VPN-CC for VPN Security Suite

The Welotec VPN Container Client (VPN-CC) is a hardware independent software container. In combination with our Welotec VPN Security Suite the VPN-CC provides secure connections for distributed VPN infrastructures. This enables secure E2E-connectivity with devices and machines in the field. The rollout can be done via cloud, Docker Swarm or Kubernets.

System Requirements

VPN Container Client is released as docker container. System should have following application installed:
Docker Engine - minimum version 19.03.8
Installation procedures for those applications can be found at:
https://docs.docker.com/engine/install/⁠

How to run VPN-CC

1. Download and install Docker Engine (see System Requirements)
2. Download VPN-CC via Docker pull command
3. Create docker volume
4. Run the VPN-CC with the Docker run command

Docker commands

Create Volume To create a new docker volume, you could use this command:

docker volume create vpncontainerclient-volume-filestorage

Run VPN-CC You could use the following example command to start the VPN-CC

docker run -d --restart always \
-e INITIAL_NAME="VPN Container Client" \
-e VSS_ADDRESS=https://smartems.com \
-e VSS_API_USER=vpncontainerclient \
-e VSS_API_KEY=123456 \
-e VSS_LOG_LEVEL=info \
-e VSS_SEND_LOG_LEVEL=info \
-e VSS_CONTACT_INTERVAL=300 \
-e VSS_SEND_LOGS_INTERVAL=120 \
-e VSS_VERIFY_SSL_CERTIFICATE="True" \
-v vpncontainerclient-volume-filestorage:/filestorage \
-v /proc/sys/net/ipv4/ip_forward:/ip_forward \
--device /dev/net/tun:/dev/net/tun \
--network host \
--cap-add NET_ADMIN \
--name vpncontainerclient \
welotec/vpncc:1.3.0

Explanation:
-e parameter sets environmental variables

docker-compose VPN-CC

To start, a Docker-Compose file (.yml) docker-compose is required. This can be started with docker-compose -f vpncc-compose.yml up -d

version: "2.1"

services:
  vpncontainerclient-1.3.0:
    image: welotec/vpncc:1.3.0
    container_name: vpncc
    network_mode: host
    restart: unless-stopped
    environment:
      #INITIAL_NAME: "VPN Container Client" #Please fill in initial instance name, or leave blank to use system hostname
      VSS_ADDRESS: https://SMART-EMS IP # Please fill in smartems instance address
      #VSS_ENDPOINT_PREFIX /api/edgegatewayvcc # Please fill in the API endpoint the VPN Container Client will use. By default /api/vpncontainerclient is used.
      VSS_API_USER: connector #Please fill in VPN Container Client API user
      VSS_API_KEY: 123456 #Please fill in VPN Container Client API password
      VSS_LOG_LEVEL: debug #Lowest log level of messages shown on the docker logs, available options: debug, info, error
      VSS_SEND_LOG_LEVEL: info #Lowest log level of messages sent to Smart EMS, available options: debug, info, error
      VSS_CONTACT_INTERVAL: 300 #Interval of contact to Smart EMS (to check for configuration change), value is in seconds
      VSS_SEND_LOGS_INTERVAL: 120 #Interval of sending logs to Smart EMS, value is in seconds
      DISABLE_IPTABLES_PURGE: "false" #Disabling might solve docker other containers issue
      #In some OS adding iptables rules in container makes docker masquarading rules overriten
      IPTABLES_MASQ_TYPE: "disabled" # Available options: "disabled", "enabled", "iface", "networks"
      # if above is enabled, network from docker0 interface will be used for masquerading, if iface is choosen network from IPTABLES_MASQ_IFACE interface will be used for masquerading, if networks is choosen - networks from IPTABLES_MASQ_NETWORKS will be used for masquerading
      #IPTABLES_MASQ_IFACE: "docker1" # Available after choosing "iface" option above,
      #IPTABLES_MASQ_NETWORKS: "172.17.0.0/16 172.99.3.0/24" #  Available after choosing "networks" option above this parameter if filled adds those rules e.g. "172.17.0.0/16 172.99.3.0/24", or leave empty to disable
      VSS_VERIFY_SSL_CERTIFICATE: "True" #Enables SSL certifictate verification of VPN Security Suite. Set to "False" to disable.
      # If incorrect options are set we should stop container
    cap_add:
      - NET_ADMIN
    volumes:
      - /proc/sys/net/ipv4/ip_forward:/ip_forward
      - "filestorage:/filestorage"
    devices:
      - /dev/net/tun:/dev/net/tun
volumes:
  # Volume for storing files e.g. uuid
  filestorage:
    name: vpncontainerclient-volume-filestorage

How to check if VPN-CC is running

You could check if VPN-CC is running correctly by take a look inside of the docker logs.
docker logs -f vpncontainerclient

Welotec VPN Security Suite

With our software solution Welotec VPN Security Suite users benefit from a fully automated VPN infrastructure enabling connectivity and secure access to devices like HMI, PLC, IPC and machines in the field. It comes with an easy deployment, brings flexibility in case of applications and ads an additional security layer to the network infrastructure. The advantages at a glance:

• Easy setup of automated industrial VPN infrastructures
• VPN concentrator with integrated firewall Embedded
• PKI for automated certificate handling
• Device management for easy rollout of configurations and updates
• Own WebUI for central administration
• REST-API for integration into ERP, Monitoring or SIEM

Learn more about our solution here: https://www.welotec.com/product/welotec-vpn-security-suite/⁠

In case on interest, please get in touch: https://www.welotec.com/contact/⁠

Disclaimer

As a service provider we are responsible according to § 7 Abs.1 TMG for our own contents on these pages according to the general laws. According to §§ 8 to 10 TMG, we are not obliged to monitor transmitted or stored third-party information or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information in accordance with general laws remain unaffected by this. However, liability in this respect is only possible from the time of knowledge of a concrete violation of the law. As soon as we become aware of such infringements, we will remove the content immediately.

Liability for links

Our offer contains links to external websites of third parties on whose contents we have no influence. Therefore, we cannot assume any liability for these external contents. The respective provider or operator of the pages is always responsible for the contents of the linked pages. The linked pages were checked for possible legal infringements at the time of linking. Illegal contents were not recognisable at the time of linking.

A permanent control of the contents of the linked pages is not reasonable without concrete evidence of an infringement. As soon as we become aware of any legal infringements, we will remove such links immediately.

Copyright

The contents and works on these pages created by the site operators are subject to German copyright law. Duplication, processing, distribution and any form of commercialization of such material beyond the scope of the copyright law shall require the prior written consent of its respective author or creator. Downloads and copies of these pages are only permitted for private, non-commercial use.

Insofar as the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, contents of third parties are marked as such. Should you nevertheless become aware of a copyright infringement, please inform us accordingly. As soon as we become aware of any infringements, we will remove such content immediately.