Whether a client’s home automation system has internet access for remote control, monitoring or maintenance, Simon Buddle explains how to use a VPN to protect the connection.
Just returned from a fantastic week of skiing. It’s been a vacation in the making for over two years; canceled several times due to Covid-19. We thought, once again, that we had been foiled by the closure of the French borders to the British, but we found a port that was still open, and we jumped there. The Swiss let us in.
Much has been said about smart home systems and cyberattacks. When you think of the world of computers these days, they are all interconnected in one form or another. We are connected via routers to the Internet, our office PCs are all connected over the local network, and countries are connected via huge fiber optic bundles that often rest on the seabed. It’s a completely connected, truly global, machine-to-machine world, connected by thousands of miles of wires.
Whether it’s a border or a router, people will always try to exploit a weakness, and with the right knowledge, which plenty of people have, it is easy to break into a machine or system on the other side of the world.
Forwarding port 3671 (the KNXnet/IP port; classic tunnelling uses UDP) on the customer’s router has long been the way to give remote access to a KNX system. But it also exposes a device on the client’s local network directly to the Internet, and plain KNXnet/IP tunnelling has no authentication of its own, so the same port can be used for malicious purposes. It is effectively a window on the house that has been left wide open: if you know where to look and how to reach it, you can climb in without passing any security check.
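To see what that open window actually gives away, here is an added example (not from the original article and not any manufacturer’s code) that speaks the first, unauthenticated part of KNXnet/IP: it builds a DESCRIPTION_REQUEST, parses the DESCRIPTION_RESPONSE a device returns, and reports whether tunnelling is on offer. The sample response frame is constructed in the script for offline use, and the device name, serial and MAC in it are made up; the frame layout follows the published KNXnet/IP 1.0 structures.

```python
"""Probe a KNXnet/IP endpoint (UDP 3671) for an unauthenticated DESCRIPTION_RESPONSE.

Classic KNXnet/IP answers a DESCRIPTION_REQUEST from any host, with no
credentials, so a port forwarded to the Internet tells a stranger what the
device is and that tunnelling (bus access) is available.
"""
import socket
import struct
import sys

KNXNETIP_PORT = 3671
HEADER_SIZE = 0x06
PROTOCOL_VERSION = 0x10          # KNXnet/IP 1.0
DESCRIPTION_REQUEST = 0x0203
DESCRIPTION_RESPONSE = 0x0204
DIB_DEVICE_INFO = 0x01
DIB_SUPP_SVC_FAMILIES = 0x02
SERVICE_FAMILIES = {0x02: "Core", 0x03: "Device Management",
                    0x04: "Tunnelling", 0x05: "Routing"}


def build_description_request():
    """6-byte header + 8-byte control-endpoint HPAI.

    An all-zero HPAI (0.0.0.0:0) tells the server to reply to the packet's
    source address, which is what you want when going through a NAT router.
    """
    hpai = struct.pack("!BB4sH", 8, 0x01, socket.inet_aton("0.0.0.0"), 0)  # 0x01 = UDP
    header = struct.pack("!BBHH", HEADER_SIZE, PROTOCOL_VERSION,
                         DESCRIPTION_REQUEST, HEADER_SIZE + len(hpai))
    return header + hpai


def parse_description_response(frame):
    """Return a dict of what the device discloses; raise ValueError on malformed input."""
    if len(frame) < HEADER_SIZE:
        raise ValueError("frame shorter than a KNXnet/IP header")
    hdr_len, version, service, total = struct.unpack("!BBHH", frame[:HEADER_SIZE])
    if hdr_len != HEADER_SIZE or version != PROTOCOL_VERSION:
        raise ValueError("not a KNXnet/IP 1.0 frame")
    if service != DESCRIPTION_RESPONSE:
        raise ValueError(f"unexpected service type 0x{service:04x}")
    if total != len(frame):
        raise ValueError("total-length field does not match frame size")

    info = {}
    pos = HEADER_SIZE
    while pos < len(frame):                       # walk the Description Information Blocks
        dib_len, dib_type = frame[pos], frame[pos + 1]
        if dib_len < 2 or pos + dib_len > len(frame):
            raise ValueError("malformed DIB length")
        body = frame[pos + 2:pos + dib_len]
        if dib_type == DIB_DEVICE_INFO and dib_len == 54:
            medium, status, ia, _proj, serial, mcast, mac, name = struct.unpack(
                "!BBHH6s4s6s30s", body)
            info["medium"] = medium
            info["programming_mode"] = bool(status & 0x01)
            info["individual_address"] = f"{ia >> 12}.{(ia >> 8) & 0xF}.{ia & 0xFF}"
            info["serial"] = serial.hex()
            info["multicast"] = socket.inet_ntoa(mcast)
            info["mac"] = ":".join(f"{b:02x}" for b in mac)
            info["name"] = name.split(b"\x00", 1)[0].decode("latin-1")
        elif dib_type == DIB_SUPP_SVC_FAMILIES:
            info["services"] = {SERVICE_FAMILIES.get(body[i], f"0x{body[i]:02x}"): body[i + 1]
                                for i in range(0, len(body) - 1, 2)}
        pos += dib_len
    return info


def constructed_sample_response():
    """A DESCRIPTION_RESPONSE built here for offline testing; not a capture of any real device."""
    name = b"Demo KNX IP Interface".ljust(30, b"\x00")
    device_dib = struct.pack("!BBBBHH6s4s6s30s", 54, DIB_DEVICE_INFO,
                             0x02, 0x00, 0x1100, 0x0000,           # TP1 medium, IA 1.1.0
                             bytes.fromhex("00ef26000102"), socket.inet_aton("224.0.23.12"),
                             bytes.fromhex("00241a010203"), name)
    families = bytes([0x02, 1, 0x03, 1, 0x04, 1, 0x05, 1])        # Core/DevMgmt/Tunnelling/Routing v1
    svc_dib = struct.pack("!BB", 2 + len(families), DIB_SUPP_SVC_FAMILIES) + families
    body = device_dib + svc_dib
    return struct.pack("!BBHH", HEADER_SIZE, PROTOCOL_VERSION,
                       DESCRIPTION_RESPONSE, HEADER_SIZE + len(body)) + body


def probe(host, port=KNXNETIP_PORT, timeout=2.0):
    """Send one request; return the parsed disclosure, or None if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_description_request(), (host, port))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_description_response(data)


if __name__ == "__main__":
    # With no argument, decode the constructed frame; with a host, probe it for real.
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_description_response(
        constructed_sample_response())
    if result is None:
        print("no KNXnet/IP answer (port closed, filtered, or device offline)")
    else:
        for key, value in result.items():
            print(f"{key:20} {value}")
        if result.get("services", {}).get("Tunnelling"):
            print("WARNING: unauthenticated tunnelling is reachable from here")
```

Run it against the customer’s public address (or DDNS name) from outside their network: a reply means the forward is still there and anyone on the Internet can learn the device’s identity and open a tunnel; a timeout after the VPN is in place is the result you want. Only probe installations you are responsible for.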
That said, we now have an arsenal of excellent KNX devices that can provide secure tunnels into the system. The Jung KNX IP router and the Gira S1 are two obvious examples. These establish an encrypted link from outside the property without creating unsecured access routes into the customer’s home network. And you can choose from a large number of manufacturers, including Basalte, Weinzierl, Siemens, Schneider and ABB, all of which offer products that solve this puzzle.
Virtual Private Network
Chances are the KNX system or bus is not the only device we may need to connect to remotely, and that poses a subtly different challenge. How can I connect to the Siemens PLC that manages the technical room? Or the Intesis AC, Modbus or BACnet interfaces?
The most obvious and secure solution here is a VPN (Virtual Private Network). But how do we set one up, and is it secure? Let’s answer the second part first. It is, as long as the protocol is a sound one and the credentials (passwords and pre-shared keys) are strong; the tunnel is only as good as the secrets that open it. It creates an encrypted point-to-point tunnel over the Internet between your computer and the customer’s LAN. Once connected, your computer appears as a host on the customer’s network.
To create a VPN without third-party software such as OpenVPN (commercial privacy services like NordVPN solve a different problem: hiding your own browsing, not reaching a customer’s LAN), there are two basic requirements:
1) a fixed public IP address, or a router that supports dynamic DNS (DDNS).
2) a router that can act as a VPN server.
1) The fixed IP address or the router that supports dynamic DNS
Imagine being a postman delivering mail day after day, except that the house numbers change overnight, so the house that was number 32 yesterday is twenty doors down today. That is analogous to your Internet IP address. Each time your router restarts (or whenever the ISP decides) it may receive a new public IP address from your Internet Service Provider, which means we no longer know where you live, so to speak. A fixed (static) IP address from the ISP solves this. The other way is Dynamic DNS (DDNS), a service built on DNS, the Domain Name System, which is the Internet’s address lookup service. Whenever your router’s public IP address changes, the router logs in to the DDNS provider and sends it the new address so that your record can be updated. You then always connect to the DDNS hostname, which does not change, rather than to the address itself.
That covers the first part of the VPN configuration: you can now always find the client’s router on the Internet via its DDNS hostname (or fixed address).
2) The router that supports VPN connections
There are two steps to creating the VPN. First, create a ‘user’: the username and password will be required when connecting. Second, configure the VPN protocol. Common options are PPTP, IPsec, L2TP and SSL tunnels. PPTP is cryptographically weak and is no longer supported by Apple devices, so do not offer it. The most commonly used is L2TP over IPsec with a pre-shared key (PSK). Treat the PSK as a real secret: make it long and random, use a different one for each site, and remember that anyone holding it together with a username and password can reach the customer’s LAN. Most DrayTek routers support DDNS and VPN configuration and give easy access to the customer’s LAN.
Now all you have to do is configure a VPN profile on your laptop or desktop with the same settings (server hostname, PSK, username and password). Help is at hand here, as DrayTek also offers a small VPN client package that makes this simple. Of course, Cisco, Ubiquiti UniFi and hundreds of other router manufacturers offer the same features. The routers that don’t are the ones supplied by ISPs such as BT, Sky and Virgin. So if you want to reach the customer’s network over a VPN, you will almost certainly need to supply a router that can do the job.
Imagine taking that phone call from a customer who says, “Such and such has stopped working,” and being able to reply, “I’ll log in right away and see what’s going on.” That is a service your customers will find invaluable. With the right router and an hour of your time, setting up a VPN connection is easy to learn, and that hour will save countless trips back and forth to site.
However, any path into your customer’s system from the outside world must be made hard to exploit: that means no unauthenticated KNX port forwarded alongside the VPN, no PPTP, and strong, unique credentials for every site.
For me, setting up a VPN is one of the most valuable skills I’ve learned. You can sit at your desk and view all real-time data as it happens, have multiple PCs connected to the same house monitoring every system signal, all without getting out of your pajamas. And even better, you can integrate this skill into a remote monitoring and maintenance offering, which will earn you money.
Simon Buddle CEng MIET, is a consultant for Future Ready Homes, specialist in the design of BMS and ELV service systems.