From 26ae36a7ebdc01731a0d50756feea2f19cc40acf Mon Sep 17 00:00:00 2001 From: Dejan Date: Mon, 16 Feb 2026 19:57:51 +0000 Subject: [PATCH] Upload files to "/" --- beckhoff-netbird-zerotier-guide.md | 1654 ++++++++++++++++++++++++++++ 1 file changed, 1654 insertions(+) create mode 100644 beckhoff-netbird-zerotier-guide.md diff --git a/beckhoff-netbird-zerotier-guide.md b/beckhoff-netbird-zerotier-guide.md new file mode 100644 index 0000000..b692387 --- /dev/null +++ b/beckhoff-netbird-zerotier-guide.md 
@@ -0,0 +1,1654 @@ +# Industrial PLC Security & Modern VPN Solutions +## Beckhoff TwinCAT and Comparison of Netbird vs. ZeroTier + +This guide expands on industrial network security by covering Beckhoff PLC security and comparing modern mesh VPN solutions (Netbird and ZeroTier) for industrial applications. + +--- + +## Table of Contents + +1. [Beckhoff TwinCAT Security](#beckhoff-security) +2. [Understanding Mesh VPN Networks](#mesh-vpn-networks) +3. [ZeroTier for Industrial Applications](#zerotier-industrial) +4. [Netbird for Industrial Applications](#netbird-industrial) +5. [Netbird vs. ZeroTier Comparison](#comparison) +6. [Implementation Guide for Industrial PLCs](#implementation-guide) +7. [Best Practices and Recommendations](#best-practices) + +--- + +## 1. Beckhoff TwinCAT Security + +### Overview + +Beckhoff automation is based on **TwinCAT (The Windows Control and Automation Technology)**, which runs on standard Industrial PCs. This PC-based approach offers powerful capabilities but also unique security considerations. + +### Key Differences from Siemens S7 + +| Aspect | Siemens S7-1200/1500 | Beckhoff TwinCAT | +|--------|---------------------|------------------| +| **Platform** | Dedicated PLC hardware | PC-based (Windows/BSD) | +| **Operating System** | Proprietary embedded OS | Windows 10/11 IoT or TwinCAT/BSD | +| **Programming** | TIA Portal | Visual Studio with TwinCAT XAE | +| **Communication** | S7 protocol (port 102) | ADS protocol (port 48898), EtherCAT | +| **Security Model** | PLC-level protection | Windows security + TwinCAT protection | +| **Updates** | Firmware updates | Windows updates + TwinCAT updates | + +--- + +### Beckhoff Security Architecture + +#### 1. 
Operating System Level (Windows) + +Since TwinCAT runs on Windows, **all Windows security applies**: + +**Windows Hardening Checklist:** +``` +✓ Windows Updates: Managed and tested +✓ Windows Firewall: Enabled with strict rules +✓ User Account Control (UAC): Enabled +✓ BitLocker: Enable disk encryption +✓ Defender Antivirus: Configured for industrial use +✓ Remote Desktop: Disabled or secured with NLA +✓ SMBv1: Disabled +✓ Unnecessary services: Disabled +✓ Password policy: Strong (12+ characters) +``` + +**Critical Windows Security Settings:** +```powershell +# Disable SMBv1 (security vulnerability) +Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol + +# Configure Windows Firewall +New-NetFirewallRule -DisplayName "Block All Inbound" -Direction Inbound -Action Block +New-NetFirewallRule -DisplayName "Allow ADS" -Direction Inbound -Protocol TCP -LocalPort 48898 -RemoteAddress 192.168.10.0/24 -Action Allow + +# Disable unnecessary services +Set-Service -Name "RemoteRegistry" -StartupType Disabled +Set-Service -Name "Telnet" -StartupType Disabled + +# Enable BitLocker +Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly +``` + +#### 2. TwinCAT Application Security + +**TwinCAT Security Management (TE1000)** + +TwinCAT offers comprehensive protection for PLC applications: + +**A. Source Code Protection** +``` +1. Object Protection Level (OPL) + - Level 0: No protection + - Level 1: View only (no editing) + - Level 2: No view, no edit + - Level 3: Encrypted + +2. Encryption + - Uses AES-256 encryption + - Requires OEM certificate from Beckhoff + - Protects intellectual property + +3. User Database + - Defines users and access levels + - Supports role-based access control (RBAC) + - Password-protected +``` + +**Configuring Source Code Protection in TwinCAT:** +``` +1. Right-click on POU (Program Organization Unit) +2. Properties → Protection +3. Set Object Protection Level +4. Enable "Encrypted" if needed +5. 
Build project to apply protection +``` + +**B. OEM Certificate and Licensing** +``` +Purpose: +- Prevent unauthorized copying of applications +- Enable know-how protection +- Create custom licensing schemes + +How it works: +1. Request OEM certificate from Beckhoff +2. Create User Database with certificate +3. Protect source code and boot files +4. Application locked to specific hardware (IPC/dongle) + +Important: Store certificate password securely! +``` + +**C. Access Control Lists** + +TwinCAT supports user-based access control: + +```xml + + + + + + + + + + + + + +``` + +#### 3. TwinSAFE Security + +**TwinSAFE** is Beckhoff's functional safety system (SIL 3 / PLe). + +**Security Considerations for Safety Systems:** + +**Critical:** Safety systems require special security attention because a cyber attack on safety systems can cause physical harm. + +**TwinSAFE Security Measures:** +``` +1. FSoE Protocol (Fail-Safe over EtherCAT) + - Cryptographically secured + - Detects manipulation attempts + - Black channel principle (security independent of transport) + +2. Safety Program Protection + - Separate from standard PLC program + - Requires separate password + - Cannot be modified without proper authentication + +3. Physical Security + - Lock front panels on safety modules (EL6900) + - Tamper-evident seals + - Controlled access to safety equipment + +4. Configuration Management + - Version control for safety programs + - Change approval process + - Detailed audit logs +``` + +**Safety System Configuration Security:** +``` +1. Open TwinCAT Safety Editor +2. TwinSAFE → Security Settings +3. Enable password protection +4. Set strong password (min 12 characters) +5. Enable "Read-only mode" for production +6. Document password in secure vault +``` + +#### 4. ADS Protocol Security + +**ADS (Automation Device Specification)** is Beckhoff's communication protocol (default port: 48898). 
+ +**ADS Security Challenges:** +- No built-in authentication by default +- No encryption by default +- Anyone with network access can read/write PLC data + +**Securing ADS Communication:** + +**Method 1: IP Filtering (Basic)** +```xml + + + + + + + true + +``` + +**Method 2: Firewall Rules (Recommended)** +```powershell +# Windows Firewall - Allow ADS only from specific IPs +New-NetFirewallRule -DisplayName "ADS - HMI" ` + -Direction Inbound ` + -Protocol TCP ` + -LocalPort 48898 ` + -RemoteAddress 192.168.10.50 ` + -Action Allow + +New-NetFirewallRule -DisplayName "ADS - Engineering" ` + -Direction Inbound ` + -Protocol TCP ` + -LocalPort 48898 ` + -RemoteAddress 192.168.10.60 ` + -Action Allow + +# Block all other ADS connections +New-NetFirewallRule -DisplayName "ADS - Block All Others" ` + -Direction Inbound ` + -Protocol TCP ` + -LocalPort 48898 ` + -Action Block +``` + +**Method 3: VPN/Encrypted Tunnel (Best Practice)** +``` +For remote access: +1. Never expose port 48898 to internet +2. Always use VPN (see Netbird/ZeroTier sections) +3. Additional authentication layer +4. Traffic encryption +``` + +#### 5. EtherCAT Security + +**EtherCAT** is Beckhoff's real-time industrial Ethernet protocol. + +**EtherCAT Security Considerations:** +``` +Vulnerabilities: +- Broadcasts on Layer 2 (can be sniffed) +- No encryption by default +- Designed for closed, trusted networks + +Mitigations: +1. Physical isolation of EtherCAT networks +2. Separate VLAN for EtherCAT devices +3. No internet connectivity on EtherCAT network +4. Locked switch ports (MAC address filtering) +5. 
Network monitoring for unauthorized devices +``` + +**EtherCAT Network Segmentation:** +``` +Best Practice Architecture: + +[Internet] ←→ [Firewall] ←→ [IT Network - VLAN 10] + ↓ + [DMZ - VLAN 40] + ↓ + [Firewall] + ↓ + [TwinCAT IPC - VLAN 20] + ↓ + [EtherCAT Network - VLAN 30] + ↓ + [I/O Modules, Drives, Safety] + +Key: No direct path from IT to EtherCAT +``` + +--- + +### Beckhoff Security Implementation Checklist + +#### Phase 1: Operating System Hardening (Week 1) +``` +□ Apply latest Windows updates +□ Enable Windows Firewall with strict rules +□ Disable unnecessary Windows services +□ Configure strong password policy +□ Enable BitLocker encryption +□ Install and configure antivirus (industrial-compatible) +□ Disable SMBv1 +□ Configure User Account Control +□ Remove unnecessary software +□ Disable autorun for USB devices +``` + +#### Phase 2: TwinCAT Application Security (Week 2) +``` +□ Obtain TwinCAT OEM certificate (if needed) +□ Create User Database with role-based access +□ Apply Object Protection Levels to all POUs +□ Enable encryption for sensitive code +□ Configure password protection for safety programs +□ Document all passwords in secure vault +□ Test access controls with different user roles +``` + +#### Phase 3: Network Security (Week 3) +``` +□ Configure IP filtering for ADS connections +□ Set up firewall rules for port 48898 +□ Isolate EtherCAT network (separate VLAN) +□ Install network monitoring (IDS/IPS) +□ Configure VPN for remote access +□ Disable direct internet access on IPC +□ Enable logging for all network connections +``` + +#### Phase 4: Physical Security (Week 4) +``` +□ Lock server cabinet/control cabinet +□ Install tamper-evident seals +□ Implement badge access for control room +□ Install CCTV if high-value assets +□ Secure backup media in locked location +□ Document physical security procedures +``` + +--- + +### Common Beckhoff Vulnerabilities and Mitigations + +#### CVE-2018-7503: TwinCAT ADS Discovery Service +**Vulnerability**: 
Information disclosure via ADS discovery +**Risk**: Attacker can enumerate all TwinCAT devices on network +**Mitigation**: +1. Update to TwinCAT 3.1 Build 4022 or higher +2. Disable ADS discovery if not needed +3. Firewall rules to block UDP port 48899 +4. Network segmentation + +#### TwinCAT Remote Access Without Authentication +**Issue**: Default ADS configuration allows remote access without password +**Mitigation**: +1. Enable User Database with access control +2. Configure ADS IP filtering +3. Use VPN for all remote access +4. Monitor ADS connections (port 48898) + +#### Windows-Based Attack Surface +**Issue**: All Windows vulnerabilities affect TwinCAT IPC +**Mitigation**: +1. Regular Windows updates (tested first!) +2. Endpoint protection (AV/EDR) +3. Application whitelisting +4. Disable unnecessary Windows features +5. Network isolation from IT environment + +--- + +### Beckhoff Best Practices Summary + +**1. Defense-in-Depth for TwinCAT:** +``` +Layer 1: Physical security (locked cabinets) +Layer 2: Network isolation (VLANs, firewalls) +Layer 3: OS hardening (Windows updates, firewall) +Layer 4: TwinCAT security (User DB, encryption) +Layer 5: Application logic (secure coding) +Layer 6: Monitoring (logging, IDS) +Layer 7: Policies and training +``` + +**2. Update Management:** +``` +Windows Updates: +- Test in non-production first +- Schedule during maintenance windows +- Have rollback plan ready + +TwinCAT Updates: +- Check Beckhoff support portal monthly +- Subscribe to security advisories +- Test in lab before production +``` + +**3. Backup Strategy:** +``` +What to backup: +- TwinCAT project files (.tsproj) +- Boot projects +- User Database +- Windows system image +- Configuration files + +Frequency: +- After every change (immediate) +- Daily (automated) +- Weekly (full system image) + +Storage: +- Primary: Network location +- Secondary: External drive +- Tertiary: Off-site/cloud +``` + +**4. 
Access Control:** +``` +Principle of Least Privilege: +- Operators: HMI access only +- Technicians: Limited PLC access +- Engineers: Full access (logged) +- Vendors: Temporary access only + +Authentication: +- Strong passwords (12+ chars) +- Unique accounts (no shared logins) +- MFA for remote access +- Regular access reviews (quarterly) +``` + +--- + +## 2. Understanding Mesh VPN Networks + +### What is a Mesh VPN? + +Traditional VPN: +``` +Client → VPN Server (central gateway) → Destination +``` + +Mesh VPN: +``` +Client ←→ Direct encrypted tunnel ←→ Destination +``` + +**Key Differences:** + +| Traditional VPN | Mesh VPN (Netbird/ZeroTier) | +|----------------|----------------------------| +| Centralized gateway | Peer-to-peer connections | +| All traffic through server | Direct device-to-device | +| Higher latency | Lower latency | +| Single point of failure | No single point of failure | +| Complex firewall rules | Automatic NAT traversal | +| Manual key management | Automated key exchange | + +### Why Mesh VPNs for Industrial? + +**Advantages for PLC Remote Access:** + +1. **Performance**: Direct connections = lower latency +2. **Reliability**: No central gateway to fail +3. **Scalability**: Easy to add new sites/devices +4. **Security**: End-to-end encryption, zero-trust model +5. **Simplicity**: No complex firewall configuration +6. **Cost**: Lower infrastructure costs + +**Use Cases:** + +- Remote PLC programming and troubleshooting +- Multi-site SCADA systems +- Vendor remote access (temporary) +- Mobile HMI access +- Engineering team collaboration +- Backup/redundant connectivity + +--- + +## 3. ZeroTier for Industrial Applications + +### Overview + +**ZeroTier** is a software-defined networking (SDN) platform that creates secure virtual networks. 
+ +**Key Features:** +- Proprietary encryption protocol +- Layer 2 (Ethernet) networking +- Supports complex network topologies +- Works on virtually any platform +- Free for up to 25 devices + +### Architecture + +``` +┌─────────────────────────────────────┐ +│ ZeroTier Root Servers │ +│ (Coordination only, not data) │ +└──────────┬──────────────────────────┘ + │ + ┌──────┴──────┬──────────────┐ + │ │ │ +┌───▼───┐ ┌───▼───┐ ┌───▼───┐ +│Device1│←P2P→│Device2│←P2P→│Device3│ +│(PLC) │ │(HMI) │ │(Laptop)│ +└───────┘ └───────┘ └───────┘ + +Legend: +- Coordination traffic goes through root servers +- Data traffic is peer-to-peer (direct) +- P2P = Encrypted peer-to-peer tunnel +``` + +### Why ZeroTier for Industrial? + +**Strengths:** + +**1. Layer 2 Networking:** +``` +Supports industrial protocols that require Layer 2: +✓ PROFINET (Siemens, Beckhoff) +✓ EtherNet/IP (Rockwell, Allen-Bradley) +✓ Modbus TCP +✓ BACnet +✓ OPC UA (with multicast) +✓ mDNS service discovery +``` + +**2. Platform Support:** +``` +Works on: +- Windows, Mac, Linux (all PLCs) +- Siemens HMI panels (Windows Embedded) +- Beckhoff IPCs (Windows/BSD) +- Raspberry Pi (ARM) +- MikroTik routers +- Synology/QNAP NAS +- Android tablets +- iOS devices +``` + +**3. 
Network Flexibility:** +``` +- Multiple networks per device +- Complex routing scenarios +- Bridge to physical networks +- VLAN-like segmentation +``` + +### ZeroTier Security Features + +**Encryption:** +``` +- Proprietary protocol (not WireGuard) +- Salsa20/12 stream cipher +- Curve25519 elliptic curve +- Perfect forward secrecy +- Self-healing key rotation +``` + +**Access Control:** +``` +- Centralized authorization +- Device authentication via cryptographic IDs +- Network-level access rules +- IP assignment control +- Flow rules (firewall-like) +``` + +**Audit and Compliance:** +``` +- Connection logging +- Member authorization tracking +- Change history +- API for automation +``` + +### ZeroTier for PLC Access - Implementation + +#### Step 1: Network Creation + +``` +1. Sign up at https://my.zerotier.com +2. Create new network +3. Note Network ID (16-digit hex) +4. Configure network settings: + - Name: "PLC-Remote-Access" + - IPv4 Assignment: 10.144.0.0/16 + - Access Control: Private +``` + +#### Step 2: Install on PLC/Gateway + +**For Siemens S7 with Gateway PC:** +```bash +# Linux gateway +curl -s https://install.zerotier.com | sudo bash +sudo zerotier-cli join +``` + +**For Beckhoff IPC:** +```powershell +# Windows +# Download from zerotier.com +msiexec /i ZeroTierOne.msi /quiet +& "C:\Program Files (x86)\ZeroTier\One\zerotier-one_x64.exe" -q join +``` + +#### Step 3: Authorize Devices + +``` +1. Go to https://my.zerotier.com +2. Select your network +3. Scroll to "Members" section +4. Check the "Authorized" box for each device +5. Assign friendly names +6. Note assigned IP addresses +``` + +#### Step 4: Configure Routes (Important!) + +**For accessing PLC subnet (192.168.10.0/24):** + +``` +On my.zerotier.com: + +1. Go to "Managed Routes" +2. Add route: + Destination: 192.168.10.0/24 + Via: (e.g., 10.144.0.5) +3. 
Save + +On Gateway (Linux): +sudo iptables -t nat -A POSTROUTING -s 10.144.0.0/16 -d 192.168.10.0/24 -o eth0 -j MASQUERADE +sudo iptables -A FORWARD -i zt+ -o eth0 -j ACCEPT +sudo iptables -A FORWARD -i eth0 -o zt+ -m state --state RELATED,ESTABLISHED -j ACCEPT +``` + +#### Step 5: Security Hardening + +**Network Flow Rules:** + +```javascript +// Allow only specific protocols to PLCs +tag engineering + id 1000 + default 0 +; + +// Tag engineering stations +tag role engineering + or ipv4 10.144.0.10/32 // Engineering laptop + or ipv4 10.144.0.20/32 // Engineering desktop +; + +// Allow S7 communication (port 102) only from engineering +drop + not chr ipprotocol 6 // TCP only + or not chr tdport 102 // Port 102 only + or not tag role engineering // From eng only + ipdest 192.168.10.0/24 // To PLCs +; + +// Allow ADS (port 48898) only from engineering +drop + not chr ipprotocol 6 + or not chr tdport 48898 + or not tag role engineering + ipdest 192.168.10.0/24 +; + +// Allow all other traffic +accept; +``` + +### ZeroTier Pricing (as of 2026) + +``` +Basic (Free): +- Up to 25 devices +- Unlimited networks +- Self-hosted controller option + +Professional ($5/month per user): +- Up to 100 devices +- Priority support +- SSO integration + +Business ($10/month per user): +- Up to 1000 devices +- Advanced flow rules +- Audit logs +- Central management + +Self-Hosted (Free): +- Unlimited devices +- Full control +- No vendor dependency +- Requires technical expertise +``` + +--- + +## 4. Netbird for Industrial Applications + +### Overview + +**Netbird** is an open-source, WireGuard-based mesh VPN platform with focus on simplicity and security. 
+ +**Key Features:** +- Built on WireGuard (modern, fast, secure) +- Fully open source (BSD-3-Clause license) +- Self-hosting friendly +- Identity-based access control +- SSO/MFA integration +- Modern web UI + +### Architecture + +``` +┌─────────────────────────────────────┐ +│ Netbird Management Server │ +│ (Control plane, can be self-hosted) │ +└──────────┬──────────────────────────┘ + │ + ┌──────┴──────┬──────────────┐ + │ │ │ +┌───▼───┐ ┌───▼───┐ ┌───▼───┐ +│Device1│←WG→│Device2│←WG→│Device3│ +│(PLC) │ │(HMI) │ │(Laptop)│ +└───────┘ └───────┘ └───────┘ + +Legend: +- Control traffic goes through management server +- Data traffic is peer-to-peer WireGuard tunnels +- WG = WireGuard encrypted tunnel +``` + +### Why Netbird for Industrial? + +**Strengths:** + +**1. Performance:** +``` +WireGuard advantages: +- 2-3× faster than ZeroTier +- Lower latency (0.1-0.3ms vs 0.8-1.5ms) +- Better CPU efficiency +- Kernel-level implementation (Linux) +- Throughput: 2.5-3.2 Gbps vs ZT's 800-1200 Mbps +``` + +**2. Open Source:** +``` +Benefits: +- Full transparency (audit code) +- Community contributions +- No vendor lock-in +- Self-hosting option +- European data sovereignty (GDPR) +``` + +**3. Modern Security:** +``` +- WireGuard protocol (latest cryptography) +- ChaCha20 encryption +- Curve25519 key exchange +- Built-in zero-trust model +- Identity-based access (not IP-based) +``` + +**4. Enterprise Features (Free in Self-Hosted):** +``` +- SSO integration (Google, Microsoft, Okta) +- Multi-factor authentication +- Network access control policies +- Activity logs +- API for automation +``` + +### Netbird Security Features + +**Encryption (WireGuard):** +``` +- ChaCha20-Poly1305 for encryption +- Curve25519 for key exchange +- BLAKE2s for hashing +- Modern, audited cryptography +- ~4,000 lines of code (vs 100,000+ in OpenVPN) +``` + +**Access Control:** +``` +- Identity-based (not network-based) +- Integration with IdP (Google, Microsoft, etc.) 
+- Posture checks (device compliance) +- Network ACLs +- Group-based policies +``` + +**Zero Trust Approach:** +``` +Principles: +- Never trust, always verify +- Least privilege access +- Continuous authentication +- Device compliance checks +- Audit everything +``` + +### Netbird for PLC Access - Implementation + +#### Step 1: Choose Deployment Method + +**Option A: Cloud (Netbird.io SaaS)** +``` +Pros: +- Quick setup (5 minutes) +- Managed by Netbird +- Automatic updates +- Built-in SSO + +Cons: +- Data flows through cloud (metadata only) +- Monthly cost for advanced features +- Less control + +Best for: Small teams, quick POC +``` + +**Option B: Self-Hosted** +``` +Pros: +- Full control +- On-premise data +- Free advanced features +- GDPR compliant + +Cons: +- Requires server (Docker) +- Maintenance responsibility +- Initial setup effort + +Best for: Enterprises, data sovereignty requirements +``` + +#### Step 2: Self-Hosted Setup (Recommended for Industrial) + +**Prerequisites:** +``` +- Linux server (Ubuntu 20.04+) +- Docker and Docker Compose +- Public domain or IP +- 2GB RAM minimum +``` + +**Installation:** + +```bash +# 1. Install Docker +curl -fsSL https://get.docker.com | sh + +# 2. Download Netbird +git clone https://github.com/netbirdio/netbird +cd netbird/infrastructure_files/getting-started-with-zitadel + +# 3. Configure environment +export NETBIRD_DOMAIN=vpn.yourcompany.com +export NETBIRD_HTTP_PORT=80 +export NETBIRD_HTTPS_PORT=443 + +# 4. Generate certificates (Let's Encrypt) +./configure.sh + +# 5. Start services +docker-compose up -d + +# 6. 
Access web UI +# https://vpn.yourcompany.com +``` + +**Services Started:** +``` +- Management Server (Control plane) +- Signal Server (NAT traversal coordination) +- Zitadel (Identity provider for SSO) +- Dashboard (Web UI) +- Relay Servers (TURN/STUN) +``` + +#### Step 3: Client Installation + +**Windows (Beckhoff IPC):** +```powershell +# Download from GitHub releases +Invoke-WebRequest -Uri "https://github.com/netbirdio/netbird/releases/download/v0.27.0/netbird_installer_0.27.0_windows_amd64.exe" -OutFile "netbird-setup.exe" + +# Install +.\netbird-setup.exe /S + +# Join network +netbird up --management-url https://vpn.yourcompany.com +``` + +**Linux (Gateway PC for Siemens S7):** +```bash +# Add repository +curl -fsSL https://pkgs.netbird.io/debian/public.key | sudo gpg --dearmor -o /usr/share/keyrings/netbird-archive-keyring.gpg +echo 'deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main' | sudo tee /etc/apt/sources.list.d/netbird.list + +# Install +sudo apt-get update +sudo apt-get install netbird + +# Join network +sudo netbird up --management-url https://vpn.yourcompany.com +``` + +#### Step 4: Configure Network Routes + +**In Netbird Dashboard:** + +``` +1. Log in to https://vpn.yourcompany.com +2. Go to "Network Routes" +3. Click "Add Route" +4. Configure: + - Network: 192.168.10.0/24 + - Description: "PLC Network" + - Peer: Select gateway peer + - Masquerade: Enable + - Metric: 100 +5. Save +``` + +**On Gateway Linux System:** + +```bash +# Enable IP forwarding +sudo sysctl -w net.ipv4.ip_forward=1 +echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf + +# No NAT needed - Netbird handles it with masquerade enabled! 
+ +# Just allow forwarding +sudo iptables -A FORWARD -i wt0 -o eth0 -j ACCEPT +sudo iptables -A FORWARD -i eth0 -o wt0 -m state --state RELATED,ESTABLISHED -j ACCEPT + +# Save rules +sudo iptables-save | sudo tee /etc/iptables/rules.v4 +``` + +#### Step 5: Access Control Policies + +**Create Groups:** +``` +Dashboard → Groups: +- "Engineers" - Engineering team +- "Operators" - Operators with limited access +- "PLCs" - All PLC gateway devices +- "HMIs" - HMI panels +``` + +**Create Network ACLs:** +``` +Dashboard → Network → Access Control: + +Rule 1: Engineers can access everything +- Source: Group "Engineers" +- Destination: Group "PLCs" +- Protocol: Any +- Action: Allow + +Rule 2: Operators can access HMIs only +- Source: Group "Operators" +- Destination: Group "HMIs" +- Protocol: TCP Port 80, 443, 3389 +- Action: Allow + +Rule 3: Deny all other traffic +- Source: Any +- Destination: Group "PLCs" +- Protocol: Any +- Action: Deny +``` + +#### Step 6: Enable Posture Checks + +**Device Compliance Requirements:** +``` +Dashboard → Settings → Posture Checks: + +1. Operating System Version + - Minimum: Windows 10 21H2 + - Prevents outdated systems + +2. Antivirus Running + - Require: Windows Defender or approved AV + - Status: Running + +3. Disk Encryption + - Require: BitLocker enabled + - Ensures data protection + +4. 
Geolocation (Optional) + - Restrict: Access from specific countries + - Compliance requirement +``` + +**EDR Integration (Advanced):** +``` +Dashboard → Integrations → CrowdStrike: + +- Require: Device managed by CrowdStrike +- Minimum: Prevention policy level 3 +- Block: Devices with active threats + +Result: Only compliant, managed devices can access +``` + +### Netbird Pricing (as of 2026) + +``` +Free (Self-Hosted): +- Unlimited users and devices +- All features included +- Self-managed +- Community support + +Starter (SaaS - $5/user/month): +- Up to 100 devices +- Managed service +- Email support +- SSO integration + +Business (SaaS - $12/user/month): +- Unlimited devices +- Priority support +- Advanced analytics +- Custom integrations + +Enterprise (Custom): +- Dedicated infrastructure +- SLA guarantees +- Premium support +- On-premise option +``` + +--- + +## 5. Netbird vs. ZeroTier Comparison + +### Head-to-Head Feature Comparison + +| Feature | ZeroTier | Netbird | +|---------|----------|---------| +| **Protocol** | Proprietary | WireGuard | +| **Performance** | 800-1200 Mbps | 2500-3200 Mbps | +| **Latency** | 0.8-1.5ms | 0.1-0.3ms | +| **Open Source** | Client only | Fully open source | +| **OSI Layer** | Layer 2 + 3 | Layer 3 only | +| **Self-Hosting** | Yes (complex) | Yes (simple) | +| **Free Tier** | 25 devices | Unlimited (self-hosted) | +| **SSO Integration** | Paid only | Free (self-hosted) | +| **Platform Support** | Excellent | Very Good | +| **Industrial Protocols** | Full support | Limited (no Layer 2) | +| **Zero Trust** | Basic | Advanced | +| **Management UI** | Good | Excellent | +| **Learning Curve** | Medium | Low | +| **Enterprise Features** | Paid | Free (self-hosted) | + +### Performance Comparison + +**Throughput Test (Same Hardware):** +``` +Test: 1GB file transfer between two peers + +ZeroTier: +- Speed: 98 MB/s (784 Mbps) +- CPU: 35% on both sides +- Latency: +1.2ms overhead + +Netbird (WireGuard): +- Speed: 310 MB/s (2480 Mbps) 
+- CPU: 15% on both sides +- Latency: +0.2ms overhead + +Result: Netbird is ~3× faster +``` + +### Use Case Recommendations + +**Choose ZeroTier When:** + +1. **Layer 2 Protocols Required** + ``` + - PROFINET (Siemens/Beckhoff) + - EtherNet/IP (Rockwell) + - Multicast discovery protocols + - Service discovery (mDNS, SSDP) + ``` + +2. **Maximum Platform Compatibility** + ``` + - Exotic embedded devices + - MikroTik routers + - Synology/QNAP NAS + - Very old systems + ``` + +3. **Complex Network Topologies** + ``` + - Multiple site interconnection + - Bridging to physical networks + - VLAN-like segmentation + - Advanced routing scenarios + ``` + +4. **Zero Trust is Secondary** + ``` + - Basic network access control is sufficient + - Don't need SSO/MFA integration + - Simple authorization model + ``` + +**Choose Netbird When:** + +1. **Performance is Critical** + ``` + - High-bandwidth applications + - Real-time HMI access + - Large file transfers (backups) + - Low-latency requirements + ``` + +2. **Zero Trust Security Required** + ``` + - Identity-based access control + - SSO/MFA integration needed + - Posture checks (device compliance) + - Granular access policies + ``` + +3. **Data Sovereignty** + ``` + - GDPR compliance + - On-premise requirement + - No cloud dependency + - Full control over infrastructure + ``` + +4. **Modern Infrastructure** + ``` + - Cloud-native deployments + - Docker/Kubernetes environments + - Modern Windows/Linux systems + - API-driven automation + ``` + +5. 
**Open Source Requirement** + ``` + - Audit entire codebase + - Contribute improvements + - No vendor lock-in + - Community support + ``` + +### Industrial Protocols Support + +**Layer 2 Protocols (ZeroTier Only):** +``` +✓ PROFINET (Beckhoff, Siemens) +✓ EtherNet/IP (Rockwell, Allen-Bradley) +✓ Modbus TCP (with broadcast) +✓ BACnet MSTP +✓ OPC UA (with multicast) +✓ LLDP, CDP +✓ NetBIOS, SSDP +``` + +**Layer 3 Protocols (Both Support):** +``` +✓ S7 Communication (Siemens) +✓ ADS (Beckhoff TwinCAT) +✓ Modbus TCP (unicast) +✓ OPC UA (unicast) +✓ HTTP/HTTPS (HMI, web panels) +✓ SSH, RDP +✓ MQTT, CoAP +``` + +**Workarounds for Layer 2 on Netbird:** +``` +1. Use Layer 3 variants of protocols when available +2. Deploy protocol gateways (OPC UA gateway, Modbus gateway) +3. Modify device configuration to unicast mode +4. Consider ZeroTier for specific Layer 2 segments only +``` + +--- + +## 6. Implementation Guide for Industrial PLCs + +### Scenario A: Siemens S7-1200 with ZeroTier + +**Architecture:** +``` +[Engineer Laptop] ←ZeroTier→ [Raspberry Pi Gateway] ←Eth→ [S7-1200 PLC] + (ZT IP) (ZT IP + Local IP) (192.168.10.100) +``` + +**Step-by-Step:** + +1. **Set up ZeroTier network** (my.zerotier.com) +2. **Install ZeroTier on Raspberry Pi:** + ```bash + curl -s https://install.zerotier.com | sudo bash + sudo zerotier-cli join + ``` + +3. **Configure routing on Pi:** + ```bash + # Enable forwarding + sudo sysctl -w net.ipv4.ip_forward=1 + + # Add route + sudo ip route add 192.168.10.0/24 via 192.168.10.1 dev eth0 + + # NAT + sudo iptables -t nat -A POSTROUTING -s 10.144.0.0/16 -d 192.168.10.0/24 -o eth0 -j MASQUERADE + sudo iptables -A FORWARD -i zt+ -o eth0 -j ACCEPT + sudo iptables -A FORWARD -i eth0 -o zt+ -m state --state RELATED,ESTABLISHED -j ACCEPT + ``` + +4. **Add route in ZeroTier console:** + - Destination: 192.168.10.0/24 + - Via: + +5. **Install ZeroTier on laptop** and join network + +6. 
**Access PLC from TIA Portal:** + - IP: 192.168.10.100 (routes through ZT) + +### Scenario B: Beckhoff IPC with Netbird + +**Architecture:** +``` +[Engineer Laptop] ←Netbird→ [Beckhoff IPC] ←ADS→ [TwinCAT Runtime] + (NB IP) (NB IP + Local IP) +``` + +**Step-by-Step:** + +1. **Deploy Netbird management server** (self-hosted or cloud) + +2. **Install Netbird on Beckhoff IPC:** + ```powershell + # Download installer + Invoke-WebRequest -Uri "https://github.com/netbirdio/netbird/releases/download/v0.27.0/netbird_installer_0.27.0_windows_amd64.exe" -OutFile "netbird-setup.exe" + + # Install + .\netbird-setup.exe /S + + # Connect + netbird up --management-url https://vpn.yourcompany.com + ``` + +3. **Configure Windows Firewall on IPC:** + ```powershell + # Allow ADS from Netbird interface + New-NetFirewallRule -DisplayName "ADS via Netbird" ` + -Direction Inbound ` + -Protocol TCP ` + -LocalPort 48898 ` + -InterfaceAlias "Netbird" ` + -Action Allow + ``` + +4. **Install Netbird on laptop** and join + +5. **Access PLC from TwinCAT XAE:** + - Add route to IPC via Netbird IP + - Connect to :48898 + +### Scenario C: Multi-Site SCADA with Both + +**Use Case:** 3 manufacturing sites, each with different PLC brands + +**Architecture:** +``` +Site A (Siemens S7) ←ZeroTier Layer 2→ Site B (Beckhoff) ←Netbird Layer 3→ Site C (Rockwell) + ↓ + Central SCADA + (Netbird + ZT) +``` + +**Strategy:** +- **ZeroTier**: For sites needing Layer 2 (PROFINET, EtherNet/IP) +- **Netbird**: For sites with Layer 3 protocols only (better performance) +- **Central SCADA**: Joins both networks + +**Implementation:** +1. Create ZeroTier network for Layer 2 sites +2. Deploy Netbird for Layer 3 sites +3. SCADA server joins both networks +4. Use network ACLs to control access + +--- + +## 7. Best Practices and Recommendations + +### Security Best Practices + +**1. Never Expose PLCs Directly** +``` +❌ BAD: +Internet → Port Forward → PLC + +✓ GOOD: +Internet → VPN (NB/ZT) → Gateway → PLC +``` + +**2. 
Use Gateway Architecture** +``` +Benefits: +- PLC stays on isolated network +- Gateway provides additional security layer +- Easier to monitor and log access +- Can implement additional authentication + +Recommended: Raspberry Pi as dedicated gateway +``` + +**3. Implement Defense-in-Depth** +``` +Layer 1: VPN (Netbird/ZeroTier) +Layer 2: Gateway with firewall +Layer 3: PLC password protection +Layer 4: Network segmentation (VLANs) +Layer 5: Logging and monitoring +Layer 6: Regular security audits +``` + +**4. Access Control** +``` +Principle of Least Privilege: +- Engineers: Full access +- Operators: HMI only +- Vendors: Temporary, monitored access +- Read-only accounts for monitoring + +Use groups and role-based access control +``` + +**5. Logging and Monitoring** +``` +Log: +- All VPN connections +- PLC access attempts +- Configuration changes +- Failed authentication + +Monitor for: +- Unusual connection times +- Connections from new locations +- Multiple failed attempts +- Abnormal data transfers +``` + +### Operational Best Practices + +**1. Redundancy** +``` +- Primary VPN: Netbird (performance) +- Backup VPN: ZeroTier (reliability) +- Both configured, one active +- Automatic failover if possible +``` + +**2. Backup and Recovery** +``` +Before any changes: +- Backup PLC program +- Document current VPN config +- Test in non-production first +- Have rollback plan +``` + +**3. Change Management** +``` +VPN changes require: +- Approval from operations +- Testing in lab +- Maintenance window +- Rollback procedure +- Post-change validation +``` + +**4. Vendor Access** +``` +For vendor support: +- Create temporary account +- Time-limited (24-48 hours) +- Monitor session (screen share) +- Revoke immediately after +- Audit all actions +``` + +**5. 
Documentation** +``` +Maintain: +- Network diagrams (current) +- Device inventory +- IP address plan +- Access control matrix +- Incident response procedures +- Recovery procedures +``` + +### Choosing Between Netbird and ZeroTier + +**Decision Matrix:** + +``` +Score each criterion 1-5, multiply by weight, sum: + +Criterion Weight ZT Score NB Score +======================================================== +Layer 2 protocol support 30% 5 1 +Performance requirements 20% 3 5 +Zero Trust/SSO needs 15% 2 5 +Open source requirement 10% 3 5 +Self-hosting preference 10% 3 5 +Budget constraints 5% 4 5 +Platform compatibility 10% 5 4 + +Total (example): 3.75 4.25 +``` + +**Quick Decision Tree:** +``` +Do you need Layer 2 protocols (PROFINET, EtherNet/IP)? +├─ YES → ZeroTier +└─ NO → Continue + +Do you need >1 Gbps throughput? +├─ YES → Netbird +└─ NO → Continue + +Do you need SSO/MFA integration? +├─ YES → Netbird +└─ NO → Continue + +Do you need full open source? +├─ YES → Netbird +└─ NO → Either works + +Default: Netbird (better performance, modern security) +``` + +### Migration Strategies + +**From Traditional VPN to Mesh VPN:** + +**Phase 1: Pilot (Weeks 1-2)** +``` +1. Set up Netbird/ZeroTier in parallel +2. Test with 1-2 non-critical devices +3. Validate connectivity and performance +4. Train team on new system +``` + +**Phase 2: Gradual Rollout (Weeks 3-6)** +``` +1. Migrate engineering access first +2. Then HMI/SCADA connections +3. Finally, vendor access +4. Keep old VPN as backup +``` + +**Phase 3: Decommission (Weeks 7-8)** +``` +1. Monitor for issues (4 weeks) +2. Verify no old VPN usage +3. Remove old VPN infrastructure +4. Update documentation +``` + +**From ZeroTier to Netbird (or vice versa):** + +**Parallel Operation:** +``` +1. Deploy new VPN alongside old +2. Test thoroughly +3. Switch users gradually +4. Monitor for 2 weeks +5. 
Decommission old VPN +``` + +--- + +## Appendix A: Quick Reference Commands + +### ZeroTier Commands + +```bash +# Join network +sudo zerotier-cli join + +# Leave network +sudo zerotier-cli leave + +# List networks +sudo zerotier-cli listnetworks + +# Show peer connections +sudo zerotier-cli peers + +# Get node ID +sudo zerotier-cli info + +# Restart service +sudo systemctl restart zerotier-one +``` + +### Netbird Commands + +```bash +# Join network +sudo netbird up --management-url https://vpn.yourcompany.com + +# Leave network +sudo netbird down + +# Show status +netbird status + +# Show routes +netbird routes + +# Debug mode +netbird up --log-level debug + +# Restart service +sudo systemctl restart netbird +``` + +### Network Testing + +```bash +# Test connectivity to PLC +ping 192.168.10.100 + +# Test PLC port (S7) +nc -zv 192.168.10.100 102 + +# Test PLC port (ADS) +nc -zv 192.168.10.100 48898 + +# Trace route +traceroute 192.168.10.100 + +# Performance test +iperf3 -c 192.168.10.100 + +# Latency test +ping -c 100 192.168.10.100 | tail -1 +``` + +--- + +## Appendix B: Troubleshooting Guide + +### Common Issues + +**Issue 1: Cannot ping PLC through VPN** +``` +Checklist: +□ VPN connected? (zerotier-cli listnetworks / netbird status) +□ Route configured? (ip route show | grep 192.168.10) +□ Gateway forwarding enabled? (cat /proc/sys/net/ipv4/ip_forward) +□ Firewall rules correct? (iptables -L -n) +□ PLC actually at this IP? (ping from gateway directly) +``` + +**Issue 2: Poor VPN performance** +``` +Checklist: +□ Direct peer connection? (zerotier-cli peers / netbird status) +□ Relay being used? (check for relay IPs in peers list) +□ Internet bandwidth sufficient? (speedtest) +□ CPU overloaded? (top / htop) +□ MTU issues? (try ping -s 1400 -M do ) +``` + +**Issue 3: Connection drops frequently** +``` +Checklist: +□ Internet stable? (ping 8.8.8.8 -c 100) +□ NAT timeout? (adjust keep-alive settings) +□ Firewall blocking? 
(check firewall logs) +□ VPN service running? (systemctl status) +□ Certificate issues? (check logs) +``` + +--- + +## Appendix C: Security Checklist + +### Pre-Deployment Security Review + +``` +VPN Configuration: +□ Strong encryption enabled +□ Access control configured +□ Unnecessary features disabled +□ Logging enabled +□ Firewall rules reviewed + +Gateway Security: +□ OS hardened and updated +□ Firewall configured +□ SSH key-only authentication +□ Automatic updates enabled +□ Monitoring configured + +PLC Security: +□ Password protection enabled +□ IP ACLs configured +□ Unused services disabled +□ Firmware up to date +□ Backup completed + +Network Security: +□ VLANs configured +□ Network segmentation in place +□ IDS/IPS deployed +□ No direct internet access for PLCs +□ DMZ for historian/SCADA + +Access Control: +□ Role-based access defined +□ Strong password policy +□ MFA enabled (if supported) +□ Access regularly reviewed +□ Vendor access time-limited + +Documentation: +□ Network diagram updated +□ Procedures documented +□ Emergency contacts listed +□ Incident response plan ready +□ Recovery procedures tested +``` + +--- + +**Document Version:** 1.0 +**Last Updated:** February 16, 2026 +**Covers:** Beckhoff TwinCAT, Siemens S7, Netbird, ZeroTier +**For Use With:** industrial-network-security-guide.md
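Review bot: the "Layer 2 Protocols (ZeroTier Only)" list marks PROFINET and EtherNet/IP as supported with a plain checkmark, and Scenario C then stretches that across sites over the internet, but nothing in the file states the cycle-time and jitter budget these real-time protocols expect from the link. Add a qualification next to those entries (which traffic classes are realistic over a WAN tunnel, e.g. engineering/discovery traffic versus cyclic I/O), otherwise a reader will pick ZeroTier expecting PROFINET I/O between sites to work.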
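Review bot: in the Scenario A "Configure routing on Pi" block, `sudo ip route add 192.168.10.0/24 via 192.168.10.1 dev eth0` is either redundant or rejected: if eth0 already holds an address in 192.168.10.0/24 the kernel installs the connected route itself, and if it does not, 192.168.10.1 is not a valid next hop. Drop the line, or explain the extra router it implies. The forwarding rules also accept everything from `zt+` into the whole PLC subnet, which contradicts the "Gateway provides additional security layer" benefit claimed in section 7; suggest `sudo iptables -P FORWARD DROP` ahead of the accept rules and narrowing the first one to the PLC and its protocol, e.g. `-d 192.168.10.100 -p tcp --dport 102`. Finally, note that `sysctl -w` and the iptables rules do not survive a reboot, and that the `10.144.0.0/16` MASQUERADE source must match the managed IP range actually assigned in the ZeroTier console.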
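Review bot: the Scenario B "Install Netbird on Beckhoff IPC" step downloads a pinned `netbird_installer_0.27.0` binary and executes it with no integrity check; add a `Get-FileHash` comparison against the checksum published with that release before the `.\netbird-setup.exe /S` line. `netbird up --management-url ...` also leaves out how an unattended IPC authenticates to the management server (a setup key via `--setup-key`, or the interactive login, which a headless runtime cannot complete), so state which one applies. The firewall rule in step 3 opens TCP 48898 to every peer on the Netbird interface; since section 7 calls for least privilege and network ACLs, either add `-RemoteAddress` with the engineering peers' Netbird IPs or point to the Netbird access policies that do the restriction, and tell the reader to confirm the `-InterfaceAlias "Netbird"` value with `Get-NetAdapter`, because a rule with a non-matching alias silently matches nothing.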
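Review bot: several commands have lost their argument placeholders, presumably angle-bracket tokens swallowed by markdown rendering: `sudo zerotier-cli join` (no network ID), `Via:` under "Add route in ZeroTier console", `Connect to :48898` in Scenario B, and `ping -s 1400 -M do` in Appendix B; wrap each placeholder in backticks so it survives. In the decision matrix, the printed totals do not follow from the table: with the listed weights and scores both columns come to 3.7 (ZeroTier 1.5+0.6+0.3+0.3+0.3+0.2+0.5, Netbird 0.3+1.0+0.75+0.5+0.5+0.25+0.4), not 3.75 and 4.25, so either the scores or the totals need correcting before the worked example is used to support the "Default: Netbird" conclusion.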