Enertex ENA Quick guide

Handbuch-ENA-en-11.odt, 2017-04-21, page 2 of 33
Without prior written approval by Enertex® Bayern GmbH, the contents of this document may not be reproduced, transferred, distributed or stored in any form, either in whole or in part.
Enertex® is a registered trademark of Enertex® Bayern GmbH. Other product and company names mentioned in this manual may be trademarks or trade names of their respective owners.
This manual may be changed without notification or announcement, and makes no claim to completeness or accuracy.
Contents
Note
Function Description
  Remote Maintenance
  Secure Connection to your Home
  On Demand (iOS only)
  Secure Internet Connection
  General view
Specifications
  KNX
Installation and Connection
Commissioning
  Quick Guide
Web Interface
  Network
    Time Server
  Dynamic DNS
    Experts Options
  Public-Key-Infrastructure
    Operating Mode
    Import
      Chrome
      Firefox
      iOS
    Expert-Options
  HTTPS Reverse Proxy
    User Administration
    Connecting Domain Name
  OpenVPN
    User Administration
    Download of Configuration Data Files
    iOS VPN "on demand"
    Experts Options
      Connection Settings
      Automatically Unlink Connection
    OpenVPN Client Setup
      iOS 8.3
      Android 5.1
      Windows 7
  KNX Connection
    KNXnet/IP Connection
    OpenVPN-KNX connection
  Administration
    Changing Login Details for Webadmin Surface
    Restart
    Restore Factory Defaults
    Refresh Firmware
    Save the Configuration
    Restore Configuration
List of changes
Enertex® Bayern GmbH – Ebermannstädter Straße 8 - 91301 Forchheim - Germany - mail@enertex.de

Note
•Installation and assembly of electrical equipment must be carried out by qualified electricians.
•Connecting KNX/EIB interfaces requires specialized knowledge from KNX™ training.
•Non-observance of these instructions can result in damage to the device, fire or other hazards.
•These instructions are part of the product and must remain with the end user.
•The manufacturer accepts no liability for costs or damage incurred by the user or third parties through use of this device, misuse or disruption of the connection, or faults in the device or in devices of participants.
•Opening the case, or any other unauthorised modification or rebuilding of the device, voids the warranty!
•The manufacturer is not liable for use other than as intended!
Function Description
In the smart home, KNX and IT are becoming more closely connected. As a result, protection against attacks by third parties takes on a new dimension. This aspect is often neglected because the electrician has to maintain the complete system, and security functions substantially reduce the convenience of operation, e.g. through cumbersome password entries.
The solution: the electronic network defense (ENA) from Enertex® Bayern GmbH.
Remote Maintenance
Remote maintenance of the system without security functions gives IT-savvy criminals every opportunity to open electric pivots, doors and so on. Through targeted attacks, the entire IT network of the whole family can be compromised.
With the ENA, security functions that would otherwise be laborious to configure can easily be switched by the user via the visualisation or a KNX button. The remote maintenance access can be opened or turned off as you wish, and you can see whether it is being used, right at your KNX switches.
Figure 1: Remote maintenance
Secure Connection to your Home
When you are in your home network, the visualisation and LAN devices are conveniently accessible via a dedicated app.
The same convenience should be available when you are on the move, but this is not possible without a secure connection.
With the ENA, security is ensured without sacrificing user convenience.
Figure 2: Secure connection to your home
On Demand (iOS only)
The Enertex ENA offers secure access via the Internet to your home network. With the „on demand“ technology, optimal security is ensured without cumbersome password entries.
Just tap your app. The ENA and your iPhone handle the rest (tested with iOS 8 and 9).
Secure Internet Connection
With the ENA you make your Internet connection safer when travelling: you dial in to your home network via a public Internet access and then surf exclusively and securely via your private connection.
Figure 3: Secure internet connection
General view
The Enertex ENA offers secure access via Internet to your home network.
The device can be set up in a few simple steps:
•Easy configuration via a web browser
◦Basic configuration
◦Applying security patches
◦Backup / restore of configuration
•Management of dynamic DNS (DDNS) with the following providers:
◦Dyn.com
◦FreeDNS
◦Gira DNS
◦No IP
•HTTPS reverse proxy with four redirects (2048-bit key)
•OpenVPN server
◦User management
◦User authentication using an encrypted PKCS#12 file
◦Encrypted data transfer at the highest level (AES-256)
•Creation of the OpenVPN configuration files for:
◦iOS
◦Android
◦PC systems (Windows/OSX/Linux)
•Optional integration into the KNX system (KNXnet/IP interface or router required):
◦Opening and closing of a user's access authorisation via a KNX 1-bit group address, i.e. display whether a user actually uses the OpenVPN connection.
◦Display of connection status via a KNX 1-bit group address, i.e. display whether a user actually uses the OpenVPN connection.
◦Switching the OpenVPN server on/off via a KNX 1-bit group address
•OpenVPN expert options, easily configurable
◦OpenVPN „on demand“ for Apple iOS
◦Route external Internet traffic through your own home network via VPN, e.g. when you are logged in to a public WLAN.
Specifications
Hardware
•Dimensions: Rail, 6 TE
•Power supply: 20 ... 30 V DC
•Power consumption: 1.2 – 1.7 W (depends on LAN activity)
•Interface: Ethernet 10/100 Mbit/s
Software
•Operating system: Linux
•OpenVPN:
◦Any number of users
◦16 users controllable via KNX
◦2048-bit RSA key
◦Transmission encryption AES-256
◦Perfect Forward Secrecy
•HTTPS Reverse Proxy:
◦4 forwarders
◦2048-bit RSA key
◦Transmission encryption AES-256
◦Perfect Forward Secrecy
•Dynamic DNS: Administration of 4 domains
Note
Some of the encryption methods depend on the capabilities of the link partners used (browser, OpenVPN client, operating system).
KNX
An interface, which is required for operation on the EIB/KNX system, is not included in the delivery and may need to be procured separately.
We recommend:
• Enertex® KNXNet/IP Router
• Enertex® KNXNet/IP Interface
Installation and Connection
To operate the Enertex® ENA you need:
•A power supply with at least 2 W output power: safety extra-low voltage, 20 to 30 V DC (direct current)
•A 10/100 Mbit/s compatible Ethernet connection
•An Internet connection for remote access, with port forwarding in the router and access to a DNS server and an NTP server
Please note:
The external safety extra-low voltage is connected via the device to the earth potential of the LAN. For this reason there is no isolation from earth if the LAN shield is grounded. To establish a separation, we advise using an external low-voltage power supply dedicated to the Enertex® ENA.
Commissioning
Booting after power-on takes approx. 60 seconds. The default network setting is DHCP.
As soon as the green LED starts flashing, you can access the ENA. You have to determine the IP address of the device using the router. Alternatively, the network can be scanned for devices with a smartphone; for this we recommend the app „Fing“ (Android/iOS). The MAC address begins with 00:50:C2:79.
Enter the IP address in a web browser to reach the web interface of the ENA.
Note
At the first startup the ENA generates security certificates. During this time not all settings are available in the web interface.
Quick Guide
1. Log on to the ENA web interface with the browser: User admin, Password admin
2. Network: Configure the IP addresses. Ensure the ENA has access to a DNS server and an NTP server.
3. Dynamic DNS: Activate DDNS administration, choose a DDNS provider, enter and apply the access data and domain names. Wait until the PKI subsystem has finished.
4. Public Key Infrastructure: Download the CA certificate and import it into the browser (Firefox, Chrome) or operating system (Android/iOS).
5. HTTPS Reverse Proxy: Set user name and password, connect the external DDNS domains with HTTP hosts in the LAN. Forward port 443 (TCP) to the ENA.
6. OpenVPN: Add a user and wait until the PKI subsystem has finished. Download the matching configuration to your terminal device. Forward port 1194 (UDP) to the ENA.
7. Specify the IP address of the KNXnet/IP interface. Specify group addresses for start/stop and status of the OpenVPN server, and likewise for each OpenVPN user.
Web Interface
Start page
On the start page you can choose between the admin area (webadmin) and the public area. The public area is disabled by default.
Webadmin
The admin area of the ENA web interface is access-protected. The default login is:
User: admin
Password: admin
Network
The network settings of the ENA can be made here. The ENA supports automatic configuration via DHCP or static assignment of the network settings.
Picture 4: Network Settings
Note
For OpenVPN operation it is mandatory that the ENA, as the OpenVPN server, is located in a subnet with a different network address than the connecting OpenVPN clients. It is therefore recommended that the ENA is not located in a subnet with the widely used network addresses 192.168.0.0, 192.168.1.0 or 192.168.2.0. For iOS VPN on demand a DNS server in the local network is required. Add it as DNS server 1.
Time Server
The ENA synchronises its time with a time server. The time server to be used can either be chosen from a predefined location list (synchronisation via Internet) or be defined manually.
Dynamic DNS
Dynamic DNS, or DDNS, is a technique for dynamically updating domains in the Domain Name System. Its purpose is for a computer to automatically change the corresponding domain entry after its IP address changes. The computer is then always reachable under the same domain name, even if the current IP address is unknown to the user.
The ENA can itself manage and update up to four DDNS domain names. To do so, activate the DDNS administration and choose a DDNS provider from the list.
Picture 5: DDNS Administration activated
The ENA cyclically checks its own public IP address and updates the DNS entries for all specified DDNS domains at the DDNS provider.
Alternatively, another device (e.g. the Internet router) can update the DNS entries, or the ENA can be reached via a fixed IP address. In this case the ENA must be told the domains or the IP address under which it is reachable from the Internet.
Picture 6: Access via fixed IP address
Experts Options
If DDNS administration is activated, the expert options let you set the interval at which the ENA checks its own public IP address and, if it has changed, transfers it to the DDNS provider. Furthermore, you can specify your own web page that is used to determine the public IP address. The output of the web page has to contain the IP address in HTML format.
For comparison, see the page myip.enertex.de.
Note
For GiraDNS you have to use as DDNS credentials the username/password that are marked in the screenshot!
Public-Key-Infrastructure
In cryptology, a public key infrastructure (PKI) is a system that can create, issue and check digital certificates. It is based on a certification authority (CA) in the ENA. The CA creates and signs certificates for the HTTPS and OpenVPN servers. The certification authority has to be initialized on the ENA (this happens automatically) and the associated certificate has to be imported into the browser or operating system.
Operating Mode
The PKI system works as follows (simplified):
•The certification authority (CA) creates and signs certificates for the HTTPS Reverse Proxy, the OpenVPN server and the iOS Profile Generator.
•The certificates are not secret. The respective server certificate is sent to the client when connecting (HTTPS/OpenVPN). With it the server identifies itself to the client.
•If the client knows the certification authority (CA), it can check the authenticity of the signature on the server certificate and thereby ensure that it is not talking to an attacker.
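The trust check from the list above, as an added shell example that is not part of the Enertex manual or the ENA firmware: a throwaway CA built with the openssl command line stands in for the ENA's certification authority, and a client that holds only its ca.crt accepts a server certificate this CA signed while rejecting one signed by a different CA that uses the same name. All subject names, file names and helper functions are constructed for the illustration, and hostname matching is outside its scope.

```shell
#!/bin/sh
# Added illustration: every key, certificate and name below is constructed.
set -eu

# make_ca DIR NAME: create a self-signed CA (ca.key + ca.crt) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_server_cert CA_DIR OUT_DIR HOST: the CA in CA_DIR signs a server
# certificate for HOST; the result is OUT_DIR/server.crt.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2/server.key" -out "$2/server.csr" 2>/dev/null
    openssl x509 -req -in "$2/server.csr" -days 30 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$2/server.crt" 2>/dev/null
}

# client_trusts CA_CERT SERVER_CERT: the check a client performs once ca.crt
# has been imported. Succeeds only if SERVER_CERT chains to CA_CERT.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint CA_CERT: SHA-256 fingerprint, useful for confirming that
# every device imported the same ca.crt.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# run_demo: returns 0 when the genuine certificate is accepted and the
# certificate from the second CA is rejected.
run_demo() {
    work=$(mktemp -d)
    mkdir "$work/ena" "$work/other"
    make_ca "$work/ena" "Constructed ENA CA"
    make_ca "$work/other" "Constructed ENA CA"   # same name, different key
    issue_server_cert "$work/ena" "$work/ena" "home.example.invalid"
    issue_server_cert "$work/other" "$work/other" "home.example.invalid"

    echo "imported ca.crt fingerprint: $(ca_fingerprint "$work/ena/ca.crt")"
    rc=0
    if client_trusts "$work/ena/ca.crt" "$work/ena/server.crt"; then
        echo "certificate signed by imported CA: accepted"
    else
        echo "certificate signed by imported CA: REJECTED (unexpected)"; rc=1
    fi
    if client_trusts "$work/ena/ca.crt" "$work/other/server.crt"; then
        echo "certificate signed by other CA: ACCEPTED (unexpected)"; rc=1
    else
        echo "certificate signed by other CA: rejected"
    fi
    rm -rf "$work"
    return "$rc"
}

run_demo
```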
Import
The advantages of importing the CA certificate (ca.crt) into the browser (or operating system) are:
•The connection to the HTTPS Reverse Proxy is recognised as secure and there is no need to add exception rules. This ensures that a genuine connection to the ENA is established and not one to a potential attacker (Picture 8).
Picture 7: Gira DynDNS credentials
Picture 8: Chrome shows the identity of the website as confirmed
•The origin of the profile can be checked when importing the OpenVPN profile on iOS (Picture 9).
Picture 9: iOS Profile: Origin checked
Chrome
The CA certificate can be imported in Chrome (version 39) as follows: „Settings → Show additional settings → HTTPS/SSL → Manage certificates → Certification authorities → Import...“. Then choose ca.crt. When asked whether you want to trust the certification authority, choose „Trust this certificate for identifying websites“.
Firefox
The CA certificate can be imported in Firefox (version 35) as follows: „Settings → Extended → Certificate → Show certificate → Certification authorities → Import“. Then choose ca.crt. When asked for what purpose the certification authority should be trusted, choose „Trust CA for identifying websites“.
iOS
With iOS (version 8 and 9) the certificate can be downloaded directly with Safari; the import dialog starts automatically.
Expert-Options
In the expert options the certification authority can be re-initialised. This invalidates all previously created certificates and OpenVPN entries! All existing OpenVPN connections will be disconnected!
HTTPS Reverse Proxy
Via the Reverse Proxy you can access a host in the local network from outside using a domain name. From the user's point of view this is comparable to the port forwarding of a firewall. However, the Reverse Proxy encrypts the connection and access is password-protected. You can only access HTTP/HTTPS services in the local network.
Note
To use the HTTPS Reverse Proxy, a port must be forwarded in the Internet router from outside to destination port 443 (TCP) on the ENA.
User Administration
The login details for access to the HTTPS Reverse Proxy are set here.
Connecting Domain Name
To access a host in the local network, an already configured DDNS domain name has to be connected to it. No more Reverse Proxies can be used than there are DDNS domain names (Picture 10).
Picture 10: Example of a HTTPS Reverse Proxy connection to a Synology DiskStation
OpenVPN
OpenVPN is a program that can establish a virtual private network (VPN) via an encrypted TLS connection. The OpenSSL library is used for the encryption.
Note
To use OpenVPN, a port must be forwarded in the Internet router from outside to destination port 1194 (UDP) on the ENA.
User Administration
The ENA can manage any number of OpenVPN users, but only ten users can be connected at the same time. When an OpenVPN user is added, the PKI subsystem creates a PKCS#12 file and offers it for download together with a configuration file for the OpenVPN client. The PKCS#12 file is encrypted with a specified password, and with it the client can authenticate to the server. Creating the PKCS#12 file takes up to two minutes.
Download of Configuration Data Files
To download the configuration files for the OpenVPN clients, proceed as follows:
•Choose the desired user from the drop-down menu
•Do not unlink: If this option is activated, the OpenVPN connection of the client persists indefinitely. This can be an option for stationary clients (PCs). If you do not activate this option, the OpenVPN connection is terminated automatically after a timeout. This is generally desired for mobile clients (Android/iOS) because a permanent OpenVPN connection has a negative effect on battery life.
•Internet: If this option is activated, the OpenVPN client tries to route all Internet traffic via the VPN. This makes sense, for example, if you are logged in to a public WLAN and want to prevent other users of the WLAN or a third party from observing your Internet traffic. Note: If the Internet connection to the ENA is interrupted, Internet traffic may continue without the VPN via the normal connection.
•Press the button for the desired configuration file. The following files are available:
◦Client Config.: This configuration file can be used with the standard clients on current operating systems (Windows/Mac OS/Linux/Android).
◦IOS Config.: A VPN profile can be imported very easily in iOS via an iOS mobile config. Note: First import the CA certificate in iOS and install the app „OpenVPN connect“!
◦PKCS12: The PKCS12 file contains only the certificate with which the user is identified to the VPN server. This file is additionally required by some clients.
iOS VPN "on demand"
With Apple iOS it is possible to start the VPN connection automatically as needed. This happens as soon as you access the configured destination addresses (Picture 11). The destination addresses have to be domain names; IP addresses are not allowed. The domain names have to be resolved by a DNS server (e.g. Fritzbox) in your local network and they may contain * as a prefix wildcard (e.g. *.fritz.box). When using the wildcard, the VPN is started for all addresses in the destination network, e.g. for pc.fritz.box, nas.fritz.box or homeserver.fritz.box.
Picture 11: The VPN is automatically connected on access to these addresses
Furthermore, the automatic start of the VPN connection can be disabled in WiFi networks with defined names (SSIDs). It is recommended to enter the SSID of your local network, so that the VPN is disabled when you come home.
Note
These settings do not change the configuration of the OpenVPN server but only the downloadable configuration files for the clients. If something is changed here, the configuration file has to be re-imported on the client.
Experts Options
Connection Settings
If a public port other than the standard port is used for port forwarding in the Internet router, that port has to be specified here. The first DDNS domain is automatically used as the OpenVPN server address.
Automatically Unlink Connection
The connection is automatically disconnected if no more than a certain data volume (kBytes) was transferred within a certain time (in seconds).
OpenVPN Client Setup
iOS 8.3
Depending on the iOS version the procedure can differ from this manual.
First install the app „OpenVPN Connect“ from the Apple App Store.
Open the ENA web interface with the Safari browser (don't use alternative browsers!).
On the page „Public Key Infrastructure“ press the button „Download CA certificate“.
A dialog to install the certificate opens automatically. The installation has to be confirmed with the phone code. Follow the instructions:
You are prompted to install the certificate. Enter the phone code.
Press „Install“. Confirm again with „Install“.
The certificate has been installed. Press „Done“.
Go to the page „OpenVPN“, choose the desired user and press the button „iOS config“:
A dialog to install the configuration opens automatically. The installation must be confirmed with the phone code. Follow the instructions. You must also enter the password with which the user was created on the ENA:
Step 1: You will be prompted to install the VPN profile. It is displayed as "Trusted".
Enter your phone code.
Step 2: This note states that the network traffic is passed through the ENA. Press "Install" and ...
… confirm again with „Install“.
Step 3: Enter the password that was assigned when creating the VPN user in the ENA...
… and press „Next“.
The VPN profile has been installed. Press „Done“.
Test the connection in the iPhone settings at „General → VPN“ (not at „VPN“ in the main menu!).
As soon as the VPN is connected, you can check the connection details in the „OpenVPN Connect“ app.