How do I enable Wireguard VPN?

Introduction

VPNs are a complex topic and require a deep understanding of networking, IP addresses, router configuration, and security.

Before proceeding:

  • You should have experience in setting up VPNs, or support from an IT professional who does.

  • You will need a Wireguard VPN infrastructure to connect to. You should already be able to test that your infrastructure works from a laptop/PC running a standard Wireguard client. From a troubleshooting perspective, you should be able to confirm that your infrastructure and VPN configuration are correct before investigating any potential issues with your encoder configuration.

  • You should have planned out which devices and services (if any) you want to use over the VPN, and the IP addressing you will use.

While Digital Barriers can provide general VPN support, we cannot assist in setting up your VPN infrastructure. There is nothing specific to EdgeVis in creating a Wireguard infrastructure, and you may need to consult a third-party IT provider to assist with your general VPN infrastructure if you do not have the necessary networking resources available within your organisation.

Don't have a VPN infrastructure set up yet?

While we can't help you set it up, we have a list of steps you can refer to that you should follow before enabling VPN on your encoder.

EdgeVis Requirements/rules for using a Wireguard VPN

  • You must be using firmware version 8.6 or newer

  • You can't use a backup communications method

  • You can only specify one Wireguard peer

  • You can't use PostUp or PostDown rules in your config

  • You must create a public/private key pair for your encoder on another PC

Enabling VPN

  • Log in to your encoder's local web interface, and then enter the Communications settings page:


  • You should configure your primary comms method so that it is connected to your network.

  • Click the Disabled link next to the VPN section.

Is the VPN section missing?

The VPN section (and links) will not be available if you have set up a secondary comms method. To resolve this, click on your secondary comms method and remove it as a communications method.

  • You will be presented with a warning of the constraints of using a Wireguard VPN that you must accept:


  • The next decision is where your encoder should connect to EdgeVis Server:


    There are two options:

    1. In many deployment scenarios, you will place EdgeVis Server behind a VPN (so that it is not accessible from the internet). The IP address you have for your EdgeVis Server will be an internal IP address. In this scenario, you will select Yes, it's on the VPN in the above dialog. The connection to EdgeVis Server will be across the VPN and must be in line with the Wireguard configuration you supply.

    2. Your EdgeVis Server is in a different location than your VPN backend. For example, you are using a cloud-based EdgeVis Server. In this scenario you will select No, it's not on the VPN in the above dialog. The traffic to EdgeVis Server will be transmitted outside the VPN.

  • On the next page, you enter the details of your Wireguard VPN connection:



    Wireguard is commonly configured using a configuration file (often called wg0.conf). This is a plain text file with a simple syntax (external reference documentation).

    While creating your Wireguard config file, one of the tasks you must perform is to generate a public/private key pair for your encoder.

    Once you have your configuration file, this page allows you to import it (using the Choose File button). The file contents will be displayed in the Configuration text box, where you have the chance to edit them. Once you are happy to proceed, Confirm your VPN configuration.

    At this point the encoder will perform a validity check on your configuration to ensure it follows the rules listed above - if this check fails you will be returned to the configuration page, with the appropriate error listed.
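A pre-flight check you could run on the PC where you build the config, given here as an added example (it is not Digital Barriers code and not the encoder's own validator, whose exact checks this page does not list). It tests the rules stated above: exactly one peer, no PostUp/PostDown, and well-formed 32-byte base64 keys. The `server_ip` check assumes that a server "on the VPN" must fall inside the peer's AllowedIPs; the function names, keys and addresses in `SAMPLE` are constructed for illustration.

```python
import base64, ipaddress

def parse_wg_conf(text):
    """Parse wg-quick style text into [(section, {key: [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blanks match nothing below
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1].setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def is_wg_key(value):  # Wireguard keys are 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_encoder_conf(text, server_ip=None):
    """Return a list of problems; an empty list means every check passed."""
    sections = parse_wg_conf(text)
    peers = [kv for name, kv in sections if name == "peer"]
    problems = []
    if len(peers) != 1:
        problems.append(f"expected exactly one [Peer], found {len(peers)}")
    for name, kv in sections:
        problems += [f"{h} is not allowed" for h in ("postup", "postdown") if h in kv]
        wanted = {"interface": "privatekey", "peer": "publickey"}.get(name)
        if wanted and not any(is_wg_key(k) for k in kv.get(wanted, [])):
            problems.append(f"[{name}] has no valid {wanted}")
    if server_ip:  # assumption: a server on the VPN must fall inside AllowedIPs
        nets = [ipaddress.ip_network(n.strip(), strict=False) for kv in peers
                for v in kv.get("allowedips", []) for n in v.split(",")]
        if not any(ipaddress.ip_address(server_ip) in n for n in nets):
            problems.append(f"{server_ip} is not covered by AllowedIPs")
    return problems

KEY = base64.b64encode(bytes(32)).decode()  # constructed placeholder, not a real key
SAMPLE = f"""[Interface]
PrivateKey = {KEY}
PostUp = echo tunnel up

[Peer]
PublicKey = {KEY}
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24
"""
```

Calling `check_encoder_conf(SAMPLE, server_ip="10.8.0.20")` reports the PostUp line; pass the internal EdgeVis Server address only when you chose "Yes, it's on the VPN".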

Next steps

Once your configuration has been validated and saved, the encoder passes the configuration file to the built-in Wireguard client, which then attempts to initialise a VPN connection.
