Remote SCADA monitoring Part 2: Ignition - WireGuard VPN Setup

July 14, 2024  •  by Abraham Ouma

Introduction

  • In the previous walkthrough, we set up a WireGuard server and connected one or more clients to the tunnel. We confirmed two-way connectivity between the server and the clients by running ping tests from both ends, all of which succeeded.
  • The WireGuard setup was configured to allow devices connected to the VPN to communicate as if they were on the same subnet.
  • In this follow-up, we’ll enable clients connected to the WireGuard server to access the Ignition Gateway securely through the same VPN tunnel.



Ignition access through WG VPN

Ignition gateway port

By default, Ignition serves its web interface over HTTP on port 8088 and over HTTPS on port 8043. In this guide we use the HTTP port, 8088. Keep in mind that HTTP is plaintext: inside the tunnel it is protected by WireGuard, but between the tunnel endpoint and the Ignition process it is not. That is acceptable here because the WireGuard server and the Ignition gateway are the same host (10.128.0.3 in the examples below); if they were separate machines, use 8043 instead.

Unless restricted, Ignition binds its listener to all of the host's network interfaces. This means that if your gateway server's IP is 192.168.121.12 on the 192.168.121.0/24 subnet, and there is no inbound firewall restriction on port 8088, the gateway is reachable from every device on that subnet (and from localhost), and from every other interface the host has, including a VPN interface.

For example, within the local subnet, you can access the gateway by visiting:

http://192.168.121.12:8088

Note:
To harden your SCADA system, access to the Ignition Gateway should ideally be restricted to authenticated VPN users only. This creates two layers of protection:

  1. Ignition’s own user login system.
  2. VPN authentication, ensuring only devices with valid tunnel credentials can reach the gateway.

The firewall rules in the rest of this guide key on the client's VPN source address, and that address is trustworthy because WireGuard performs cryptokey routing: a packet decrypted from a peer is dropped unless its inner source address falls within that peer's AllowedIPs. A peer therefore cannot impersonate another VPN address, and a host outside the tunnel never gets a VPN source address at all.

Accessing the Gateway on Windows

Local subnet:

Server IP: 192.168.100.13

Client IP: 192.168.100.4


If no firewall rule allows incoming traffic on port 8088, the gateway will be inaccessible to the client despite being on the same subnet: Windows Firewall drops unsolicited inbound connections by default, so the browser on the client simply fails to connect.

Use this command (run as Administrator) to allow HTTP access to Ignition:

netsh advfirewall firewall add rule name="Allow Ignition HTTP" dir=in action=allow protocol=TCP localport=8088

Once this rule is added, the client can access the gateway via:

http://192.168.100.13:8088

 

Accessing gateway over the VPN tunnel:

To securely access the gateway through the VPN:

  • Ensure that the WireGuard tunnel is active on both the server and client.
  • Verify connectivity by pinging the WireGuard server’s VPN IP (e.g., 10.128.0.3).
  • Remove the general firewall allow rule on port 8088 so that the gateway is no longer reachable from the whole LAN:
netsh advfirewall firewall delete rule name="Allow Ignition HTTP"

Then, explicitly allow access only from the VPN subnet. This must be the subnet your WireGuard addresses are actually drawn from; with the server at 10.128.0.3, that is 10.128.0.0/24:

netsh advfirewall firewall add rule name="Allow Ignition 8088 from VPN" dir=in action=allow protocol=TCP localport=8088 remoteip=10.128.0.0/24

Do not add an explicit block rule for port 8088 with remoteip=any on top of this. In Windows Firewall an explicit block rule takes precedence over an allow rule that matches the same traffic, so a blanket block on 8088 would also cut off the VPN clients you just allowed. All other sources are already dropped by the profile's default inbound action, which should be Block on every profile. Confirm it with:

netsh advfirewall show allprofiles

and check that "Firewall Policy" reads BlockInbound,AllowOutbound for the Domain, Private and Public profiles (if it does not, set it with "netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound"). Windows usually places the WireGuard adapter in the Public profile; the add rule command above applies to all profiles unless you pass profile=, so it covers that case.

In this example, the Ignition gateway server was at 10.128.0.3 and was only accessible to clients inside the VPN subnet (10.128.0.0/24).

Access the gateway on Linux

On Linux systems like Ubuntu, UFW (Uncomplicated Firewall) gives the same result. UFW evaluates rules in order and stops at the first match, so add the narrow allow rule before the broad deny; if the deny rule already exists, put the allow ahead of it with "sudo ufw insert 1 ..." instead of "sudo ufw allow ...".

Allow VPN access on port 8088 (again, use the subnet that actually holds your WireGuard addresses, 10.128.0.0/24 in this example):

sudo ufw allow from 10.128.0.0/24 to any port 8088 proto tcp

Deny all other access on port 8088 (UFW's default inbound policy is already deny, so this rule mainly makes the intent explicit and keeps a later blanket "ufw allow 8088" from reopening the port, since that rule would land below the deny):

sudo ufw deny proto tcp from any to any port 8088

Confirm the order with "sudo ufw status numbered": the firewall must be active and the allow line must be listed above the deny line. If you know the tunnel interface name (wg0 by default), add "in on wg0" to the allow rule so that a packet arriving on the LAN interface with a forged 10.128.0.x source address cannot match it.
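The rules on both Windows (remoteip=) and Linux (from ...) only work if the subnet they name really contains the peers' WireGuard addresses; the cost of getting it wrong is a tunnel that pings fine and a gateway that refuses every connection. The following bash script is an added example, not part of the original post, that reads the [Peer] AllowedIPs entries from a WireGuard server configuration, checks each one against the CIDR you intend to put in the firewall rule, and only then prints the ufw commands from this guide. The embedded wg0.conf is constructed for the example (keys redacted) and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check that the CIDR used in the
# port-8088 firewall rule really covers every WireGuard peer before emitting
# the ufw commands. IPv4 only. Function names and the sample config are mine.

# Constructed WireGuard server config for the example; keys are redacted.
# The server itself is 10.128.0.3, its peers are 10.128.0.4 and 10.128.0.5.
WG_CONF='[Interface]
Address = 10.128.0.3/24
ListenPort = 51820
PrivateKey = REDACTED

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.128.0.4/32

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.128.0.5/32
'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; status 1 on bad input
ip_to_int() {
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> status 0 if ADDR lies inside NET/BITS, 1 if not, 2 on bad input
in_cidr() {
  local addr=$1 net=${2%/*} bits=${2#*/} a n mask
  a=$(ip_to_int "$addr") || return 2
  n=$(ip_to_int "$net")  || return 2
  case $bits in ''|*[!0-9]*) return 2;; esac
  [ "$bits" -le 32 ] || return 2
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( n & mask )) ]
}

# peers_outside_cidr WG_CONF RULE_CIDR -> prints every AllowedIPs entry the rule
# would NOT cover; status 0 when all peers are covered, 1 otherwise
peers_outside_cidr() {
  local conf=$1 rule=$2 rule_bits=${2#*/} entry addr bits bad=0
  for entry in $(printf '%s\n' "$conf" \
      | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' \
      | tr ',' ' '); do
    addr=${entry%/*}
    bits=${entry#*/}
    if [ "$bits" = "$entry" ]; then bits=32; fi   # a bare address means /32
    # covered only if the entry's network sits inside the rule and is no wider than the rule
    if ! in_cidr "$addr" "$rule" || [ "$bits" -lt "$rule_bits" ]; then
      echo "$entry"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# emit_ufw_rules WG_CONF RULE_CIDR PORT -> prints the two ufw commands from the
# guide, or refuses (status 1) when a peer would be locked out by RULE_CIDR
emit_ufw_rules() {
  local conf=$1 rule=$2 port=$3 uncovered
  uncovered=$(peers_outside_cidr "$conf" "$rule") || {
    echo "refusing: peers outside $rule would be blocked: $uncovered" >&2
    return 1
  }
  printf 'ufw allow from %s to any port %s proto tcp\n' "$rule" "$port"
  printf 'ufw deny proto tcp from any to any port %s\n' "$port"
}

# The mistyped subnet (10.128.10.0/24) is refused; the correct one produces the rules.
emit_ufw_rules "$WG_CONF" 10.128.10.0/24 8088 || echo "fix the subnet before applying anything"
emit_ufw_rules "$WG_CONF" 10.128.0.0/24 8088
```

Point it at the real server config (for example "$(cat /etc/wireguard/wg0.conf)") and pipe the printed commands into a shell only after reading them; the same peer check applies verbatim to the remoteip= value used in the Windows netsh rule.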

Conclusion:

  • Always verify that the WireGuard tunnel is active before testing Ignition access; a ping to the server's VPN address is the quickest check.
  • The subnet used in the firewall rules must contain every VPN address handed out in your WireGuard server and peer configurations (10.128.0.0/24 in this example). A mismatch of even one octet, such as allowing 10.128.10.0/24 while the peers live in 10.128.0.0/24, gives a tunnel that pings fine and a gateway that refuses every connection.
  • This setup gives secure, restricted access to the Ignition SCADA gateway without exposing port 8088 or forwarding it through the router. The only externally reachable service is WireGuard's UDP listen port, which stays silent to anyone without a valid peer key.