A VPN (Virtual Private Network) is a technology that creates an encrypted communication tunnel over a public network — such as the internet — so that remote users or devices can securely access a private network as if they were directly connected to it. In industrial OT environments such as factory automation, power substations, and smart transportation, VPN is a foundational layer for IEC 62443-compliant remote access to SCADA systems, PLCs, and field devices. This article explains how VPNs work, compares the three most common protocols — OpenVPN, IPSec, and PPTP — and provides a decision guide for industrial network engineers.

How VPN works

When a device establishes a VPN connection, it first authenticates with the VPN server using credentials, certificates, or pre-shared keys. Once authenticated, all data between the device and the server is encrypted and encapsulated inside a VPN tunnel. To the underlying network, the traffic appears as ordinary encrypted packets — the original source IP, destination, and payload are hidden from intermediate nodes.

VPNs provide three core security properties:

  • Confidentiality — data is encrypted so intercepted packets cannot be read without the decryption key.
  • Integrity — cryptographic checksums detect any tampering in transit.
  • Authentication — both endpoints verify each other's identity before the tunnel opens.

VPN protocols compared: OpenVPN, IPSec, and PPTP

Three protocols dominate industrial and enterprise VPN deployments. The table below shows how they differ on the criteria that matter most for OT networks:

FeatureOpenVPNIPSec (IKEv2)PPTP
Encryption AES-256 via SSL/TLS AES-256 / ChaCha20 MPPE 128-bit (weak)
Authentication Certificates, username/password Certificates, PSK, EAP MS-CHAPv2 (vulnerable)
Firewall traversal Excellent (runs on TCP 443) Moderate (UDP 500/4500) Good (TCP 1723)
Throughput High (software) Very high (hardware acceleration) High (but insecure)
IEC 62443 suitable? ✅ Yes ✅ Yes ❌ No — deprecated
Recommended for industrial OT? ✅ First choice ✅ First choice ❌ Avoid

OpenVPN — flexible, firewall-friendly, open-source

OpenVPN is an open-source VPN protocol that uses the SSL/TLS stack for encryption and mutual authentication. It runs in user space, making it highly portable across Windows, Linux, macOS, Android, and embedded industrial operating systems. OpenVPN is particularly well suited for industrial deployments because it can operate over TCP port 443 — the same port as HTTPS — allowing it to traverse restrictive firewalls and NAT (Network Address Translation) gateways without special configuration.

Key characteristics of OpenVPN in industrial use:

  • AES-256-GCM encryption with TLS 1.3 authentication — meets IEC 62443-3-3 encryption requirements
  • Certificate-based mutual authentication prevents man-in-the-middle attacks
  • Supported natively on ORing cellular routers for remote SCADA and PLC access
  • Open-source codebase — independently audited, no vendor lock-in

IPSec — high-throughput, hardware-accelerated, site-to-site

IPSec (Internet Protocol Security) is a suite of protocols defined by the IETF that operates at Layer 3 of the OSI model, securing IP packets directly rather than wrapping them in an application-layer tunnel. IPSec is the preferred choice for site-to-site VPN connections — for example, linking a factory floor to a central operations centre — because dedicated network hardware (routers, firewalls) can offload IPSec encryption to hardware ASICs, delivering higher throughput than software-based solutions.

IPSec operates in two modes:

  • Transport mode — encrypts only the data payload; the IP header remains visible. Used for host-to-host connections within a trusted network.
  • Tunnel mode — encrypts the entire original IP packet and encapsulates it inside a new IP packet. Used for site-to-site and remote-access VPNs, which is the standard configuration for industrial deployments.

Modern IPSec deployments use IKEv2 (Internet Key Exchange version 2) for key negotiation, which provides faster reconnection after network interruption — important for mobile industrial equipment and field routers.

PPTP — legacy protocol, not recommended for new deployments

PPTP (Point-to-Point Tunneling Protocol) is one of the oldest VPN protocols, developed in the 1990s. It was widely adopted due to its simplicity and native support in Windows operating systems. PPTP operates at the data-link layer (Layer 2), using a TCP control channel on port 1723 and a GRE (Generic Routing Encapsulation) tunnel to carry PPP traffic.

However, PPTP is no longer considered secure. The MS-CHAPv2 authentication mechanism it relies on has known cryptographic weaknesses that allow offline dictionary attacks. For industrial and enterprise environments — especially those targeting IEC 62443 compliance — PPTP should not be used for new installations. If legacy equipment in your facility only supports PPTP, isolate it behind a dedicated firewall segment and prioritise protocol migration to OpenVPN or IPSec.

Which VPN protocol should industrial engineers choose?

For most industrial OT deployments, the decision comes down to use case:

  • Remote access to SCADA or PLC over internet → OpenVPN on an ORing cellular router. Best firewall traversal, easiest client deployment.
  • Site-to-site link between two facilities → IPSec IKEv2. Higher throughput, hardware acceleration, faster reconnection.
  • Legacy system only supports PPTP → Isolate behind a firewall; migrate to OpenVPN or IPSec as soon as operationally possible.

ORing's industrial cellular routers and secure routers support both OpenVPN and IPSec, and are certified for harsh-environment deployment at -40 to 70°C with redundant SIM slots. See the ORing Cellular Router product page for supported VPN configurations.

Frequently asked questions

What is the difference between industrial VPN and consumer VPN?

Consumer VPNs prioritise privacy and geo-unblocking for personal internet use. Industrial VPNs are deployed in OT networks to provide encrypted remote access to SCADA systems, PLCs, and field devices. They must handle extended temperature ranges, DIN-rail installation, redundant power inputs, and comply with cybersecurity standards such as IEC 62443.

Which VPN protocol is recommended for industrial OT networks — OpenVPN or IPSec?

Both OpenVPN and IPSec are suitable for industrial OT networks; PPTP should be avoided due to known security vulnerabilities. OpenVPN is preferred when firewall traversal and cross-platform flexibility are priorities. IPSec is preferred for site-to-site connections requiring hardware-accelerated throughput and native OS integration. For IEC 62443-compliant deployments, both protocols meet the encryption requirements when correctly configured.

Does ORing support VPN on its cellular routers?

Yes. ORing's industrial cellular routers support OpenVPN and IPSec (IKEv2) for encrypted remote access to OT networks. They are designed for harsh environments with -40 to 70°C operating range, redundant SIM slots, and IEC 62443 cybersecurity features. See the Cellular Router product page for full specifications.

Is PPTP safe to use in a factory or substation network?

No. PPTP has known cryptographic vulnerabilities and is not recommended for new industrial deployments. Use OpenVPN or IPSec instead. If legacy equipment only supports PPTP, isolate it behind a dedicated firewall and plan for protocol migration.

Related resources