Peliqan allows you to securely connect to on prem (on premise) data sources such as locally installed databases (SQL Server, MySQL, Postgres etc.), on prem business applications and on prem servers using one of the following methods:
- Scenario 1: Open up a port on your on-prem firewall and apply IP Whitelisting
- Scenario 2: Set up a VPN tunnel between your on-prem environment and the Peliqan data cloud by installing the Peliqan VPN client (mesh)
- Scenario 3: Set up an IPSec site-to-site VPN tunnel
Scenario 1: IP Whitelisting
In this scenario, we assume you have an on-prem firewall, you open up a port on the firewall for access by Peliqan, and you whitelist the Peliqan IP addresses so that no one else can connect to the given port. More info:
IP whitelistingScenario 2: Peliqan VPN tunnel (mesh)
Peliqan supports self-service activation of the NetBird VPN, a secure software-only VPN that establishes a peer to peer mesh connection between your on-prem server and the Peliqan data cloud. Once the VPN tunnel is active, you can add e.g. a database connection in Peliqan, using the local IP address of your server.
Peliqan also supports a wide range of other protocols and VPN vendors, please contact support to request the setup of your custom VPN, examples:
- WireGuard
- OpenVPN
- IPSec
- WatchGuard VPN
- Fortinet VPN (FortiClient/FortiGate)
- TailScale VPN
- Sophos
- And others
About NetBird
NetBird is an open-source, secure, peer-to-peer private network built on top of WireGuard. It enables encrypted connections between devices across different networks without the need for complex VPN setups or static IPs. Ideal for secure connectivity to internal services, NetBird simplifies private networking using a modern control plane.
How it works
NetBird uses a centralized management service (self-hosted or cloud) to coordinate peer connections and distribute WireGuard keys. Once connected, peers communicate directly using encrypted WireGuard tunnels.
Security
- End-to-end encryption with WireGuard (ChaCha20, Curve25519)
- Granular access control and group-based permissions
- Device authorization, NAT traversal, and zero-trust principles
Supported Server operating Systems
- Linux (including server distributions)
- macOS
- Windows (from Windows 10)
More info: https://www.netbird.io/
Peliqan VPN (NetBird) setup guide
This guide applies to installing the NetBird client on both Windows servers and Linux servers.
Sign up for a new account on NetBird.io.
Ideally do this in a browser directly on the on-prem server that you want to connect with Peliqan.
Select peer-to-peer network:
Download and install the NetBird client, on the on-prem server that you want to connect to Peliqan:
After installing, in the NetBird client, click on “Connect”. This will open a browser window, login with your NetBird account:
Authorize access:
Close the browser window:
You can also connect using the command line:
netbird up
Or using a Setup Key:
netbird up --setup-key <YOUR SETUP KEY>
Go back to your NetBird account on https://app.netbird.io:
You will now create a Setup Key for Peliqan.
Click on “Install with a Setup Key”. If an Installation popup opens, close it.
If you are in the NetBird Dashboard, click on Setup Keys in the left pane and click on “Create Setup Key”.
Use following settings for the Setup Key:
- Name: “Peliqan”
- "Make this key reusable" needs to be checked
- Usage Limit: 5 peers (or more)
- Expires in: Unlimited
- Ephemeral Peers: not enabled (unchecked)
Copy the Setup Key and click on Close:
Share the following details with Peliqan Support:
- Setup key created for Peliqan
- Netbird IP address of your on-prem server
- Port of your on-prem database
You can find the Netbird IP address of your server in Netbird under Peers, see for example 100.107.11.28 in the screenshot below:
Peliqan will configure its client and confirm connectivity to your on-prem server.
Important! Make sure to disable Peer Session Expiration in Netbird, under Settings > Authentication, to make sure your connection does not get disconnected:
Once Peliqan Support confirms that the VPN is active: in Peliqan go to Connections > Add Connection > Search e.g. for “SQL Server”. Enter the connection details, and use the internal hostname that you received from Peliqan Support. Example:
Troubleshooting
If needed, run the command netbird status and check if the response includes Signal:connected.
Connect to an on-prem SQL Server (Windows server)
Make sure TCP/IP is enabled in your SQL Server Configuration Manager:
Running the VPN client on a separate machine
If you run the VPN Client (NetBird) on the same machine as your local on-prem DB (or other data source), you can directly connect from the Peliqan Cloud to the on-prem resource, using the IP address of the VPN network and the correct port of the DB:
If you run the VPN Client (NetBird) on a separate server or virtual machine (VM), you have to set up port forwarding on that machine, to the server with the on-prem DB (or other data source):
Set up port forwarding on Linux with IP Tables.
Set up port forwarding on Windows Server using netsh.
Example to add a port forwarding for SQL Server with port 1433:
netsh interface portproxy add v4tov4 listenport=1433 listenaddress=0.0.0.0 connectport=1433 connectaddress=10.10.0.xTo list all port forwardings:
netsh interface portproxy show allTo delete a port forwarding:
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=1433Scenario 3: set up an IPSec site-to-site VPN tunnel
Use this scenario if you already have a VPN gateway, for example Fortigate. You can use the below settings for your tunnel:
IPSec Site-to-Site VPN | Peliqan settings | Customer settings |
VPN Brand | AWS IPSec Site-to-Site VPN | E.g. Fortigate |
VPN Gateway IP | Will be provided by Peliqan Support | Provide this to Peliqan |
VPN type | Route based (static) | Route based (static) |
IKE Phase 1 | ||
IKE version | version 2 | version 2 |
PSK | Will be provided by Peliqan (securely) | Will be provided by Peliqan (securely) |
Hashing algorithm | SHA512 | SHA512 |
Encryption algorithm | AES-256 | AES-256 |
DH Group | Group 21 | Group 21 |
Key timeouts | 28800 seconds | 28800 seconds |
IPSec phase 2 | ||
Hashing algorithm | SHA512 | SHA512 |
Encryption algorithm | AES-256 | AES-256 |
PFS | Group 20 | Group 20 |
Lifetime | 3600 seconds | 3600 seconds |
Routed subnet | 10.0.16.0/20 | Provide this to Peliqan |
Please provide following information to Peliqan support:
VPN tunnel | |
VPN Brand | E.g. Fortigate |
VPN Gateway IP | xx.xx.xx.xx |
Routed subnet | xx.xx.xx.xx/20 |
IT Technical Contact | |
Company name | |
Contact name | |
Email | |
Phone | |
Timezone / working hours | |
On-prem data source | |
Type | e.g. SQL Server |
Host (internal IP address) | xx.xx.xx.xx |
Port | e.g. 1433 |
Credentials (e.g. login & password) | Send using e.g. OneTimeSecret |
Once Peliqan has received this information, Peliqan will set up a VPN customer gateway and provide a setup file to you, based on your VPN Gateway brand (e.g. Fortigate).
Optional configuration (please inform Peliqan if you want to configure any of these settings):
- BGP (dynamic routing) instead of static routes
- Set up a second (fallback) tunnel