5G VPN Router Setup: Secure Remote Access for Industrial IoT
Industrial facilities face a fundamental connectivity challenge: legacy SCADA systems and PLCs were designed for isolated networks, but modern operations demand remote access for monitoring, maintenance, and integration. A 5G VPN router bridges this gap, providing cellular connectivity with encrypted tunnel capability for secure remote access.
Whether you're managing oil and gas wellhead sites across remote terrain, maintaining water treatment facilities spread across a metropolitan area, or supporting manufacturing equipment at multiple customer locations, a properly configured 5G VPN router lets your operations team access industrial control systems without exposing them to the public internet.
Why Industrial Networks Need 5G VPN Routers
The shift from wired broadband to cellular connectivity reflects practical realities at industrial sites. T1 and fiber lines require physical infrastructure that may not reach remote well pads, wind farms, or distributed utility assets. Cellular 5G networks provide coverage where wired connectivity is impractical or prohibitively expensive.
Beyond reach, cellular VPN routers offer deployment speed. A wired connection requires 30-90 days for installation in many regions. An InHand IR624 with Verizon, T-Mobile, and AT&T certification can be operational within hours of unpacking. This speed matters when you're restoring connectivity after equipment failure or establishing temporary monitoring during construction projects.
The Shift from Wired to Cellular VPN
Wired VPN termination typically happens at the network edge—your data center or headquarters. Cellular VPN routers establish the encrypted tunnel from the remote site itself, eliminating the need for site-to-site wired backhaul. This architecture simplifies security management because each remote site operates independently.
For industrial applications, cellular VPN routers provide deterministic behavior that public internet paths cannot. The IR624 supports 5G Sub-6 with carrier aggregation, delivering up to 4.67 Gbps downlink in optimal conditions. For SCADA polling with 10-byte read requests and 50-byte responses, this bandwidth exceeds any practical requirement while providing headroom for firmware updates and diagnostic data transfers.
Key Benefits of 5G for Industrial VPN
5G Cellular Performance for Industrial VPN
Security certifications matter for industrial deployments. The IR624 carries FCC certification, PTCRB approval, and carrier-specific certifications for Verizon, T-Mobile, and AT&T networks. These certifications indicate the router's RF emissions, network behavior, and carrier interoperability have been validated—not just self-certified by the manufacturer.
Understanding VPN Protocols for Industrial Use
Two VPN protocols dominate industrial router deployments: IPsec and OpenVPN. Each has characteristics suited to different operational requirements.
| Feature | IPsec | OpenVPN |
|---|---|---|
| Layer | Network (Layer 3) | Application (Layer 7) |
| Performance | Minimal overhead, near-line-rate | 5-15% latency increase |
| Firewall Traversal | May require NAT-T configuration | Uses port 1194 UDP or TCP |
| Configuration | More complex, more parameters | Simpler with certificate files |
| Best For | SCADA, industrial control | General remote access, IT systems |
IPsec vs OpenVPN: Which to Choose
For SCADA systems and industrial control, IPsec typically delivers better results. The protocol operates at the network layer, which means routing industrial protocols like Modbus TCP, EtherNet/IP, and DNP3 through the tunnel happens transparently. There's no application-layer inspection or modification of packet headers.
OpenVPN adds a TLS layer that can fragment larger industrial packets and introduce latency. For a SCADA historian polling 100 PLCs every 5 seconds with small Modbus reads, this overhead accumulates. IPsec with AES-256-GCM provides equivalent security with hardware acceleration support on the IR624, maintaining throughput during sustained VPN tunnel operation.
Protocol Selection by Use Case
Match your protocol to your primary use case:
- Continuous SCADA polling: IPsec. The protocol's low overhead and network-layer operation minimize latency for real-time data acquisition. Configure NAT-Traversal if the router operates behind carrier-grade NAT.
- Remote operator access: OpenVPN or IPsec client. Operators connecting from corporate laptops benefit from OpenVPN's easier client configuration and reliable firewall traversal. The IR624 supports both, allowing different tunnel types for different access scenarios.
- Site-to-site integration: IPsec with pre-shared key or certificate authentication. Establish permanent tunnels between facilities for ERP integration, MES connectivity, or distributed control system coordination.
Choosing the Right 5G VPN Router for Your Facility
InHand offers three cellular routers suitable for VPN applications, each targeting different deployment scenarios.
InHand IR624
- 5G/4G with Sub-6 + mmW
- Tri-carrier: Verizon, T-Mobile, AT&T
- Wi-Fi 5 (802.11ac) AP
- 5 Ethernet ports
- IPsec: up to 20 tunnels
- Operating: -20°C to +70°C
InHand IR315
- 5G RedCap (3GPP R17)
- Dual-carrier certified
- 5 Ethernet + serial ports
- Compact DIN rail mount
- IPsec: up to 10 tunnels
- Efficient edge deployment
InHand IR302
- LTE Cat-4
- Entry-level industrial
- 2 Ethernet ports
- Serial interface option
- IPsec VPN capable
- Extended temperature range
IR624: Enterprise-Grade with Multi-Carrier Support

The IR624 targets applications requiring carrier diversity and high availability. With certifications across all three major US carriers, the router can automatically select the strongest signal at any location or fail over between carriers if coverage degrades. This flexibility matters for utilities operating across regions with varying carrier coverage.
For VPN applications, the IR624 supports up to 20 concurrent IPsec tunnels, enabling multiple simultaneous connections for SCADA polling, remote maintenance access, and integration with cloud platforms. The router's dual-SIM slots maintain connectivity during carrier outages or when switching between primary and backup service.
IR315: Compact Solution for Edge Sites
The IR315 provides 5G RedCap connectivity at a more accessible price point than the IR624. RedCap (Reduced Capability) is a 3GPP R17 feature designed for industrial IoT applications that don't require maximum 5G bandwidth but benefit from 5G's improved latency and coverage compared to LTE.
At edge sites with limited space—traffic cabinets, water pump stations, or environmental monitoring installations—the IR315's compact DIN rail form factor simplifies mounting. Five Ethernet ports accommodate local network segments, and serial interfaces support legacy industrial equipment that hasn't transitioned to Ethernet.
IR302: Reliable Entry Point
For applications where 5G isn't yet available or budget considerations dominate, the IR302 delivers LTE Cat-4 connectivity with IPsec VPN capability. The router handles SCADA polling and remote access requirements for monitoring-only applications where 5G bandwidth isn't necessary.
Industrial temperature tolerance and ruggedized enclosure make the IR302 suitable for outdoor cabinets and unconditioned utility buildings. Cost-aware deployments can start with IR302 units and upgrade to 5G routers as applications require higher bandwidth.
Step-by-Step: Configuring IPsec VPN on InHand Routers
The following procedure applies to InHand IR624, IR315, and IR302 routers using the web-based management interface.
Accessing the Router Web Interface
Connect your computer to the router's LAN port or join the router's Wi-Fi network. Open a browser and navigate to 192.168.1.1. Log in with the default credentials (admin/inhand) and change these immediately for production deployments.
Configure WAN and Cellular Settings
Navigate to Network > Interface > WAN. Select the cellular modem as the primary WAN interface. Enable Auto APN or specify your carrier's APN if required. Verify the router obtains an IP address from the cellular network.
For multi-carrier deployments on the IR624, configure both SIM slots under Network > Cellular. Set the primary carrier and failover preference. Test each SIM individually to confirm connectivity before configuring VPN.
Set Up the IPsec Tunnel
Navigate to VPN > IPsec. Click Add to create a new tunnel configuration:
Phase 1 (IKE) Settings:
- IKE Version: IKEv2 (preferred) or IKEv1
- Authentication Method: Pre-shared key or Certificate
- Encryption: AES-256-GCM
- Authentication: SHA-256
- DH Group: 14 (2048-bit) or 15 (3072-bit)
- Key Lifetime: 86400 seconds (24 hours)
Phase 2 (ESP) Settings:
- Protocol: ESP
- Encryption: AES-256-GCM
- Authentication: SHA-256
- Perfect Forward Secrecy: Enabled
- PFS Group: 14
- Key Lifetime: 3600 seconds
Connection Settings:
- Remote Gateway: Your VPN server IP or FQDN
- Local ID: Router's serial number or configured identifier
- IP Address Pool: 10.8.0.0/24 (tunnel network)
- Keep-alive: Enabled (DPD)
Configure Firewall and Routing
Under Firewall > General Settings, create a zone for the IPsec tunnel (e.g., "vpn_zone"). Allow traffic from vpn_zone to LAN and vice versa. For SCADA access, permit traffic from the VPN tunnel to the industrial network subnet.
Under Network > Firewall > Traffic Rules, add rules permitting:
- IPsec (UDP 500, UDP 4500) from WAN
- Industrial protocol ports (502 for Modbus, 44818 for EtherNet/IP) from vpn_zone to LAN
Test and Verify the Connection
Return to VPN > IPsec and click Connect. Monitor the tunnel status indicator. A green status light or "established" message indicates successful connection.
From a computer behind the router, ping devices on the remote network to verify routing. Use Wireshark to confirm packets are encrypted (IPsec ESP packets have distinctive header patterns).
Test failover by removing the primary SIM or disabling the primary carrier. The tunnel should re-establish on the backup connection within the DPD timeout period (typically 10-30 seconds).
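The encryption check described above can also be scripted against a WAN-side capture. The following is an added example, not part of the original article or InHand's tooling: it classifies raw IPv4 packets as ESP, NAT-T encapsulated ESP, IKE, or cleartext industrial traffic, so a Modbus or EtherNet/IP packet that bypasses the tunnel stands out. The packet bytes are constructed samples using documentation addresses.

```python
import struct

INDUSTRIAL_PORTS = {502: "Modbus TCP", 44818: "EtherNet/IP"}

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet captured on the router's WAN side."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == 50:                                 # native ESP, no NAT in the path
        return "esp"
    if proto not in (6, 17) or len(l4) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17 and 4500 in (sport, dport):      # NAT-T encapsulation (RFC 3948)
        body = l4[8:]
        if body == b"\xff":
            return "natt-keepalive"
        # Four zero bytes (non-ESP marker) mean IKE; anything else is an ESP SPI.
        return "ike-natt" if body[:4] == b"\x00" * 4 else "esp-in-udp"
    if proto == 17 and 500 in (sport, dport):
        return "ike"
    for port in (sport, dport):
        if port in INDUSTRIAL_PORTS:
            return "cleartext " + INDUSTRIAL_PORTS[port]
    return "other"

def cleartext_leaks(packets):
    """Return (index, label) for packets carrying unencrypted industrial traffic."""
    labels = [classify(p) for p in packets]
    return [(i, l) for i, l in enumerate(labels) if l.startswith("cleartext")]

# --- constructed sample packets (documentation addresses, zero checksums) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([198, 51, 100, 10]),
                       bytes([203, 0, 113, 5])) + payload

def udp(sport: int, dport: int, body: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

ESP_BODY = struct.pack("!II", 0xC0FFEE01, 1) + bytes(32)   # SPI, sequence, dummy ciphertext
MODBUS_TCP = (struct.pack("!HHIIBBHHH", 49152, 502, 0, 0, 0x50, 0x18, 8192, 0, 0)
              + bytes.fromhex("00010000000601030000000A"))  # read 10 holding registers

SAMPLES = [
    ipv4(50, ESP_BODY),                                    # ESP directly over IP
    ipv4(17, udp(4500, 4500, ESP_BODY)),                   # ESP behind carrier-grade NAT
    ipv4(17, udp(4500, 4500, bytes(4) + b"\x21" * 28)),    # IKE on the NAT-T port
    ipv4(6, MODBUS_TCP),                                   # Modbus leaving outside the tunnel
]

if __name__ == "__main__":
    for i, p in enumerate(SAMPLES):
        print(i, classify(p))
```

Behind carrier-grade NAT the tunnel traffic appears as UDP 4500 rather than IP protocol 50, which is why both forms are treated as encrypted here.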
Setting Up OpenVPN on Your Industrial Router
OpenVPN suits scenarios requiring easier client configuration or when traversing strict firewalls. The IR624 supports both OpenVPN server and client modes.
OpenVPN Server Mode
Configure OpenVPN server mode when you need to connect remote operators to the industrial network:
Generate Certificates
Navigate to VPN > OpenVPN > Certificates. Click Generate CA Certificate, then generate a server certificate and client certificates. Download the client certificate package for distribution to remote operators.
Configure Server Parameters
Under VPN > OpenVPN > Server:
- Protocol: UDP (port 1194) or TCP (port 443 for firewall traversal)
- Network: 10.9.0.0/24 (VPN pool)
- DNS: Local DNS server or 8.8.8.8
- Compression: LZ4 (optional, disable for maximum security)
- Cipher: AES-256-GCM
Configure Client Access Rules
Allow specific subnets through the VPN tunnel based on client certificates. Restrict access for general operators to monitoring subnets; grant full access only for maintenance credentials requiring elevated privileges.
OpenVPN Client Mode
Use client mode to connect the router to a corporate VPN concentrator:
Import the corporate CA certificate and client certificate under VPN > OpenVPN > Client. Upload the corporate OVPN configuration file or enter parameters manually. The router will establish the tunnel and route specified traffic through the corporate VPN.
Multi-Carrier Failover: Maintaining VPN Uptime
Industrial operations cannot tolerate extended connectivity outages. The IR624's dual-SIM capability combined with VPN configuration ensures continuous operation even during carrier network issues.
Configuring SIM Failover with VPN
Under Network > Cellular > SIM Settings:
- Enable SIM Failover: Check "Enable Automatic Failover" and "Enable SIM Switch Back" if you prefer returning to the primary carrier when it recovers.
- Set Failover Trigger: Configure the failure detection threshold—typically 3 failed ping attempts to detect carrier loss.
- Configure VPN Persistence: Under VPN > IPsec > Advanced, enable "Initiate tunnel on interface bring-up." This ensures the VPN tunnel automatically re-establishes when the router switches to the backup SIM.
- Set DPD Interval: Configure Dead Peer Detection to 10 seconds with 3 retries. This detects tunnel failures quickly during carrier transitions.
Carrier Selection Best Practices
Signal strength varies by location and carrier tower distribution. Before deployment, benchmark all three carriers at your site using the IR624's signal diagnostics:
- Navigate to Status > Cellular to view RSRP, RSRQ, and SINR for each available carrier.
- Log signal metrics over 24 hours to capture variations during peak usage periods.
- Prioritize carriers with RSRP above -110 dBm for reliable 5G performance.
- Consider latency to your VPN endpoint, not just signal strength—T-Mobile may have stronger signal but longer routes to your VPN server.
Troubleshooting Common 5G VPN Issues
Connection Drops and Latency
Symptom: VPN tunnel established but drops periodically or exhibits high latency.
Diagnosis: Check cellular signal quality under Status > Cellular. Poor RSRQ (-10 dB or worse) and low SINR (below 5 dB) indicate interference or weak coverage. For latency, ping your VPN server and compare against cellular latency benchmarks.
Solutions:
- Relocate the router antenna for better signal reception
- Enable carrier aggregation if available in your area
- Switch to a carrier with better coverage at your specific location
- Set the MTU to 1420 if fragmentation is occurring
Authentication Failures
Symptom: IPsec tunnel fails during Phase 1 or Phase 2 negotiation.
Diagnosis: Review logs under Status > Logs > VPN. Common causes include mismatched encryption algorithms, expired certificates, or incorrect pre-shared keys.
Solutions:
- Verify Phase 1 and Phase 2 parameters match the VPN server exactly
- Check certificate expiration dates; renew if expired
- Confirm the pre-shared key matches (no extra spaces or characters)
- Ensure NAT-T is enabled if the router is behind carrier-grade NAT
NAT Traversal Problems
Symptom: Tunnel establishes but no traffic passes, or tunnel drops immediately after establishment.
Diagnosis: This pattern indicates NAT traversal failure. The VPN server may not support NAT-T, or the router's NAT-T implementation conflicts with the carrier's NAT behavior.
Solutions:
- Enable Force NAT-T in VPN > IPsec > Advanced
- Try UDP encapsulation on port 4500 instead of port 500
- Confirm the VPN server supports NAT-T
- For critical deployments, request a dedicated IP from your carrier to eliminate carrier NAT
Security Best Practices for Industrial VPN
VPN connectivity creates a potential attack vector—proper configuration limits exposure while maintaining operational access.
Firewall Rules and Access Control
Configure the firewall with deny-by-default rules, then explicitly permit required traffic:
- Permit only necessary protocols: If your SCADA system uses Modbus TCP (port 502), don't allow all traffic—allow only port 502 from the VPN subnet to the PLC network.
- Implement IP allowlists: Restrict VPN access to known IP ranges for corporate networks. Avoid allowing VPN traffic from any public IP address.
- Segment industrial networks: Place the router's industrial Ethernet ports on a dedicated VLAN, separate from corporate IT networks.
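The deny-by-default and allowlist guidance above can be checked offline before rules are entered in the router. The following is an added example, not InHand configuration syntax: it models a rule set as data, evaluates flows with an implicit final deny, and audits for rules that permit any source or any port. The PLC subnet, corporate range and WAN address are assumed values; the VPN pool and ports are the ones used in this article.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str               # permitted source CIDR
    dst: str               # permitted destination CIDR
    proto: str             # "tcp" or "udp"
    port: Optional[int]    # destination port; None means any port

VPN_POOL = "10.8.0.0/24"          # tunnel network from the IPsec settings
PLC_NET = "192.168.10.0/24"       # assumed PLC subnet
CORP_NET = "203.0.113.0/24"       # assumed corporate egress range
ROUTER_WAN = "198.51.100.10/32"   # assumed router WAN address

# Weak: IKE reachable from anywhere, every TCP port open towards the PLCs.
WEAK = [
    Rule("0.0.0.0/0", ROUTER_WAN, "udp", 500),
    Rule("0.0.0.0/0", ROUTER_WAN, "udp", 4500),
    Rule(VPN_POOL, PLC_NET, "tcp", None),
]
# Hardened: IKE only from the corporate range, only the industrial ports in use.
HARDENED = [
    Rule(CORP_NET, ROUTER_WAN, "udp", 500),
    Rule(CORP_NET, ROUTER_WAN, "udp", 4500),
    Rule(VPN_POOL, PLC_NET, "tcp", 502),      # Modbus TCP
    Rule(VPN_POOL, PLC_NET, "tcp", 44818),    # EtherNet/IP
]

def allowed(rules, src: str, dst: str, proto: str, port: int) -> bool:
    """Permit only if some rule matches; anything unmatched is denied."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and proto == r.proto and r.port in (None, port)):
            return True
    return False

def audit(rules):
    """Flag rules that undo deny-by-default: any port, or any source."""
    findings = []
    for i, r in enumerate(rules):
        if r.port is None:
            findings.append((i, "all ports permitted"))
        if ip_network(r.src).prefixlen == 0:
            findings.append((i, "source is any address"))
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
    print("SSH to PLC via VPN:", allowed(HARDENED, "10.8.0.5", "192.168.10.20", "tcp", 22))
```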
Certificate Management
For IPsec deployments using certificates:
- Use 2048-bit RSA minimum or ECDSA-256 for certificate keys
- Set certificate validity periods appropriate to your security policy (typically 1-3 years)
- Establish a renewal process before certificates expire
- Revoke certificates immediately when personnel leave or devices are decommissioned
Monitoring and Alerts
Configure alerts for VPN events requiring attention:
- Tunnel establishment failures
- Multiple authentication failures (potential brute force attempts)
- Unexpected remote IP connections
- Carrier switch events (may indicate coverage issues)
The InHand Device Manager cloud platform provides centralized monitoring for multi-site deployments, with customizable alerts and VPN status dashboards across your router fleet.
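Where router logs are forwarded to a syslog collector, the alert conditions listed above can be expressed as a small detection pass. The following is an added example, not InHand Device Manager functionality: it raises alerts for repeated authentication failures from one peer, tunnels established from a peer outside an allowlist, and carrier switch events. The log line format and the allowlisted range are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines; the format is an assumption, not InHand's real log format.
SAMPLE_LOG = """\
2024-05-01T02:10:01 ipsec: AUTH_FAILED peer=198.51.100.77
2024-05-01T02:10:09 ipsec: AUTH_FAILED peer=198.51.100.77
2024-05-01T02:10:15 ipsec: AUTH_FAILED peer=198.51.100.77
2024-05-01T02:30:00 ipsec: ESTABLISHED peer=203.0.113.10
2024-05-01T03:00:00 cellular: SIM_SWITCH from=1 to=2
2024-05-01T03:00:12 ipsec: ESTABLISHED peer=192.0.2.200
2024-05-01T04:00:00 ipsec: AUTH_FAILED peer=203.0.113.10
"""

ALLOWED_PEERS = [ip_network("203.0.113.0/24")]   # assumed corporate VPN gateway range
LINE = re.compile(r"^(\S+) (\w+): (\w+)(?: peer=(\S+))?")

def detect(log: str, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Return a list of (alert_type, peer) tuples in log order."""
    alerts, recent = [], defaultdict(deque)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, _source, event, peer = m.groups()
        when = datetime.fromisoformat(ts)
        if event == "AUTH_FAILED":
            q = recent[peer]
            q.append(when)
            while when - q[0] > window:      # drop failures outside the sliding window
                q.popleft()
            if len(q) == threshold:          # fire once when the threshold is reached
                alerts.append(("repeated-auth-failure", peer))
        elif event == "ESTABLISHED" and peer:
            if not any(ip_address(peer) in net for net in ALLOWED_PEERS):
                alerts.append(("unexpected-peer", peer))
        elif event == "SIM_SWITCH":
            alerts.append(("carrier-switch", None))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```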
Need Help with Your 5G VPN Router Deployment?
InHand's technical team supports industrial VPN configurations for SCADA, PLC integration, and remote monitoring applications. Get a custom solution recommendation for your facility.
Frequently Asked Questions
What is the difference between IPsec and OpenVPN for industrial routers?
IPsec operates at the network layer, offering faster speeds and better compatibility with industrial protocols. OpenVPN runs in user space, providing easier configuration and firewall traversal but slightly higher latency. For SCADA and industrial control, IPsec is typically preferred.
How do I configure VPN failover on a 5G router?
Enable dual-SIM failover in the router's cellular settings, then configure your VPN to use both carriers. The IR624 supports automatic SIM switching with link persistence, maintaining your VPN tunnel during carrier transitions.
Can 5G VPN routers maintain stable connections for SCADA systems?
Yes. Modern industrial 5G routers like the InHand IR624 support sub-20ms latency and carrier aggregation for consistent throughput. IPsec tunnels maintain packet integrity, and features like DPD ensure quick reconnection if the cellular link drops temporarily.
What security standards should industrial VPN routers meet?
Look for routers supporting AES-256 encryption, SHA-256 authentication, and IKEv2 key exchange. The IR624 is certified for FCC, PTCRB, and carrier networks, ensuring compliance with North American security standards for utilities and transportation.
How many simultaneous VPN tunnels can an industrial router support?
The IR624 supports up to 20 IPsec tunnels and 10 OpenVPN tunnels simultaneously. This enables branch connectivity, SCADA polling from multiple HMI stations, and secure remote access for maintenance technicians.




