
Practical Networking: VPN, DNS, and Firewalls for Secure Factory Connectivity

VPN: Connecting Factory to Office Securely

Factory equipment often sits behind a private network, unreachable from outside. Engineers need to access SCADA dashboards, update firmware, and check logs — without exposing industrial systems to the public internet.

A VPN creates an encrypted tunnel between two networks. Traffic flows as if both sides are on the same local network, but encrypted end-to-end. Common uses include connecting factory floor networks to cloud dashboards, remote engineer access, linking multiple factory sites, and securing Raspberry Pi gateway communications.

WireGuard: The Simplest and Fastest VPN

WireGuard is a modern VPN protocol built into the Linux kernel. Its implementation is fewer than 4,000 lines of code, which makes it easier to audit and simpler to configure than OpenVPN, and it is also faster.

Installation and Key Generation

sudo apt update && sudo apt install -y wireguard
# /etc/wireguard is root-owned, so generate the key pair as root with a restrictive umask
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'
sudo chmod 600 /etc/wireguard/private.key

Server Configuration (Cloud VPS)

# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# eth0 must be the VPS's public interface; check with `ip route` and adjust if needed
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <FACTORY_PUBLIC_KEY>
# Only this address is accepted from, and routed to, the factory gateway.
# Add 192.168.10.0/24 here as well if the VPS must reach the PLC subnet behind the gateway.
AllowedIPs = 10.0.0.2/32

Client Configuration (Factory Gateway)

# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = <FACTORY_PRIVATE_KEY>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vps.drmachine.io:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25

sudo systemctl enable --now wg-quick@wg0
sudo wg show

DNS: Translating Names to Addresses

Instead of remembering IP addresses, DNS lets you use human-readable names.

Local DNS with /etc/hosts

10.0.0.1    vps.factory.local
10.0.0.2    gateway.factory.local
192.168.10.100  plc-line-a.factory.local

CoreDNS in Docker

services:
  coredns:
    image: coredns/coredns:latest
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    volumes:
      - ./coredns:/etc/coredns:ro
    command: -conf /etc/coredns/Corefile

# coredns/Corefile (factory.hosts uses the same format as the /etc/hosts entries above)
factory.local {
    hosts /etc/coredns/factory.hosts
    log
}
. {
    forward . 8.8.8.8 1.1.1.1
    cache 30
}

Advanced Firewall: iptables Rules

For a factory connected via VPN, control precisely which traffic may cross from the tunnel into the plant network. The rules below belong on the factory gateway (the host that terminates wg0 on the 192.168.10.0/24 side); they assume IP forwarding is enabled there (net.ipv4.ip_forward = 1) and that hosts on the PLC subnet route replies to 10.0.0.0/24 back through the gateway. Only TCP ports 443 and 3000 are reachable from VPN addresses; anything else that is not a reply to an established connection is dropped:

# On the factory gateway: allow replies, then VPN -> PLC subnet on 443 and 3000 only, then drop the rest
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i wg0 -s 10.0.0.0/24 -d 192.168.10.0/24 -p tcp --dport 443 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -s 10.0.0.0/24 -d 192.168.10.0/24 -p tcp --dport 3000 -j ACCEPT
sudo iptables -A FORWARD -j DROP

Persist and Rate-Limit

# SSH brute-force protection: match only NEW connections, otherwise every packet of an
# established SSH session counts as a hit and the session is dropped after four packets
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name ssh -j DROP

# Persist once all rules are in place. The package creates /etc/iptables, and the redirect
# must run as root (a plain `sudo iptables-save > file` redirects as the unprivileged user).
sudo apt install -y iptables-persistent
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
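The rules above are only as good as the ruleset that actually ends up on the gateway. As an added example that is not part of the original lesson, the POSIX shell function below lints an `iptables-save` dump for the three properties this section relies on: a closing default deny in FORWARD, FORWARD accepts restricted by source, destination and port, and SSH rate-limit rules that count only new connections. The dump is constructed to mirror this section's rules plus a deliberately broad `-i wg0` accept; the function names are assumptions.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not captured from a real host) in the
# shape the rules in this section produce, plus one deliberately broad
# "-i wg0 -j ACCEPT" rule and rate-limit rules without a NEW-state match.
RULES_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name ssh
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name ssh -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -d 192.168.10.0/24 -i wg0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -d 192.168.10.0/24 -i wg0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# audit_rules TEXT: prints one finding per line for each weakness found.
audit_rules() {
  printf '%s\n' "$1" | awk '
    /^:FORWARD / { policy = $2 }
    /^-A FORWARD / { last = $0 }
    # A FORWARD accept other than the conntrack rule must name src, dst and port.
    /^-A FORWARD / && /-j ACCEPT/ && !/ESTABLISHED/ && !(/ -s / && / -d / && /--dport /) {
      print "over-broad FORWARD accept: " $0 }
    # A recent-match rule without a NEW-state match counts every packet of an
    # established session, so an active SSH login is cut off after 4 packets.
    /^-A INPUT / && /-m recent/ && !/--ctstate NEW/ && !/--syn/ {
      print "rate limit counts all packets, not new connections: " $0 }
    END {
      if (policy != "DROP" && last !~ /-j DROP$/) print "FORWARD lacks a default deny"
    }'
}

# Number of findings, for use as a pass/fail gate before `iptables-save`.
audit_count() { audit_rules "$1" | wc -l | tr -d ' '; }

# Real usage on the gateway: audit_rules "$(sudo iptables-save)"
audit_rules "$RULES_SAMPLE"
```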

Encryption: HTTPS and Let's Encrypt

Every web-facing service must use HTTPS. Let's Encrypt provides free TLS certificates, and the certbot container below renews them automatically. Two things the compose file does not do for you: the certificate must be issued once with certbot in webroot mode (against the shared /var/www/certbot volume) before nginx starts, because the 443 server block will not load without the certificate files, and nginx reads certificates only at startup, so reload it after each renewal.

services:
  nginx:
    image: nginx:alpine
    ports: ["80:80", "443:443"]
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - certbot-data:/etc/letsencrypt
      - certbot-webroot:/var/www/certbot
  certbot:
    image: certbot/certbot
    volumes:
      - certbot-data:/etc/letsencrypt
      - certbot-webroot:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done'"
volumes:
  certbot-data:
  certbot-webroot:

# nginx/conf.d/<site>.conf (any file name under the mounted conf.d directory)
# Port 80 serves the ACME challenge from the shared webroot so `certbot renew`
# can validate, and sends everything else to HTTPS.
server {
    listen 80;
    server_name monitor.drmachine.io;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl;
    server_name monitor.drmachine.io;
    ssl_certificate /etc/letsencrypt/live/monitor.drmachine.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/monitor.drmachine.io/privkey.pem;
    location / { proxy_pass http://factory-app:8080; }
    location /grafana/ { proxy_pass http://grafana:3000/; }
}

Practical Example: Connecting a Factory to a Cloud Server via WireGuard

# === On the VPS (10.0.0.1) ===
sudo apt install -y wireguard
# Keys live in root-owned /etc/wireguard, so generate them as root with a restrictive umask
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'
# Create /etc/wireguard/wg0.conf with server config
sudo systemctl enable --now wg-quick@wg0
sudo ufw allow 51820/udp

# === On the Raspberry Pi (10.0.0.2) ===
sudo apt install -y wireguard
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'
# Create /etc/wireguard/wg0.conf with client config
sudo systemctl enable --now wg-quick@wg0

# === Verify from both sides ===
sudo wg show wg0   # Each peer should show a recent "latest handshake"
ping 10.0.0.2   # From VPS
ping 10.0.0.1   # From RPi
curl http://10.0.0.1:3000  # Access Grafana through VPN

The PersistentKeepalive = 25 setting on the factory side sends a keepalive packet every 25 seconds so the NAT router keeps the UDP mapping open; without it, the VPS could not initiate traffic to the gateway once the mapping expired.
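The verification step above is a one-off look at `wg show`; for an unattended gateway you want the same check to run on a schedule. As an added example that is not part of the original lesson, the POSIX shell function below turns the output of `wg show wg0 dump` into a stale-peer report. The dump is constructed with placeholder keys and documentation-range addresses, and the function names and the 180-second threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample of `wg show wg0 dump`: tab-separated, first line is the
# interface (private key, public key, port, fwmark), then one line per peer:
# pubkey, preshared key, endpoint, allowed IPs, latest handshake (epoch
# seconds, 0 = never), rx bytes, tx bytes, keepalive. Keys are placeholders.
WG_DUMP_SAMPLE=$(
  printf '%s\t%s\t%s\t%s\n' SERVER_PRIV_PLACEHOLDER SERVER_PUB_PLACEHOLDER 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    FACTORY_PUB_PLACEHOLDER '(none)' 203.0.113.10:41820 10.0.0.2/32 1700000000 1234 5678 25 \
    OLD_PEER_PUB_PLACEHOLDER '(none)' 198.51.100.7:51820 10.0.0.3/32 1699990000 0 0 25 \
    NEW_PEER_PUB_PLACEHOLDER '(none)' '(none)' 10.0.0.4/32 0 0 0 off
)

# stale_wg_peers DUMP NOW MAX_AGE
# Prints "pubkey allowed_ips reason" for every peer whose last handshake is
# older than MAX_AGE seconds, or that has never completed one. With
# PersistentKeepalive active a peer re-handshakes about every two minutes,
# so 180 s is a reasonable alarm threshold for the factory gateway.
stale_wg_peers() {
  printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" '
    NR == 1 { next }                                  # interface line
    $5 == 0 { print $1, $4, "no handshake yet"; next }
    now - $5 > max { print $1, $4, "last handshake " (now - $5) "s ago" }'
}

# Number of stale peers, usable as an exit status or a metric in a cron job.
stale_wg_peer_count() {
  stale_wg_peers "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Real usage on the VPS (root is needed to read the dump):
#   stale_wg_peers "$(sudo wg show wg0 dump)" "$(date +%s)" 180
stale_wg_peers "$WG_DUMP_SAMPLE" 1700000100 180
```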

Summary

Secure networking is the backbone of remote industrial management. WireGuard provides a fast, modern VPN to connect factory networks to cloud infrastructure. DNS maps readable names to addresses, iptables rules enforce access control, and HTTPS with Let's Encrypt encrypts all web traffic. In the next lesson, you will learn backup strategies and security practices to protect your industrial data.
