VPN Client Settings can be found on a page that has the VPN component or under Fleet Manager > Tools > VPN Client. Both have a Details button, which opens the URL https://localhost:9250/ in a new tab. If a user doesn't have access to either one of them, the aforementioned link can also be used directly.
The VPN Client Settings contain configuration options for three specific scenarios:
- VPN traffic is filtered or blocked (use stealth mode)
- Slow VPN connection (VPN connection type)
- A proxy server is used to connect to the internet
VPN traffic is filtered or blocked (use stealth mode)
In some countries, browsing the internet is monitored or regulated for its inhabitants. As a result, using a VPN connection is blocked to enforce this regulation. The same can apply to a company network where using VPN is blocked by its firewall. In both scenarios, Stealth Mode can be used so the VPN Client can still set up a VPN connection. This is achieved by encapsulating the OpenVPN traffic in HTTPS. Instead of using the default HTTPS port 443, port 8443 will be used to connect to the VPN server. The additional settings for the Host (127.0.0.1) and Port (9255) can be left to their defaults.
Stealth Mode on the VPN Client differs from Stealth Mode on the IXrouter. Stealth Mode can be enabled on the VPN Client when it is used in a censored network. Stealth Mode can also be enabled on the IXrouter, by enabling the option under Fleet Manager > select device > Network > VPN. This option needs to be enabled when the IXrouter is located in a censored network. If the VPN Client is used in a censored network and the IXrouter isn't, Stealth Mode only needs to be enabled on the VPN Client. And if only the IXrouter is in a censored network, there is no need to enable Stealth Mode on the VPN Client.
Open the VPN Client settings, as explained at the beginning of the article, and change the "Connection type" to "stunnel" to enable Stealth Mode.
Notes
- Instead of using Stealth Mode in a company network, it might be better to allow VPN traffic over port 443. However, in some companies, this just isn't allowed.
- Performance might decrease when using Stealth Mode. Therefore, it is advisable to only enable the option if it is really needed.
- Make sure that port 8443 is opened in the company firewall when Stealth Mode is used. For more information on ports and protocols, refer to the article How does the VPN client connect to the IXON Cloud? (ports & protocols).
- Stealth Mode may be required in various countries, including, but not limited to: China, Egypt, Russia, Iran, United Arab Emirates, Oman, Turkey, Iraq, Turkmenistan, Belarus, North Korea, and Uganda.
- It is legal to use Stealth Mode to access a company's own machine network, as VPN is only blocked to regulate or monitor internet access, which the machine network is not part of.
- In some countries, Stealth Mode won't work either. Instead, the VPN connection may need to be registered before a connection is possible, e.g. Pakistan.
- An active VPN connection needs to be disconnected before the change in Stealth Mode is applied.
- Stealth Mode is not available in the IXON Cloud mobile app.
Slow VPN connection (VPN connection type)
This setting will not impact the stability of the VPN connection itself (i.e. VPN disconnects), but may positively impact your connection to hardware behind the IXrouter (e.g. PLC, HMI, other) in select situations where this connection is either unstable or slow. The only way to determine whether it positively impacts your specific situation is to simply try it out.
Open the VPN Client settings, as explained at the beginning of the article, and change the "Connection type" to UDP.
Notes
- UDP does not work in combination with connection type "stunnel" (Stealth Mode).
- Connection type UDP uses a different port (1194) than TCP (443). Make sure the device (IXrouter, IXagent) can use this port. More information: How does the VPN client connect to the IXON Cloud?
- An active VPN connection needs to be disconnected before the change to UDP is applied.
- UDP is not available in the IXON Cloud mobile app.
A proxy server is used to connect to the internet
In some corporate networks, a proxy server is used to connect to the internet. In such networks, it is not possible to connect to the internet with an application or device without explicitly configuring a proxy server. This also applies to the VPN Client. The following proxy server settings can be entered under Proxy Server:
- Host: IP address of the proxy server
- Port: Port of the proxy server
- Proxy Type: Only HTTP is available
- Authentication Method: None or basic. The latter requires a Username and a Password
Notes
- An active VPN connection needs to be disconnected before the change in Proxy Server is applied.
- The option Proxy Server is not available in the IXON Cloud mobile app.
- A proxy server can also be configured for the IXrouter. This only applies when the network where the IXrouter is located is using a proxy server.
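What the "basic" Authentication Method puts on the wire between the client and the proxy, as an added example (not IXON's code): Basic credentials are only base64-encoded, so they are recoverable on the proxy hop, and the proxy's status line tells you why a tunnel failed. It assumes the VPN Client tunnels through the HTTP proxy with the standard CONNECT method on TCP port 443; the host name, account and function names are placeholders.

```python
import base64

def build_connect(host, port, username=None, password=None):
    """Build the CONNECT request a client sends to an HTTP proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def decode_basic_header(request):
    """Return (user, password) from a request: Basic is encoding, not encryption."""
    for line in request.decode().split("\r\n"):
        if line.lower().startswith("proxy-authorization: basic "):
            raw = base64.b64decode(line.split(" ", 2)[2]).decode()
            user, _, password = raw.partition(":")
            return user, password
    return None

def classify_reply(raw):
    """Turn the proxy's status line into a diagnosis for troubleshooting."""
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-an-http-proxy"
    code = int(parts[1])
    if 200 <= code < 300:
        return "tunnel-open"
    if code == 407:
        return "proxy-auth-required"   # missing or wrong Username/Password
    if code == 403:
        return "destination-denied"    # proxy policy commonly answers 403
    return f"proxy-error-{code}"

if __name__ == "__main__":
    # Constructed sample values; host and account are placeholders.
    req = build_connect("vpn.example.invalid", 443, "svc-vpn", "constructed-pw")
    print(req.decode())
    print(decode_basic_header(req))
    print(classify_reply(b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"))
```

A dedicated proxy account for the VPN Client limits what that recoverable password exposes.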