OpenVPN Integration Guide for Windows

SAP IoT Connect 365 customers can create their own Virtual Private Network for their mobile IoT/M2M devices fitted with SAP IoT Connect 365 SIMs. Data traffic will be exchanged between the devices and the application server through an OpenVPN tunnel, enabling direct communication with the IPs of the mobile devices (no NAT applied).

 

The tunnel is established between the SAP IoT Connect 365 Core Network and the customer's VPN gateway or server.

 

OpenVPN1.jpg

 

Any traffic exchanged with the mobile devices is encrypted before it is transmitted over the public internet, adding a layer of security and privacy. No VPN software needs to be installed on the device and no configuration changes are required there; the default SAP IoT Connect 365 APN also supports VPN flows.

 

Setting Up OpenVPN Client on Windows

 

Install OpenVPN Software

Download the installation file that matches your Windows machine from OpenVPN Downloads.

 

Download and Install VPN Configuration File

Log in with your user account on the SAP IoT Connect 365 UI and select the Tokens, IPs and VPN Setup icon in the top right corner. Scroll down to the section Setting up OpenVPN on Windows and download the configuration that corresponds to the Regional Internet Breakout you selected for your Service Profile.

 

OpenVPN2.jpg

 

The pre-built configuration file names are either:

  • sap-eu-west-1.ovpn
  • sap-us-east-1.ovpn
  • sap-ap-southeast-1.ovpn

Please store the file on your server in the folder \OpenVPN\config.

 

Create Credentials for Authentication

Next, create a file named, for example, credentials.txt in the folder \OpenVPN\config. This file contains the information used to authenticate your session, either your SAP user credentials or an application token (recommended).

 

Authentication with User Credentials

The credentials.txt file should contain only two lines, as follows:

username@domain.com
YourPassword

 

Authentication with Application Token

When you run the OpenVPN client on a VPN gateway or application server, it is recommended to use a dedicated application token. In that case, fill the first line of the credentials.txt file with your organisation identifier, and put the application token on the second line instead of the password.

 

You can create application tokens in the SAP IoT Connect 365 UI, in the same section you downloaded the configuration file from. Select "Create New Application Token" and copy and paste the token into the credentials file. Your organisation ID is also available there.

OrgId
Application Token

 

Correct Credentials File Path in Client Configuration File

Find the following line in client.ovpn and insert the complete file path of credentials.txt:

auth-user-pass "(...)\\OpenVPN\\config\\credentials.txt"

If you do not want to store your credentials, you can choose to enter them each time the VPN tunnel is established. To do so, comment out the line above by prefixing it with ";".
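Because credentials.txt holds a password or application token in clear text, its NTFS permissions should be limited to the accounts that run the tunnel. The following is an added example, not part of the original guide; it assumes OpenVPN is installed under C:\Program Files\OpenVPN and that the current user is the account that starts the tunnel.

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell session.
# Assumption: OpenVPN lives under C:\Program Files\OpenVPN; adjust $CredFile otherwise.
$CredFile = 'C:\Program Files\OpenVPN\config\credentials.txt'

# 1. The file must hold exactly two non-empty lines:
#    user name (or OrgId) on the first, password (or application token) on the second.
$lines = @(Get-Content -LiteralPath $CredFile | Where-Object { $_.Trim() -ne '' })
if ($lines.Count -ne 2) {
    throw "Expected 2 non-empty lines in $CredFile, found $($lines.Count)"
}

# 2. Well-known SIDs avoid localized account names.
#    Assumption: the current user is the account that starts the tunnel.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$system  = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$admins  = 'S-1-5-32-544'   # BUILTIN\Administrators
$allowed = @($me, $system, $admins)

# 3. Remove inherited ACEs, then grant read to the tunnel accounts and full control to admins.
icacls $CredFile /inheritance:r /grant:r "*${me}:(R)" "*${system}:(R)" "*${admins}:(F)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 4. Verify: every remaining ACE must belong to one of the three allowed SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
$extra = @((Get-Acl -LiteralPath $CredFile).Access | Where-Object {
    $allowed -notcontains $_.IdentityReference.Translate($sidType).Value
})
if ($extra.Count -gt 0) {
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited | Out-String | Write-Warning
    throw "$CredFile is still accessible to other principals"
}
"ACL on $CredFile restricted to: $($allowed -join ', ')"
```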

 

Starting and Monitoring the OpenVPN connection

You can start the OpenVPN GUI application and connect the client tunnel through the icon in the taskbar notification area.

 

To monitor the connection, go to \OpenVPN\log\client.txt. If everything has worked successfully, you should see something similar to the following:

Fri Nov 04 10:03:35 2016 Successful ARP Flush on interface [20] {BD06804E-FC58-480D-B6A5-13E0EAE98940}

Fri Nov 04 10:03:40 2016 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up

Fri Nov 04 10:03:40 2016 MANAGEMENT: >STATE:1478250220,ADD_ROUTES,,,

Fri Nov 04 10:03:40 2016 C:\WINDOWS\system32\route.exe ADD 10.64.0.1 MASK 255.255.255.255 10.64.24.122

Fri Nov 04 10:03:40 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4

Fri Nov 04 10:03:40 2016 Route addition via IPAPI succeeded [adaptive]

Fri Nov 04 10:03:40 2016 C:\WINDOWS\system32\route.exe ADD 10.193.104.0 MASK 255.255.252.0 10.64.24.122

Fri Nov 04 10:03:40 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4

Fri Nov 04 10:03:40 2016 Route addition via IPAPI succeeded [adaptive]

Fri Nov 04 10:03:40 2016 Initialization Sequence Completed

Fri Nov 04 10:03:40 2016 MANAGEMENT: >STATE:1478250220,CONNECTED,SUCCESS,10.64.24.121,52.209.29.183

 

In this sample, the static private IP address of your VPN client is 10.64.24.122.
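A scripted version of the log check above, as an added example that is not part of the original guide: it reads the last management STATE record and the route.exe ADD lines, then confirms that a device address is covered by one of the installed routes. The log lines are copied from the sample above; the function name Test-TunnelLog and its parameters are hypothetical.

```powershell
# Added example. Sample lines are taken from the log excerpt in this guide.
# For a live check, replace $log with: Get-Content '<install dir>\OpenVPN\log\client.txt'
$log = @'
Fri Nov 04 10:03:40 2016 MANAGEMENT: >STATE:1478250220,ADD_ROUTES,,,
Fri Nov 04 10:03:40 2016 C:\WINDOWS\system32\route.exe ADD 10.64.0.1 MASK 255.255.255.255 10.64.24.122
Fri Nov 04 10:03:40 2016 C:\WINDOWS\system32\route.exe ADD 10.193.104.0 MASK 255.255.252.0 10.64.24.122
Fri Nov 04 10:03:40 2016 Initialization Sequence Completed
Fri Nov 04 10:03:40 2016 MANAGEMENT: >STATE:1478250220,CONNECTED,SUCCESS,10.64.24.121,52.209.29.183
'@ -split "`r?`n"

function Test-TunnelLog {
    param([string[]]$Lines, [string]$DeviceIp)

    # The last management STATE record decides whether the tunnel is currently up.
    $state = $Lines | Select-String -Pattern 'MANAGEMENT: >STATE:\d+,([A-Z_]+),([^,]*),' |
        Select-Object -Last 1
    $name   = if ($state) { $state.Matches[0].Groups[1].Value } else { 'NONE' }
    $detail = if ($state) { $state.Matches[0].Groups[2].Value } else { '' }

    # Routes installed by the client: network, mask, gateway.
    $routes = @($Lines | Select-String -Pattern 'route\.exe ADD (\S+) MASK (\S+) (\S+)' |
        ForEach-Object {
            $g = $_.Matches[0].Groups
            [pscustomobject]@{ Network = $g[1].Value; Mask = $g[2].Value; Gateway = $g[3].Value }
        })

    # A route covers the device when (ip AND mask) equals (network AND mask) in every octet.
    $ipBytes = ([ipaddress]$DeviceIp).GetAddressBytes()
    $covering = @($routes | Where-Object {
        $net  = ([ipaddress]$_.Network).GetAddressBytes()
        $mask = ([ipaddress]$_.Mask).GetAddressBytes()
        @(0..3 | Where-Object { ($ipBytes[$_] -band $mask[$_]) -ne ($net[$_] -band $mask[$_]) }).Count -eq 0
    })

    [pscustomobject]@{
        Connected    = ($name -eq 'CONNECTED' -and $detail -eq 'SUCCESS')
        LastState    = $name
        RouteCount   = $routes.Count
        DeviceRouted = ($covering.Count -gt 0)
    }
}

Test-TunnelLog -Lines $log -DeviceIp '10.193.104.2'
```

If DeviceRouted is false while Connected is true, the device address lies outside the routes the tunnel installed, so a failed ping points to routing rather than to the device.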

 

Testing the Successful Data Connectivity

If the VPN tunnel is successfully established, you will be able to connect directly to the private IP addresses of your mobile devices. For testing, you can choose any of your endpoints that currently has an active data session (marked as ONLINE in the SAP IoT Connect 365 UI) and retrieve its assigned IP address from the details section.

 

Using the Command Prompt (cmd application on Windows), ping the chosen IP address of your device:

C:\>ping 10.193.104.2

Pinging 10.193.104.2 with 32 bytes of data:

Reply from 10.193.104.2: bytes=32 time=1158ms TTL=62

Reply from 10.193.104.2: bytes=32 time=391ms TTL=62

Reply from 10.193.104.2: bytes=32 time=413ms TTL=62

Reply from 10.193.104.2: bytes=32 time=1307ms TTL=62

 

For this to work, your device needs to run an IP stack that responds to ICMP echo requests. This might not be the case for embedded devices that implement only partial IP stack functionality.

 

John Candish Product Manager, SAP IoT Connect 365