Wireguard VPN Technology is available as a Connectware service

16 Dec 2019

Connectware users can now benefit from the latest Wireguard VPN service for private, secure and independent remote access. Wireguard is a very easy-to-understand and modern VPN solution. It aims to be faster, simpler and leaner than other technologies such as IPSec and OpenVPN. A combination of extremely efficient cryptographic primitives and the fact that Wireguard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.

Use Cases

  • Remote access for machine manufacturers
  • Remote access for factory operators
  • Remote access for service providers

Wireguard Connectware Service

The Wireguard service takes advantage of the Connectware service concept, which bundles all activities into a single point of configuration and execution. When a service is enabled, it performs a set of operations on the Connectware; when it is disabled, these operations are removed. This makes enabling and disabling remote access quick and easy, with minimal configuration.

The Wireguard service acts as a VPN gateway on the remote location. A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. You can use this VPN gateway to send traffic securely between, for example, a factory floor and a service technician network.

The Connectware Wireguard service augments a Wireguard interface with an MQTT API for starting and stopping the VPN connection, publishing the generated public key of the client, and emitting the state and config changes of the VPN connection on pre-configured MQTT topics. No additional VPN client software has to be installed on the host machine. Because Connectware services are based on Docker containers, the service is installed in a container, and all the configured network parameters are exposed as environment variables inside that container.

Advantages

  • Service-based remote access requires minimal technical configuration. All the security features are automatically configured. Users only have to configure basic networking parameters and enable the service to establish a remote connection.
  • The remote connection is centrally monitored and managed. Adding and removing VPN gateways is managed through the relay server.
  • IT security policies on the operations site can be enforced by using the built-in MQTT API, which is only accessible through the Connectware MQTT broker, to enable and disable the VPN. This feature ensures that the remote connection is always started from the operations site.

Additional Requirements

  • Service providers have to set up their own public relay server based on the Wireguard protocol for centrally managing all the VPN connections. This server is just a normal Wireguard peer that is able to act as an intermediary between any VPN clients behind NAT.
  • Each client has to be assigned a fixed IP address. Dynamic IP assignment is not possible.
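
The two requirements above can be checked on the relay itself. The following is an added example, not Cybus or Connectware code: it parses a relay-side Wireguard configuration and flags any peer whose `AllowedIPs` is not exactly one fixed host address inside the tunnel subnet, or whose address is already assigned to another peer. The sample configuration, its addresses, the placeholder keys and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed relay config: keys are placeholders, addresses are made up.
RELAY_CONF = """\
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <relay-private-key>

[Peer]
PublicKey = <factory-gateway-public-key>
AllowedIPs = 10.99.0.10/32

[Peer]
PublicKey = <technician-public-key>
AllowedIPs = 10.99.0.20/32
"""

def parse_sections(text):
    """Return [(section_name, {key: value})] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def check_relay(text):
    """Flag peers that break the one-fixed-address rule (one Address assumed)."""
    sections = parse_sections(text)
    iface = next(kv for name, kv in sections if name == "Interface")
    tunnel = ipaddress.ip_interface(iface["Address"]).network
    findings, seen = [], {}
    for kv in (kv for name, kv in sections if name == "Peer"):
        key = kv.get("PublicKey", "?")
        nets = [ipaddress.ip_network(a.strip(), strict=False)
                for a in kv.get("AllowedIPs", "").split(",") if a.strip()]
        if len(nets) != 1 or nets[0].num_addresses != 1:
            findings.append(f"{key}: AllowedIPs must be one host address")
            continue
        ip = nets[0]
        if ip.version != tunnel.version or not ip.subnet_of(tunnel):
            findings.append(f"{key}: {ip} is outside tunnel {tunnel}")
        if seen.setdefault(ip, key) != key:
            findings.append(f"{key}: {ip} already assigned to {seen[ip]}")
    return findings
```

Keeping each peer to a single host address means the relay only accepts and forwards traffic for the one address bound to that peer's public key.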

Additional links

Connectware technical overview
https://learn.cybus.io/lessons/connectware-technical-overview/

Connectware service concept basics
https://learn.cybus.io/lessons/service-basics/

Wireguard technical whitepaper
https://www.wireguard.com/papers/wireguard.pdf