VPN+OPC enables remote communication for wastewater treatment lift pump stations.
2026-04-06 05:59:50 #1
1. Introduction

The Qiubin Wastewater Treatment Plant in Jinhua City is a key project of Zhejiang Province and went into operation in July 2002. Its supporting facility, the Jinlongwan Booster Pumping Station, was completed in January 2005, about 7 km from the plant: the plant lies in the western suburbs of the city, the pumping station in the city center. Laying fiber optic cable over that distance would be costly and cumbersome to construct, while a wireless link would not give the required security and reliability. Two existing assets shaped the design. The Jinhua Municipal Water Supply Company already operates a firewall, and the Qiubin plant already connects to that firewall over a VPN; and the Modicon Compact series PLC at the Jinlongwan station has a built-in Modbus port. A Modbus OPC server on the pumping station computer therefore collects the station's real-time operating data; the computer dials an ADSL broadband connection, and over it makes a second dial-up, the VPN, to the Water Supply Company's firewall. The host computer in the plant's central control room then monitors the pumping station through the OPC interface.

2. Implementation of the Virtual Private Network (VPN)

2.1 Introduction to VPN

A VPN (Virtual Private Network) is a logical network that carries private traffic over a public IP network, giving users a high degree of security for resource sharing and interconnection at a lower cost than leased lines. It offers the same security, priority handling, ease of management and stability as the customer's existing private network. It can connect the existing corporate LAN seamlessly to remote offices and mobile users, and can extend the network to customers, suppliers, partners and key users to form an extranet, reducing operating expenses and improving service quality (speed, ease of use and confidentiality). The tunneling protocols commonly used to build VPNs are Layer 2 tunneling protocols such as L2TP and Layer 3 tunneling protocols such as IPsec; MPLS tunnels are also widely used on carrier networks. Common VPN types are therefore MPLS VPN, VPDN (dial-up VPN, such as L2TP) and IPsec VPN. Because a VPN is a private virtual network established on demand over the internet, it saves the cost of leasing a dedicated line: apart from purchasing the VPN equipment, the only running cost is the internet access fee paid to the local ISP. This is why VPNs are inexpensive.

2.2 Water Supply Company Firewall Configuration

The water supply company uses a Huawei 3Com 100F firewall with a 10 Mbit/s fiber connection to the internet and a fixed public IP address. An L2TP VPN terminated on the firewall was chosen (in principle an L2TP over IPsec VPN; note, however, that the firewall applies no encryption, and the client-side steps in 2.3 disable IPsec, so the tunnel as deployed is plain L2TP).
The relevant part of the firewall configuration is as follows (comments after `//` are explanatory and not part of the configuration):

```
sysname quidway
#
 l2tp enable                       // enable L2TP
 dvpn service enable               // enable the VPN service
#
local-user abcde                   // dial-in account for the pump station
 password simple abcde
 service-type ppp
#
interface virtual-template4        // virtual interface 4 for the booster pump station VPN
 ppp authentication-mode pap       // PPP authentication: PAP
 ip address 192.168.40.1 255.255.255.0
 remote address 192.168.40.2       // address handed to the pump station computer
#
add interface virtual-template4    // add virtual interface 4
 set priority 5                    // set the priority
#
l2tp-group 5
 undo tunnel authentication        // L2TP tunnel authentication switched off
 mandatory-lcp                     // force LCP renegotiation
 allow l2tp virtual-template 4 remote jhwsjlw   // accept L2TP requests from the peer whose host name is jhwsjlw (the pump station computer) and bind them to virtual interface 4
#
```

2.3 Creating the VPN connection

The computer at the Jinlongwan Booster Pumping Station runs Windows 2000 SP4, which has built-in VPN dialing. It is used as follows (the procedure is similar on Windows XP):

(1) Add the following DWORD value under the registry key below and restart:

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasman\Parameters`
`"ProhibitIpSec"=dword:00000001`

This value tells the Windows L2TP client not to negotiate IPsec for the connection.

(2) "Network and Dial-up Connections" - "New Connection" - "Connect to a private network through the Internet" - "Dial this initial connection first" (select the ADSL dialer) - "Host name or IP address" (enter the firewall's public IP), then enter a name for the VPN connection.

(3) After it is created, the virtual connection still has to be set up. Select the connection and open "Properties":
● General tab: set the dialing and redial options;
● Security tab: select "Advanced (custom settings)" and click "Settings" to open "Advanced Security Settings";
● Under "Data encryption" select "Optional encryption" (because no encryption is applied on the firewall) and check "Unencrypted password (PAP)";
● Networking tab: set the VPN type to "L2TP IPsec VPN".

A caveat a practitioner should weigh before copying this setup: with ProhibitIpSec set, the client never negotiates IPsec, and the firewall applies no encryption of its own, so the L2TP tunnel carries the PPP session in cleartext across the ADSL line and the internet. PAP sends the dial-in password (abcde above) in the clear, and tunnel authentication is disabled in the l2tp-group. Anyone on the path can read and alter both the credentials and the OPC/DCOM traffic inside the tunnel. If confidentiality or integrity of the pump station data matters, delete the ProhibitIpSec value (or set it to 0) and configure a matching IPsec policy on the firewall so that L2TP/IPsec is actually negotiated, set "Data encryption" to "Require encryption", use CHAP or MS-CHAP v2 instead of PAP, and turn tunnel authentication back on.

(4) A VPN connection created this way cannot reach the public internet while it is up (Windows by default routes all traffic through the remote network's gateway once the tunnel is established), which considerably reduces the exposure of the computer and its data.

2.4 Advantages of the VPN

The VPN gives a dynamically dialed computer a fixed IP address on the company LAN, which makes data transmission dependable and saves cost. Combined with software such as PC Anywhere, it also allows remote maintenance, which greatly simplifies maintenance work.

3. Process Control Interface OPC

3.1 Introduction to OPC

OPC (OLE for Process Control) builds a bridge between Windows applications and field process control applications. Previously, every application developer had to write a dedicated interface to access data from each field device. The sheer variety of field devices and their continual upgrading placed a heavy workload on users and developers and often failed to meet real needs, so system integrators and developers urgently required an efficient, reliable, open and interoperable plug-and-play device driver. The OPC standard emerged in this context. It is based on Microsoft's OLE technology and defines a standard OLE/COM interface; in short, OPC is a specialized COM interface adopted as an industry standard. COM (Component Object Model) is the foundation of all OLE mechanisms.
COM is a standard for programming-language-independent objects: two applications can communicate through an object-oriented interface without either needing to know how the other was built. Starting with Windows NT 4.0 the COM specification was extended so that objects can be accessed beyond the local machine, and the objects an application uses can be distributed across a network. This extension is DCOM (Distributed COM). DCOM together with the OPC standard makes genuinely open, interoperable control system software possible. OPC standardizes the interface functions, so clients access field devices in a uniform way whatever their form; this makes the software transparent, frees users from low-level development, and improves openness and interoperability. The OLE automation interface is the one normally used in system design.

3.2 DCOM Configuration

When an OPC client connects to an OPC server, the server computer must authenticate the client computer. If both belong to the same domain, the domain controller does this. Most control computers in automation systems, however, are in a workgroup, not a domain, and under the Windows security model users on non-domain computers generally cannot be authenticated across machines. The one exception is that two computers holding an account with the same username and password can authenticate each other. A user with an identical username (e.g. opc-user) and password is therefore created on both the OPC server and the OPC client computer, and both computers log in as that user. Note that this shared account is the only thing gating DCOM access to the OPC server from the VPN subnet, so use a strong password rather than a placeholder such as "password". Then run dcomcnfg from "Start" - "Run" to reach the DCOM security settings:

(1) First enable Distributed COM (on both the server and the client). See the attached table for the remaining settings.

(2) If the OPC server runs Windows XP SP2, the Windows Firewall must also be configured: add an exception for TCP port 135 (the RPC endpoint mapper; the exception is named dcom here), and unblock the OPC server executable and the OPCEnum program (the OPC server browser service). No further settings are needed on the OPC client computer.

3.3 Development of the OPC Client

The configuration software on the host computer in the Qiubin plant's central control room is InTouch 8.0, which ships with OPCLink. In use, OPCLink turned out to have a serious limitation: it cannot enumerate remote OPC servers. In this installation the pumping station computer (the OPC server) is 192.168.40.2 and the control room computer is 192.168.2.2. A client written in VB enumerates the remote OPC server without trouble, but OPCLink hangs as soon as the node name is entered and "Browse" is clicked; FS Gateway behaves the same way. I therefore decided to write my own OPC client in VB and to pass the data to InTouch over DDE. DDE is a Microsoft communication protocol that lets Windows applications exchange data: the server application answers the client application's requests with the corresponding data, and many applications (Excel and VB among them) can act as both DDE server and DDE client. Given the volume of data to collect, driving DDE through VB's built-in controls is inefficient and needs a lot of code, so I wrote my own DDE server as a dynamic link library. Its mechanism is fairly involved and is not described here; interested readers can contact me. OPC server vendors normally supply VB client sample code, so connecting to the OPC server and adding an OPC group are not described here either.
The following points need attention in OPC client development:

(1) Since there are many OPC tags, add them all in a single call. The signature (parameters in "[]" are optional; myOPCGroup is the OPC group being added to, the same below):

```
' Add every tag in one call instead of one call per tag
Call myOPCGroup.OPCItems.AddItems(NumItems As Long, ItemIDs() As String, ClientHandles() As Long, ServerHandles() As Long, Errors() As Long, [RequestedDataTypes], [AccessPaths])
```

(2) To make data transfer efficient, the OPC client collects data by subscription and writes asynchronously:

```
myOPCGroup.IsActive = True       ' activate the OPC group
myOPCGroup.IsSubscribed = True   ' collect data by subscription (DataChange callbacks)
Call myOPCGroup.AsyncWrite(NumItems As Long, ServerHandles() As Long, Values() As Variant, Errors() As Long, TransactionID As Long, ClientTransactionID As Long)
```

(3) For debugging and maintenance, a ListView control can list every OPC tag's name, value and quality. By this time the group is already collecting by subscription, so to keep the ListView writes efficient and unaffected by the DataChange event, use a second object variable for the callbacks:

```
Dim WithEvents CallbackGroup As OPCGroup   ' declared at form level

' once the ListView has been filled:
Set CallbackGroup = myOPCGroup             ' from now on CallbackGroup_DataChange fires

Private Sub CallbackGroup_DataChange(TransactionID As Long, NumItems As Long, ClientHandles() As Long, ItemValues() As Variant, Qualities() As Long, TimeStamps() As Date)
    ' update the ListView rows for the items that changed
End Sub
```

(4) One further problem is very important. Because data is collected by subscription, if the VPN connection drops unexpectedly the OPC client receives no notification at all and still believes communication is normal. A better solution is a bit in the PLC whose value toggles between 0 and 1 at a fixed interval (normally 1 second); the program only has to monitor that bit and treat a missing toggle as a lost link. The DDE-related parts are not described here.
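The link watchdog that point (4) calls for, written out as an added example. This is not code from the original article (whose client is VB6) and not the plant's software; it is written in Python so the logic can be run and checked offline. It assumes the DataChange callback can be reduced to a (value, quality, time) triple for the heartbeat tag, that the clock is injectable, and that OPC DA quality 0xC0 means GOOD; the replayed trace is constructed, not captured from the station.

```python
"""Heartbeat watchdog for a subscribed OPC group.

Added example (not code from the original article). It models the failure
mode described in point (4): once a group is subscribed, DataChange callbacks
simply stop when the VPN drops and the client keeps believing the last values.
The article's remedy is a PLC bit that toggles every second; this class watches
that bit and also honours the OPC quality flag. The callback shape, the injected
clock and the sample trace are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPC_QUALITY_GOOD = 0xC0  # OPC DA quality byte 192 = GOOD; anything else is BAD or UNCERTAIN


@dataclass
class HeartbeatWatchdog:
    period: float = 1.0           # seconds between PLC toggles (the article uses 1 s)
    missed_beats: int = 3         # toggles that may be missed before the link is declared down
    last_value: Optional[int] = None
    last_quality: Optional[int] = None
    last_toggle: Optional[float] = None   # time of the most recent 0<->1 transition
    state: str = "UNKNOWN"

    @property
    def max_silence(self) -> float:
        return self.period * self.missed_beats

    def on_data_change(self, value: int, quality: int, now: float) -> str:
        """Feed from the OPC group's DataChange event for the heartbeat item."""
        self.last_quality = quality
        if quality == OPC_QUALITY_GOOD:
            # A GOOD value counts as a beat only if it actually changed
            # (or is the very first one seen after start-up).
            if self.last_value is None or value != self.last_value:
                self.last_toggle = now
            self.last_value = value
        return self.check(now)

    def check(self, now: float) -> str:
        """Run this from a timer that does not depend on OPC callbacks:
        after a VPN drop no DataChange event will ever arrive to trigger it."""
        if self.last_quality is not None and self.last_quality != OPC_QUALITY_GOOD:
            self.state = "BAD_QUALITY"       # the server itself says the data is not trustworthy
        elif self.last_toggle is None:
            self.state = "UNKNOWN"           # no beat seen since start-up
        elif now - self.last_toggle > self.max_silence:
            self.state = "LINK_DOWN"         # bit stopped toggling: tunnel, server or PLC is gone
        else:
            self.state = "OK"
        return self.state


# Constructed trace (not captured from the plant): (time, kind, value, quality).
# "beat" = a DataChange callback for the heartbeat tag, "tick" = the watchdog timer.
SAMPLE_TRACE: List[Tuple[float, str, int, int]] = [
    (0.0, "beat", 0, OPC_QUALITY_GOOD),
    (1.0, "beat", 1, OPC_QUALITY_GOOD),
    (2.0, "beat", 0, OPC_QUALITY_GOOD),
    (3.0, "beat", 1, OPC_QUALITY_GOOD),   # VPN drops silently after this beat
    (4.0, "tick", 0, 0),
    (6.0, "tick", 0, 0),                  # exactly 3 s without a toggle: still tolerated
    (7.0, "tick", 0, 0),                  # 4 s: LINK_DOWN
    (10.0, "beat", 1, OPC_QUALITY_GOOD),  # tunnel back, but value equals the last one seen: no toggle yet
    (11.0, "beat", 0, OPC_QUALITY_GOOD),  # first real toggle after reconnect: OK again
    (12.0, "beat", 1, 0x00),              # server reports BAD quality
]


def run_trace(trace, period: float = 1.0, missed_beats: int = 3) -> List[Tuple[float, str]]:
    """Replay a trace through a fresh watchdog and return (time, state) per event."""
    wd = HeartbeatWatchdog(period=period, missed_beats=missed_beats)
    states = []
    for t, kind, value, quality in trace:
        state = wd.on_data_change(value, quality, t) if kind == "beat" else wd.check(t)
        states.append((t, state))
    return states


if __name__ == "__main__":
    for t, state in run_trace(SAMPLE_TRACE):
        print(f"t={t:5.1f}s  {state}")
```

The design point is that `check()` must be driven by a timer of its own: the subscription delivers nothing once the tunnel is gone, so a watchdog that only runs inside the DataChange handler can never fire. Note also that after a reconnect the first value received may equal the last one seen, so the link is only declared healthy after the next genuine toggle, which the trace above exercises.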
4. Conclusion

As cities grow, the number of booster pumping stations serving sewage treatment plants keeps increasing, and most of them are scattered across the city. For various reasons it is hard to lay optical cable from them to the treatment plant, so communication with the plant usually relies on wireless methods, which are prone to interference and cannot guarantee data security; methods such as GPRS cannot carry large volumes of data stably. In this situation VPN+OPC is the better choice. The VPN is cheap, secure when configured with encryption, stable and easy to manage; OPC provides fast data transfer, the DCOM security model, and straightforward development. An application built on the two needs little code and can be maintained remotely, which suits users in similar circumstances. The project is currently operating normally in the central control room of the Qiubin Wastewater Treatment Plant in Jinhua City.