Pr1 VPN tunnel to full Ignition gateway

Good evening,

I’m battling a connection issue through a groov epic pr1. I am trying to use an openVPN tunnel to access a full Ignition gateway on a different network.

I have the VPN coming into eth0 and I can access the pr1 through it. I have eth1 setup on with the Ignition server at, both subnets I have port forwarding trying to route tun0 on eth0 port to eth1 (see rule below).

Connection: tun0
External port: 8088
Internal IP:
Internal port: 8088

Not sure what I’m doing wrong here, but I can’t seem to make it work. I have tried different external ports that ignition uses with no results.

I have no configuration in Ignition currently. It is a default gateway running in trail. Trying to make the connection and understand it better before deployment.

For reference, I used the link below for the forward config.

Hi Kevan. Welcome to the Opto22 Forums!

What IP address are you using in your browser to try to connect to Ignition?
It will need to be the IP of the VPN interface on the EPIC and the port number you are using to redirect.

Something like VPN IP:port → through EPIC → Ignition gateway IP:port

Thank you for the prompt reply!

I have tried that IP as well as the with no luck. I have also tried the VPN public IP. From what I have read on Ignition, ports 8043 and 8060 are for Ignition edge and 8088 seems right but I’m not exactly sure. However, I did try those ports as well.

I really need the designer to find the gateway, and be able to land o. The gateway page for remote configuration. So far my designer has not found the gateway, and I haven’t been able to land on the gateway page.

Below is the port references I have been working with.

Ignition Designer uses port 8088. Is this port enabled in the firewall for the tun0 interface?

What (error) message do you get in the Ignition Designer when trying to access the PR1?

I think @gerhardK has the answer. You will need to ensure that port 8088 is open for the VPN tunnel so you can come in on port 8088 over the VPN to the EPICs IP address and go out to the designer IP address using port 8088.

Use the VPN IP address that lets you view groov Manage. You said you had that working. Once you can view the groov Manage pages over the VPN, just add :8088 and you should pop out the port redirect to your Ignition computer, and the designer should launch on your PC as expected.

Thanks again for the replies.

I did forget to set the firewall port up :roll_eyes:, but I can not create a rule for 8088. I get an error from the pr1 stating that 8088 is “resvered for opto rules”.

Any work arounds you guys know of for this?

You will need to change port 8088 in the full Ignition and restart it.
I think I heard of a customer doing that for the same reason.

Not sure what I have incorrect here, but still fighting this.


Screenshot 2024-05-15 110228

Port redirection:

Screenshot 2024-05-15 110351

I changed the Ignition server to port 8080 and reset the gateway and still can not connect through the VPN. I know I’m missing something easy here, but just missing it.

Thanks for the screenshots… Backing up a little, are you able to see groov Manage from the VPN browser?

I’m wondering if this is not working because you are on the same network as the EPIC, and the VPN is not looping back correctly.

Yes I can see the groov from the VPN browser.

Also the screen shot for the firewall is incorrect. I have tcp/udp in the protocol at the moment.

Let’s loop @greichert in… I’m thinking I’m missing something on the Ignition Designer side of things…
Its all looking good, right up to the point where it does not work!

I am connected to the internet from a hotspot on my phone, and the pr1 is on our offices network.

I can not land on the Ignition gateway page either.

Screenshot 2024-05-15 111937

Screenshot 2024-05-15 111918

Sorry for the quick sketch, but something like this?


Two quick thoughts.

  1. Is there a firewall on the IGN PC? If so, is open for 8080 and forwarding to Ign?
  2. Can you go into the groov Manage network tools and ping the IGN PC? ie, can the EPIC reach the PC on the most basic method of ping?

I have edited my two earlier posts to clarify that you must use the VPN IP address to view groov Manage and the VPN IP:port to be redirected to the Ignition gateway.

The incoming port (8080) that you are using in the redirect must also be opened to the VPN, which your screenshot shows you do have open (to everything—once you get it working, you can close off all the other interfaces and leave tun0 open).