VPN Settings

The VPN tab allows you to connect your WiCAN Pro to a remote secure network using either Tailscale or standard WireGuard.

This feature is incredibly powerful if you want to securely route your vehicle's telemetry data to a home server (like Home Assistant) over a cellular hotspot, or if you want to remotely access the WiCAN's Web UI from anywhere in the world without opening ports on your router.


1. Setting up Tailscale

Tailscale is a Zero Trust mesh VPN built on top of WireGuard. It is the easiest and most secure way to remotely connect to your WiCAN Pro because it requires absolutely no port forwarding, DDNS, or firewall configuration.

When connected, Tailscale assigns your WiCAN Pro a private 100.x.x.x IP address that is globally accessible from any of your authenticated devices.

Connecting the WiCAN Pro

  1. Log in to your Tailscale Admin Console.
  2. Navigate to Settings > Keys and generate a new Auth Key (a reusable or non-expiring key is recommended for embedded devices).
  3. On the WiCAN Pro, change the VPN dropdown to Tailscale.
  4. Paste your Auth Key into the provided field and click Submit.
  5. Once authenticated, the WiCAN's Network tab will display its live status as connected (tailscale) and reveal its newly assigned 100.x.x.x IP address!

🏠 Integration: Home Assistant

Tailscale is the ultimate solution for piping live vehicle telemetry to Home Assistant while driving.

  1. In Home Assistant, go to Settings > Add-ons and install the official Tailscale add-on.
  2. Start the add-on and log in using the exact same Tailscale account you used to generate the WiCAN's Auth Key.
  3. Open your Tailscale Admin Console and verify both Home Assistant and the WiCAN Pro are listed under "Machines" with green connected dots.
  4. In your Home Assistant MQTT or REST integrations, simply use the WiCAN's 100.x.x.x Tailscale IP address as the target. They are now securely networked together, no matter where the vehicle drives!

2. Setting up WireGuard (Advanced)

If you prefer to manage your own keys and routing, the WiCAN Pro fully supports native WireGuard connections.

The Easy Way: Importing a Config File

The simplest way to configure WireGuard is to generate a configuration file on your VPN server (using tools like wg-easy, PiVPN, or your router's VPN dashboard).

  1. Change the VPN dropdown to WireGuard.
  2. Scroll down to the Configuration File section.
  3. Click Choose File and select the .conf file generated by your server.
  4. The WiCAN Pro will automatically parse the file and fill in all the Interface and Peer fields for you.

Manual Configuration

If you prefer to enter the details manually, the fields are broken down into standard WireGuard structures:

  • Interface: Represents the WiCAN Pro itself.
    • Private / Public Key: The cryptographic keys identifying the device.
    • Address: The internal IP address assigned to the WiCAN on the VPN (e.g., 10.2.2.3/32).
  • Peer: Represents your VPN Server.
    • Public Key & Preshared Key: The server's public key and, if used, the preshared key shared between the WiCAN and the server.
    • Allowed IPs: Defines what traffic goes through the VPN. Setting this to 0.0.0.0/0 routes all WiCAN traffic through the VPN.
    • Endpoint: The public IP address or hostname and port of your server (e.g., 198.51.100.1:51820).
    • Persistent Keepalive: Sends a ping every X seconds to keep the connection alive.

WARNING
Cellular Hotspot Users: Mobile carriers use strict NAT (CGNAT) and will aggressively kill idle UDP connections. If you intend to use a mobile hotspot while driving on a standard WireGuard tunnel, you must set your Persistent Keepalive to 15. If left blank or set to 0, your VPN tunnel will silently drop.
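
A pre-import check for a WireGuard .conf, as an added example (not WiCAN firmware or project code): it parses the Interface and Peer fields described above and flags a missing Persistent Keepalive and a 0.0.0.0/0 Allowed IPs entry. The function names, the finding strings and the sample file with its placeholder keys are assumptions made for illustration.

```python
import base64
import ipaddress

# Constructed sample: placeholder key (32 zero bytes) plus this page's example values.
KEY = base64.b64encode(bytes(32)).decode()
SAMPLE = f"""[Interface]
PrivateKey = {KEY}
Address = 10.2.2.3/32
[Peer]
PublicKey = {KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.1:51820
"""

def parse_conf(text):
    """Split a WireGuard .conf into the [Interface] dict and a list of [Peer] dicts."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)  # base64 padding stays in the value
            cur[key.strip().lower()] = value.strip()
    return iface, peers

def is_key(value):  # WireGuard keys are 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint(text, cellular=True):
    """Return findings for the Interface and Peer fields (added checks, not firmware logic)."""
    iface, peers = parse_conf(text)
    out = [] if is_key(iface.get("privatekey", "")) else ["Interface: bad PrivateKey"]
    for n, p in enumerate(peers, 1):
        ka = p.get("persistentkeepalive", "0")
        nets = [a.strip() for a in p.get("allowedips", "").split(",") if a.strip()]
        if not is_key(p.get("publickey", "")):
            out.append(f"Peer {n}: bad PublicKey")
        if cellular and not (ka.isdigit() and int(ka) > 0):
            out.append(f"Peer {n}: PersistentKeepalive unset or 0")
        if any(ipaddress.ip_network(a, strict=False).prefixlen == 0 for a in nets):
            out.append(f"Peer {n}: AllowedIPs is a full tunnel")
    return out
```

Run lint() on the text of the file generated by your server before uploading it. The file contains the device's private key, so store and transfer it as a secret.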


3. Testing and Verifying the Connection

  • For Tailscale: Check the Network tab on the main dashboard. If the key is valid, the UI will dynamically fetch and display your Mesh IP. If authentication fails or the key is rejected, it will actively warn you with a connecting / invalid key status.
  • For WireGuard: Click the Test Connection button on the VPN settings page. The WiCAN Pro will attempt a live handshake with your server, and a success or failure notification will appear.

4. VPN Debug Tools

If your connection fails, the VPN Debug section at the bottom of the page provides low-level diagnostics to help you pinpoint the issue.

  • Refresh: Updates the live status panel. Pay attention to the Gating row—it will tell you if prerequisite requirements are met (e.g., ensuring Wi-Fi is connected and the device's clock is synced via NTP, which cryptographic tunnels require to function).
  • Resolve Endpoint: Forces the WiCAN to look up the DNS record of your Peer Endpoint to ensure your router/cellular hotspot is properly resolving the server's address.
  • Resolve NTP: Verifies that the WiCAN can reach the global time servers (time.windows.com and pool.ntp.org) required to set its internal clock.

5. Seamless Mobile Hotspot Roaming

If you plan to have the WiCAN Pro automatically switch from your Home Wi-Fi to your Mobile Hotspot as you drive away from your house, the firmware handles this transition natively using active signal monitoring and dynamic VPN teardowns.

How "Sticky Client" Roaming Works

The WiCAN actively monitors its connection to your Home Wi-Fi. If the signal drops to an unusable level (-92 dBm for 15 consecutive seconds) as you drive down the street, it will aggressively disconnect. This triggers the VPN manager to instantly purge stale UDP sockets and immediately scan your Fallback Network list for your Mobile Hotspot, resulting in a lightning-fast VPN reconnection.

TIP
Pro Tip for the Fastest Hand-Off: For the ultimate seamless experience, set your mobile hotspot's SSID and Password to be exactly identical to your Home Wi-Fi. This allows the ESP32's internal hardware to handle the hand-off dynamically before the Wi-Fi connection even formally drops!