Control Network Newsletter
Understanding Port Forwarding and VPNs
The Internet provides the flexibility to monitor and maintain systems from the convenience of your home or office. The two most common methods for implementing a remote network connection are via port forwarding or a virtual private network (VPN). In this article, these two methods will be discussed and compared.
Routers connect two IP networks together—passing appropriate traffic while blocking all other traffic—using either a wired or wireless connection. One network is the local-area-network (LAN); the other is the wide-area-network (WAN). Many IP routers, such as Contemporary Control's Skorpion IP routers, feature a built-in stateful firewall that passes communication initiated on the LAN-side while blocking WAN-side initiated communication. Firewalls present a challenge when you want to access your LAN from a remote location because they block messages that originate from the Internet. With port forwarding, you can open up selected ports in the firewall so LAN-side devices can be accessed from the Internet (WAN).
The only WAN-side requests that will be forwarded through the IP router are those that specify both the router's WAN address and a destination IP port number that exists in the router's IP port forwarding table. When this match is made, the message is forwarded to the indicated IP address on the LAN side. Each port typically only allows remote access to one LAN-side device. In most cases, you'll want to access multiple devices and will need to set up your firewall to perform port forwarding for each port.
Generally, port 80 is used for web browsers, port 47808 for BACnet communications, port 22 for Secure Shell (SSH), and port 23 for Telnet. However, many Internet connections have changing IP addresses. To maintain this system, you must educate yourself on the range of ports used by each application, and constantly monitor IP address updates and alter your router's IP port forwarding table when adding any new devices.
IT professionals often decline a request to open ports in firewalls in the first place as this can compromise the security of their networks. Without support from the IT department, your remote access options are limited.
One solution is to incorporate a virtual private network (VPN). A simple VPN can exist between two end points, called clients. One client is you at your home or office, and the other client is the remote job site. Communication is encrypted, so only authorized devices can communicate over the VPN. Once the VPN connection is established, messages can originate from either side, eliminating the need for port-forwarding. You do not need to change firewall configurations nor expose your devices to the Internet.
Contemporary Controls' offers a RemoteVPN subscription service that provides secure communication and the convenience of remote access without having to maintain the VPN server. Hosted on the Internet and maintained by Contemporary Controls, RemoteVPN incorporates a cloud-based OpenVPN® server, OpenVPN clients for workstations and iOS and Android mobile devices, and OpenVPN routers installed at job sites.
Communications pass through firewalls up to the RemoteVPN server. All that is needed is an account on the server to utilize the RemoteVPN service. OpenVPN is open-source and incorporates SSL/TLS security with encryption. Any IP program (TCP or UDP) can communicate via RemoteVPN. OpenVPN clients are easy to obtain and can be downloaded from OpenVPN.net, Google Play for Android devices, or the Apple App Store for iOS devices. An added benefit is that each PC or mobile device client can be configured to communicate with one or more router clients independent of each other.
In addition to the RemoteVPN subscription service, Contemporary Controls offers Self-HostedVPN and BridgeVPN solutions which allow users to set up and maintain their own secure remote access without subscription fees and without the need for a cloud-based VPN server.
For more information, go to Remote Access.