Control Network Newsletter

BridgeVPN Provides Secure Remote Access with Seamless Integration

American Heating, Inc., a company that designs and implements HVAC systems, incorporated Contemporary Controls' EIGR-VB Skorpion Gigabit IP router to create a secure remote connection over the Internet with seamless integration at the client site. Part of our BridgeVPN solution, the EIGR-VB router supports OpenVPN client/server functionality and can be configured as a wired bridge VPN server with support for up to 10 VPN clients on Windows and Linux PCs.

Headquartered in Portland, OR, American Heating, Inc. provides complete design, construction, and maintenance for commercial and industrial heating, plumbing, ventilation, and air conditioning systems. For this project, they installed the EIGR-VB router behind an existing cellular router. With the EIGR-VB router configured as a bridge VPN server, American Heating was able to add security while reducing setup complexity at the same time. Simultaneous access from multiple PCs allows easy collaboration between engineers and site technicians.

"American Heating has been using two EIGR-VB routers with Cradlepoint cellular routers for several years to connect remotely to our DDC controllers," said Scott Orendorff, Controls Lead at American Heating. "The routers have been so robust and have had virtually no issues, so we decided to replace our other four VPN routers with EIGR-VBs. Once OpenVPN connection setup is configured, the system works flawlessly."

The existing setup used Port Forwarding rules in the cellular router to provide access to the devices at their client site. Port Forwarding rules need to be configured in the router firewall to allow access to an application for the device, and each device needs its own rules. This setup requires constant addition of new Port Forwarding rules if remote access to more devices or services is needed. With BridgeVPN, American Heating completed the VPN setup by generating and testing the required keys and certificates at their office.

The cellular router and EIGR-VB routers were then shipped to the customer to connect their remote site devices. The VPN bridge gives American Heating secure remote access to their customer's equipment without any setup required from the customer. This configuration can be used for initial commissioning as well as programming updates or troubleshooting later.

"Combining the Cradlepoint cellular router with an EIGR-VB router provides a very portable and secure way to access HVAC controls during startup and commissioning," said Jon Vietti, Lead Consultant at Vietti Controls Consulting. "The cellular router is placed into pass-through mode, and the EIGR-VB router manages the OpenVPN security."

VPNs typically require routing over different subnets, but BridgeVPN simplifies setup by using bridge mode with the same subnet. The VPN clients are bridged to the router's local-area network (LAN) side and assigned an IP address from the LAN subnet, which provides the same application experience as if the client devices were part of the router's LAN. In addition, bridge mode allows multicast and broadcast messages to pass through the VPN tunnel, which eliminates the need for a BACnet/IP Broadcast Management Device (BBMD).

Although the EIGR-VB router has many of the same features found in a high-end router, it is simpler to install and commission. A resident DHCP server on the LAN side, a DHCP client on the wide-area network (WAN) side, and Static IP addressing are supported. Configuration is performed from a web browser using the router's built-in webpage interface.

Our BridgeVPN solution is now supported by our EIGR-C Gigabit Cellular IP router. Operating in OpenVPN server mode, the EIGR-C can operate as a wireless bridge VPN server to provide secure remote access over cellular by using a single router.

Offering the same functionality as the EIGR-VB, the EIGR-C router features a built-in cellular modem to link cellular to IPv4 networks, passing appropriate traffic while blocking all other traffic. One network is the local-area network (LAN); the cellular is the wide-area network (WAN). It also has an Ethernet port that can act as the WAN if cellular access is not required. The built-in stateful firewall passes communication initiated on the LAN side while blocking communication initiated on the WAN side. With Port Address Translation (PAT), LAN-side clients can access the Internet. The EIGR-C's OpenVPN client functionality is also compatible with Contemporary Controls' Cloud-VPN service, RemoteVPN.

Visit our BridgeVPN product page to learn more.

 
