VPN instead of fwd port 502

ganutenator (Lifetime Supporting Member; joined May 2002; Kansas; 1,440 posts)
I usually just forward port 502 to the plc so that I can connect remotely. All I have on the router LAN is an HMI and a PLC running a car wash.

Starting to get some blowback about forwarding a port from some customers that aren't a mom-and-pop operation and have an IT department.

Any good VPN recommendations? Any way I could TeamViewer VPN to the HMI and then forward port 502 to the PLC, or anything tricky like that?
 
Are you looking to make the router at the car wash a VPN server, or client? In any case, I'd use OpenVPN. Completely free, extremely secure with the right settings. We use OpenVPN for our office VPN. Many routers come with OpenVPN client/server built-in.
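A server configuration along these lines is what "the right settings" amount to for this use case: an added example, not the poster's or any vendor's configuration. It assumes OpenVPN 2.5 or later, a tunnel pool of 10.8.0.0/24, a site LAN of 192.168.1.0/24 with the PLC at 192.168.1.10 and the HMI at 192.168.1.11, and the file paths shown; all of those are placeholders.

```conf
# server.conf -- OpenVPN 2.5+ server on the car-wash site router (assumed addresses)
port 1194
proto udp
dev tun
topology subnet

# PKI issued by your own CA (e.g. easy-rsa); file paths are placeholders
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   none                       # ECDHE key exchange; no static DH parameters needed
crl-verify /etc/openvpn/crl.pem # revoke the cert of a lost laptop without reissuing the CA

# Control channel: tls-crypt encrypts and authenticates every handshake packet,
# so unauthenticated probes (Shodan-style scans) get no response at all
tls-crypt /etc/openvpn/ta.key
tls-version-min 1.2
remote-cert-tls client          # only accept certificates issued for client use
verify-client-cert require      # every peer must present a valid client certificate

# Data channel: AEAD ciphers only, no legacy CBC fallback
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Address pool for remote technicians; push only the two hosts they need.
# No redirect-gateway, no client-to-client: a remote laptop sees the PLC and HMI, nothing else.
server 10.8.0.0 255.255.255.0
push "route 192.168.1.10 255.255.255.255"   # PLC (assumed LAN address)
push "route 192.168.1.11 255.255.255.255"   # HMI (assumed LAN address)
max-clients 5

# Operational hygiene and an audit trail of who connected when
keepalive 10 120
persist-key
persist-tun
user nobody                     # unprivileged account names vary by distribution
group nogroup
status /var/log/openvpn-status.log 60
log-append /var/log/openvpn.log
verb 3
```

On the router, pair this with a forwarding rule that only permits traffic from the tunnel interface to the PLC on TCP 502 (and to the HMI on what it needs) and drops everything else from the tunnel, so a compromised technician laptop cannot reach other devices on the LAN. The status file records which certificate is connected from which address, which is the record the customer's IT department will want to see.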
 

We don't currently provide the router, but that could be an option.
 
Since they have their own IT department!!!

Have them set up a VPN tunnel on their router and just provide you with the security parameters that would be required for you to connect.

I'm assuming you can program your local router to meet those requirements (as most routers today have the means of creating/connecting to VPN tunnels).

That's really all that is needed; you probably don't need to purchase anything.
 
^This

I have very good experiences with Tosibox. Plug and play, key-and-lock based VPN. Our clients like it, since they can unplug the device to close access, and only users with a USB key can have access.

At home I use a Netgear router with OpenVPN. Fairly cheap and easy to set up. Not sure how that would do in an industrial environment though.
 
We've been deploying the SonicWall SOHO. I don't love it, but so far it has been able to do everything it has to. It includes an SSL VPN client, which might just be OpenVPN under the hood. Having purchased a dozen in the last decade, none of them have died so far.

https://www.sonicwall.com/SonicWall.com/files/1f/1f1e879e-c911-4aaf-9b8c-3f1f34836e96.pdf

One of our customers uses a WatchGuard Firebox and as the end user of that device I would recommend it: https://www.watchguard.com/wgrd-products/tabletop/firebox-t10

Forwarding port 502 on a publicly accessible IP address to a PLC is asking for trouble. Anyone in the world can do anything they want to your customer's equipment.

The car washes probably all show up here: https://www.shodan.io/search?query=port:502

Shodan is a search engine which scans all of the IP addresses in the world and records the response from all ports... pretty easy for anyone to find your PLCs!
 
If you add up your labour and the cost of the router you might as well just get a small Secomea SiteManager. Couldn't be easier to set up.
 
