
OPC UA Overview

The OPCUA route enables communication with OPC UA servers, providing a standardized, cross-platform protocol for industrial automation. It supports multiple authentication modes, security policies, and both NodeId and BrowsePath addressing.
OPC UA is vendor-neutral and widely supported by modern industrial equipment. Use it when you need secure, standardized communication across devices from different manufacturers.

Basic Syntax

DEFINE ROUTE OPCServer WITH TYPE OPCUA
    ADD OPCUA_CONFIG
        WITH ENDPOINT_URL "opc.tcp://192.168.1.100:4840"
        WITH AUTH_MODE '0'
        WITH AUTO_ACCEPT_UNTRUSTED_CERTIFICATES "true"
    ADD MAPPING ProcessData
        WITH EVERY 1 SECOND
        ADD TAG Temperature
            WITH ADDRESS "ns=2;s=Channel1.Device1.Temperature"
            WITH DATA_TYPE "FLOAT"
            WITH SOURCE_TOPIC "opcua/temperature"

Connection Configuration

OPCUA_CONFIG Parameters

ENDPOINT_URL
string
required
OPC UA server endpoint URL (e.g., opc.tcp://localhost:4840).
AUTH_MODE
integer
Authentication mode:
  • 0 - Anonymous (no authentication)
  • 1 - Username/Password
  • 2 - Certificate
Default: 0.
USER
string
Username for authentication (required if AUTH_MODE is 1).
PASSWORD
string
Password for authentication (required if AUTH_MODE is 1).
USE_SECURITY
boolean
Enable security mode. Default: false.
SECURITY_POLICY
integer
Security policy level:
  • 0 - None
  • 1 - Basic128Rsa15
  • 2 - Basic256
  • 3 - Basic256Sha256
  • 4 - Aes128_Sha256_RsaOaep
  • 5 - Aes256_Sha256_RsaPss
Default: 0.
MESSAGE_SECURITY
integer
Message security mode:
  • 0 - None
  • 1 - Sign
  • 2 - SignAndEncrypt
Default: 0.
AUTO_ACCEPT_UNTRUSTED_CERTIFICATES
boolean
Automatically accept untrusted server certificates. Default: false.
SUPPRESS_NONCE_VALIDATION_ERRORS
boolean
Suppress nonce validation errors. Default: false.
TIMEOUT
integer
Connection timeout in milliseconds. Default: 90000.

BrowsePath Mode

For servers that support it, you can use symbolic paths instead of NodeIds:
USE_BROWSE_PATH
boolean
Enable BrowsePath mode - treat all TAG addresses as browse paths instead of NodeIds.
BROWSE_ROOT_PATH
string
Root path for browsing when USE_BROWSE_PATH is enabled. Default: Objects.

BrowsePath Example

ADD OPCUA_CONFIG
    WITH ENDPOINT_URL "opc.tcp://192.168.1.100:4840"
    WITH USE_BROWSE_PATH "true"
    WITH BROWSE_ROOT_PATH "Objects"
ADD MAPPING Tags
    WITH EVERY 1 SECOND
    ADD TAG Temperature
        WITH ADDRESS "Aliases/MyDevice/Temperature"
        WITH DATA_TYPE "FLOAT"
        WITH SOURCE_TOPIC "opcua/temperature"

Security Configuration

For development or trusted networks:
ADD OPCUA_CONFIG
    WITH ENDPOINT_URL "opc.tcp://192.168.1.100:4840"
    WITH AUTH_MODE '0'
    WITH USE_SECURITY "false"
    WITH AUTO_ACCEPT_UNTRUSTED_CERTIFICATES "true"

NodeId Addressing

OPC UA uses NodeIds to identify variables. The format is: ns=<namespace>;s=<identifier> or ns=<namespace>;i=<numeric_id>
| Format | Example | Description |
| --- | --- | --- |
| String identifier | ns=2;s=Channel1.Device1.Tag1 | Most common, human-readable |
| Numeric identifier | ns=2;i=1234 | More efficient, used by some servers |
| GUID identifier | ns=2;g=12345678-1234-1234-1234-123456789012 | Globally unique identifiers |

Finding NodeIds

Use an OPC UA browser tool (like UaExpert, Prosys OPC UA Browser, or similar) to explore the server’s address space and find the correct NodeIds.
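
A pre-deployment check for TAG ADDRESS values in the NodeId format described above. This is an added example, not code from the product documented here; the function names are hypothetical, and it covers only the three identifier forms in the table (string, numeric, GUID).

```python
import re
import uuid

_NODE_ID = re.compile(r"ns=([0-9]+);([isg])=(.+)", re.DOTALL)
_GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_node_id(address):
    """Parse 'ns=<namespace>;<s|i|g>=<identifier>' into (ns, kind, identifier).

    Raises ValueError with a specific reason, so a mistyped address is
    caught before the route is deployed rather than at poll time.
    """
    m = _NODE_ID.fullmatch(address)
    if not m:
        raise ValueError(f"not in ns=<n>;s|i|g=<id> form: {address!r}")
    ns, kind, ident = int(m.group(1)), m.group(2), m.group(3)
    if ns > 0xFFFF:  # the OPC UA namespace index is a UInt16
        raise ValueError(f"namespace index out of range: {ns}")
    if kind == "i":
        # numeric identifiers are UInt32 in OPC UA
        if not re.fullmatch(r"[0-9]+", ident) or int(ident) > 0xFFFFFFFF:
            raise ValueError(f"bad numeric identifier: {ident!r}")
        return ns, "numeric", int(ident)
    if kind == "g":
        if not _GUID.fullmatch(ident):
            raise ValueError(f"bad GUID identifier: {ident!r}")
        return ns, "guid", uuid.UUID(ident)
    return ns, "string", ident


def check_addresses(addresses):
    """Return {address: reason} for every address that fails to parse."""
    errors = {}
    for addr in addresses:
        try:
            parse_node_id(addr)
        except ValueError as exc:
            errors[addr] = str(exc)
    return errors


if __name__ == "__main__":
    # Constructed sample addresses: one valid, three that should be rejected.
    sample = ["ns=2;i=1234", "ns=2;i=12a4", "ns=70000;s=X",
              "Aliases/MyDevice/Temperature"]
    for addr, reason in check_addresses(sample).items():
        print(f"{addr}: {reason}")
```

A browse path such as Aliases/MyDevice/Temperature is reported as an error here, which is the intended result when USE_BROWSE_PATH is not enabled for the route.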

Data Types

| Data Type | OPC UA Type | Description |
| --- | --- | --- |
| BOOLEAN | Boolean | True/False value |
| SBYTE | SByte | Signed 8-bit integer |
| BYTE | Byte | Unsigned 8-bit integer |
| INT16 | Int16 | Signed 16-bit integer |
| UINT16 | UInt16 | Unsigned 16-bit integer |
| INT32 | Int32 | Signed 32-bit integer |
| UINT32 | UInt32 | Unsigned 32-bit integer |
| INT64 | Int64 | Signed 64-bit integer |
| UINT64 | UInt64 | Unsigned 64-bit integer |
| FLOAT / FLOAT32 | Float | 32-bit floating point |
| DOUBLE / FLOAT64 | Double | 64-bit floating point |
| STRING | String | Unicode string |

TAG Configuration

Complete TAG Example

ADD TAG ProcessTemperature
    WITH ADDRESS "ns=2;s=Process.Temperature"
    WITH DATA_TYPE "FLOAT"
    WITH SOURCE_TOPIC "opcua/process/temperature"
    WITH SCALING "1"
    WITH OFFSET "0"
    WITH UNIT "°C"
    WITH DECIMAL_PLACES "2"
    WITH MIN_VALUE "-50"
    WITH MAX_VALUE "500"
    WITH DEADBAND "0.5"
    WITH PUBLISH_MODE "JSON"
    WITH WRITABLE "true"
    WITH DESTINATION_TOPIC "opcua/process/temperature/set"
    WITH IS_ARRAY "false"
    WITH DESCRIPTION "Main process temperature sensor"

TAG Parameters

ADDRESS
string
required
OPC UA NodeId (e.g., ns=2;s=MyVariable or ns=2;i=1234) or BrowsePath if USE_BROWSE_PATH is enabled.
DATA_TYPE
string
required
OPC UA data type: BOOLEAN, BYTE, INT16, UINT16, INT32, UINT32, INT64, UINT64, FLOAT, DOUBLE, STRING.
IS_ARRAY
boolean
Indicates if the value is an array. Default: false.
SCALING
double
Multiplier for value transformation. Default: 1.0.
OFFSET
double
Offset added after scaling. Default: 0.0.
DECIMAL_PLACES
integer
Decimal places in output. Default: 2.
MIN_VALUE
double
Minimum allowed value.
MAX_VALUE
double
Maximum allowed value.
DEADBAND
double
Minimum change to trigger publish. Default: 0.0.
SOURCE_TOPIC
string
MQTT topic for read values.
PUBLISH_MODE
string
Output format: VALUE_ONLY or JSON. Default: VALUE_ONLY.
UNIT
string
Engineering unit for documentation.
DESCRIPTION
string
Human-readable description.
WRITABLE
boolean
Allow writing to this node. Default: false.
DESTINATION_TOPIC
string
MQTT topic for write commands.

Event-Based Operations

For on-demand read/write operations:
ADD EVENT ReadOnDemand
    WITH SOURCE_TOPIC "opcua/commands/read"
    WITH DESTINATION_TOPIC "opcua/responses/read"
    WITH QUERY '{"operation": "READ", "node_id": "ns=2;i=2", "data_type": "INT32"}'

Complete Examples

Simple OPC UA connection with anonymous access:
DEFINE ROUTE OPCServer WITH TYPE OPCUA
    ADD OPCUA_CONFIG
        WITH ENDPOINT_URL "opc.tcp://192.168.1.100:4840"
        WITH AUTH_MODE '0'
        WITH AUTO_ACCEPT_UNTRUSTED_CERTIFICATES "true"
    ADD MAPPING ProcessData
        WITH EVERY 1 SECOND
        ADD TAG Temperature
            WITH ADDRESS "ns=2;s=Channel1.Device1.Temperature"
            WITH DATA_TYPE "FLOAT"
            WITH SOURCE_TOPIC "opcua/temperature"
            WITH UNIT "°C"
        ADD TAG Pressure
            WITH ADDRESS "ns=2;s=Channel1.Device1.Pressure"
            WITH DATA_TYPE "FLOAT"
            WITH SOURCE_TOPIC "opcua/pressure"
            WITH UNIT "bar"
        ADD TAG Status
            WITH ADDRESS "ns=2;s=Channel1.Device1.Status"
            WITH DATA_TYPE "INT32"
            WITH SOURCE_TOPIC "opcua/status"

Security Best Practices

Always enable security for production deployments:
WITH USE_SECURITY "true"
WITH SECURITY_POLICY '3'  // Basic256Sha256
WITH MESSAGE_SECURITY '2'  // SignAndEncrypt

In production, properly configure certificate trust:
WITH AUTO_ACCEPT_UNTRUSTED_CERTIFICATES "false"
Instead, exchange certificates between client and server during commissioning.

Prefer username/password or certificate authentication over anonymous:
WITH AUTH_MODE '1'  // or '2' for certificate
WITH USER "operator"
WITH PASSWORD "strong_password_here"
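
The practices above can be checked mechanically before a route definition is promoted to production. The following is an added example, not part of the product: a small audit that reads the OPCUA_CONFIG block and reports settings that differ from these recommendations, using the defaults documented on this page for anything left unset. The function names and finding codes are hypothetical.

```python
import re

# Numbers are this page's SECURITY_POLICY values: None (0) gives no protection;
# Basic128Rsa15 (1) and Basic256 (2) are deprecated in the OPC UA specification.
WEAK_POLICIES = {"0", "1", "2"}
_WITH = re.compile(r"""^\s*WITH\s+(\w+)\s+(['"])(.*?)\2""")

# Constructed sample: the page's development settings inside a route body.
DEV_CONFIG = """ADD OPCUA_CONFIG
    WITH ENDPOINT_URL "opc.tcp://192.168.1.100:4840"
    WITH AUTH_MODE '0'
    WITH USE_SECURITY "false"
    WITH AUTO_ACCEPT_UNTRUSTED_CERTIFICATES "true"
ADD MAPPING ProcessData
    WITH EVERY 1 SECOND"""


def parse_opcua_config(text):
    """Collect {PARAMETER: value} from the WITH lines under ADD OPCUA_CONFIG."""
    params, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ADD OPCUA_CONFIG"):
            in_block = True
        elif stripped.startswith(("ADD ", "DEFINE ")):
            in_block = False          # a MAPPING, TAG, EVENT or new route began
        elif in_block and (m := _WITH.match(line)):
            params[m.group(1).upper()] = m.group(3)
    return params


def audit(text):
    """Return sorted finding codes; unset parameters take the documented defaults."""
    p = parse_opcua_config(text)
    on = lambda key: p.get(key, "false").lower() == "true"
    checks = {
        "auto-accept-untrusted-certs": on("AUTO_ACCEPT_UNTRUSTED_CERTIFICATES"),
        "nonce-validation-suppressed": on("SUPPRESS_NONCE_VALIDATION_ERRORS"),
        "security-disabled": not on("USE_SECURITY"),
        "weak-security-policy": p.get("SECURITY_POLICY", "0") in WEAK_POLICIES,
        "not-sign-and-encrypt": p.get("MESSAGE_SECURITY", "0") != "2",
        "anonymous-auth": p.get("AUTH_MODE", "0") == "0",
    }
    return sorted(code for code, hit in checks.items() if hit)


if __name__ == "__main__":
    print(audit(DEV_CONFIG))
```

Because every default on this page is the permissive value, a config that sets only ENDPOINT_URL still produces four findings.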

Troubleshooting

  • Verify endpoint URL is correct
  • Check firewall allows TCP port (usually 4840)
  • Ensure server is running and accessible
  • Try increasing TIMEOUT value
  • Verify security policy matches server configuration
  • Check certificate trust (may need to accept in server)
  • For testing, try WITH AUTO_ACCEPT_UNTRUSTED_CERTIFICATES "true"
  • Ensure client certificates are properly configured
  • Use OPC UA browser to verify correct NodeId
  • Check namespace index (ns=) is correct
  • Verify node exists in server’s address space
  • Try BrowsePath mode if NodeId is unclear
  • Verify username and password
  • Check user has appropriate permissions
  • Ensure AUTH_MODE matches server requirements
  • Verify DATA_TYPE matches server variable type
  • Check IS_ARRAY setting for array values
  • Verify SCALING and OFFSET calculations
