OpenVPN connection between a SCALANCE SC and a PC
Siemens Industrial Security
Siemens Industry Online Support: https://support.industry.siemens.com/cs/ww/en/view/109481101
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several components in
the form of text, graphics and/or software modules. The application examples are a free service by Siemens AG
and/or a subsidiary of Siemens AG ("Siemens"). They are non-binding and make no claim to completeness or
functionality regarding configuration and equipment. The application examples merely offer help with typical
tasks; they do not constitute customer-specific solutions. You yourself are responsible for the proper and safe
operation of the products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the application
examples used by technically trained personnel. Any change to the application examples is your responsibility.
Sharing the application examples with third parties or copying the application examples or excerpts thereof is
permitted only in combination with your own products. The application examples are not required to undergo the
customary tests and quality inspections of a chargeable product; they may have functional and performance
defects as well as errors. It is your responsibility to use them in such a manner that any malfunctions that may
occur do not result in property damage or injury to persons.
Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without limitation, liability for
the usability, availability, completeness and freedom from defects of the application examples as well as for
related information, configuration and performance data and any damage caused thereby. This shall not apply in
cases of mandatory liability, for example under the German Product Liability Act, or in cases of intent, gross
negligence, or culpable loss of life, bodily injury or damage to health, non-compliance with a guarantee,
fraudulent non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for damages
arising from a breach of material contractual obligations shall however be limited to the foreseeable damage
typical of the type of agreement, unless liability arises from intent or gross negligence or is based on loss of life,
bodily injury or damage to health. The foregoing provisions do not imply any change in the burden of proof to
your detriment. You shall indemnify Siemens against existing or future claims of third parties in this connection
except where Siemens is mandatorily liable.
© Siemens AG 2023 All rights reserved
By using the application examples you acknowledge that Siemens cannot be held liable for any damage beyond
the liability provisions described.
Other information
Siemens reserves the right to make changes to the application examples at any time without notice. In case of
discrepancies between the suggestions in the application examples and other Siemens publications such as
catalogs, the content of the other documentation shall have precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of
plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement –
and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and
solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks.
Such systems, machines and components should only be connected to an enterprise network or the internet if
and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls
and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends that product updates are applied as soon as they are available and that the latest product versions
are used. Use of product versions that are no longer supported, and failure to apply the latest updates may
increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under
https://www.siemens.com/cert.
Table of contents
Legal information ......................................................................................................................... 2
1 Introduction ........................................................................................................................ 4
1.1 Overview ............................................................................................................... 4
1.2 Mode of operation.................................................................................................. 6
1.3 Components used ................................................................................................. 9
2 Engineering ...................................................................................................................... 10
2.1 Setting up the environment .................................................................................. 10
2.1.1 IP address overview ............................................................................................ 10
2.1.2 Infrastructure overview ........................................................................................ 12
2.2 Preparing the devices .......................................................................................... 13
2.2.1 PCs ..................................................................................................................... 13
2.2.2 Router ................................................................................................................. 16
2.2.3 SCALANCE SC-600 security appliance ............................................................... 17
2.3 Setting up security ............................................................................................... 30
2.3.1 Certificates .......................................................................................................... 30
2.3.2 SCALANCE SC-600 security appliance ............................................................... 37
2.3.3 VPN client on the Microsoft Windows 10 PC ........................................................ 52
3 Operation .......................................................................................................................... 57
4 Appendix .......................................................................................................................... 62
4.1 Service and support............................................................................................. 62
4.2 Industry Mall ........................................................................................................ 63
4.3 Links and literature .............................................................................................. 63
4.4 Change documentation ........................................................................................ 63
1 Introduction
1.1 Overview
Industry 4.0
The Internet serves as an enormous accelerator of business processes and has revolutionized
business operations around the world. The resulting change in the manufacturing industry is
also referred to as Industry 4.0.
Industry 4.0 affects all aspects of the industrial value chain, with industrial communication and
security being the important aspects we will consider here.
Industrial Security
In the face of digitization and the increasing networking of machinery and equipment, data
security must always be taken into account. The use of industrial security solutions precisely
tailored to the needs of industry is therefore of fundamental importance – and should be
inseparably linked with industrial communication.
This includes the following points:
• Use of robust products with security features and security services
• Use of concepts such as "Defense in Depth" and a holistic security concept
Measures
The measures for safe operation in a digital enterprise are:
• Encryption and monitoring of communication
• Access control for industrial components and networks
• Protection of transfer and saving of data
• Authentication of devices and users
VPN as a solution
To ensure secure operation in a digital enterprise, data transmission can be encrypted using
Virtual Private Network (VPN) to protect against data espionage and tampering. The
communication partners are securely authenticated.
Implementation in practice
You can run the SCALANCE SC industrial security appliance as an OpenVPN server.
This application example shows you how to use the SCALANCE SC industrial security
appliance and a PC to set up a VPN connection. We will use the OpenVPN protocol with X.509
certificates. Two scenarios will be considered:
• OpenVPN connection in routing mode (layer 3)
• OpenVPN connection in bridging mode (layer 2) (only SCALANCE SC63x/SC64x)
Advantages
When you use the SCALANCE SC industrial security appliances, you have the following added
value:
• Protection of networks and individual TIA components according to the "defense in depth"
security concept
• Flexibly configurable security zones
• Controlled and encrypted data traffic between a PC and the SCALANCE SC via OpenVPN
• High security for machines and systems by implementing the cell security concept
• Versatile configuration options with TIA Portal, WBM, command line interface (CLI) and
Simple Network Management Protocol (SNMP)
• Easy integration into existing networks and protection of devices without their own security
functions.
Figure (routing mode): service PC with MS Windows 10 (Win10, VPN client) connected through an Internet modem/router and the Internet to an Internet router with a static WAN IP address, behind which the SCALANCE SC (VPN server) protects the automation cell with its SIMATIC S7 stations on Industrial Ethernet. The VPN tunnel runs between the VPN client and the VPN server.
The Figure below shows the essential structure of the application example when in bridging
mode:
Figure (bridging mode): service PC with MS Windows 10 (Win10, VPN client, static IP address) connected directly to the SCALANCE SC (VPN server), behind which the automation cell with its SIMATIC S7 stations is on Industrial Ethernet. The VPN tunnel runs between the VPN client and the VPN server.
Description
The connection between the service PC and the automation cell (nodes such as SIMATIC
stations, Panels, drives, PCs) is secured with a VPN tunnel.
The OpenVPN client software is installed on the PC. The OpenVPN client software and one
SCALANCE SC646-2C form the two tunnel endpoints for the secure connection in this example.
The SCALANCE SC646-2C acts as a VPN server.
The tunnel endpoints are authenticated and verified with X.509 certificates.
Access to the SCALANCE SC is defined through the use of a static IP address.
The role distribution when setting up the VPN tunnel is defined as follows:
Table 1-1
Component | VPN role
PC | Initiator (VPN client); starts the VPN connection
SCALANCE SC | Responder (VPN server); waits for the VPN connection
Note: This application example provides you with the configuration file "Client.ovpn". You can find
the text file on the HTML page of this article in the "Download" section (see chapter 4.3).
Certificates
The VPN connection in this application example is secured with X.509 certificates. Every VPN
client and the SCALANCE module (VPN server) require the following certificates:
• A private key
• A public certificate signed by a certificate authority (CA)
• The public certificate of the certificate authority
Figure: the certificate authority (CA) issues the certificates for the client PC and for the SCALANCE.
These three certificates can be saved inside of an archive file with the ".pfx" file ending.
Depending on your security requirements, there are multiple ways of procuring the necessary
X.509 certificates:
• Obtain the certificates from your IT department. Your IT department can also tell you how
or whether you should use the listed certificates.
• Generate the certificates yourself, for example with the "XCA" freeware, TIA Portal or
"PowerShell" commands.
Note: In this application example, certificates are created with PowerShell (see chapter 2.3.1).
PowerShell script
PowerShell is a cross-platform framework from Microsoft. It consists of a command line
interpreter and a scripting language that can be used to automate, manage and configure
systems in Microsoft Windows.
This application example provides you with a PowerShell script that implements the following
actions:
• A certificate authority (CA) is generated.
• The certificates necessary for the VPN client and VPN server are created.
• The certificates are saved in a ".pfx" archive file and exported.
You can also use another internet access method, e.g. mobile internet.
Note: The configuration described below refers explicitly to the components mentioned in the
section "Required devices/components".
2 Engineering
2.1 Setting up the environment
2.1.1 IP address overview
Figure (routing mode): Win10 VPN client, a router with a dynamic WAN IP address, a router with a static WAN IP address, the SCALANCE SC and its virtual interface; addresses shown: 192.168.1.12, 192.168.2.88, 192.168.2.1, 172.16.0.1 and 172.16.60.12.
Table 2-1
Component | Port | IP address | Router | Subnet mask
Note: You can also use the Microsoft Windows 10 PC (VPN client) to set up the SCALANCE device
and generate the certificates.
In this case, the Windows 10 PC (VPN client) will need another IP address that is in the
internal network of the SCALANCE device, for example 192.168.1.100/24.
Remove the additional IP address after completing chapter 2.
Figure (bridging mode): Win10 VPN client with 172.16.60.100 on the LAN port and 192.168.1.10 on the virtual interface; SC646-2C with 172.16.60.12 (Zone EXT) and 192.168.1.12 (Zone INT).
Table 2-2
Component | Port | IP address | Subnet mask
MS Windows 10 PC (VPN client) | LAN port | 172.16.60.100 | 255.255.255.0
MS Windows 10 PC (VPN client) | Virtual interface | 192.168.1.10 | 255.255.255.0
SC646-2C | Zone EXT; LAN port: P5 or P6 | 172.16.60.12 | 255.255.0.0
SC646-2C | Zone INT; LAN port: P1 to P4 | 192.168.1.12 | 255.255.255.0
MS Windows 10 PC (configuration) | LAN port | 192.168.1.100 | 255.255.255.0
Note: For all devices in the internal network of the SCALANCE SC646-2C (e.g. controllers, Panels),
remember to enter the internal IP address (Zone: INT; vlan1) of the SCALANCE SC646-2C
as the default gateway.
Routing mode
The Figure below shows how all the components involved in this solution are connected to each
other after completing chapter 2.
Figure (routing mode): connection of the PC and the SC646-2C.
Table 2-3
Component | Local port | Partner | Partner port
PC (VPN client) | LAN port | DSL-Router1 | LAN port
SC646-2C (VPN server) | Zone EXT; LAN port (P5 to P6) | DSL-Router2 | LAN port
SC646-2C | Zone INT; LAN port (P1 to P4) | E.g. an automation network (not present in this solution) |
Bridging mode
The Figure below shows how all the components involved in this solution are connected to each
other after completing chapter 2.
Figure (bridging mode): LAN port of the PC (Win 10, VPN) connected to port P5 of the SC646-2C; port P1 of the SC646-2C leads to the internal network.
Table 2-4
Component | Local port | Partner | Partner port
PC (VPN client) | LAN port | SC646-2C | Zone EXT; LAN port (P5 to P6)
SC646-2C (VPN server) | Zone INT; LAN port (P1 to P4) | E.g. an automation network (not present in this solution) |
This application example uses two Microsoft Windows 10 PCs. One PC serves as a VPN client
while the other PC serves as the configuration PC.
Software
Set up the PCs as follows:
1. On both PCs, install the latest update or service pack for Microsoft Windows 10, as well as
the latest version of the web browser.
2. Install the "OpenVPN GUI" software on the PC acting as the OpenVPN client. The
OpenVPN package is installed on your PC in the default directory "C:\Program Files\OpenVPN".
Result
The "OpenVPN GUI" software is installed. An icon for the "OpenVPN GUI" software will be
created in the Windows system tray.
Note: PowerShell and a text editor are pre-installed components of Microsoft Windows 10 and do
not need to be installed separately.
You need version V5.1 or higher for PowerShell.
Physical IP address
To use this application example, the two Windows 10 PCs will need an IP address for the
physical network interface.
To assign an IP address, proceed as follows:
1. Enter "View network connections" in the Windows search bar.
2. Select the network adapter that you are physically connected to, then enter the IP address
according to Table 2-1 or Table 2-2.
In routing mode, the VPN server assigns an IP address to the "TAP-Windows Adapter V9"
virtual interface.
In bridging mode, the "TAP-Windows Adapter V9" virtual interface requires an IP address from
the internal network of the SCALANCE device.
Proceed as follows to view and/or modify the network settings of the virtual interface:
1. Enter "View network connections" in the Windows search bar. Open the IPv4 settings of the
virtual network interface "TAP-Windows Adapter V9".
Result
The virtual network adapter has been set up.
2.2.2 Router
Note: Only relevant when using the application example in routing mode.
VPN
If VPN connections have been configured on your router and activated, terminate them.
LAN port
On the LAN port, use a static IP address in accordance with Table 2-1.
1. In the router, enable port forwarding for "OpenVPN" and "HTTPS" with TCP and UDP.
2. Forward the packets to the external IP address (zone: EXT; vlan2) of the SCALANCE
device, port 1194.
Factory setting
To ensure that there are no old configurations or certificates stored in the SCALANCE device,
reset the appliance to its factory settings.
You will find instructions in the module manual (see chapter 4.3).
Preparation
The SCALANCE device is set up using the PC and the WBM. To access the WBM, the following
requirements must be met:
• You will need an Ethernet connection between the PC and the SCALANCE device (Zone
INT; LAN port: P1 to P4).
• The PC has an IP address in the network of the SCALANCE device, for example
192.168.1.100/24.
• SINEC PNI
To assign the device an IP address with SINEC PNI, the device must be available over
Ethernet. You can download SINEC PNI for free from the Siemens Industry Online Support
pages (see chapter 4.3).
• Command Line Interface (CLI)
• TIA Portal and the "Accessible Devices…" function
2. Assign the SCALANCE device the associated IP address for the internal network.
3. If you are signing in for the first time or after a "Restore Factory Defaults and Restart", the
login credentials are set as follows:
– "Name" field: "admin"
– "Password" field: "admin"
Enter the name and the password in the corresponding fields.
Click the "Login" button or confirm with the Enter key.
4. If you are signing in for the first time or after a "Restore Factory Defaults and Restart", you
will be prompted to change the password.
Enter the current password in the "Current User Password" field.
The new password must meet the following password requirements:
– Password length: a minimum of 8 characters, a maximum of 128 characters
– At least 1 uppercase letter
– At least 1 special character (special characters § and ß are not allowed)
– At least 1 number
Set the new password in the "New Password" field. Repeat your password to confirm. Both
passwords must match.
Click the "Set Values" button to finish the process.
Result
The homepage of the WBM appears.
The "Connected Subnets Overview" window will open and you will be in the "Overview" tab.
This page shows you the subnets for the selected interface.
The "Configuration" tab opens. Configure the subnet for the interface on this page.
Result
The SCALANCE device has an IP address for all VLANs.
You will be automatically taken back to the "Overview" tab. Here you will see an overview of the
IP addresses.
Note: Only relevant when using the application example in routing mode.
A static route lets you specify the routes through which data can be exchanged between the
various subnets.
To store a static route in the SCALANCE device, proceed as follows:
1. Open the menu "Layer 3 > Static Routes".
Result
The static route for the module has been set up. A new entry is created in the table.
The "Manual System Time Setting" window will open and you will be in the "Manual Setting"
tab.
3. Tick the "NTP Client" box and click the "Set Values" button.
5. In the "NTP Server Address" column, enter the address of the NTP server.
Note: When you run the application example in routing mode, one address you can use is
"pool.ntp.org". The "pool.ntp.org" project is a network of time servers that provide simple,
reliable time synchronization over NTP.
When you run the application example in bridging mode, you will need an NTP server in
the LAN network of the SCALANCE device.
Result
The time synchronization protocol has been set up.
Enter DNS
Note: Only relevant when using the application example in routing mode.
The SCALANCE device requires a DNS server address to resolve the name of the NTP server.
Follow these steps:
1. Open the menu "System > DNS".
The "Domain Name System (DNS) Client" window opens and you will be in the "DNS
Client" tab.
2. In the "DNS Server Address" column, enter the IP address of the local DNS server or of a
public server, e.g. "1.1.1.1".
Click the "Create" button.
Result
The DNS server in the SCALANCE device has been set up.
Note: Only relevant when using the application example in bridging mode.
Description
The "Inter-VLAN bridge" function is required when different VLANs need to communicate with
one another.
The layer 2 OpenVPN connection is established via a virtual network interface, which is referred
to as the TAP device. The TAP device is connected to the actual network via a network bridge
(the inter-VLAN bridge). The layer 2 OpenVPN connection must be assigned to a bridge at all
times; it cannot be used directly on a VLAN.
Proceed as follows to set up the inter-VLAN bridge:
1. Open the menu "Layer 2 > Inter-VLAN Bridge".
The "Inter-VLAN-Bridge Overview" window opens and you will be in the "Overview" tab.
2. Enter a number between 1 and 255 as the Bridge ID in the "Bridge-ID" input field (here: "1").
Click the "Create" button.
The "Configuration" tab opens. On this page, you will define the VLANs between which a
bridge will be established; and you will define which VLAN will be used as the master VLAN.
6. Activate the inter-VLAN bridge for the Bridge ID that you created (here: "1").
To apply your settings, click on the "Set Values" button.
Result
You have created an inter-VLAN bridge. Master is "vlan1".
PC
The PowerShell script is run on the configuration PC.
PowerShell script
This application example provides you with the already finished PowerShell script
"Cert_gen.txt".
You can find the text file on the HTML page of this article in the "Download" section (see
chapter 4.3).
Overview
The PowerShell automatically performs the following tasks:
• A certificate authority (CA) is generated.
• The certificates necessary for the VPN client and VPN server are created. The certificates
are protected with a password.
• The certificates are saved in a ".pfx" archive file and exported.
Open PowerShell
You will run the script with PowerShell. Proceed as follows to open PowerShell:
2. Save the text file. Select the entire contents of the text file (for example with the keyboard
combination <CTRL + A>) and copy it to the clipboard (for example with the keyboard
combination <CTRL + C>).
2. Press Enter to execute the script. The following tasks will be performed in succession:
– A CA will be generated.
– Based on this CA, X.509 certificates for the VPN server and VPN client will be
generated and exported in password-protected format to the directory you specified
(see "$mydir" variable in Table 2-6). The file has the name "<Servername>.pfx" or
"<Clientname>.pfx".
– The certificates are deleted from the internal certificate store on the PC because this PC
is only used to generate the certificates, not as a VPN client.
In case of an error, the script will stop running and the cause of the error will be displayed in
PowerShell. The script will also create a log file with the error messages at the same time.
You can find the log file "logfile.txt" in the specified directory (here: "D:\VPN_Cer").
If an error occurred, look for the error message and remedy the error.
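As an added example (not the "Cert_gen.txt" script provided with this article), the following Windows PowerShell 5.1 script performs the tasks listed above with the built-in PKI cmdlets: it generates a CA, issues one server and one client certificate signed by that CA, exports each as a password-protected ".pfx" archive, writes the cause of any error to "logfile.txt", and removes the certificates and their private keys from the local store afterwards. The variable names $mydir, $cert_n and $cert_pw follow the article's references to Table 2-6, but the form they take in the original script is not shown on this page and is assumed here; the subject names, key sizes, validity periods, the EKU OIDs and the use of -ChainOption BuildChain to include the CA certificate in the archives are also assumptions.

```powershell
# Added example: generates the CA, server and client certificates for the OpenVPN
# participants with Windows PowerShell 5.1 PKI cmdlets. It is not the Cert_gen.txt
# script from the article. $mydir, $cert_n and $cert_pw are modelled on the variable
# names the article cites from Table 2-6 (their exact form is assumed); subjects,
# key sizes, validity periods and EKU OIDs are assumptions, not values from the article.
$mydir   = "D:\VPN_Cer"                                  # output folder (as in the article)
$cert_n  = @{ Server = "SCALANCE"; Client = "Win10" }    # gives SCALANCE.pfx and Win10.pfx
$cert_pw = Read-Host -Prompt "Password for the .pfx files" -AsSecureString
$logfile = Join-Path $mydir "logfile.txt"
$store   = "Cert:\CurrentUser\My"                        # temporary store on this PC only
$created = @()

function New-VpnCert {
    # Issues one end-entity certificate signed by $Ca. $EkuOid selects
    # serverAuth (1.3.6.1.5.5.7.3.1) or clientAuth (1.3.6.1.5.5.7.3.2).
    param($Ca, [string]$Name, [string]$EkuOid)
    New-SelfSignedCertificate -Type Custom -Subject "CN=$Name" -Signer $Ca `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment -KeyExportPolicy Exportable `
        -TextExtension @("2.5.29.37={text}$EkuOid") `
        -NotAfter (Get-Date).AddYears(5) -CertStoreLocation $store
}

function Test-PfxContents {
    # $true when the archive holds one end-entity certificate plus at least one
    # further certificate (the CA), i.e. the three items listed in Table 2-7.
    param([string]$Path, [securestring]$Password)
    $pfx = Get-PfxData -FilePath $Path -Password $Password
    return ($pfx.EndEntityCertificates.Count -eq 1 -and $pfx.OtherCertificates.Count -ge 1)
}

try {
    New-Item -ItemType Directory -Path $mydir -Force | Out-Null

    # 1. Certificate authority: self-signed, CA=true, allowed to sign certificates.
    $ca = New-SelfSignedCertificate -Type Custom -Subject "CN=OpenVPN Example CA" `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
        -TextExtension @("2.5.29.19={critical}{text}CA=true") `
        -NotAfter (Get-Date).AddYears(10) -CertStoreLocation $store
    $created += $ca

    # 2. Server and client certificates signed by the CA.
    $server = New-VpnCert -Ca $ca -Name $cert_n.Server -EkuOid "1.3.6.1.5.5.7.3.1"
    $client = New-VpnCert -Ca $ca -Name $cert_n.Client -EkuOid "1.3.6.1.5.5.7.3.2"
    $created += $server, $client

    # 3. Export. BuildChain adds the issuing CA certificate to the archive, so
    #    <Servername>.pfx and <Clientname>.pfx carry key, certificate and CA certificate.
    Export-PfxCertificate -Cert $ca -FilePath (Join-Path $mydir "CA_private.pfx") `
        -Password $cert_pw -ChainOption EndEntityCertOnly | Out-Null
    foreach ($pair in @(@($server, $cert_n.Server), @($client, $cert_n.Client))) {
        $path = Join-Path $mydir "$($pair[1]).pfx"
        Export-PfxCertificate -Cert $pair[0] -FilePath $path -Password $cert_pw `
            -ChainOption BuildChain | Out-Null
        if (-not (Test-PfxContents -Path $path -Password $cert_pw)) {
            throw "$path does not contain the CA certificate; check the chain in $store"
        }
    }
}
catch {
    # Same behaviour as the article describes for its script: record the cause and stop.
    "$(Get-Date -Format s) $($_.Exception.Message)" | Add-Content -Path $logfile
    throw
}
finally {
    # 4. This PC only generates the certificates: remove them and their private keys
    #    from the local store so that no key material stays behind.
    foreach ($c in $created) {
        Remove-Item -Path (Join-Path $store $c.Thumbprint) -DeleteKey -Force
    }
}
```

The Test-PfxContents call after each export is the check worth keeping: it confirms that the archive really carries the CA certificate next to the end-entity certificate and key, which is what the VPN participant needs from a single ".pfx" file. If it fails, the chain could not be built from the local store and the export would have to be repeated.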
Result
If the script ran without errors, then all the necessary certificates will be located in the folder you
specified (here: "D:\VPN_Cer").
Note: If you gave the VPN participants other names (variable "$cert_n"; see Table 2-6), then the
appearance of the file names will differ.
For more details on the files contained in the folder, refer to the Table below:
Table 2-7
File | Meaning
CA_private.pfx | The private key of the certificate authority. It is needed if you wish to add more VPN clients at a later time.
<Clientname>.pfx (here: Win10.pfx) | Certificate for the VPN client. This certificate contains: the private key; the public certificate signed by the CA; the public certificate of the CA.
<Servername>.pfx (here: SCALANCE.pfx) | Certificate for the VPN server. This certificate contains: the private key; the public certificate signed by the CA; the public certificate of the CA.
CAUTION: Always keep the private key of the certificate authority in a safe place.
Copy files
This application example uses a different PC for the VPN client.
Copy the files needed for the VPN client to a storage device. The files are the following:
• The client certificate <Clientname>.pfx (here: "Win10.pfx")
• The configuration file "Client.ovpn". You can find the file on the HTML page of this article in
the "Download" section (see chapter 4.3).
Preparation
The SCALANCE module is set up using the configuration PC and the WBM. To access the
WBM, the following requirements must be met:
• You will need an Ethernet connection between the configuration PC and the SCALANCE
(Zone INT; LAN port: P1 to P4).
• The configuration PC has an IP address in the network of the SCALANCE device, for
example 192.168.1.100/24.
Overview
The following settings are relevant for this application example:
• Load certificate
• Set up VPN connection
• Configure firewall
Load certificates
In chapter 2.3.1, you utilized PowerShell to generate the necessary certificates and keys for
each VPN participant.
The WBM offers the option of loading data (for example, the certificates necessary for
The window "Load and Save via HTTP" opens and you will be in the "HTTP" tab.
4. In the "Password" and "Password Confirmation" column for the "X509Cert" row, enter the
password that you assigned for the server certificate (see "$cert_pw" variable in Table 2-6).
7. To load the certificate, click on the "Load" button in the "X509Cert" line.
8. Navigate to the folder that you selected as the save location for the certificates (see
"$mydir" variable in Table 2-6; here "D:\VPN_Cer").
Select the X.509 certificate in "<Servername>.pfx" format that was generated for the VPN
server (here: "SCALANCE.pfx") and then confirm the upload with "Open".
9. When the certificate has been uploaded successfully, a message will appear that you
should confirm with "OK".
Result
The certificate has been uploaded. You can see the certificates in the menu "Security >
Certificates > Overview". Check whether the certificates have the status "valid".
Note: If the certificates appear with the status "expired", then make sure that the time in the
SCALANCE device is correct.
The "OpenVPN General" window opens and you will be in the "General" tab.
The "Connections" tab opens. Here you will configure the basic settings for the OpenVPN
connection.
3. Enter a unique name for the OpenVPN connection. Click the "Create" button to create a
connection.
The connection will be created and a new table row will be added.
The "Authentication" tab opens. Here you will define how the VPN connection partners
authenticate with one another.
The "Server" tab opens. Here you will configure the OpenVPN server.
7. In the "Server Name" field, enter a unique name for the OpenVPN server (here:
"MyServer").
Click the "Create" button.
The server will be created and a new table row will be added.
The "Connections" tab opens. You can start the connection here.
The "General" tab opens. Here you will enable the OpenVPN functionality.
Result
The OpenVPN connection in the SCALANCE device has been set up in routing mode and the
server certificates are assigned to the OpenVPN connection. The SCALANCE device waits for
the VPN client to establish a connection.
The "OpenVPN General" window opens and you will be in the "General" tab.
The "Connections" tab opens. Here you will configure the basic settings for the OpenVPN
connection.
3. Enter a unique name for the OpenVPN connection. Click the "Create" button to create a
connection.
The connection will be created and a new table row will be added.
4. Select the Bridge ID in the "Bridged" column (here: "1"); this Bridge ID is the one that will
carry the layer 2 OpenVPN connection (see chapter 2.2.3).
To apply your settings, click on the "Set Values" button.
The "Authentication" tab opens. Here you will define how the VPN connection partners
authenticate with one another.
The "Server" tab opens. Here you will configure the OpenVPN server.
8. In the "Server Name" field, enter a unique name for the OpenVPN server (here:
"MyServer").
Click the "Create" button.
The server will be created and a new table row will be added.
9. In the "Connection" column of the table, select the connection you created in Step 3 (here:
"OpenVPN_Conn").
Leave all the other columns in the table at their default settings.
To apply your settings, click on the "Set Values" button.
The "Connections" tab opens. You can start the connection here.
The "General" tab opens. Here you will enable the OpenVPN functionality.
Result
The OpenVPN connection in the SCALANCE device has been set up in bridging mode and the
server certificates are assigned to the OpenVPN connection. The SCALANCE device waits for
the OpenVPN client to establish a connection.
The "Firewall General" window opens and you will be on the "General" tab.
The "Predefined" tab opens. This tab contains predefined IP packet filter rules.
3. For the "vlan2 (EXT)" interface in the IP version "IPv4", enable the "OpenVPN" protocol.
To apply your settings, click on the "Set Values" button.
Result
OpenVPN has been allowed in the firewall for the external interface.
Create IP rule
Note: Only relevant when using the application example in bridging mode.
In bridging mode, you establish a VPN connection on the layer 2 level. Layer 3 data packets, for
example access to the WBM, or a PING test, are by definition not possible.
IP packet filter rules have already been predefined (and some of them enabled) in the
SCALANCE device for the WBM and the PING command. You can use them and optionally
define other IP rules.
Proceed as follows:
1. Activate the WBM for the VPN connection.
To apply your settings, click on the "Set Values" button.
Result
The firewall has been set up so that layer 3 data packets from the layer 2 VPN connection can
reach the SCALANCE device.
Preparation
In the final step of chapter 2.3.1, you copied the following files from the configuration PC to a
storage device:
• The X.509 certificate for the VPN client in the format <Clientname>.pfx (here: "Win10.pfx")
• The configuration file "Client.ovpn". You can find the file on the HTML page of this article in
the "Download" section (see chapter 4.3).
Now copy these files from the storage device to a folder of your choice on the Microsoft
Windows 10 PC (VPN client) (here, the folder is: "D:\VPN_Cer").
Table 2-8
No. Description
1. Name of the virtual network interface "TAP-Windows Adapter V9"; this was set up while installing
OpenVPN.
2. OpenVPN mode:
• tun: OpenVPN operates in routing mode (layer 3)
• tap: OpenVPN operates in bridging mode (layer 2)
Note: A semicolon at the start of the line disables the line.
3. Network protocol used
4. IP address and port at which the VPN server can be reached.
5. Encryption information.
Must match the algorithms in the VPN server.
6. Save location of the client certificate (here: "D:\VPN_Cer\Win10.pfx")
In Windows, you must enter a double backslash to represent a backslash when specifying folder
paths in the configuration file (here: "D:\\VPN_Cer\\Win10.pfx").
3. In the Microsoft Windows network settings, check whether the name of the virtual network
interface matches the name entered in the configuration file. If necessary, modify the name
of the virtual interface in the configuration file.
4. When operating in routing mode, activate the line "dev tun" and deactivate the line "dev
tap".
When operating in bridging mode, deactivate the line "dev tun" and activate the line "dev
tap".
Note: To activate the line, remove the semicolon at the start of the line.
To deactivate the line, add a semicolon at the start of the line.
5. In place of "<IP_ADDRESS>", enter the IP address where the VPN server can be reached.
– In routing mode: WAN IP address of DSL-Router2.
– In bridging mode: IP address (zone EXT; LAN port) of the SCALANCE device
6. If the client certificate is not in the folder specified here, then change the path.
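Steps 3 to 6 above can be carried out and checked with a script. The following is an added Python example, not the article's Client.ovpn and not Siemens code; the sample profile is constructed, and the directive names (dev-node, dev, remote, pkcs12) are assumed to be the ones the downloaded file uses.

```python
import ipaddress
import re

# Constructed sample profile (not the article's Client.ovpn) with the directives of Table 2-8.
SAMPLE_OVPN = r"""client
dev-node "TAP-Windows Adapter V9"
;dev tun
dev tap
proto udp
remote <IP_ADDRESS> 1194
cipher AES-256-CBC
auth SHA256
pkcs12 D:\\VPN_Cer\\Win10.pfx
"""

def set_mode(text, mode):
    """Step 4: leave exactly one of 'dev tun' / 'dev tap' uncommented."""
    if mode not in ("tun", "tap"):
        raise ValueError("mode must be 'tun' (routing) or 'tap' (bridging)")
    out = []
    for line in text.splitlines():
        m = re.fullmatch(r";?\s*dev\s+(tun|tap)\s*", line)
        if m:  # a leading ';' disables the line, so only the prefix changes
            line = ("" if m.group(1) == mode else ";") + "dev " + m.group(1)
        out.append(line)
    return "\n".join(out) + "\n"

def set_server(text, ip):
    """Step 5: replace <IP_ADDRESS>; reject anything that is not an IPv4 address."""
    ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return text.replace("<IP_ADDRESS>", ip)

def set_cert_path(text, windows_path):
    """Step 6: point pkcs12 at the .pfx, doubling each backslash as the file needs."""
    escaped = windows_path.replace("\\", "\\\\")  # D:\x -> D:\\x
    return re.sub(r"^pkcs12 .*$", lambda _: "pkcs12 " + escaped, text, flags=re.M)  # lambda: no repl escaping

def check_profile(text, adapter_name):
    """Step 3 plus sanity checks: list what would still break the import."""
    problems = []
    active = [l for l in text.splitlines() if not l.startswith(";")]
    if sum(bool(re.fullmatch(r"dev\s+(tun|tap)\s*", l)) for l in active) != 1:
        problems.append("exactly one of 'dev tun' / 'dev tap' must be active")
    if not any(l.startswith("dev-node") and adapter_name in l for l in active):
        problems.append("dev-node does not match the virtual adapter name")
    if "<IP_ADDRESS>" in text:
        problems.append("<IP_ADDRESS> placeholder has not been replaced")
    if any(l.startswith("pkcs12") and re.search(r"(?<!\\)\\(?!\\)", l) for l in active):
        problems.append("pkcs12 path uses single backslashes; write \\\\ instead")
    return problems
```

Run check_profile on the adapted text before importing it into the OpenVPN GUI; an empty list means the four points of steps 3 to 6 are satisfied.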
3 Operation
For the Microsoft Windows 10 PC (VPN client) and the SCALANCE SC646-2C (VPN server) to
establish a VPN connection, the following requirements must be met:
• You have used the PowerShell script to generate certificates on the configuration PC,
exported them, and transferred the necessary data to the Windows 10 PC (VPN client).
• The client certificate has been saved on the Windows 10 PC (VPN client) and the
configuration file has been adapted.
• You have configured the SCALANCE device and the certificates in the SCALANCE appear
as "valid".
• All participating components of this solution are interconnected (see chapter 2.1.2).
• The VPN connection is not blocked on the Windows 10 PC (VPN client) by a firewall or
similar measure.
Note: If you also used the Microsoft Windows 10 PC (VPN client) to set up the SCALANCE device
and generate the certificates, then remove the additional IP address, located in the internal
network of the SCALANCE device, e.g. 192.168.1.100/24.
Note: If there are errors in the configuration file, you will receive a corresponding error message.
Remedy the error and re-import the configuration file.
5. Select "Connect".
6. You will be prompted to enter the password for the client certificate.
Enter the password (see "$cert_pw" variable in Table 2-6) and tick the box for "Save
password".
Click "OK".
Result
The VPN tunnel will be established. The current status appears as "Connected".
In routing mode, you will also see which virtual tunnel IP address the VPN client has received
(here: "172.17.0.2").
To check the VPN connection status in the SCALANCE device, proceed as follows:
2. Change to the "Information > OpenVPN" menu, then go to the "Server" tab.
Here you can see which VPN clients have connected with the SCALANCE device.
4 Appendix
4.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire service and support
know-how and portfolio.
The Industry Online Support is the central address for information about our products, solutions
and services.
Product information, manuals, downloads, FAQs, application examples and videos – all
information is accessible with just a few mouse clicks:
support.industry.siemens.com
Technical Support
The Technical Support of Siemens Industry provides you with fast and competent support for
all technical queries, with numerous tailor-made offers ranging from basic support to
individual support contracts.
Please send queries to Technical Support via Web form:
siemens.com/SupportRequest
Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog web page:
support.industry.siemens.com/cs/sc
The Siemens Industry Mall is the platform on which the entire Siemens Industry product portfolio
is accessible. From the selection of products to the order and the delivery tracking, the Industry
Mall enables the complete purchasing process, directly and independently of time and
location:
mall.industry.siemens.com