VPN Connectivity — Setup and Configuration
Create a dedicated WireGuard tunnel between your plant and Rela AI, download the config tailored to your equipment, and verify the PLC reaches the platform.
VPN Connectivity
A dedicated WireGuard tunnel between your plant and our concentrator. We never enter your network; you open a minimal pipe that only lets traffic through to the OT subnet where your PLC lives.
What it's for
PLCs live behind the plant's firewall. For Rela AI to read their Modbus, OPC UA, S7 or EtherNet/IP registers, it needs a way to cross the firewall without exposing the PLC to the internet. The self-service VPN solves this with a dedicated tunnel — auditable and revocable in seconds — without touching your corporate VPN or opening public ports.
How it works
- Go to Settings → VPN Connectivity in the dashboard.
- Give the tunnel a name (e.g. "Torreón Plant") and click Create.
- We automatically assign you a private /24 subnet within 10.200.0.0/16.
- You pick your equipment (pfSense, OPNsense, Mikrotik, Ubiquiti, Linux, Windows, Docker) and download the tailored config.
- You paste it into your router/firewall — once.
- On the first handshake (10–30 seconds later), the dashboard shows Connected and you can create Modbus sources pointing at your PLC's private IP.
The private key of your end of the tunnel never leaves your equipment: if you switch providers, you delete it and we can no longer reach your network.
Benefits
| Benefit | Detail |
|---|---|
| Strict IT/OT isolation | The tunnel only reaches the OT subnet. No ERP, no mail, no printers. IEC 62443 and Purdue Model compliant. |
| Full self-service | The customer pastes a config and that's it — no intervention from our support team, no tickets, no waiting. |
| Instant revocation | Remove the peer in the dashboard or router, traffic stops within seconds. |
| Audit-friendly compliance | Every handshake is logged with public key, timestamp and byte counts. SOC 2, ISO 27001, IEC 62443 all happy. |
| No per-seat licensing | WireGuard is open source. No Cisco AnyConnect or Fortinet invoice per connection. |
Tunnel onboarding — step by step
1. Create the peer in the dashboard
Go to /settings/connectivity and click Create tunnel. Give it a label that identifies the plant (e.g. "Monterrey Plant North"). On creation, the system:
- Assigns a unique private subnet (10.200.X.0/24).
- Generates a WireGuard keypair. The private key is encrypted with GCP KMS and served only once on download.
- Publishes an event to the concentrator to accept your peer.
2. Download the config for your equipment
At the top of the panel, a 7-equipment selector appears. Pick yours:
| Equipment | Downloaded file | How to apply |
|---|---|---|
| pfSense 2.7+ | rela-vpn-pfsense.xml | VPN → WireGuard → Tunnels → Import XML |
| OPNsense | rela-vpn-opnsense.xml | VPN → WireGuard → Endpoints → Import |
| Mikrotik RouterOS 7 | rela-vpn-mikrotik.rsc | Terminal → Paste script line by line |
| Ubiquiti EdgeRouter | rela-vpn-ubiquiti.cfg | SSH → Copy/paste configure...commit...save batch |
| Linux / Raspberry Pi | rela-vpn.conf | sudo wg-quick up rela-vpn + systemctl enable wg-quick@rela-vpn |
| Windows | rela-vpn.conf | WireGuard Tunnel app → Import tunnel(s) from file |
| Docker Compose | docker-compose.yml + rela-vpn.conf | docker compose up -d in the directory |
3. Apply on the router and verify
Once the config is pasted and the interface is up, the tunnel performs a handshake every 25 seconds (PersistentKeepalive). The first one typically arrives in 10–30 seconds.
In the dashboard you'll see the widget change:
- Connection pending (initial state).
- Connected (first handshake arrived — done).
- No recent connection (handshake older than 5 minutes — check your router).
4. Create the Modbus/OPC UA source
Once the tunnel is connected, you can create a source pointing at the PLC's private IP on your internal network. Routing is automatic: any packet to the 10.200.0.0/16 range goes out via the tunnel.
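The isolation the page relies on (a /24 inside 10.200.0.0/16, AllowedIPs that never reach beyond that range, PersistentKeepalive = 25, endpoint on UDP 51820) can be checked on the downloaded file before it is pasted into a router. This is an added audit script, not Rela AI's tooling; the sample config is constructed with placeholder keys and a placeholder endpoint host.

```python
"""Audit a downloaded rela-vpn.conf against the minimal-tunnel shape described on this page.
Added example (not Rela AI code). Assumes the 10.200.X.0/24 client subnet inside
10.200.0.0/16, PersistentKeepalive = 25 and the UDP 51820 endpoint from the page."""
import configparser
import ipaddress

PLATFORM_RANGE = ipaddress.ip_network("10.200.0.0/16")
EXPECTED_KEEPALIVE = 25
EXPECTED_PORT = 51820

# Constructed sample: keys and endpoint host are placeholders, not real values.
SAMPLE_CONF = """
[Interface]
PrivateKey = <PLACEHOLDER_CLIENT_PRIVATE_KEY>
Address = 10.200.17.2/24

[Peer]
PublicKey = <PLACEHOLDER_CONCENTRATOR_PUBLIC_KEY>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.200.17.0/24
PersistentKeepalive = 25
"""


def parse_conf(text):
    """Parse WireGuard INI text. wg(8) keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_conf(text):
    """Return a list of findings; an empty list means the config is as minimal as expected."""
    cp = parse_conf(text)
    iface, peer = cp["Interface"], cp["Peer"]
    findings = []
    addr = ipaddress.ip_interface(iface["Address"])
    if addr.network.prefixlen != 24 or addr.ip not in PLATFORM_RANGE:
        findings.append(f"Address {addr} is not a /24 inside {PLATFORM_RANGE}")
    for cidr in peer["AllowedIPs"].split(","):
        net = ipaddress.ip_network(cidr.strip())
        # 0.0.0.0/0 or a corporate LAN here would route far more than the OT pipe through the tunnel.
        if not net.subnet_of(PLATFORM_RANGE):
            findings.append(f"AllowedIPs {net} reaches outside {PLATFORM_RANGE}; tunnel is not minimal")
    if int(peer.get("PersistentKeepalive", fallback="0")) != EXPECTED_KEEPALIVE:
        findings.append("PersistentKeepalive is not 25; behind NAT the mapping can close and handshakes stop")
    port = int(peer["Endpoint"].rsplit(":", 1)[1])
    if port != EXPECTED_PORT:
        findings.append(f"Endpoint port {port} is not UDP {EXPECTED_PORT}; the outbound firewall rule will not match")
    return findings
```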
Per-equipment details
pfSense
Open the downloaded XML and copy the contents. In the router's web console:
- VPN → WireGuard → Tunnels.
- Click Import (upload-file icon).
- Paste the XML and Save.
- The interface comes up automatically; Status → WireGuard shows the peer and the latest handshake.
- Verify Firewall → Rules has a rule allowing traffic between your OT LAN and the rela_vpn interface.
OPNsense
Same idea as pfSense but the menu path is VPN → WireGuard → Instances:
- VPN → WireGuard → Instances → Add.
- Copy the XML values manually (OPNsense doesn't have a direct WireGuard XML importer — use the values from the file).
- VPN → WireGuard → Peers → Add, paste the server's pubkey.
- Activate the interface in Interfaces → Assignments.
Mikrotik RouterOS 7+
Open Terminal (WinBox or SSH) and paste the contents of rela-vpn-mikrotik.rsc line by line. The script creates:
- A WireGuard interface named rela-vpn.
- An address on that interface.
- A peer pointing at the concentrator with allowed-address set to our subnet.
- A static route to 10.200.X.0/24 via rela-vpn.
Then check /interface wireguard peers print — last-handshake should be under 30 seconds.
Ubiquiti EdgeRouter / EdgeOS
SSH to the router and paste the configure... set... commit... save... exit batch. If saving fails, verify you have the WireGuard package installed (EdgeOS 2.x ships it natively; v1.x requires a manual .deb).
Linux / Raspberry Pi
```bash
sudo mv ~/Downloads/rela-vpn.conf /etc/wireguard/rela-vpn.conf
sudo chmod 600 /etc/wireguard/rela-vpn.conf
sudo wg-quick up rela-vpn
sudo systemctl enable wg-quick@rela-vpn
```
systemctl enable ensures the tunnel survives a reboot.
Windows
- Download the official client: wireguard.com/install/
- Add Tunnel → Import tunnel(s) from file → pick rela-vpn.conf.
- Click Activate.
- Windows Services → Run on startup so it reactivates at boot.
Docker Compose
Put docker-compose.yml and rela-vpn.conf in the same directory. Then:
```bash
docker compose up -d
docker compose logs -f rela-vpn
```
If the container dies on capability errors, ensure the host allows NET_ADMIN and SYS_MODULE (any modern Linux does).
Troubleshooting
The handshake never shows up
- Verify outbound UDP 51820 isn't blocked by your firewall or ISP.
- Check the pubkey your router shows matches what the dashboard generated (copy-paste sometimes clips characters).
- If your router is behind NAT, make sure PersistentKeepalive = 25 is active so the NAT mapping doesn't close.
Active handshake but no traffic reaches the PLC
- Check that the PLC and the router are on the same subnet.
- On pfSense/OPNsense: Firewall → Rules → WireGuard interface must have an Allow rule between your OT LAN and the router.
- On Mikrotik: /ip route print must show the route 10.200.X.0/24 → rela-vpn.
Dashboard says "No recent connection"
- Your router lost the tunnel. Common causes: ISP DHCP rotated your public IP, router rebooted without systemctl enable, power outage.
- Check the router logs. On Linux: sudo journalctl -u wg-quick@rela-vpn.
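On a Linux or Docker endpoint the three dashboard states from step 3 (pending, connected, no recent connection) and the troubleshooting hints above can be reproduced locally from the machine-readable output of `wg show rela-vpn dump`. This is an added example, not Rela AI's dashboard code; the dump lines are constructed with placeholder keys and a documentation address, and the script is fed a fixed "now" so it runs offline.

```python
"""Classify a WireGuard peer from `wg show <iface> dump` output using the thresholds on this page.
Added example (not Rela AI code). Assumes the dump format of wg(8): one interface line, then
one tab-separated peer line: pubkey, psk, endpoint, allowed-ips, latest-handshake (epoch, 0 =
never), rx bytes, tx bytes, persistent-keepalive ("off" or seconds)."""
import time

STALE_AFTER = 5 * 60   # dashboard shows "No recent connection" when the handshake is older than 5 min

# Constructed sample dump: placeholder keys, TEST-NET endpoint, handshake at a fixed epoch.
SAMPLE_DUMP = (
    "<PLACEHOLDER_PRIVKEY>\t<PLACEHOLDER_PUBKEY>\t51820\toff\n"
    "<PLACEHOLDER_CONCENTRATOR_PUBKEY>\t(none)\t203.0.113.10:51820\t10.200.17.0/24"
    "\t1700000000\t4096\t8192\t25\n"
)


def parse_wg_dump(text):
    """Return one dict per peer; the first non-empty line is the interface and is skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, keepalive = fields
        peers.append({"public_key": pub, "endpoint": endpoint, "allowed_ips": allowed,
                      "latest_handshake": int(hs), "rx": int(rx), "tx": int(tx),
                      "keepalive": keepalive})
    return peers


def tunnel_state(peer, now=None):
    """Map a peer to the dashboard wording: pending / connected / no recent connection."""
    now = int(time.time()) if now is None else now
    if peer["latest_handshake"] == 0:
        return "pending"
    if now - peer["latest_handshake"] > STALE_AFTER:
        return "no recent connection"
    return "connected"


def hints(peer, now=None):
    """Troubleshooting pointers from this page, keyed on the observed state."""
    out = []
    state = tunnel_state(peer, now)
    if peer["keepalive"] == "off":
        out.append("PersistentKeepalive is off: behind NAT the mapping can close; it should be 25")
    if state == "pending":
        out.append("never handshaked: check outbound UDP 51820 and that the pubkey matches the dashboard")
    elif state == "no recent connection":
        out.append("handshake older than 5 min: router reboot without systemctl enable or a rotated public IP; "
                   "see journalctl -u wg-quick@rela-vpn")
    return out
```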
Why don't we use your corporate VPN?
This is the most common question from your IT team. The short answer: for security, for compliance, and because your corporate VPN is designed for humans, not machines. The 9 detailed technical reasons are in "Why a dedicated tunnel?".
Industrial Protocols (Modbus, S7, EtherNet/IP)
Connect the agent directly to PLCs and VFDs via Modbus TCP, S7comm (Siemens S7-1200/1500) and EtherNet/IP (Allen-Bradley). Read and write with no gateways.
How to test that the VPN works
Technical checklist to validate the WireGuard tunnel with Rela AI end-to-end: from the first handshake to reading the PLC, with copy-paste commands and category-based troubleshooting.