600VPN I have found that on the internet.

 

[Jacky Jackson]

What communications protocols do the device support? Is it an HTTP webserver, or telnet or SSH or serial or something?

What normally goes from the laptop to the proprietary hardware device is a specialized proprietary protocol, like directly writing and listening on a socket on TCP.

 

[Jacky Jackson]

Here is a basic diagram of what I picture you needing

That was my guess too. But I have, a probably very novice, question. Say you have more locations you want to remote to, would you need a router for every location at the service centre site? So if you would set this up for ten locations, do you need eleven routers or 20? (Or with n setups, and n+1 routers, or 2n routers)

How do you access this device?

Until now the electrician, the service guy, goes to the location with a laptop.

He then connects to the device through an ethernet cable to the laptop. A configuration is uploaded to the device using a TCP port in the 130XX region. The latter portnumber is adjustable/configurable. So it talks directly 'on the wire', using a custom programmed programmed protocol.

Mostly it is not such a problem the service guy has to go there to upload the configuration, since he would also install a few hardware pieces (like the firecall pieces) in the network and configure some other things. But if he only has to go there to upload a configuration, that is a bit of a waste.

I must also ask a few things from the customer and cram a bit of VPN and Network 1.0.1, so I will reread all this stuff in the weekend, and come back to try to give you guys more accurate information. Thanks very very much for all the advice. Got a lot learn..

 

[Jacky Jackson]

The important things we need to know is how do you connect to the device.

It has an Ip Address, it communicates through a direct tcp socket on a port with a 130XX number. XX can be configured from 01 to 20.
Normally the laptop is in a network where also the device is, and connects through Ip Address and TCP socket.
Does that make sense?

It is for example a sort of central signal dispatcher for fire alarm devices.

 

[Alabalcho]

Jacky, can you talk that site' network administrator to forward an external port to your device? If yes - your problem is solved, ask them to forward external port 12345 to your port 13000, and then you just have to know each customer' external IP address.

If not, the only workable solution is to put another device in between your controller, and your customer' network, and this device to be programmed to "dial" a predefined VPN server under your control. You can then "dial" into that VPN server from anywhere as well, thus forming a VPN network between you and the controller. You will probably still have to talk to the customer to configure his firewall to allow for outgoing VPN traffic.

Did you think about putting a GSM modem next to your device? This way you will be independent of your customers' networks.

 

[Jacky Jackson]

Jacky, can you talk that site' network administrator to forward an external port to your device? If yes - your problem is solved, ask them to forward external port 12345 to your port 13000, and then you just have to know each customer' external IP address.

Yes I can.

Although, I have a few questions. First, I did not even know what forwarding ports was 😱(.., but I have read stuff about that now.

But I have two other questions:
1. Do you mean the port on the support department LAN network, or the port on the customer LAN network where the device is. I suppose the latter, but I am just checking.
2. If you say, my problem is solved, do you mean I do not need a VPN router at all in my set-up?

 

[Jacky Jackson]

Did you think about putting a GSM modem next to your device? This way you will be independent of your customers' networks.

I think that is an idea. The amount of data is really small. That might help picking that as a solution.

But I am thinking about security, how is that managed? A very simple security method would be to just leave the GSM modem switched off, since it would be only used for uploading the configuration. And that happens about two or three times a year, and will take about an hour. I do not need a permanent line available.

 

[Alabalcho]

"Port forwarding" is the term used in NAT (Network Address Translation, the way single real IP address can server many internal nodes) to allow for direct access to a node behind the NAT. So, you can ask the IT department of your customer following questions:
- will they allow your device to be connected to their internal network?
- do their policies allow for NAT Port Forwarding?
- if so: What is their external IP address?
- if so: Can you configure static IP address for your device on their network?
- and finally, what external TCP port can they allocate to you and forward to your device' port 130xx?

 

[Jacky Jackson]

- will they allow your device to be connected to their internal network?
Yes
- do their policies allow for NAT Port Forwarding?
Yes
- if so: What is their external IP address?
Differs, it is a solution for about a hundred customers.
- if so: Can you configure static IP address for your device on their network?
Yes
- and finally, what external TCP port can they allocate to you and forward to your device' port 130xx?
Should differ also since it are about a hundred customers. But it is possible.

Since it is about a hundred customers, making it cheap would make profit. In that light, the rates in Gigabytes I see with those modems are overkill for the device that takes Kilobytes of configuration data a few times a year.

 

[Alabalcho]

Once you answered "Yes" to all of these questions, then you don't need GSM modem. You just need a spreadsheet to keep all these IP addresses and port numbers, once you collect them. You will probably have to setup every customer in turn where there is a tech onsite to connect and configure your device to run on customer' network, and another person to access that device remotely and confirm it's working.

 

[Jacky Jackson]

You will probably have to setup every customer in turn

Okay, I think I understand, but just to double check:

I have one VPN router in the office, a hundred in the field. At the moment I want to change the settings that proprietary device remote, I choose a specific setting in my VPN router in the office, and that will connect to the configured remote VPN router on site. Hence at the office I just need one router for a hundred connections. Not a router for each individual connection?

We are going to make a setup in the office to try this out. We will use a cheap VPN router of about a hundred euro. This would be cost efficient, and save time and money enough for when the technician does not have to go on site. Also I think the VPN device is cheaper than somehow changing the firmware of the device to perhaps do the tunneling directly.

Thanks for all your advice. Well, I know a lot more about VPN and tunneling now.