1. Glossary

1.1. Abbreviations

VPN: Virtual Private Network

OTA: Over the Air

SSH: Secure Shell

AWS: Amazon Web Services

REST: Representational State Transfer

API: Application Programming Interface

UI: User Interface

CLI: Command Line Interface

NM: NetModule

FQDN: Fully Qualified Domain Name

HMI: Human Machine Interface

1.2. System architecture network overview

The following figure shows the main components that constitute the Connectivity Suite and its associated networks. Section 1.3 below gives a short description of these components.

Fig. 1.1 Main components network architecture (image: _images/networkarchitecture.jpg)

1.3. Terminology

1:1 NAT: 1:1 NAT (Network Address Translation) is a mode of NAT that maps one internal address to one external address each. 1:1 NAT is used on every Tenant; it can also be enabled on a Device if required. 1:1 NAT on Tenants allows using the same address space for multiple Tenant subnets. 1:1 NAT on a Device behaves likewise, thus making it possible to access its End Devices via the Connectivity Suite VPN network (Service Access).
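As an added illustration of the 1:1 NAT behaviour described above (example code, not part of the Connectivity Suite or NetModule), the following Python models one 1:1 NAT mapping per Tenant. The two Tenants deliberately use the same internal subnet, which is the situation 1:1 NAT on Tenants is meant to allow; the subnet values are constructed, and the "same host offset" mapping and the overlap check on the external side are assumptions about how such a translation is laid out, not something the glossary states.

```python
import ipaddress
from typing import Dict, Optional, Tuple


class OneToOneNat:
    """1:1 NAT: each address of the internal subnet maps to exactly one address
    of an equally sized external subnet, keeping the host offset (assumed
    semantics for this example; the glossary only states the one-to-one mapping)."""

    def __init__(self, internal_subnet: str, external_subnet: str) -> None:
        self.internal = ipaddress.ip_network(internal_subnet)
        self.external = ipaddress.ip_network(external_subnet)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT requires internal and external subnets of equal size")

    def to_external(self, internal_addr: str) -> str:
        addr = ipaddress.ip_address(internal_addr)
        if addr not in self.internal:
            raise ValueError(f"{addr} is not in internal subnet {self.internal}")
        offset = int(addr) - int(self.internal.network_address)
        return str(self.external.network_address + offset)

    def to_internal(self, external_addr: str) -> str:
        addr = ipaddress.ip_address(external_addr)
        if addr not in self.external:
            raise ValueError(f"{addr} is not in external subnet {self.external}")
        offset = int(addr) - int(self.external.network_address)
        return str(self.internal.network_address + offset)


def build_tenant_table(tenants: Dict[str, Tuple[str, str]]) -> Dict[str, OneToOneNat]:
    """One 1:1 NAT per Tenant. Internal subnets may repeat across Tenants (that is
    what 1:1 NAT on Tenants buys); external ranges must not overlap, otherwise
    Service Access could not tell the Tenants apart."""
    table: Dict[str, OneToOneNat] = {}
    for name, (internal, external) in tenants.items():
        nat = OneToOneNat(internal, external)
        for other_name, other in table.items():
            if nat.external.overlaps(other.external):
                raise ValueError(f"external range of {name} overlaps that of {other_name}")
        table[name] = nat
    return table


def resolve_external(table: Dict[str, OneToOneNat], external_addr: str) -> Optional[Tuple[str, str]]:
    """Map an address as seen from the VPN side back to (Tenant, internal address)."""
    addr = ipaddress.ip_address(external_addr)
    for name, nat in table.items():
        if addr in nat.external:
            return name, nat.to_internal(external_addr)
    return None


# Constructed sample: two Tenants whose subnets both use 192.168.1.0/24 internally.
SAMPLE_TENANTS = {
    "tenant-a": ("192.168.1.0/24", "10.10.1.0/24"),
    "tenant-b": ("192.168.1.0/24", "10.10.2.0/24"),
}


def demo() -> Tuple[str, str, Optional[Tuple[str, str]]]:
    table = build_tenant_table(SAMPLE_TENANTS)
    ext_a = table["tenant-a"].to_external("192.168.1.7")  # 10.10.1.7
    ext_b = table["tenant-b"].to_external("192.168.1.7")  # 10.10.2.7
    # The external address is unambiguous, so it resolves back to exactly one Tenant.
    return ext_a, ext_b, resolve_external(table, ext_b)


if __name__ == "__main__":
    print(demo())
```

The same model applies to 1:1 NAT on a single Device: its End Device subnet is the internal side, and the external side is the address range reachable through the Connectivity Suite VPN.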

Configuration: Refers to the configuration package of a NM router. This package contains at least a user-config.cfg file, which holds the main configuration parameters; it can also contain certificates, user-defined scripts and more. What we commonly refer to as a “router configuration” or simply “configuration” is a ZIP file consisting of

  • a text file (user-config.cfg) containing the actual NM router configuration parameters

  • a tar archive containing, amongst others, keys and certificates, VPN configurations, SDK scripts

It’s the same format you get when you download a NM router configuration via the web interface of the NM router.
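As an added example of the package structure just described (example code, not from NetModule or the Connectivity Suite), the following Python builds a constructed package in memory and checks its structure without extracting anything to disk: user-config.cfg must be present, exactly one tar archive must be present, and no entry may point outside the extraction directory. The tar member name (files.tar) and the key=value layout of user-config.cfg are assumptions; the glossary only says the ZIP holds user-config.cfg and a tar archive.

```python
import io
import posixpath
import tarfile
import zipfile
from typing import Dict, List

CONFIG_FILE = "user-config.cfg"
# ASSUMPTION: the tar archive is stored under this name; the glossary does not name it.
TAR_MEMBER = "files.tar"


def _is_safe_member(name: str) -> bool:
    """Reject absolute paths and '..' components, so a malformed package cannot
    write outside its target directory when it is unpacked later."""
    name = name.replace("\\", "/")
    if name.startswith("/"):
        return False
    return ".." not in posixpath.normpath(name).split("/")


def inspect_package(package: bytes) -> Dict[str, object]:
    """Check the structure of a router configuration package in memory and
    return the parsed parameters, the tar members and any problems found."""
    problems: List[str] = []
    params: Dict[str, str] = {}
    tar_members: List[str] = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        problems += [f"unsafe zip entry: {n}" for n in names if not _is_safe_member(n)]
        if CONFIG_FILE not in names:
            problems.append(f"missing {CONFIG_FILE}")
        else:
            # ASSUMPTION: key=value lines with '#' comments (constructed sample format).
            for line in zf.read(CONFIG_FILE).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    params[key.strip()] = value.strip()
        tars = [n for n in names if n.endswith((".tar", ".tar.gz", ".tgz"))]
        if len(tars) != 1:
            problems.append(f"expected exactly one tar archive, found {len(tars)}")
        for t in tars:
            with tarfile.open(fileobj=io.BytesIO(zf.read(t)), mode="r:*") as tf:
                for m in tf.getmembers():
                    tar_members.append(m.name)
                    # Links and traversal entries are the classic way an archive escapes its directory.
                    if m.issym() or m.islnk() or not _is_safe_member(m.name):
                        problems.append(f"unsafe tar entry: {m.name}")
    return {"params": params, "tar_members": sorted(tar_members), "problems": problems}


def build_sample_package(unsafe: bool = False) -> bytes:
    """Construct a package in memory (sample content, not a real router export).
    With unsafe=True a path-traversal entry is added to the tar to show detection."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        cert = b"-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"
        info = tarfile.TarInfo("certs/vpn-client.crt")
        info.size = len(cert)
        tf.addfile(info, io.BytesIO(cert))
        if unsafe:
            tf.addfile(tarfile.TarInfo("../outside.txt"))  # zero-length traversal entry
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONFIG_FILE, "# constructed sample\nsystem.hostname=router-01\nvpn.enabled=1\n")
        zf.writestr(TAR_MEMBER, tar_buf.getvalue())
    return zip_buf.getvalue()


if __name__ == "__main__":
    print(inspect_package(build_sample_package()))
    print(inspect_package(build_sample_package(unsafe=True))["problems"])
```

Running a check like this on an uploaded package before a Job deploys it catches a malformed or tampered archive while it is still only bytes in memory.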

Connectivity Suite: The software consists of several microservices, each of which is running as an individual Docker container.

Core Network: The Core Network is used for Docker Networks, the Provisioning Server network, and the Home Server network.

Device: Refers to a NM router. Third-party routers can currently only be monitored by the Connectivity Suite, by integrating them as a Generic Device; configuration or software updates for third-party routers are not supported.

Docker Network: The network that connects the Docker containers. It also links these containers to the Home Network (see Section 7).

End Device: Every Device which runs behind a NM router and is directly connected to it.

Generic Device: Every Device which can run as an OpenVPN client and is not a NM router.

Gitlab repository: This is the repository from where the Connectivity Suite software can be downloaded to be installed.

Home Network: A VPN subnet consisting of all Tenants. A Connectivity Suite instance has exactly one Home Network (see Section 7).

Home Server: A VPN server which defines the Home Network (see Section 7).

Job: Can be used to deploy complete Configurations, Snippets or Software to Devices. The execution of a Job can be flexibly scheduled.

Service Access: The Service Access is the established VPN tunnel used to directly access the End Devices and Devices in the network. The Connectivity Suite allows the user to download VPN configurations and certificates for establishing VPN connections to the Home Server, the Provisioning Server and any Tenant Server. Once a connection from the user’s VPN client to the Provisioning or Tenant Server is established, they can access any Device and Generic Device connected to the subnet of the relevant VPN server. If 1:1 NAT is enabled on a Device, End Devices behind this Device can be accessed this way as well. As every Tenant is attached to the Home Server, a user with a VPN connection to the Home Server has access to every Device and End Device, regardless of the Tenant they are assigned to.

Snippet: Refers to a subset of configuration parameters taken from a user-config.cfg file. Snippets can be used for configuring specific features of a NM router without having to upload a complete configuration package. A Snippet can consist of one or more configuration parameters.

Software: The software which will be uploaded to the Devices as a software image.

Standard Configuration: A standard configuration is always bound to a specific physical Device. It contains Device-specific information such as VPN certificates and SSH keys and therefore cannot be deployed to any other Device.

Provisioning Configuration: A Provisioning Configuration contains no Device-specific information and can be deployed to an arbitrary number of Devices. A Device equipped with a Provisioning Configuration has the required VPN configuration and certificates to establish a VPN connection to the Provisioning Server.

Provisioning Network: A VPN subnet consisting of Devices newly detected by the Connectivity Suite but not assigned to a Tenant yet. A Connectivity Suite instance has exactly one Provisioning Network.

Provisioning Server: A VPN server which defines the Provisioning Network.

Task: A Job can contain multiple Tasks. A Task is the execution of the Job's deployment on a single Device.

Tenant: Short term for Tenant Network.

Tenant Network: Name of a VPN subnet consisting of Devices and Generic Devices. Tenants can be used to group Devices. Role privileges for Connectivity Suite users are granted per Tenant. The certificates used for establishing VPN connections are created in an automated fashion (see Section 7).

Tenant Server: A VPN server which defines a Tenant Network.