跳至主要内容

Remote Access — Tunnel

Overview

A Tunnel is an on-demand reverse port-forwarding session that lets you reach TCP-based services available to a WEDA Node without opening an inbound firewall port or configuring a VPN on the device's network.

When you request a tunnel session, WEDA Node initiates an outbound connection to the WEDA tunnel service. WEDA then forwards traffic from the assigned tunnel endpoint to the customer-specified application host and port. The target can be a service on the WEDA Node itself or another host reachable from the device's local network.

Target Services

WEDA Tunnel forwards TCP traffic according to the application host and port specified by the customer. This allows it to reach a broad range of services without requiring the tunnel to understand the application protocol.

ExampleTypical targetNotes
SSHAn SSH service on the WEDA Node or local networkConnect with a standard SSH client and authenticate with an account configured on the target SSH service.
HTTP or HTTPSA web dashboard or REST serviceTLS, when used, is handled by the target service.
MQTTAn MQTT broker reachable from the deviceConnect with an MQTT client through the assigned tunnel host and port.
Other TCP servicesA customer-specified host and portAvailability depends on the target service and the serviceType values supported by the WEDA release.

Session States

StateDescription
REQUESTEDSession created; WEDA Cloud is instructing WEDA Node to establish the tunnel
ESTABLISHINGWEDA Node is opening the reverse WebSocket connection
ESTABLISHEDTunnel is active; the endpoint is ready to accept connections
RECONNECTINGBrief disconnection detected; WEDA Node is automatically reconnecting
TERMINATINGTermination in progress
TERMINATEDSession closed normally
FAILEDThe session failed to establish, reconnect, or terminate; inspect its health and termination details

The detail response also includes healthStatus (HEALTHY, DEGRADED, UNHEALTHY, or UNKNOWN) and, when applicable, terminationSource and terminationReason.

Operations

OperationAPIDescription
Create Tunnel SessionPOST /api/v1/devices/{deviceId}/tunnels/sessionsCreate and start a new tunnel session
List Tunnel SessionsGET /api/v1/devices/{deviceId}/tunnels/sessionsList tunnel sessions, with optional status, service type, tag, pagination, and sorting filters
Get Session DetailsGET /api/v1/devices/{deviceId}/tunnels/sessions/{tunnelSessionId}Get details and current state of a session
Terminate SessionDELETE /api/v1/devices/{deviceId}/tunnels/sessions/{tunnelSessionId}Request graceful or immediate termination of a tunnel session

Constraints

Creating a session

  • Device must be online and registered
  • serviceType: identifies the intended service category; use a value supported by the WEDA release
  • applicationHost: IP address or hostname reachable from the device's local network (use 127.0.0.1 for services on the device itself)
  • applicationPort: integer 1–65535
  • No other ports are blocked or reserved — including ports below 1024 — as long as the target service is actually listening there
  • purpose and tags are required — used for auditing and filtering

Session lifetime

  • Connection timeout: If no client connects within 120 seconds after creation, the session closes automatically
  • Maximum lifetime: The session closes 3600 seconds (1 hour) after creation, regardless of activity

Terminating a session

  • Sessions in REQUESTED, ESTABLISHING, ESTABLISHED, or RECONNECTING state can be terminated
  • Graceful termination allows existing connections to close cleanly before the tunnel closes
  • Set forceTimeout to a reasonable value (e.g. 30 seconds) to bound the graceful shutdown window

Concurrency

  • There is currently no limit on the number of tunnel sessions per device, user, or organization
  • Overall concurrent tunnels are still bounded by the Tunnel Server's shared capacity
Authentication

The tunnel provides network access to the target service; it does not replace that service's authentication. For example, SSH credentials and the resulting user, root, or sudo privileges remain under the control of the target device's SSH service.

Network Requirements

WEDA Node initiates two outbound connections — it never listens for inbound traffic:

RequirementDetail
Outbound destinationsA Message Broker endpoint (control channel) and a Tunnel Server endpoint (data channel). Both are provided to the device at provisioning time, not hardcoded — the exact hostname varies by environment
Outbound ports / protocolControl channel: TCP/4222 over TLS. Tunnel data channel: typically 443 (WSS — WebSocket over TLS). No inbound ports are required
DNS resolutionRequired — both endpoints are normally provided as hostnames
HTTP/HTTPS proxyNot supported. The device does not read HTTP_PROXY / HTTPS_PROXY / NO_PROXY, and the tunnel client has no proxy configuration. Allow the device to connect outbound directly, or use a transparent proxy / L4 firewall rule — a standard forward proxy will not work
SaaS vs. on-premisesEndpoint addresses differ by deployment (on-premises uses your own broker/tunnel server addresses), but the protocol and port pattern are the same
Tunnel Server address stabilityThe Tunnel Server URL is supplied per session by WEDA Cloud and is not fixed on the device — it can vary by environment or which server is assigned
IP allowlistingAllowlist by FQDN/domain, not by IP — the Tunnel Server address can change, and the platform aims to keep the destination stable at the domain level

If the Tunnel Service Is Unreachable

The POST call still returns 202, and the session progresses REQUESTEDESTABLISHING. If it doesn't establish within the session's timeout, or exhausts its reconnect attempts, the session transitions to FAILED with terminationReason describing the cause — the failure surfaces through session status, not as an error on the original request.

Troubleshooting Checklist

  1. Confirm the firewall allows outbound connections to the Message Broker (4222/TLS) and Tunnel Server (443/WSS)
  2. Confirm DNS resolves both endpoint hostnames
  3. Check for a proxy or DPI device intercepting the WebSocket upgrade — proxies are not currently supported
  4. Confirm the target service (applicationHost:applicationPort) is actually listening on the device's local network

Network-level failures typically surface as session status FAILED.

Scenario

A field engineer needs terminal access to a WEDA Node on a factory floor network to investigate a container issue:

The engineer connects to the host and port in tunnelEndpoint with a standard SSH client and authenticates with an account configured on the target SSH service. No inbound firewall rule or VPN is required on the device's network.


Last updated on Jul-17, 2026 | Version 1.1.0