- Integration guides for Windows, MAC and Linux
- Differences between OpenVPN and IPSec
- Protocols and encryption
- OpenVPN limitations
- How can I change from UDP to TCP?
- VPN leaders for eu-west-1 (VPN) breakout
- Are OpenVPN traffic negotiations going to add up to my data usage?
- Can I setup multiple VPN connections?
Integration guides for Windows, MAC and Linux
Please check our integration guides for Windows, Linux and MacOS:
Differences between OpenVPN and IPSec
EMnify offers different types of VPN:
- The OpenVPN should be used to remotely access devices using EMnify SIM cards from any computer. We have guides to do so for Windows, Linux and MacOS.
- IPSec can be used to create a direct connection between an application server and devices connected to the Internet using EMnify SIM cards. With an IPSec, all traffic to and from the devices to and from the application server will go through the tunnel, be encrypted and secured without using the public Internet. It enables the devices to directly access the application within the same network. With the Cloud-Connect feature, EMnify offers quick IPSec configuration. For AWS users, they can use the Transit Gateway feature and keep all traffic within AWS.
Protocols and encryption
We support both UDP and TCP. The UDP protocol is set as the default one, if you want TCP please click here. Moreover, we do not support GRE as well as PPTP due to the fact that it is outdated and has many well-known security issues.
At EMnify we have configured OpenVPN to be encrypted as follow:
OpenVPN's default encryption algorithm BF-CBC (Blowfish, block-cipher) with a 128-bit (variable) key size.
Message authentication is what's referred to as HMAC. Using a HMAC is to ensure the encrypted data hasn't been altered in transit. OpenVPN's default setting is SHA-1.
TLS stands for Transport Layer Security which is a cryptographic protocol used to increase security over computer networks. TLS is the successor of SSL although is sometimes still referred to as SSL.
By default, we don't block any port for OpenVPN but can do whitelisting for Port and IP upon customer request.
How can I change from UDP to TCP?
As mentionned before, EMnify's OpenVPN configuration supports both protocols and clients can choose the one they want to use. The standard protocol used is UDP. To change the protocol, you first need to download the configuration file in the EUI:
Log in your account and click on the link symbol on the upper right corner called "Tokens, IPs and VPNs setup". Find the category "VPN configuration" and download the configuration that fits with your OS and Regional Internet Breakout.
Once you have downloaded the configuration file, you can edit it with a text editor (we advise you to use Notepad++): open the file ".openvpn" for windows" and ".conf" for Linux and look for "proto udp" (3rd line). Change it to "proto tcp" if you want to switch to TCP.
Linux users also need to change the 7th line from "explicit-exit-notify 3" to ";explicit-exit-notify 3" By adding ";" you disable this function.
VPN leaders for eu-west-1 (VPN) breakout
For the eu-west-1 (VPN) breakout, all our PGWs now support VPN with 2 VPN leaders. Breakout IP 22.214.171.124 as the primary with failover to 126.96.36.199 and breakout IP 188.8.131.52 as primary with failover to 184.108.40.206.
Depending on the endpoint IP range, it will either connect using the breakout IP 220.127.116.11 or 18.104.22.168. Depending on its availability--endpoint IPs could belong to different ranges, if you are managing a server where the breakout IP must be whitelisted, you could either whitelist only 22.214.171.124/126.96.36.199 or 188.8.131.52/184.108.40.206 or whitelist all the breakout IPs for the EU breakout if you are managing a large number of endpoints.
Endpoint IP range 10.192.0.1 - 10.199.255.254 and 100.96.0.1 - 100.96.255.254 will connect using the breakout IPs 220.127.116.11/18.104.22.168 and endpoint IP range 10.200.0.1 - 10.207.255.254 and 100.64.0.1 - 100.95.255.254 will connect using the breakout IPs 22.214.171.124/126.96.36.199.
Are OpenVPN traffic negotiations going to add up to my data usage?
No. OpenVPN traffic negotiation (e.g. keepalive) between the OpenVPN client and the OpenVPN server do not contribute to your data usage
Can I setup multiple VPN connections?
If multiple users within a company wish to access their devices via VPN at the same time, they can. In our integration guides for Windows, Mac and Linux we describe how to setup the VPN connection. Two authentication methods are available:
- Org ID + Application Token
- Username + password
In order to setup several VPN connections at the same time for one account, the second authentication methods needs to be used: Username + password as credentials. You cannot use the Organization ID more than once at the same time to authenticate.
Users need to have administrator rights on their server to use the VPN.