Secure and Scalable Remote Access Tunnels for the IIoT: An Assessment of openVPN and IPsec Performance

  • Frederic Pohl
  • Hans Dieter Schotten
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10465)

Abstract

Nowadays, industrial production already benefits from an increased level of interconnection involving various heterogeneous production assets. Future development in this area is likely to lead to a scenario often referred to as the Industrial Internet of Things (IIoT), a promising factor in achieving previously unreached productivity goals. One of the key IIoT use cases is remote access, which can drastically reduce the need for on-site presence of technicians and thus eliminate a large cost factor. In this paper, we present a detailed examination of two widespread Virtual Private Network (VPN) remote access frameworks and analyse their suitability for IIoT remote access facilities. We introduce a cloud architecture that integrates seamlessly with existing highly segmented and firewalled industrial networks while providing secure connectivity through the use of openVPN and IPsec technology. With scalability being a key factor for a cloud architecture, we analyse our favoured protocols in order to derive potential performance bottlenecks. We finally verify our assumptions by providing empirical performance measurements.

Keywords

Industrial Internet of Things, Network security, Remote access, Virtual Private Networks, IPsec, openVPN

Notes

Acknowledgement

This work has been supported by the Federal Ministry of Education and Research of the Federal Republic of Germany (Förderkennzeichen KIS4ITS0001, IUNO). The authors alone are responsible for the content of the paper.

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  • Intelligent Networks Research Group, German Research Center for Artificial Intelligence, Kaiserslautern, Germany