Setting Up a Private Connector
Secure access to on-premise systems without opening inbound firewall ports
Private Connectors let you route DataGrout tool calls to systems inside your network (SAP, Oracle, Dynamics, custom APIs) through a managed VPN relay.
How It Works
- You run a VPN server in your network (WireGuard, OpenVPN, or NetBird)
- You provide VPN client credentials to DataGrout through the UI
- DataGrout provisions a relay in its infrastructure that connects to your VPN
- Tool calls are routed through the relay to your internal endpoints
You manage: Your VPN server and network access rules.
DataGrout manages: Relay provisioning, scaling, monitoring, and updates.
  Your Network                            DataGrout
┌─────────────────┐                 ┌──────────────────┐
│                 │                 │                  │
│  SAP / Oracle   │                 │      Relay       │
│        ▲        │                 │        │         │
│        │        │       VPN       │   VPN Client     │
│   VPN Server ◄──┼─────────────────┼──      │         │
│                 │                 │     Platform   ◄── Agent
│                 │                 │                  │
└─────────────────┘                 └──────────────────┘
The relay initiates the VPN connection to your server. The only inbound firewall rule you need is the one for the VPN port.
Prerequisites
- A VPN server in your network (WireGuard recommended)
- Network access from the VPN server to your internal systems
- A DataGrout account
Step 1: Set Up Your VPN Server
WireGuard (Recommended)
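sudo apt update && sudo apt install wireguard
# Write the private key without echoing it to the terminal, then restrict it to root
wg genkey | sudo tee /etc/wireguard/private.key > /dev/null
sudo chmod 600 /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key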
Create /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
Start:
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
OpenVPN
Use your existing OpenVPN infrastructure. You'll export a .ovpn client profile for DataGrout.
NetBird
curl -fsSL https://get.netbird.io/install.sh | sh
netbird up
Create a setup key in the NetBird dashboard for the DataGrout relay.
Step 2: Generate a VPN Client Profile
Create credentials that the DataGrout relay will use to connect.
WireGuard
# umask 077 keeps the client private key readable only by the current user
(umask 077; wg genkey | tee client-private.key | wg pubkey > client-public.key)
Add the client as a peer on your server, then create a client config:
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/32
[Peer]
PublicKey = <server_public_key>
Endpoint = vpn.yourcorp.com:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
This file is what you'll provide to DataGrout.
OpenVPN
Export a .ovpn client profile from your OpenVPN server.
NetBird
Create a setup key in your dashboard: Settings -> Setup Keys -> "DataGrout Relay".
Step 3: Create the Connector in DataGrout
- Go to Integrations -> Available Integrations
- Find Private Connector and click Add
- Fill in the form:
  - Name: e.g. "Production Connector"
  - VPN Type: WireGuard, OpenVPN, or NetBird
  - VPN Profile: Paste the client config
  - Internal Endpoints: The hostnames/IPs the relay should be able to reach
  - Region: Choose the region closest to your network
- Click Create
DataGrout provisions the relay and establishes the VPN connection. Status transitions from Provisioning to Active.
Step 4: Add Your Integration
- Go to Integrations -> Available Integrations
- Select your system (SAP ERP, Oracle, etc.)
- Configure the internal hostname/IP, credentials, and client number
- Under Route via, select your Private Connector
- Click Save
DataGrout tests the connection through the relay and indexes the available tools.
Step 5: Test
Open the Playground and try a query:
List SAP purchase orders
Or use the Sandbox tab on the integration to test a specific tool directly.
Multiple Systems
A single connector can route to multiple internal systems. Add separate integrations for each (SAP, Oracle, Dynamics) and point them all at the same connector.
Monitoring
Check connector status on the Integrations page:
- Active: VPN connected, relay healthy
- Degraded: Connected but experiencing issues
- Down: VPN disconnected or relay unavailable
Troubleshooting
Relay won't connect: Verify your VPN server is running and the port (UDP 51820 for WireGuard) is reachable from the internet. Double-check the client profile.
Can't reach internal system: From your VPN server, confirm the internal hostname resolves and the port is open. Ensure your firewall allows traffic from the VPN subnet.
Authentication failures: Verify credentials in the integration settings. Ensure the system account has the required permissions.
Security
- The relay initiates the VPN connection to your server. No inbound rules are required beyond the VPN port.
- VPN credentials are stored encrypted.
- Integration credentials are stored encrypted and never logged.
- Communication between the relay and platform uses mutual TLS.
- Use least-privilege system accounts (avoid admin/super-user access).
Related
- Private Connectors - Feature overview
- Building Workflows - Use your on-premise tools in workflows
- Using the Playground - Test your connector interactively