
Setting up an OpenVPN connection between a SCALANCE SC and a PC
Siemens Industrial Security
Siemens Industry Online Support: https://support.industry.siemens.com/cs/ww/en/view/109481101
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several components in
the form of text, graphics and/or software modules. The application examples are a free service by Siemens AG
and/or a subsidiary of Siemens AG ("Siemens"). They are non-binding and make no claim to completeness or
functionality regarding configuration and equipment. The application examples merely offer help with typical
tasks; they do not constitute customer-specific solutions. You yourself are responsible for the proper and safe
operation of the products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the application
examples used by technically trained personnel. Any change to the application examples is your responsibility.
Sharing the application examples with third parties or copying the application examples or excerpts thereof is
permitted only in combination with your own products. The application examples are not required to undergo the
customary tests and quality inspections of a chargeable product; they may have functional and performance
defects as well as errors. It is your responsibility to use them in such a manner that any malfunctions that may
occur do not result in property damage or injury to persons.

Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without limitation, liability for
the usability, availability, completeness and freedom from defects of the application examples as well as for
related information, configuration and performance data and any damage caused thereby. This shall not apply in
cases of mandatory liability, for example under the German Product Liability Act, or in cases of intent, gross
negligence, or culpable loss of life, bodily injury or damage to health, non-compliance with a guarantee,
fraudulent non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for damages
arising from a breach of material contractual obligations shall however be limited to the foreseeable damage
typical of the type of agreement, unless liability arises from intent or gross negligence or is based on loss of life,
bodily injury or damage to health. The foregoing provisions do not imply any change in the burden of proof to
your detriment. You shall indemnify Siemens against existing or future claims of third parties in this connection
except where Siemens is mandatorily liable.
© Siemens AG 2023 All rights reserved
By using the application examples you acknowledge that Siemens cannot be held liable for any damage beyond
the liability provisions described.

Other information
Siemens reserves the right to make changes to the application examples at any time without notice. In case of
discrepancies between the suggestions in the application examples and other Siemens publications such as
catalogs, the content of the other documentation shall have precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of
plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement –
and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and
solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks.
Such systems, machines and components should only be connected to an enterprise network or the internet if
and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls
and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends that product updates are applied as soon as they are available and that the latest product versions
are used. Use of product versions that are no longer supported, and failure to apply the latest updates may
increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under
https://www.siemens.com/cert.

Security: OpenVPN SC <=> Win10


Article ID: 109481101, V1.0, 05/2023 2
Table of contents
Legal information ......................................................................................................................... 2
1 Introduction ........................................................................................................................ 4
1.1 Overview ............................................................................................................... 4
1.2 Mode of operation.................................................................................................. 6
1.3 Components used ................................................................................................. 9
2 Engineering ...................................................................................................................... 10
2.1 Setting up the environment .................................................................................. 10
2.1.1 IP address overview ............................................................................................ 10
2.1.2 Infrastructure overview ........................................................................................ 12
2.2 Preparing the devices .......................................................................................... 13
2.2.1 PCs ..................................................................................................................... 13
2.2.2 Router ................................................................................................................. 16
2.2.3 SCALANCE SC-600 security appliance ............................................................... 17
2.3 Setting up security ............................................................................................... 30
2.3.1 Certificates .......................................................................................................... 30
2.3.2 SCALANCE SC-600 security appliance ............................................................... 37
2.3.3 VPN client on the Microsoft Windows 10 PC ........................................................ 52
3 Operation .......................................................................................................................... 57
4 Appendix .......................................................................................................................... 62
4.1 Service and support............................................................................................. 62
4.2 Industry Mall ........................................................................................................ 63
4.3 Links and literature .............................................................................................. 63
4.4 Change documentation ........................................................................................ 63

1 Introduction
1.1 Overview
Industry 4.0
The Internet serves as an enormous accelerator of business processes and has revolutionized
business operations around the world. The resulting change in the manufacturing industry is
also referred to as Industry 4.0.
Industry 4.0 affects all aspects of the industrial value chain, with industrial communication and
security being the important aspects we will consider here.

Industrial Security
In the face of digitization and the increasing networking of machinery and equipment, data
security must always be taken into account. The use of industrial security solutions precisely
tailored to the needs of industry is therefore of fundamental importance – and should be
inseparably linked with industrial communication.
This includes the following points:
• Use of robust products with security features and security services
• Use of concepts such as "Defense in Depth" and a holistic security concept
Measures
The measures for safe operation in a digital enterprise are:
• Encryption and monitoring of communication
• Access control for industrial components and networks
• Protection of data during transfer and storage
• Authentication of devices and users

VPN as a solution
To ensure secure operation in a digital enterprise, data transmission can be encrypted using a
Virtual Private Network (VPN) to protect against data espionage and tampering. The
communication partners are authenticated to each other before any data is exchanged.

Implementation in practice
You can run the SCALANCE SC industrial security appliance as an OpenVPN server.
This application example shows you how to use the SCALANCE SC industrial security
appliance and a PC to set up a VPN connection. We will use the OpenVPN protocol with X.509
certificates. Two scenarios will be considered:
• OpenVPN connection in routing mode (layer 3)
• OpenVPN connection in bridging mode (layer 2) (only SCALANCE SC63x/SC64x)


Advantages
When you use the SCALANCE SC industrial security appliances, you have the following added
value:
• Protection of networks and individual TIA components according to the "defense in depth"
security concept
• Flexibly configurable security zones
• Controlled and encrypted data traffic between a PC and the SCALANCE SC via OpenVPN
• High security for machines and systems by implementing the cell security concept
• Versatile configuration options with TIA Portal, WBM, command line interface (CLI) and
Simple Network Management Protocol (SNMP)
• Easy integration into existing networks and protection of devices without their own security
functions.

1.2 Mode of operation


Schematic representation
The figure below shows the essential structure of the application example in routing mode:

Figure (routing mode): the service PC with MS Windows 10 (Win10, VPN client) connects through an
internet modem/router with a dynamic WAN IP address, over a VPN tunnel across the internet, to an
internet router with a static WAN IP address and the SCALANCE SC (VPN server), which protects the
automation cell (SIMATIC S7 stations on Industrial Ethernet).
The figure below shows the essential structure of the application example in bridging mode:

Figure (bridging mode): the service PC with MS Windows 10 (Win10, VPN client, static IP address)
connects over a VPN tunnel directly to the SCALANCE SC (VPN server), which protects the automation
cell (SIMATIC S7 stations on Industrial Ethernet).

Description
The connection between the service PC and the automation cell (nodes such as SIMATIC
stations, Panels, drives, PCs) is secured with a VPN tunnel.
The OpenVPN client software is installed on the PC. The OpenVPN client software and one
SCALANCE SC646-2C form the two tunnel endpoints for the secure connection in this example.
The SCALANCE SC646-2C acts as a VPN server.
The tunnel endpoints are authenticated and verified with X.509 certificates.
The SCALANCE SC is reached under a static IP address.
The role distribution when setting up the VPN tunnel is defined as follows:
Table 1-1
Component   | VPN role
PC          | Initiator (VPN client); starts the VPN connection
SCALANCE SC | Responder (VPN server); waits for the VPN connection

Operating modes of OpenVPN


OpenVPN supports two operating modes:
• Routing mode (TUN device)
• Bridging mode (TAP device)
Routing mode establishes an encrypted tunnel that carries IP packets only (layer 3). Every
remote station is assigned a virtual IP address in a dedicated subnet (transfer net). Access to
the network behind the VPN server is not possible by default, but can be allowed with IP
forwarding and entries in the routing table of the firewall.
In routing mode, OpenVPN sets up virtual network adapters, so-called TUN devices, which
provide a point-to-point connection on the IP layer.
Bridging mode tunnels complete Ethernet frames (layer 2). The VPN client is transparently
connected to the remote network and receives an IP address in the local subnet. To all parties
involved, it appears as if another network adapter had been connected directly to the Ethernet
segment.
Bridging mode creates virtual network adapters known as TAP devices.

OpenVPN client software


The "OpenVPN GUI" software is used as an OpenVPN client. It is available as freeware on the
internet (see \7\ in chapter 4.3).
The software is configured with a configuration file with the "ovpn" file ending.
The software supports OpenVPN in routing mode and bridging mode.

Note This application example provides you with the configuration file "Client.ovpn". You can find
the text file on the HTML page of this article in the "Download" section (see chapter 4.3).

SCALANCE SC security appliance


The industrial security appliances support the industrial security concept of "defense in depth".
They secure automation networks and seamlessly connect to the security structures of the
office and IT world.
The security components protect devices and networks in discrete manufacturing and the
process industry and help to set up a flexible security zone concept.
The functions they provide include the following:
• Stateful inspection firewall with filtering of IP-based data traffic
• Global and user-defined firewall rules
• Management of multiple VPN connections at the same time (OpenVPN, IPsec, SINEMA
Remote Connect)
• Support for OpenVPN in routing mode and bridging mode
• NAT/NAPT for communication with series-produced machines that use identical IP addresses
• Digital input for local activation of secure remote access
• Redundant power supply
• Simple device replacement via C-PLUG removable storage device for automatic backup of
configuration data

Certificates
The VPN connection in this application example is secured with X.509 certificates. Every VPN
client and the SCALANCE module (VPN server) require the following:
• A private key
• A public certificate signed by a certificate authority (CA)
• The public certificate of the certificate authority

Figure: the client PC holds its private key, its public certificate and the public certificate of the
CA; the SCALANCE holds its private key, its public certificate and the public certificate of the
CA; the certificate authority holds its own private key and public certificate.

These three items can be stored together in an archive file with the ".pfx" file ending.

Note Depending on your security requirements, there are multiple ways of procuring the necessary
X.509 certificates:
• Obtain the certificates from your IT department. Your IT department can also tell you how
or whether you should use the listed certificates.
• Generate the certificates yourself, for example with the "XCA" freeware, TIA Portal or
"PowerShell" commands.
In this application example, certificates are created with PowerShell (see chapter 2.3.1).

PowerShell script
PowerShell is a cross-platform framework from Microsoft. It consists of a command line
interpreter and a scripting language that can be used to automate, manage and configure
systems in Microsoft Windows.
This application example provides you with a PowerShell script that implements the following
actions:
• A certificate authority (CA) is generated.
• The certificates necessary for the VPN client and VPN server are created.
• The certificates are saved in a ".pfx" archive file and exported.
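As an added example (it is not the article's own PowerShell script), the following PowerShell 5.1 commands carry out the three actions listed above: a CA is created, a server certificate for the SCALANCE SC and a client certificate for the PC are signed by it, and each endpoint's key, certificate and CA certificate are exported as a ".pfx" archive. The subject names, the output folder C:\VPN-Certs, the key sizes and the validity periods are assumptions.

```powershell
# Added example, not the Siemens script from this article. Subject names,
# output folder, key sizes and validity periods are assumptions.
#Requires -Version 5.1
$ErrorActionPreference = 'Stop'

$OutDir  = 'C:\VPN-Certs'                      # assumed output folder
$Store   = 'Cert:\CurrentUser\My'              # keys stay in the user store
$PfxPass = Read-Host -AsSecureString -Prompt 'Password for the .pfx archives'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Certificate authority: self-signed, marked CA:true so it may sign the
#    end-entity certificates below. pathlength=0 forbids sub-CAs.
$ca = New-SelfSignedCertificate -Type Custom -Subject 'CN=OpenVPN-Lab-CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10) -CertStoreLocation $Store

# 2. Server certificate for the SCALANCE SC (VPN server), signed by the CA.
#    EKU 1.3.6.1.5.5.7.3.1 = serverAuth; an OpenVPN client configured with
#    "remote-cert-tls server" refuses a peer certificate without it.
$server = New-SelfSignedCertificate -Type Custom -Subject 'CN=scalance-sc646' `
    -Signer $ca -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2) -CertStoreLocation $Store

# 3. Client certificate for the Windows 10 PC (VPN client).
#    EKU 1.3.6.1.5.5.7.3.2 = clientAuth, so it cannot impersonate the server.
$client = New-SelfSignedCertificate -Type Custom -Subject 'CN=win10-vpn-client' `
    -Signer $ca -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(2) -CertStoreLocation $Store

# 4. Export one .pfx per endpoint (private key + own certificate + CA chain)
#    and the CA's public certificate alone, without its key, as DER.
Export-PfxCertificate -Cert $server -FilePath "$OutDir\server.pfx" `
    -Password $PfxPass -ChainOption BuildChain | Out-Null
Export-PfxCertificate -Cert $client -FilePath "$OutDir\client.pfx" `
    -Password $PfxPass -ChainOption BuildChain | Out-Null
Export-Certificate -Cert $ca -FilePath "$OutDir\ca.cer" -Type CERT | Out-Null

# 5. Check that each end-entity certificate chains to the CA before the
#    files are loaded into the SCALANCE SC or the OpenVPN GUI.
foreach ($c in $server, $client) {
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'          # lab CA has no CRL
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    '{0}: valid until {1}, chain OK = {2}' -f $c.Subject, $c.NotAfter, $chain.Build($c)
}
```

The "NotAfter" values printed in step 5 are the dates the VPN partners compare against their system time, which is why the NTP setup in chapter 2.2.3 matters.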

1.3 Components used


Required devices/components
To build the application example, use the following components:
• One SCALANCE SC646-2C (optional: an appropriately assembled DIN rail with mounting
material) with current firmware (here: Firmware V3.0)
• A 24 V power supply with cable connector and terminal block plug
• A PC with Microsoft Windows 10 and the "OpenVPN GUI" freeware (see \7\ in chapter 4.3).
• A configuration PC with Microsoft Windows 10, used for the following tasks:
– Generation of certificates
– Configuration of the SCALANCE device via the WBM
• The required network cables, TP cables (twisted pair) complying with the IE FC RJ45
standard for Industrial Ethernet
For routing mode, you will also need the following components:
• DSL access with dynamic WAN IP address and a DSL router
• DSL access with static WAN IP address and a DSL router

You can also use another internet access method, e.g. mobile internet.
Note The configuration described below refers explicitly to the components mentioned in the
section "Required devices/components".

2 Engineering
2.1 Setting up the environment
2.1.1 IP address overview

IP addresses in routing mode


The assignment of the IP addresses is defined as follows for this example:

Figure (routing mode): Win10 PC 192.168.2.88 <-> DSL router1 (LAN 192.168.2.1, dynamic WAN IP)
<-> internet <-> DSL router2 (static WAN IP, LAN 172.16.0.1) <-> SCALANCE SC (external
172.16.60.12, internal 192.168.1.12); the virtual interface of the PC is addressed by the VPN server.
Table 2-1
Component | Port | IP address | Router | Subnet mask
MS Windows 10 PC (VPN client) | LAN port | 192.168.2.88 | 192.168.2.1 | 255.255.255.0
MS Windows 10 PC (VPN client) | Virtual interface | Dynamic IP address, assigned by the VPN server | - | Assigned by the VPN server
DSL-Router1 | LAN port | 192.168.2.1 | - | 255.255.255.0
DSL-Router1 | WAN port | Dynamic IP address of the provider | - | Assigned by the provider
DSL-Router2 | WAN port | Static IP address of the provider | - | Assigned by the provider
DSL-Router2 | LAN port | 172.16.0.1 | - | 255.255.0.0
SC646-2C | Zone EXT; LAN port: P5 or P6 | 172.16.60.12 | 172.16.0.1 | 255.255.0.0
SC646-2C | Zone INT; LAN port: P1 to P4 | 192.168.1.12 | - | 255.255.255.0
MS Windows 10 PC (configuration) | LAN port | 192.168.1.100 | - | 255.255.255.0

Note You can also use the Microsoft Windows 10 PC (VPN client) to set up the SCALANCE device
and generate the certificates. In this case, the Windows 10 PC (VPN client) will need another IP
address that is in the internal network of the SCALANCE device, for example 192.168.1.100/24.
Remove the additional IP address after completing chapter 2.

IP addresses in bridging mode


The assignment of the IP addresses is defined as follows for this example:

Figure (bridging mode): Win10 PC with LAN port 172.16.60.100 and virtual interface 192.168.1.10
<-> SCALANCE SC (external 172.16.60.12, internal 192.168.1.12).
Table 2-2
Component | Port | IP address | Subnet mask
MS Windows 10 PC (VPN client) | LAN port | 172.16.60.100 | 255.255.255.0
MS Windows 10 PC (VPN client) | Virtual interface | 192.168.1.10 | 255.255.255.0
SC646-2C | Zone EXT; LAN port: P5 or P6 | 172.16.60.12 | 255.255.0.0
SC646-2C | Zone INT; LAN port: P1 to P4 | 192.168.1.12 | 255.255.255.0
MS Windows 10 PC (configuration) | LAN port | 192.168.1.100 | 255.255.255.0

Note You can also use the Microsoft Windows 10 PC (VPN client) to set up the SCALANCE device
and generate the certificates. In this case, the Windows 10 PC (VPN client) will need another IP
address that is in the internal network of the SCALANCE device, for example 192.168.1.100/24.
Remove the additional IP address after completing chapter 2.

2.1.2 Infrastructure overview

Note For all devices in the internal network of the SCALANCE SC646-2C (e.g. controllers, Panels),
remember to enter the internal IP address (Zone: INT; vlan1) of the SCALANCE SC646-2C
as the default gateway.

Routing mode
The figure below shows how all the components involved in this solution are connected to each
other after completing chapter 2.

Figure (routing mode): PC Win 10 (VPN) LAN port <-> DSL router1 LAN port; DSL router1 WAN
port <-> DSL router2 WAN port; DSL router2 LAN port <-> SC646-2C P5; SC646-2C P1 leads to the
automation network.

Table 2-3
Component | Local port | Partner | Partner port
PC (VPN client) | LAN port | DSL-Router1 | LAN port
SC646-2C (VPN server) | Zone EXT; LAN port (P5 to P6) | DSL-Router2 | LAN port
SC646-2C | Zone INT; LAN port (P1 to P4) | E.g. an automation network (not present in this solution) | -

Bridging mode
The figure below shows how all the components involved in this solution are connected to each
other after completing chapter 2.

Figure (bridging mode): PC Win 10 (VPN) LAN port <-> SC646-2C P5; SC646-2C P1 leads to the
automation network.

Table 2-4
Component | Local port | Partner | Partner port
PC (VPN client) | LAN port | SC646-2C | Zone EXT; LAN port (P5 to P6)
SC646-2C (VPN server) | Zone INT; LAN port (P1 to P4) | E.g. an automation network (not present in this solution) | -

2.2 Preparing the devices


2.2.1 PCs

This application example uses two Microsoft Windows 10 PCs. One PC serves as a VPN client
while the other PC serves as the configuration PC.

Software
Set up the PCs as follows:
1. On both PCs, install the latest update or service pack for Microsoft Windows 10, as well as
the latest version of the web browser.

2. Install the "OpenVPN GUI" software on the PC acting as the OpenVPN client. The
OpenVPN package is installed on your PC in the default directory "C:\Program Files\OpenVPN".
Result
The "OpenVPN GUI" software is installed. An icon for the "OpenVPN GUI" software will be
created in the Windows system tray.
3. Install one of the following web browsers on the configuration PC:


– Microsoft Internet Explorer
– Microsoft Edge
– Firefox Quantum
– Google Chrome

Note PowerShell and a text editor are pre-installed components of Microsoft Windows 10 and do
not need to be installed separately. You need PowerShell version V5.1 or higher.

Physical IP address
To use this application example, the two Windows 10 PCs will need an IP address for the
physical network interface.
To assign an IP address, proceed as follows:
1. Enter "View network connections" in the Windows search bar.

2. Select the network adapter that you are physically connected to, then enter the IP address
according to Table 2-1 or Table 2-2.

Virtual network interfaces


During the installation of "OpenVPN GUI", virtual network interfaces are set up. You can view
them under "Settings > Network & Internet".

In routing mode, the VPN server assigns an IP address to the "TAP-Windows Adapter V9"
virtual interface.
In bridging mode, the "TAP-Windows Adapter V9" virtual interface requires an IP address from
the internal network of the SCALANCE device.
Proceed as follows to view and/or modify the network settings of the virtual interface:
1. Enter "View network connections" in the Windows search bar. Open the IPv4 settings of the
virtual network interface "TAP-Windows Adapter V9".

2. For routing mode, change the setting to "Obtain an IP address automatically".
For bridging mode, use the IP address as specified in Table 2-2.

3. Click "OK" to close all dialogs.


© Siemens AG 2023 All rights reserved

Result
The virtual network adapter has been set up.
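As an added example (not from the article), the following PowerShell script performs the same configuration of the "TAP-Windows Adapter V9" interface from an elevated prompt: DHCP for routing mode, or the static address from Table 2-2 for bridging mode. The adapter description filter and the "-Mode" parameter are assumptions.

```powershell
# Added example, not part of the Siemens article. Run from an elevated
# PowerShell, e.g.:  .\Set-TapAdapter.ps1 -Mode Bridging   (file name assumed)
param(
    [ValidateSet('Routing', 'Bridging')]
    [string]$Mode = 'Routing'
)
$ErrorActionPreference = 'Stop'

# Locate the OpenVPN virtual adapter by its driver description (assumed
# to match the "TAP-Windows Adapter V9" name shown in the article).
$tap = Get-NetAdapter | Where-Object InterfaceDescription -like 'TAP-Windows Adapter V9*'
if (-not $tap) { throw 'TAP-Windows Adapter V9 not found; is OpenVPN GUI installed?' }
if ($tap.Count -gt 1) { throw 'More than one TAP adapter found; select one by ifIndex.' }

# Clear any IPv4 address or route left over from an earlier configuration,
# so the adapter ends up in exactly one of the two states below.
Get-NetIPAddress -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue

switch ($Mode) {
    'Routing' {
        # Routing mode (TUN): the VPN server assigns the virtual address, so
        # the adapter must be set to "Obtain an IP address automatically".
        Set-NetIPInterface -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 -Dhcp Enabled
    }
    'Bridging' {
        # Bridging mode (TAP): the adapter needs a fixed address inside the
        # internal network of the SCALANCE SC (Table 2-2: 192.168.1.10/24).
        Set-NetIPInterface -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 -Dhcp Disabled
        New-NetIPAddress -InterfaceIndex $tap.ifIndex -IPAddress '192.168.1.10' -PrefixLength 24 | Out-Null
    }
}

# Show the resulting state for comparison with Table 2-1 / Table 2-2.
Get-NetIPInterface -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, Dhcp
Get-NetIPAddress -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Select-Object IPAddress, PrefixLength
```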

2.2.2 Router

Note Only relevant when using the application example in routing mode.

VPN
If VPN connections have been configured on your router and activated, terminate them.

LAN port
On the LAN port, use a static IP address in accordance with Table 2-1.

Static IP address on the SCALANCE SC router


WAN access from the VPN client (PC) to the SCALANCE SC (VPN server) is achieved
with a fixed public IP address.
1. Request a fixed public IP address from your provider.

2. Then enter the fixed public IP address in your DSL router.

Port forwarding on the SCALANCE SC router


Port forwarding is required so that tunnel packets can pass freely between the devices. Port
forwarding pertains to the following port number(s):


Table 2-5
Protocol | Port number
UDP      | 1194

1. In the router, enable port forwarding for "OpenVPN" and "HTTPS" with TCP and UDP.

2. Forward the packets to the external IP address (zone: EXT; vlan2) of the SCALANCE
device, port 1194.

OpenVPN uses exclusively either UDP or TCP.

Note UDP should be preferred (wherever possible) since it is faster and exhibits better
performance.

2.2.3 SCALANCE SC-600 security appliance

Factory setting
To ensure that there are no old configurations or certificates stored in the SCALANCE device,
reset the appliance to its factory settings.
You will find instructions in the module manual (see chapter 4.3).

Preparation
The SCALANCE device is set up using the PC and the WBM. To access the WBM, the following
requirements must be met:
• You will need an Ethernet connection between the PC and the SCALANCE device (Zone
INT; LAN port: P1 to P4).
• The PC has an IP address in the network of the SCALANCE device, for example
192.168.1.100/24.

Assign the IP address


To open the WBM or to download the configuration to the module via TIA Portal, the
SCALANCE device needs an IP address. The initial assignment of an IP address for the device
cannot be done with the WBM because this configuration tool itself requires an IP address. You
have the following options for assigning the associated IP address to the unconfigured device
(see Table 2-1 and/or Table 2-2).
• SINEC PNI
To assign the device an IP address with SINEC PNI, the device must be available over
Ethernet. You can download SINEC PNI for free from the Siemens Industry Online Support
pages (see chapter 4.3).
• Command Line Interface (CLI)
• TIA Portal and the "Accessible Devices…" function

Follow these steps:


1. Open one of the options listed above.

2. Assign the SCALANCE device the associated IP address for the internal network.

Open the WBM


Proceed as follows to open the WBM of the SCALANCE device:
1. In the address bar of the internet browser, enter the internal IP address of the SCALANCE
device (see Table 2-1 and/or Table 2-2) ("https://192.168.1.12").
A message about the security certificate will appear.

2. Acknowledge this message and continue loading the page.


The WBM login page appears.

3. If you are signing in for the first time or after a "Restore Factory Defaults and Restart", the
login credentials are set as follows:
– "Name" field: "admin"
– "Password" field: "admin"
Enter the name and the password in the corresponding fields.
Click the "Login" button or confirm with the Enter key.
4. If you are signing in for the first time or after a "Restore Factory Defaults and Restart", you
will be prompted to change the password.
Enter the current password in the "Current User Password" field.
The new password must meet the following password requirements:
– Password length: a minimum of 8 characters, a maximum of 128 characters
– At least 1 uppercase letter
– At least 1 special character (special characters § and ß are not allowed)
– At least 1 number
Set the new password in the "New Password" field. Repeat your password to confirm. Both
passwords must match.
Click the "Set Values" button to finish the process.

Result
The homepage of the WBM appears.

Set the IP address


At the start of the chapter, you already assigned the SCALANCE device an internal IP address
(Zone: INT; vlan1).
To set up the external IP address (Zone: EXT; vlan2) in the SCALANCE device, proceed as
follows:
1. Open the menu "Layer 3 > Subnets".

The "Connected Subnets Overview" window will open and you will be in the "Overview" tab.
This page shows you the subnets for the selected interface.
2. Switch to the "Configuration" tab.

The "Configuration" tab opens. Configure the subnet for the interface on this page.

3. Make the following settings:


– Set the interface to "vlan2 (EXT)".
– Check whether the status is "enabled".
– Disable DHCP.
– For "vlan2 (EXT)", enter the IP address and subnet mask for the external network
(Zone: EXT; vlan2; P5 or P6) (see Table 2-1 and/or Table 2-2).
To confirm your changes, click on the "Set Values" button.

Result
The SCALANCE device has an IP address for all VLANs.
You will be automatically taken back to the "Overview" tab. Here you will see an overview of the
IP addresses.

Define default router

Note Only relevant when using the application example in routing mode.

A static route lets you specify the routes through which data can be exchanged between the
various subnets.
To store a static route in the SCALANCE device, proceed as follows:
1. Open the menu "Layer 3 > Static Routes".
The "Static Routes" page opens.


Here you can specify the routes through which data can be exchanged between the various
subnets.

2. To reach all subnets, enter the following values:


– In the "Destination network" field and in the "Subnet mask" field, enter the network
address "0.0.0.0"
– In the "Gateway" field, enter the corresponding router (see Table 2-1)
Click the "Create" button.

Result
The static route for the module has been set up. A new entry is created in the table.

Define time synchronization


The VPN connection in this application example is secured with certificates. If you work with
certificates, it is essential that the correct time be entered in the VPN partners. If the time in the
device is incorrect, then the certificates will be considered invalid and will not be accepted.
Use a time synchronization protocol such as NTP to set the system time of the device.
To set up time synchronization with NTP, proceed as follows:
1. Open the menu "System > System time".
The "Manual System Time Setting" window will open and you will be in the "Manual Setting"
tab.

2. Select the "NTP Client" tab.

The "NTP Client" tab opens.

3. Tick the "NTP Client" box and click the "Set Values" button.

4. Click the "Create" button to register an NTP server.


A new table row is added.

5. In the "NTP Server Address" column, enter the address of the NTP server.

When you run the application example in routing mode, one address you can use is
"pool.ntp.org". The "pool.ntp.org" project is a network of time servers that provide simple,
reliable time synchronization over NTP.

Note When you run the application example in bridging mode, then you will need an NTP server in
the LAN network of the SCALANCE device.

6. To confirm your change, click on the "Set Values" button.

Result
The time synchronization protocol has been set up.


Enter DNS

Note Only relevant when using the application example in routing mode.

The SCALANCE device requires a DNS server address to resolve the name of the NTP server.
Follow these steps:
1. Open the menu "System > DNS".

The "Domain Name System (DNS) Client" window opens and you will be in the "DNS
Client" tab.

2. In the "DNS Server Address" column, enter the IP address of the local DNS server or of a
public server, e.g. "1.1.1.1".
Click the "Create" button.

Result
The DNS server in the SCALANCE device has been set up.


Check the clock time


You can check the current system time in the SCALANCE device in the menu "System >
General" in the "Device" tab.

Set up inter-VLAN bridge

Note Only relevant when using the application example in bridging mode.

Description
The "Inter-VLAN bridge" function is required when different VLANs need to communicate with
one another.

The layer 2 OpenVPN connection is established via a virtual network interface, which is referred
to as the TAP device. The TAP device is connected to the actual network via a network bridge
(the inter-VLAN bridge). The layer 2 OpenVPN connection must be assigned to a bridge at all
times; it cannot be used directly on a VLAN.
Proceed as follows to set up the inter-VLAN bridge:
1. Open the menu "Layer 2 > Inter-VLAN Bridge".

The "Inter-VLAN-Bridge Overview" window opens and you will be in the "Overview" tab.


2. Enter a number between 1 and 255 as the Bridge ID in the "Bridge-ID" input field (here: "1").
Click the "Create" button.

A new table row is created.

3. Switch to the "Configuration" tab.



The "Configuration" tab opens. On this page, you will define the VLANs between which a
bridge will be established; and you will define which VLAN will be used as the master VLAN.

4. Set up "vlan1" as the bridge.


In the row for "vlan1" in the "Bridge-ID" column, select the ID of the bridge that you wish to
use for the selected interface (here: "1").
In the "Type" column, select "Master". This will cause the IP address configuration of the
interface to be used for the bridge.
To apply your settings, click on the "Set Values" button.

The settings will be saved.


5. Switch back to the "Overview" tab.

The "Overview" tab opens.

6. Activate the inter-VLAN bridge for the Bridge ID that you created (here: "1").
To apply your settings, click on the "Set Values" button.

Result
You have created an inter-VLAN bridge. Master is "vlan1".


2.3 Setting up security


2.3.1 Certificates

PC
The PowerShell script is run on the configuration PC.

PowerShell script
This application example provides you with the already finished PowerShell script
"Cert_gen.txt".
You can find the text file on the HTML page of this article in the "Download" section (see
chapter 4.3).

Overview
The PowerShell script automatically performs the following tasks:
• A certificate authority (CA) is generated.
• The certificates necessary for the VPN client and VPN server are created. The certificates
are protected with a password.
• The certificates are saved in a ".pfx" archive file and exported.


Open PowerShell
You will run the script with PowerShell. Proceed as follows to open PowerShell:

1. Enter "PowerShell" in the Windows search bar.

2. Run PowerShell as an administrator.




3. PowerShell opens. If a message appears, accept it with "Yes".

4. To check the version of PowerShell, enter the command "$PSVersionTable" in the
command line and press the Enter key.

The version number will be displayed. If the version is below V5.1, update your version of
PowerShell.


Modify the script


Some script variables must be adapted to your environment, others may be. The following
table lists the variables and their use.
Table 2-6
Variable: $validMonth
Description: Validity period of the certificates in months
Default declaration: 180
Use: Optional

Variable: $dns_ip
Description: IP address, DNS name (or both) at which the VPN server can be reached.
If you are running the application example in routing mode, then it is the static WAN address of
DSL-Router2. If you are running the application example in bridging mode, then it is the
external IP address (zone: EXT; vlan2) of the SCALANCE device.
The script has three lines for this.
– If the VPN server is reachable via an IP address, use the code line
$dns_ip='IPAddress=<IP-address>'
– If the VPN server is reachable via a DNS address, use the code line
$dns_ip='DNS=<DNS-address>'
– If the VPN server is reachable via an IP address and a DNS address, use the code line
$dns_ip = 'DNS=<DNS-address>$IPAddress=<IP-address>'
Default declaration: $dns_ip='IPAddress=111.222.111.2'
Use: Obligatory. Modify one of the three possible code lines and enter your values for
<IP-address> and/or <DNS-address>. Delete the two lines that are not needed. Alternatively,
comment out the unused lines with the "#" character at the start of each line, for example,
#$dns_ip='DNS=example.com'

Variable: $cert_n
Description: List with the names of the VPN participants. The first entry is reserved for the VPN
server (here: SCALANCE).
Default declaration: 'SCALANCE','Win10'
Use: Optional. Add additional VPN clients to the list in the format '<Name>', e.g.
'SCALANCE','Win10','Client'

Variable: $cert_pw
Description: List of passwords for the certificates. The order follows the same order as the list
with the names of the VPN participants ($cert_n).
Default declaration: 'Siemens1!','Siemens1!'
Use: Obligatory. Change the password (here: Siemens1!) for the certificates in the format
'<Password>'. If you entered additional VPN clients in the "$cert_n" list, then setting passwords
for these VPN clients is also required.

Variable: $mydir
Description: The certificates and the text file are exported to this directory.
Default declaration: "D:\VPN_Cer"
Use: Optional

Variable: $CA_n
Description: General name for the certificate authority
Default declaration: "MyCA"
Use: Optional

Variable: $cerloc
Description: Type of certificate store on the Microsoft Windows operating system:
• "LocalMachine": The store is locally on the device and global for all users on the device.
• "CurrentUser": The store is local for the current user account on the device.
Default declaration: "LocalMachine"
Use: Optional
Proceed as follows to modify the variables:

1. Open the text file "Cert_gen.txt" with a text editor.


In the upper section of the text file you will find the variables that either can or must be
adapted to your environment. Declare the variables as required.

2. Save the text file. Select the entire contents of the text file (for example with the keyboard
combination <CTRL + A>) and copy it to the clipboard (for example with the keyboard
combination <CTRL + C>).


Run the script


Proceed as follows to launch the script in PowerShell:
1. Click inside of the PowerShell window and paste the contents of the clipboard, for example
by using the keyboard combination <CTRL + V>.

2. Press Enter to execute the script. The following tasks will be performed in succession:
– A CA will be generated.
– Based on this CA, X.509 certificates for the VPN server and VPN client will be
generated and exported in password-protected format to the directory you specified
(see "$mydir" variable in Table 2-6). The file has the name "<Servername>.pfx" or
"<Clientname>.pfx".
– The certificates are deleted from the internal certificate store on the PC because this PC
is only used to generate the certificates, not as a VPN client.
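The three tasks listed above, written out as an added PowerShell example. This is not the "Cert_gen.txt" script from the download, but a script of the same shape that uses the variable names of Table 2-6; it also handles further clients appended to "$cert_n". The values assigned at the top are the sample values of Table 2-6, the subject alternative name is passed to New-SelfSignedCertificate as a text extension (the cmdlet joins several entries with "&"), and each .pfx is assembled with the .NET X509Certificate2Collection class so that it contains the private key, the signed certificate and the public CA certificate.

```powershell
# Added example; not the Siemens "Cert_gen.txt" script. Carries out the three tasks
# above with the variables of Table 2-6. All values below are constructed sample values.
$validMonth = 180                          # validity of every certificate in months
$dns_ip     = 'IPAddress=111.222.111.2'    # SAN of the VPN server: 'DNS=<name>' or 'IPAddress=<ip>'
                                           # (New-SelfSignedCertificate joins several entries with '&')
$cert_n     = 'SCALANCE','Win10'           # first entry = VPN server, the rest = VPN clients
$cert_pw    = 'Siemens1!','Siemens1!'      # one password per entry of $cert_n, same order
$mydir      = 'D:\VPN_Cer'                 # export directory, also receives logfile.txt
$CA_n       = 'MyCA'                       # common name of the certificate authority
$cerloc     = 'LocalMachine'               # 'LocalMachine' (needs administrator) or 'CurrentUser'

$ErrorActionPreference = 'Stop'
$store    = "Cert:\$cerloc\My"
$notAfter = (Get-Date).AddMonths($validMonth)
$created  = @()                            # thumbprints to purge from the store afterwards
New-Item -ItemType Directory -Path $mydir -Force | Out-Null

try {
    if ($cert_n.Count -ne $cert_pw.Count) { throw 'Each name in $cert_n needs a password in $cert_pw.' }

    # Task 1: self-signed CA (basic constraints CA:TRUE, key usage restricted to signing).
    $ca = New-SelfSignedCertificate -Subject "CN=$CA_n" -CertStoreLocation $store -Type Custom `
            -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
            -KeyUsage CertSign, CRLSign, DigitalSignature -NotAfter $notAfter `
            -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')
    $created += $ca.Thumbprint
    # CA_private.pfx keeps the CA key for adding clients later (see the CAUTION further down).
    $caPwd = ConvertTo-SecureString -String $cert_pw[0] -AsPlainText -Force
    Export-PfxCertificate -Cert $ca -FilePath (Join-Path $mydir 'CA_private.pfx') -Password $caPwd | Out-Null
    # Public part of the CA only (no private key), for inclusion in every participant's .pfx.
    $caPublic = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ca.RawData)

    # Task 2: one certificate per VPN participant, issued by the CA.
    for ($i = 0; $i -lt $cert_n.Count; $i++) {
        $name = $cert_n[$i]
        if ($i -eq 0) {   # VPN server: serverAuth EKU plus the SAN under which clients reach it
            $ext = @("2.5.29.17={text}$dns_ip", '2.5.29.37={text}1.3.6.1.5.5.7.3.1')
        } else {          # VPN client: clientAuth EKU only
            $ext = @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
        }
        $cert = New-SelfSignedCertificate -Subject "CN=$name" -Signer $ca -CertStoreLocation $store `
                  -Type Custom -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
                  -KeyExportPolicy Exportable -KeyUsage DigitalSignature, KeyEncipherment `
                  -NotAfter $notAfter -TextExtension $ext
        $created += $cert.Thumbprint

        # Task 3: <Name>.pfx = private key + own certificate + public CA certificate
        # (the contents Table 2-7 lists), protected with the participant's password.
        $bundle = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        [void]$bundle.Add($cert)
        [void]$bundle.Add($caPublic)
        $bytes = $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $cert_pw[$i])
        [System.IO.File]::WriteAllBytes((Join-Path $mydir "$name.pfx"), $bytes)
        Write-Host "Exported $name.pfx"
    }
}
catch {
    # Stop, show the cause, and record it in logfile.txt in the export directory.
    "$(Get-Date -Format s) $($_.Exception.Message)" | Add-Content -Path (Join-Path $mydir 'logfile.txt')
    throw
}
finally {
    # This PC only generates the material, so purge the certificates and their keys again.
    Get-ChildItem -Path $store | Where-Object { $created -contains $_.Thumbprint } | Remove-Item -DeleteKey
}
```

Run it from an elevated PowerShell when "$cerloc" is "LocalMachine". The finally block runs even when an error is thrown, so neither the CA key nor the participant keys stay behind in the Windows certificate store; the only copies that remain are the password-protected files in "$mydir".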


In case of an error, the script will stop running and the cause of the error will be displayed in
PowerShell. The script will also create a log file with the error messages at the same time.
You can find the log file "logfile.txt" in the specified directory (here: "D:\VPN_Cer").
If an error occurred, look for the error message and remedy the error.

Result
If the script ran without errors, then all the necessary certificates will be located in the folder you
specified (here: "D:\VPN_Cer").

Note If you gave the VPN participants other names (variable "$cert_n"; see Table 2-6), then the
appearance of the file names will differ.

For more details on the files contained in the folder, refer to the Table below:
Table 2-7
File: CA_private.pfx
Meaning: The private key of the certificate authority. It is needed if you wish to add more VPN
clients at a later time.

File: <Clientname>.pfx (here: Win10.pfx)
Meaning: Certificate for the VPN client. This certificate contains:
• The private key
• The public certificate signed by the CA
• The public certificate of the CA

File: <Servername>.pfx (here: SCALANCE.pfx)
Meaning: Certificate for the VPN server. This certificate contains:
• The private key
• The public certificate signed by the CA
• The public certificate of the CA

CAUTION Always keep the private key of the certificate authority in a safe place.
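An added example, not part of the download, for checking a generated .pfx against the contents listed in Table 2-7 before it leaves the configuration PC. It uses Get-PfxData from the PKI module, builds the certificate chain against the CA certificate contained in the file rather than against the Windows trust store (the VPN's CA is deliberately installed nowhere), and reports the validity period, which is what the SCALANCE device compares with its system time when it shows a certificate as "valid" or "expired". The file path, password and CA name in the usage line are constructed sample values.

```powershell
# Added example (not part of the Siemens download): inspects a .pfx produced for a VPN
# participant. Path, password and CA name are constructed sample values.
function Test-VpnPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,        # e.g. D:\VPN_Cer\Win10.pfx
        [Parameter(Mandatory)] [string] $Password,    # the matching entry of $cert_pw
        [string] $CAName = 'MyCA'                     # the $CA_n used when generating
    )
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    # Get-PfxData fails with a clear error if the password does not fit the file.
    $pfx  = Get-PfxData -FilePath $Path -Password $secure
    $leaf = @($pfx.EndEntityCertificates)[0]
    $cas  = @($pfx.OtherCertificates)

    # Verify signature and validity period against the CA shipped inside the file only.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    if ($cas.Count -gt 0) { $chain.ChainPolicy.ExtraStore.AddRange($cas) }
    $chainOk = $chain.Build($leaf)

    $now = Get-Date
    [pscustomobject][ordered]@{
        File            = Split-Path -Path $Path -Leaf
        Subject         = $leaf.Subject
        HasPrivateKey   = [bool]$leaf.HasPrivateKey                            # Table 2-7: private key
        IssuedByCA      = ($leaf.Issuer -eq "CN=$CAName")                      # Table 2-7: signed by the CA
        CACertIncluded  = [bool]($cas | Where-Object { $_.Subject -eq "CN=$CAName" })  # Table 2-7: CA cert
        ChainVerifies   = $chainOk                                             # false if signature or dates fail
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NotBefore       = $leaf.NotBefore                                      # device time must lie
        NotAfter        = $leaf.NotAfter                                       # between these two
        DaysUntilExpiry = [math]::Floor(($leaf.NotAfter - $now).TotalDays)
        SubjectAltName  = ($leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                           ForEach-Object { $_.Format($false) })
    }
}

# Usage with constructed values; every boolean should read True before the file is used:
# Test-VpnPfx -Path 'D:\VPN_Cer\Win10.pfx' -Password 'Siemens1!' | Format-List
```

For the server file, "SubjectAltName" should show the address you placed in "$dns_ip", since that is what the client compares with the "remote" line of its configuration. If "ChainVerifies" is False while "NotBefore" lies in the future, the configuration PC's clock was wrong when the certificates were generated.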

Copy files
This application example uses a different PC for the VPN client.
Copy the files needed for the VPN client to a storage device. The files are the following:
• The client certificate <Clientname>.pfx (here: "Win10.pfx")
• The configuration file "Client.ovpn". You can find the file on the HTML page of this article in
the "Download" section (see chapter 4.3).


2.3.2 SCALANCE SC-600 security appliance

Preparation
The SCALANCE module is set up using the configuration PC and the WBM. To access the
WBM, the following requirements must be met:
• You will need an Ethernet connection between the configuration PC and the SCALANCE
(Zone INT; LAN port: P1 to P4).
• The configuration PC has an IP address in the network of the SCALANCE device, for
example 192.168.1.100/24.

Overview
The following settings are relevant for this application example:
• Load certificate
• Set up VPN connection
• Configure firewall

Load certificates
In chapter 2.3.1, you utilized PowerShell to generate the necessary certificates and keys for
each VPN participant.
The WBM offers the option of loading data (for example, the certificates necessary for
establishing a secure VPN connection) from the PC to the SCALANCE device.

To load the password-protected VPN server certificate (here: "SCALANCE.pfx") to the
SCALANCE, proceed as follows:
1. Open the WBM of the SCALANCE device.

2. Navigate to the menu "System > Load&Save".

The window "Load and Save via HTTP" opens and you will be in the "HTTP" tab.


3. Change to the "Passwords" tab.

The "Passwords" tab opens.



4. In the "Password" and "Password Confirmation" column for the "X509Cert" row, enter the
password that you assigned for the server certificate (see "$cert_pw" variable in Table 2-6).

5. To use the password, tick the box in the "Setting" column.


Then click the "Set Values" button to save the changes.


6. To import the X.509 certificate, change to the "HTTP" tab.

The "HTTP" tab opens.

7. To load the certificate, click on the "Load" button in the "X509Cert" line.

A dialog window opens where you can upload a file.


8. Navigate to the folder that you selected as the save location for the certificates (see
"$mydir" variable in Table 2-6; here "D:\VPN_Cer").
Select the X.509 certificate in "<Servername>.pfx" format that was generated for the VPN
server (here: "SCALANCE.pfx") and then confirm the upload with "Open".

9. When the certificate has been uploaded successfully, a message will appear that you
should confirm with "OK".

Result
The certificate has been uploaded. You can see the certificates in the menu "Security >
Certificates > Overview". Check whether the certificates have the status "valid".

Note If the certificates appear with the status "expired", then make sure that the time in the
SCALANCE device is correct.


Set up OpenVPN in routing mode


Proceed as follows to set up the OpenVPN connection:
1. Switch to the menu "Security > OpenVPN".

The "OpenVPN General" window opens and you will be in the "General" tab.

2. Change to the "Connections" tab.



The "Connections" tab opens. Here you will configure the basic settings for the OpenVPN
connection.

3. Enter a unique name for the OpenVPN connection. Click the "Create" button to create a
connection.

The connection will be created and a new table row will be added.


4. Switch to the "Authentication" tab.

The "Authentication" tab opens. Here you will define how the VPN connection partners
authenticate with one another.

5. Select the following settings for the specified table columns:


– "Method" column: "Certificates"
– "CA certificate" column: The CA certificate (here: "SCALANCE_CACert.pem")
– "Machine certificate" column: The server certificate (here: "SCALANCE_Cert.pem").
To apply your settings, click on the "Set Values" button.

The settings will be saved.

6. Change to the "Server" tab.

The "Server" tab opens. Here you will configure the OpenVPN server.


7. In the "Server Name" field, enter a unique name for the OpenVPN server (here:
"MyServer").
Click the "Create" button.

The server will be created and a new table row will be added.

8. Select the following settings for the specified table columns:


– "Connection": Select the connection that you created in Step 3 (here:
"OpenVPN_Conn").
– "OpenVPN Subnet": Define a unique IP address range from which the OpenVPN clients
connected with the server will obtain their tunnel IP address, for example 172.17.0.0/16.
Leave all the other columns in the table at their default settings.
To apply your settings, click on the "Set Values" button.

The settings will be saved.

9. Change to the "Connections" tab.

The "Connections" tab opens. You can start the connection here.


10. In the "Operation" column, set the value to "Start".


To apply your settings, click on the "Set Values" button.

The settings will be saved.

11. Go to the "General" tab.



The "General" tab opens. Here you will enable the OpenVPN functionality.

12. Tick the "Activate OpenVPN" checkbox.


To apply your settings, click on the "Set Values" button.

The settings will be saved.

Result
The OpenVPN connection in the SCALANCE device has been set up in routing mode and the
server certificates are assigned to the OpenVPN connection. The SCALANCE device waits for
the VPN client to establish a connection.


Set up OpenVPN in bridging mode


Proceed as follows to set up the OpenVPN connection:
1. Switch to the menu "Security > OpenVPN".

The "OpenVPN General" window opens and you will be in the "General" tab.

2. Change to the "Connections" tab.



The "Connections" tab opens. Here you will configure the basic settings for the OpenVPN
connection.

3. Enter a unique name for the OpenVPN connection. Click the "Create" button to create a
connection.

The connection will be created and a new table row will be added.


4. Select the Bridge ID in the "Bridged" column (here: "1"); this Bridge ID is the one that will
carry the layer 2 OpenVPN connection (see chapter 2.2.3).
To apply your settings, click on the "Set Values" button.

5. Switch to the "Authentication" tab.



The "Authentication" tab opens. Here you will define how the VPN connection partners
authenticate with one another.

6. Select the following settings for the specified table columns:


– "Method" column: "Certificates"
– "CA certificate" column: The CA certificate (here: "SCALANCE_CACert.pem")
– "Machine certificate" column: The server certificate (here: "SCALANCE_Cert.pem").
To apply your settings, click on the "Set Values" button.

The settings will be saved.

7. Change to the "Server" tab.

The "Server" tab opens. Here you will configure the OpenVPN server.


8. In the "Server Name" field, enter a unique name for the OpenVPN server (here:
"MyServer").
Click the "Create" button.

The server will be created and a new table row will be added.

9. In the "Connection" column, select the connection you created in Step 3 (here:
"OpenVPN_Conn").
Leave all the other columns in the table at their default settings.
To apply your settings, click on the "Set Values" button.

The settings will be saved.

10. Change to the "Connections" tab.

The "Connections" tab opens. You can start the connection here.


11. In the "Operation" column, set the value to "Start".


To apply your settings, click on the "Set Values" button.

The settings will be saved.

12. Go to the "General" tab.



The "General" tab opens. Here you will enable the OpenVPN functionality.

13. Tick the "Activate OpenVPN" checkbox.


To apply your settings, click on the "Set Values" button.

The settings will be saved.

Result
The OpenVPN connection in the SCALANCE device has been set up in bridging mode and the
server certificates are assigned to the OpenVPN connection. The SCALANCE device waits for
the OpenVPN client to establish a connection.


Set up the firewall


By default, the firewall of the SCALANCE device does not allow OpenVPN on any interface.
Proceed as follows to allow the OpenVPN connection:
1. Switch to the menu "Security > Firewall".

The "Firewall General" window opens and you will be on the "General" tab.

2. Change to the "Predefined" tab.



The "Predefined" tab opens. This tab contains predefined IP packet filter rules.

3. For the "vlan2 (EXT)" interface in the IP version "IPv4", enable the "OpenVPN" protocol.
To apply your settings, click on the "Set Values" button.

Result
OpenVPN has been allowed in the firewall for the external interface.


Create IP rule

Note Only relevant when using the application example in bridging mode.

In bridging mode, you establish a VPN connection on the layer 2 level. Layer 3 data packets, for
example access to the WBM or a PING test, are by definition not possible.
IP packet filter rules have already been predefined (and some of them enabled) in the
SCALANCE device for the WBM and the PING command. You can use them and optionally
define other IP rules.
Proceed as follows:
1. Activate the WBM for the VPN connection.
To apply your settings, click on the "Set Values" button.

2. To create additional IP rules, change to the "IP Rules" tab.

The "IP Rules" tab opens.

3. Click the "Create" button to create a new IP rule.

A new table row will be created.


4. Edit the IP rule as follows:


– "From" column: The OpenVPN connection you created (here: "OpenVPN
OpenVPN_Conn")
– "To" column: "Device"
– "Action" column: "Accept"
– "Service" column: all

5. Click the "Set Values" button.



Result
The firewall has been set up so that layer 3 data packets from the layer 2 VPN connection can
reach the SCALANCE device.


2.3.3 VPN client on the Microsoft Windows 10 PC

Preparation
In the final step of chapter 2.3.1, you copied the following files from the configuration PC to a
storage device:
• The X.509 certificate for the VPN client in the format <Clientname>.pfx (here: "Win10.pfx")
• The configuration file "Client.ovpn". You can find the file on the HTML page of this article in
the "Download" section (see chapter 4.3).
Now copy these files from the storage device to a folder of your choice on the Microsoft
Windows 10 PC (VPN client) (here, the folder is: "D:\VPN_Cer").

Structure of the configuration file


The "OpenVPN GUI" software is configured with the help of the "Client.ovpn" configuration file.
The configuration file is divided into the following sections:
Figure 2-1 Screenshot of the "Client.ovpn" configuration file with its sections numbered as in
Table 2-8 (image not reproduced)
Table 2-8
No. Description
1. Name of the virtual network interface "TAP-Windows Adapter V9"; this was set up while installing
OpenVPN.
2. OpenVPN mode:
• tun: OpenVPN operates in routing mode (layer 3)
• tap: OpenVPN operates in bridging mode (layer 2)
Note: A semicolon at the start of the line disables the line.
3. Network protocol used
4. IP address and port at which the VPN server can be reached.
5. Encryption information.
Must match the algorithms in the VPN server.
6. Save location of the client certificate (here: "D:\VPN_Cer\Win10.pfx")
In Windows, you must enter a double backslash to represent a backslash when specifying folder
paths in the configuration file (here: "D:\\VPN_Cer\\Win10.pfx").


Modify the configuration file


Follow these steps to modify the configuration file to match your environment:
1. Right-click on the "Client.ovpn" configuration file.

The context menu opens.

2. Open the configuration file in a text editor like Notepad.



The configuration file opens.


3. In the Microsoft Windows network settings, check whether the name of the virtual network
interface matches the name entered in the configuration file. If necessary, modify the name
of the virtual interface in the configuration file.


4. When operating in routing mode, activate the line "dev tun" and deactivate the line "dev
tap".

When operating in bridging mode, deactivate the line "dev tun" and activate the line "dev
tap".

Note To activate the line, remove the semicolon at the start of the line. To deactivate the line,
add a semicolon at the start of the line.

5. In place of "<IP_ADDRESS>", enter the IP address where the VPN server can be reached.
– In routing mode: WAN IP address of DSL-Router2.
– In bridging mode: IP address (zone EXT; LAN port) of the SCALANCE device


6. If the client certificate is not in the folder specified here, then change the path.

7. Press <CTRL + S> to save the configuration file.
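Steps 3 to 6 can also be carried out with a script. The following PowerShell function is an added example and not part of the download. Because the file itself appears in the original only as a figure, the function assumes that "Client.ovpn" uses the standard OpenVPN directives: "dev-node" carrying the adapter name, "dev tun" and "dev tap", a line containing the "<IP_ADDRESS>" placeholder, and "pkcs12" pointing at the client certificate. The adapter is looked up with Get-NetAdapter; the paths and the address in the usage line are constructed sample values.

```powershell
# Added example (not part of the Siemens download): applies steps 3 to 6 to "Client.ovpn".
# Assumed directives in the file: dev-node, dev tun / dev tap, <IP_ADDRESS> placeholder, pkcs12.
function Update-ClientOvpn {
    param(
        [Parameter(Mandatory)] [string] $Path,                              # e.g. D:\VPN_Cer\Client.ovpn
        [Parameter(Mandatory)] [ValidateSet('tun', 'tap')] [string] $Mode,  # tun = routing, tap = bridging
        [Parameter(Mandatory)] [string] $ServerAddress,                     # replaces <IP_ADDRESS>
        [Parameter(Mandatory)] [string] $PfxPath                            # e.g. D:\VPN_Cer\Win10.pfx
    )
    if (-not (Test-Path -LiteralPath $PfxPath)) { throw "Client certificate not found: $PfxPath" }

    # Step 3: take the TAP adapter's current name from the Windows network settings.
    $tap = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'TAP-Windows Adapter*' } |
           Select-Object -First 1
    if (-not $tap) { throw 'No TAP-Windows adapter found; install OpenVPN first.' }

    # Step 6: inside the configuration file a backslash is written as a double backslash.
    $escapedPfx = $PfxPath.Replace('\', '\\')

    # Step 4: exactly one "dev" line stays active; a leading semicolon disables a line.
    # Step 5: the placeholder becomes the address at which the VPN server is reachable.
    $updated = foreach ($line in Get-Content -LiteralPath $Path) {
        if     ($line -match '^;?\s*dev-node\b')  { "dev-node `"$($tap.Name)`"" }
        elseif ($line -match '^;?\s*dev\s+tun\b') { if ($Mode -eq 'tun') { 'dev tun' } else { ';dev tun' } }
        elseif ($line -match '^;?\s*dev\s+tap\b') { if ($Mode -eq 'tap') { 'dev tap' } else { ';dev tap' } }
        elseif ($line -match '^\s*pkcs12\b')      { "pkcs12 `"$escapedPfx`"" }
        else                                       { $line.Replace('<IP_ADDRESS>', $ServerAddress) }
    }

    Set-Content -LiteralPath $Path -Value $updated -Encoding ASCII
    $updated   # return the new contents so they can be reviewed before import
}

# Routing mode, constructed values: WAN address of DSL-Router2 and the client certificate path.
# Update-ClientOvpn -Path 'D:\VPN_Cer\Client.ovpn' -Mode tun -ServerAddress '111.222.111.2' -PfxPath 'D:\VPN_Cer\Win10.pfx'
```

Use "-Mode tap" for bridging mode together with the external IP address of the SCALANCE device. The function refuses to run when the certificate file is missing, so a typo in the path is caught here rather than at the first connection attempt.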




3 Operation
For the Microsoft Windows 10 PC (VPN client) and the SCALANCE SC646-2C (VPN server) to
establish a VPN connection, the following requirements must be met:
• You have used the PowerShell script to generate certificates on the configuration PC,
exported them, and transferred the necessary data to the Windows 10 PC (VPN client).
• The client certificate has been saved on the Windows 10 PC (VPN client) and the
configuration file has been adapted.
• You have configured the SCALANCE device and the certificates in the SCALANCE appear
as "valid".
• All participating components of this solution are interconnected (see chapter 2.1.2).
• The VPN connection is not blocked on the Windows 10 PC (VPN client) by a firewall or
similar measure.

Note If you also used the Microsoft Windows 10 PC (VPN client) to set up the SCALANCE device
and generate the certificates, then remove the additional IP address, located in the internal
network of the SCALANCE device, e.g. 192.168.1.100/24.

Establish VPN connection


To establish the VPN connection, proceed as follows:

1. Right-click on the "Client.ovpn" configuration file.

The context menu opens.

2. Select "Import into OpenVPN-GUI".

A message from the "OpenVPN GUI" software appears.


3. Confirm the message with "Yes".

The configuration file will be imported. A notification to this effect is displayed.

Note If there are errors in the configuration file, you will receive a corresponding error message.
Remedy the error and re-import the configuration file.

4. Right-click on the "OpenVPN GUI" icon in the system tray.

The context menu opens.

5. Select "Connect".


6. You will be prompted to enter the password for the client certificate.
Enter the password (see "$cert_pw" variable in Table 2-6) and tick the box for "Save
password".
Click "OK".

Result
The VPN tunnel will be established. The current status appears as "Connected".
In routing mode, you will also see which virtual tunnel IP address the VPN client has received
(here: "172.17.0.2").

The icon in the system tray turns green.


Check VPN connection


You can view the status of the VPN connection via the WBM of the SCALANCE device.

To check the VPN connection status in the SCALANCE device, proceed as follows:

1. Open the WBM.

2. Change to the "Information > OpenVPN" menu, then go to the "Server" tab.
Here you can see which VPN clients have connected with the SCALANCE device.


Test VPN connection


You can test the VPN connection by using the Windows 10 PC to run a PING test, for example,
to the internal IP address (Zone: INT; vlan1) of the SCALANCE device or another node in the
internal network of the SCALANCE device.


4 Appendix
4.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire service and support
know-how and portfolio.
The Industry Online Support is the central address for information about our products, solutions
and services.
Product information, manuals, downloads, FAQs, application examples and videos – all
information is accessible with just a few mouse clicks:
support.industry.siemens.com

Technical Support
The Technical Support of Siemens Industry provides you with fast and competent support regarding
all technical queries with numerous tailor-made offers – ranging from basic support to individual
support contracts.
Please send queries to Technical Support via Web form:
siemens.com/SupportRequest

SITRAIN – Digital Industry Academy


We support you with our globally available training courses for industry with practical
experience, innovative learning methods and a concept that’s tailored to the customer’s specific
needs.
For more information on our offered trainings and courses, as well as their locations and dates,
refer to our web page:
siemens.com/sitrain

Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog web page:
support.industry.siemens.com/cs/sc

Industry Online Support app


You will receive optimum support wherever you are with the "Siemens Industry Online Support"
APP. The app is available for iOS and Android:
support.industry.siemens.com/cs/ww/en/sc/2067


4.2 Industry Mall

The Siemens Industry Mall is the platform on which the entire Siemens Industry product portfolio
is accessible. From the selection of products to the order and the delivery tracking, the Industry
Mall enables the complete purchasing processing – directly and independently of time and
location:
mall.industry.siemens.com

4.3 Links and literature


Table 4-1
No. Topic
\1\ Siemens Industry Online Support
https://support.industry.siemens.com
\2\ Link to this entry page of this application example
https://support.industry.siemens.com/cs/ww/en/view/109481101
\3\ SIMATIC NET: Industrial Ethernet Security SCALANCE SC-600
https://support.industry.siemens.com/cs/ww/en/view/109754812
\4\ SIMATIC NET: Industrial Ethernet Security SCALANCE SC-600 Command Line Interface (CLI)
https://support.industry.siemens.com/cs/ww/en/view/109754814
\5\ SIMATIC NET: Industrial Ethernet Security SCALANCE SC-600 Web Based Management (WBM)
https://support.industry.siemens.com/cs/ww/en/view/109754815
\6\ SINEC PNI
https://support.industry.siemens.com/cs/ww/en/ps/26672/dl
\7\ OpenVPN GUI
https://openvpn.net/community-downloads/

4.4 Change documentation


Table 4-2
Version Date Modifications
V1.0 05/2023 First version
