Testing Different VPNs for ICS - Paiet/Capstone GitHub Wiki
Introduction: When it comes to connecting to peers in a secure manner, there are several VPN options to consider. The choice of VPN protocol depends on several factors, including the peer's support for a particular protocol and the user's preference for a specific protocol. In this capstone project, we explored different VPN protocols and evaluated their performance to determine the best-performing and easiest-to-use protocols for securing Industrial Control Systems.
VPN Options: There are several VPN options to consider when connecting to peers. OpenVPN was once the standard for DN42 because of its relatively simple configuration compared to IPsec, which is faster. However, WireGuard has since risen to become the de facto standard. Tunneling protocols such as GRE are simpler in theory but lack authentication features, which limits their use on the network.
Protocol Evaluation: The best-performing VPN protocols were evaluated using two VMs with 2 Ryzen cores and 2GB of RAM connected using a VirtIO paravirtualized networking adapter. The subset of protocols tested was chosen based on their usage in DN42, their support across network devices, and how easy they are to configure. The tests were conducted without a VPN and then using GRE, WireGuard, and OpenVPN.
Results: The results showed that WireGuard is the most widely supported VPN protocol due to its speed, simplicity, and consistent platform support. OpenVPN also has good support but lags far behind, and simple tunneling protocols like GRE show a fair amount of support. Peers were willing to use other VPN protocols upon request.
Conclusion: When securing Industrial Control Systems, it is crucial to choose the right VPN protocol to ensure the security and efficiency of the network. WireGuard is the most promising option for securing Industrial Control Systems due to its speed, simplicity, and consistent support across platforms.