VPNX - Secure Managed MultiPoint VPN Overlay Service


VPNX is L3n's Managed Overlay VPN Service.

Built with the customer's customer network in mind, VPNX will allow you to seamlessly remotely access and manage your equipment while it does it's job behind your customer's network.

The service consists of multiple VPNX End Points (VEPs are secure, encrypted, Linux-based network routers), sited remotely behind your customer's network. These VEPs connect out using the latest VPN protocols to a cloud-based, secure server running an included Network Management System. The server then securely inter-connects the VEP traffic to produce a Multipoint, Managed, Secure, Overlay VPN Service.

The included Network Management System monitors and manages all of the components of the VPNX Service and optionally, your CPE equipment if required. It can even go to the extent of managing your customers network equipment if that's what you require.

So if your business requires the flexibility of a managed remote access service without compromising security, VPNX allows fast, secure and managed connectivity via a multipoint, secure private network, to your equipment that may be:

  • behind existing third-party or customer firewalls or security devices – in fact anywhere where one entity needs secure access into or behind another entity's network or infrastructure, e.g. venture capitalists needing to ensure the contractual obligations for investment are being observed, or for building management and maintenance.
  • in temporary or mobile locations using wifi, mobile or local Internet access – perfect for building sites, property development and other fast, temporary secure access requirements. For example, the system could allow secure connectivity from a remote site back to your head office: carrying CCTV coverage at night and secure Internet access during the day (allowing you to apply your policy to the Internet access) with zero touch installation and robust lightweight hardware. The VPNX Endpoints (VEPs) can even support encrypted system data partitions accessed via a hardware key so the VEP cannot be accessed or used by thieves if stolen.
  • at remote locations – e.g. outside broadcast, secure alarm systems or just facilitating Internet access from remote locations – but pushed securely back to your head office, enabling your corporate security policy to be applied even to the remote traffic.
  • behind satellite broadband connectivity – L3n's testing of multipoint protocols running over satellite broadband indicates that IPsec doesn't work as well as our lighter weight encryption protocols
  • requiring remote serial console access - the on-site VEP allows you to gain remote serial console access to your equipment, allowing "last gasp" remote rescue in the case of an emergency. The Network Management System included with the VPNX service is particularly useful in this case as you can be confident that the rescue system is ready for action if needed.

and many other applications where a secure, managed, network service is required.

How does it work?

To use the VPNX system, a managed VPNX EndPoint (VEP) hardware unit is simply connected to a wired Internet connection or is set to access a mobile/wifi connection – even inside a network, behind a firewall or other security device. The VEP will automatically call OUT to an allocated VPNX server using our industry standard modern encryption protocols.

The system relies on security keys to ensure that the VEP is allowed to join the VPNX server (and the VEP can be sure that the VPNX server is the correct one). Once connected, the VEP has secure, encrypted connectivity to any other validated VEPs on that same VPNX server.

Due to the automated access to the central VPNX server, the VEPs are therefore 'zero touch' installations. The box is simply connected to an Internet link with DHCP address allocation and powered up.

The VPNX system has been tested to work well with IP, voice and video in addition to normal data within the limits of the available bandwidth.

The VPNX server

The VPNX server itself is based on a modern industry standard operating system and is hosted in a data centre under L3n control. The server is protected using TWO strong software firewalls that only allow valid data and protocols to travel in and out of the server. The server is controlled by L3n via encrypted access and the firewalls prevents access from anywhere else.

Each customer or VEP network has its own individual VPNX server. There is no multi-tenant sharing here.

VPNX Endpoints – VEPs

There are several types and sizes of VEPs depending on the power and throughput required: the most common is the smaller, mobile unit. The mobile unit runs an embedded copy of the Linux operating system and is very robust as it benefits from:

  • solid state storage.
  • a fanless motherboard for silent operation.
  • a tough, light ,aluminium encasement.
  • three simple LEDs for diagnostics – from left to right, one shows a heartbeat that shows the unit is running, two shows untrust traffic flow and three shows the state of the VPN tunnel. Two and three also flicker with activity.
  • zero touch installation.
  • logical protection by a software firewall – control is only via the secure VPNX service itself.

VPNX Management System

The VPNX management system software runs on the VPNX server and checks the status of each VEP. It can alert you the customer and/or L3n to any problems. As the management system runs from the VPNX server itself, it uses the secure encrypted VPNX service to manage the VEPs. The management system also monitors the server upon which it runs and alerts L3n to the need for OS updates and/or security patches, thus ensuring the server is running with optimum security.

Network Solution Auto-build/Re-build

Using industry standard system infrastructure automation software, our VPNX service is built completely automatically from bare OS. We also rebuild the entire network solution on a regular basis to automatically implement additions and deletions to the solution.

Secure Serial Console Access via VEPs

With the addition of USB to serial adapters the VEPs can be used to gain secure serial 'out of band' access to equipment serial ports. When your equipment has a problem or has been accidentally mis-configured then sometimes the ONLY way back in is via it's serial console port. Using VPNX and VEPs, we can offer that 'Last Gasp' access to restore your network.

Serial console access via the VPNX service is also proving very successful when being used to configure new equipment remotely.

This has saved time and money for our customers when deploying entire racks of brand new equipment and allowing 100% remote configuration and control.

High Availability VEPs

By using two VEPs onsite and implementing industry-standard dynamic routing protocols such as BGP and OSPF and also redundancy protocols such as VRRP, we can now offer VEPs in HA pairs.

Combined with using the USB to Serial adapters mentioned above we can cross connect the serial consoles on the VEPs to allow a very robust, redundant, secure access methodology where one VEP can even access it's partners serial console in order to restore service to the HA pair network and then on to the site equipment itself.

This is proving extremely useful for remote 'bare metal' installations with unproven ISPs etc.

Wireless VEPs

We can now offer VEPs with 3G/4G mobile adapters which will then allow secure access to the VPNX network via an appropriate mobile network.

Just 'drop' in a VEP, power up, connect to the VPNX network and use the secure SSLVPN access to the VEP with no wired Internet access in sight.

Combine this with the serial console access and you have a very powerful remote management system particularly suited to remote access industrial applications.


Solution pricing is custom based on number of VEPs and level of hardware management that you would require.

Please feel free to contact L3n for a quote.