Article translated with the assistance of AI tools. Images and parts of the content will still be reviewed.
This tutorial shows how to establish communication between MasterTool installed on a PC and a PLC on the same network, using a tunnel configured in OpenVPN Cloud.
Components
PLC: XP340; Firmware 1.14.20.0
Software: MasterTool IEC XE 3.62; OpenVPN Connect
Tutorial Sections
1. ARCHITECTURE
2. DEVELOPMENT
2.1. Creating an Account on OpenVPN
2.2. Configuring Cloud Connexa
2.2.1 Group Configuration
2.2.2. Creating the devices
2.2.3. Configuring the network
2.3. Downloading the network file
2.4. PLC Web Page Configuration and VPN Connection
3. TESTING
1. ARCHITECTURE
By using OpenVPN Cloud to create a virtual tunnel between MasterTool and the PLC, we enable remote and secure interaction between both, regardless of their physical location, as long as they are connected to the internet and have the same network configured.
2. DEVELOPMENT
2.1. Creating an account on OpenVPN
To create an account on CloudConnexa, follow these steps:
- Click the link: SIGN-UP
- Create an Account
- Select CloudConnexa
- Fill in your user information
- Set the network name. In this example, the URL https://suportealtus.openvpn.com/ was created.
- Select the plan. For this tutorial, we chose the Free plan, which offers up to 3 free users.
2.2. Configuring Cloud Connexa
In the Users menu and tab, we use the user that OpenVPN created automatically as the network owner to act as the VPN client. This user is accessed through the OpenVPN Connect software with the same username and password set during account creation:
If you want to create a new user, follow the steps below:
- In the side menu, click Users
- Click Add User
- Fill in the required fields: User Name, Roles, and Group.
- Click Add User.
2.2.1 Group Configuration
Once you have one or more users created, check which group they belong to. In the example above, both users belong to the same group, called Default.
Navigate to the management tab at Users > Group. In this tab, you can create new groups (by clicking Add Group) or edit existing ones (by clicking the pencil icon), as shown in the image:
For XP3xx and NX3008 controllers to function properly, it is necessary to set the Connect Auth parameter of the user group to No. When this parameter is set to Every time (default value), the system requires the username and password to be entered every time you attempt to connect via OpenVPN. By setting it to 'No', this requirement is removed, allowing automatic and continuous connection for users in that group.
Click the edit button on the right, highlighted by the arrow in the image below. In this tab, you can edit the group's information:
The group region should be set to the one closest to you, in our case, São Paulo. Additionally, set the “Connect Auth” parameter to “No”:
Click Update Group.
2.2.2. Creating the devices
For device creation, it is recommended to already have your login open on your computer.
In the Users menu, click Devices, then Add Devices:
Enter a name for this Device and associate it with the previously created user:
NOTE: The Client UUID will be blank and will be filled in automatically in the next steps.
Click Add Device.
To download the device file, which will initially be used with the OpenVPN Connect application installed on the computer, click the icon indicated by the arrow in the image above and select the .OVPN file format.
In the window that opens, select the region and click Download:
NOTE: Every time a change is made, a new file must be downloaded and the old one deleted to avoid conflicts.
Access the OpenVPN Connect application and click "+", then Upload File and Browse:
Select the file that was downloaded in the previous step, corresponding to the client, and from here you can already connect to the VPN. To do so, click Connect.
When you return to Cloud Connexa, you will notice that it has already identified the computer and auto-completed the UUID.
2.2.3. Configuring the Network
In the Network menu, click Networks and then ADD Network, as highlighted in the image:
In this example, we created a site-to-site type network scenario, as shown in the image below:
Click Continue.
Add a name for the network and the connector, as shown in the image:
Click Next.
Set the connector type. In this example, we defined the model OpenVPN COMPATIBLE ROUTER – Other:
Click Next.
After clicking Next, the above message will appear on the screen; click Proceed Without Testing.
In Network Configuration, click Next:
In Add Application, click Next:
In Add IP Services, define the subnet and what types of connections and protocols are allowed to pass through this network (Remember to set the IP according to the network being used - 192.168.x.0/24).
Fill in the name and network as per your application; in this example we used:
Click Add IP Service.
NOTE: Make sure to use an IP range that has internet access. For this, consult your IT department and check which is the router IP responsible for your company's internet connection. This information will also be necessary when configuring the gateway IP of the project in MasterTool and the network settings of the machine where OpenVPN Connect is installed.
Check if the access group has everything allowed and click Finish:
2.3. Downloading the network file
To download the recently configured network file, click on the Networks menu, in the Connectors tab, click Deploy, then select Download Profile in .ovpn format, as shown in the image:
The generated file will have the following format:
Note: If network changes occur and you need to download again, check if the file kept its original name. Renamed files may cause issues during execution.
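An added example, not part of the original tutorial or of any Altus or OpenVPN tooling: a Python check to run on the downloaded .ovpn file before importing it into the PLC. It assumes standard OpenVPN profile syntax and reports whether a UDP remote is offered (section 2.4 sets the PLC to UDP), whether the profile would prompt for a username and password that an unattended controller cannot answer, and whether the file embeds key material; the sample profile, host name and function names are constructed for illustration.

```python
import re

# Constructed sample, NOT a real CloudConnexa export; host and key are placeholders.
SAMPLE_PROFILE = """\
client
proto tcp
remote vpn.example.invalid 443
auth-user-pass
<key>
(placeholder private key)
</key>
"""

def parse_ovpn(text):
    """Split a profile into directives (token lists) and inline <tag> blocks."""
    directives, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                  # inside <tag> ... </tag>
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        if not line or line[0] in "#;":          # blank line or comment
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            current = tag.group(1)
            blocks[current] = []
        else:
            directives.append(line.split())
    return directives, blocks

def review_profile(text):
    """Return findings that matter for an unattended import on the PLC."""
    directives, blocks = parse_ovpn(text)
    # OpenVPN defaults to UDP when no "proto" directive is present.
    default = next((d[1] for d in directives if d[0] == "proto" and len(d) > 1), "udp")
    protos = {d[3] if len(d) > 3 else default for d in directives if d[0] == "remote"}
    findings = []
    if not any(p.startswith("udp") for p in protos):
        findings.append("no UDP remote in profile (the PLC page is set to UDP)")
    if ["auth-user-pass"] in directives:
        findings.append("auth-user-pass without a file: the client prompts for credentials")
    findings += [f"missing inline <{t}> block" for t in ("ca", "cert", "key") if t not in blocks]
    if "key" in blocks:
        findings.append("embedded private key: treat the file as a credential")
    return findings
```

To check a real download, pass the file's text to `review_profile()`; an empty list or only the embedded-key finding means the profile has what an unattended import needs.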
2.4. Configuring the PLC web page
To access the PLC web page, enter its IP in your browser.
Confirm that the firmware is equal to or newer than version 1.14.20.0, as shown in the image:
Click on the Management tab and log in using username and password, which by default are both admin.
Click Login.
In the OpenVPN menu, click “import”, select the Network file generated by OpenVPN, and click open:
Then, change the Protocol to “UDP”, select the Enabled icon and click Apply:
On the web page, after clicking Enabled and Apply, the current state should change to “Running” and the connection status to “Connected”, as shown in the image below.
Using the OpenVPN Connect software, connect as the user created in CloudConnexa:
In MasterTool, create a project according to your application. Make sure the project gateway has the IP of the router that connects your company to the internet.
It is important to note that the date and time must be updated on the PLC for the certificate to be valid. In MasterTool, with the gateway active, update the date and time on the clock, either precisely using the computer's information or manually, as shown in the image:
3. TESTING
With the previous configurations completed, the computer and the PLC will already be able to communicate via VPN. Below, we show a test performed in the Command Prompt, using the ping command to verify communication with the PLC:
NOTE: For a more comprehensive test when you are on the same local network as the PLC, connect the computer to an internet connection outside the PLC network, for example by tethering it to your cell phone's 4G signal.
You can check the connection of the equipment on the OpenVPN website itself, in the Status tab. If there is a connection in the Network and the User, communication is properly established.