{
  "access": "public",
  "type": "tutorial",
  "format": "markdown",
  "title": "SAP Private Connector",
  "chunked": true,
  "url": "https://library.datagrout.ai/sap-private-connector",
  "summary": "**Secure access to on-premise systems without opening inbound firewall ports**",
  "content_markdown": "# Setting Up a Private Connector\n\n**Secure access to on-premise systems without opening inbound firewall ports**\n\nPrivate Connectors let you route DataGrout tool calls to systems inside your network (SAP, Oracle, Dynamics, custom APIs) through a managed VPN relay.\n\n---\n\n## How It Works\n\n1. You run a VPN server in your network (WireGuard, OpenVPN, or NetBird)\n2. You provide VPN client credentials to DataGrout through the UI\n3. DataGrout provisions a relay in its infrastructure that connects to your VPN\n4. Tool calls are routed through the relay to your internal endpoints\n\n**You manage**: Your VPN server and network access rules.\n\n**DataGrout manages**: Relay provisioning, scaling, monitoring, and updates.\n\n```\nYour Network                          DataGrout\n┌─────────────────┐                 ┌──────────────────┐\n│                 │                 │                  │\n│  SAP / Oracle   │                 │     Relay        │\n│       ▲         │                 │       │          │\n│       │         │     VPN         │  VPN Client      │\n│  VPN Server  ◄──┼─────────────────┼──     │          │\n│                 │                 │  Platform ◄── Agent\n│                 │                 │                  │\n└─────────────────┘                 └──────────────────┘\n```\n\nThe VPN connection is outbound from the relay to your server. 
No inbound firewall rules are required beyond the VPN port.\n\n---\n\n## Prerequisites\n\n- A VPN server in your network (WireGuard recommended)\n- Network access from the VPN server to your internal systems\n- A DataGrout account\n\n---\n\n## Step 1: Set Up Your VPN Server\n\n### WireGuard (Recommended)\n\n```bash\nsudo apt update && sudo apt install wireguard\n\n# Generate the server key without echoing it to the terminal, then restrict it to root\nwg genkey | sudo tee /etc/wireguard/private.key > /dev/null\nsudo chmod 600 /etc/wireguard/private.key\n# Derive the public key from the private key\nsudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key\n```\n\nCreate `/etc/wireguard/wg0.conf`:\n\n```ini\n[Interface]\nPrivateKey = <server_private_key>\nAddress = 10.0.0.1/24\nListenPort = 51820\n```\n\nStart:\n\n```bash\nsudo wg-quick up wg0\nsudo systemctl enable wg-quick@wg0\n```\n\n### OpenVPN\n\nUse your existing OpenVPN infrastructure. You'll export a `.ovpn` client profile for DataGrout.\n\n### NetBird\n\n```bash\ncurl -fsSL https://get.netbird.io/install.sh | sh\nnetbird up\n```\n\nCreate a setup key in the NetBird dashboard for the DataGrout relay.\n\n---\n\n## Step 2: Generate a VPN Client Profile\n\nCreate credentials that the DataGrout relay will use to connect.\n\n### WireGuard\n\n```bash\numask 077  # create the key files readable only by the current user\nwg genkey | tee client-private.key | wg pubkey > client-public.key\n```\n\nAdd the client as a peer on your server, then create a client config:\n\n```ini\n[Interface]\nPrivateKey = <client_private_key>\nAddress = 10.0.0.2/32\n\n[Peer]\nPublicKey = <server_public_key>\nEndpoint = vpn.yourcorp.com:51820\nAllowedIPs = 10.0.0.0/24, 192.168.1.0/24\nPersistentKeepalive = 25\n```\n\nThis file is what you'll provide to DataGrout.\n\n### OpenVPN\n\nExport a `.ovpn` client profile from your OpenVPN server.\n\n### NetBird\n\nCreate a setup key in your dashboard: Settings -> Setup Keys -> \"DataGrout Relay\".\n\n---\n\n## Step 3: Create the Connector in DataGrout\n\n1. Go to **Integrations** -> **Available Integrations**\n2. Find **Private Connector** and click **Add**\n3. Fill in the form:\n   - **Name**: e.g. 
\"Production Connector\"\n   - **VPN Type**: WireGuard, OpenVPN, or NetBird\n   - **VPN Profile**: Paste the client config\n   - **Internal Endpoints**: The hostnames/IPs the relay should be able to reach\n   - **Region**: Choose the region closest to your network\n4. Click **Create**\n\nDataGrout provisions the relay and establishes the VPN connection. Status transitions from Provisioning to Active.\n\n---\n\n## Step 4: Add Your Integration\n\n1. Go to **Integrations** -> **Available Integrations**\n2. Select your system (SAP ERP, Oracle, etc.)\n3. Configure the internal hostname/IP, credentials, and client number\n4. Under **Route via**, select your Private Connector\n5. Click **Save**\n\nDataGrout tests the connection through the relay and indexes the available tools.\n\n---\n\n## Step 5: Test\n\nOpen the Playground and try a query:\n\n```\nList SAP purchase orders\n```\n\nOr use the Sandbox tab on the integration to test a specific tool directly.\n\n---\n\n## Multiple Systems\n\nA single connector can route to multiple internal systems. Add separate integrations for each (SAP, Oracle, Dynamics) and point them all at the same connector.\n\n---\n\n## Monitoring\n\nCheck connector status on the Integrations page:\n\n- **Active**: VPN connected, relay healthy\n- **Degraded**: Connected but experiencing issues\n- **Down**: VPN disconnected or relay unavailable\n\n---\n\n## Troubleshooting\n\n**Relay won't connect**: Verify your VPN server is running and the port (UDP 51820 for WireGuard) is reachable from the internet. Double-check the client profile.\n\n**Can't reach internal system**: From your VPN server, confirm the internal hostname resolves and the port is open. Ensure your firewall allows traffic from the VPN subnet.\n\n**Authentication failures**: Verify credentials in the integration settings. Ensure the system account has the required permissions.\n\n---\n\n## Security\n\n- VPN connection is outbound from the relay to your server. 
No inbound rules required beyond the VPN port.\n- VPN credentials are stored encrypted.\n- Integration credentials are stored encrypted and never logged.\n- Communication between the relay and platform uses mutual TLS.\n- Use least-privilege system accounts (avoid admin/super-user access).\n\n---\n\n## Related\n\n- [Private Connectors](private-connectors) -- Feature overview\n- [Building Workflows](building-workflows) -- Use your on-premise tools in workflows\n- [Using the Playground](playground-guide) -- Test your connector interactively\n"
}