Assigning Tenants
Shared Gateways serve multiple tenants from a single device. Each tenant assignment creates an isolated networking environment on the gateway using VRF (Virtual Routing and Forwarding).
Assigning a Tenant
- Navigate to the Shared Gateway Detail page by clicking on an MTGE from the list.
- Select the Tenants tab.
- Click the Assign Tenant button (disabled if the gateway is at capacity).
- In the modal, configure the assignment:
| Field | Description |
|---|---|
| Tenant | Select a tenant from the dropdown |
| Protocol | Choose WireGuard (default) or IKEv2 for the App VPN tunnel |
| Internet Breakout | Enable or disable direct internet access for the tenant |
- Click Assign to confirm.
WireGuard is the default and provides high-performance tunneling. IKEv2 uses certificate-based authentication via StrongSwan and requires the MTGE to have a WAN IP configured (used as the certificate Common Name). Choose IKEv2 when clients need native OS VPN support (macOS, iOS, Windows).
What Happens on Assignment
When a tenant is assigned to a Shared Gateway, the following resources are automatically provisioned:
| Resource | Details |
|---|---|
| VRF | Allocated with ID = 100 + slot number, providing complete routing table isolation |
| WireGuard Ports | Allocated starting at base_port + (slot × 3), providing dedicated tunnel endpoints |
| IoT Subnet | Assigned from 10.20.{slot}.0/24 range |
| App VPN Subnet | WireGuard: 10.10.0.0/16 shared pool. IKEv2: 10.11.{slot}.0/24 per-tenant isolated pool |
| Configuration Push | Per-tenant configuration is pushed to the MTGE via MQTT |
The tenant's isolated environment is operational within seconds of assignment.
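
The allocation rules in the table above, written out as an added example (not the product's own code) that recomputes what each slot should receive and compares it with the VRF, Slot and Ports values reported on the Tenants tab. The `BASE_PORT` value, the order of the three ports, the 0-255 slot range and the row field names are assumptions; the sample rows are constructed.

```python
import ipaddress
from dataclasses import dataclass

BASE_PORT = 51820                        # assumption: base_port is not stated on the page
PORT_ROLES = ("iot", "apps", "peering")  # assumption: order of the three ports in a block

@dataclass(frozen=True)
class Allocation:
    vrf_id: int
    ports: dict
    iot_subnet: ipaddress.IPv4Network
    app_vpn_subnet: ipaddress.IPv4Network

def expected_allocation(slot, protocol, base_port=BASE_PORT):
    """Derive the resources a slot should receive under the documented rules."""
    if not 0 <= slot <= 255:             # assumption: slot is the third octet of 10.20.{slot}.0/24
        raise ValueError(f"slot {slot} does not fit in an IPv4 octet")
    if protocol not in ("wireguard", "ikev2"):
        raise ValueError(f"unknown protocol {protocol!r}")
    first = base_port + slot * 3
    if first + len(PORT_ROLES) - 1 > 65535:
        raise ValueError("port block exceeds 65535")
    ports = {role: first + i for i, role in enumerate(PORT_ROLES)}
    # WireGuard tenants share one App VPN pool; IKEv2 tenants get a per-slot /24.
    app = "10.10.0.0/16" if protocol == "wireguard" else f"10.11.{slot}.0/24"
    return Allocation(100 + slot, ports, ipaddress.ip_network(f"10.20.{slot}.0/24"),
                      ipaddress.ip_network(app))

def audit(rows, base_port=BASE_PORT):
    """Return findings for rows that deviate from the scheme or reuse a slot."""
    findings, owner = [], {}
    for row in rows:
        exp = expected_allocation(row["slot"], row["protocol"], base_port)
        if row["slot"] in owner:
            findings.append(f"{row['tenant']}: slot {row['slot']} already held by {owner[row['slot']]}")
        owner.setdefault(row["slot"], row["tenant"])
        if row["vrf"] != exp.vrf_id:
            findings.append(f"{row['tenant']}: VRF {row['vrf']} != expected {exp.vrf_id}")
        if sorted(row["ports"]) != sorted(exp.ports.values()):
            findings.append(f"{row['tenant']}: ports {row['ports']} != expected {sorted(exp.ports.values())}")
    return findings

# Constructed sample rows (not taken from a real gateway).
SAMPLE_ROWS = [
    {"tenant": "acme", "slot": 1, "protocol": "wireguard", "vrf": 101, "ports": [51823, 51824, 51825]},
    {"tenant": "globex", "slot": 2, "protocol": "ikev2", "vrf": 101, "ports": [51826, 51827, 51828]},
    {"tenant": "initech", "slot": 2, "protocol": "ikev2", "vrf": 102, "ports": [51826, 51827, 51828]},
]
```

Running `audit(SAMPLE_ROWS)` flags the VRF mismatch on the second row and the reused slot on the third; a shared slot means shared VRF ID, ports and IoT subnet, which is the condition that would break tenant isolation.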
Viewing Assigned Tenants
The Tenants tab displays all currently assigned tenants in a table:
| Column | Description |
|---|---|
| Tenant | Tenant name |
| VRF | The VRF ID assigned to this tenant |
| Slot | The slot number (determines port and subnet allocation) |
| Protocol | WireGuard or IKEv2 badge |
| Tunnel Mode | Full tunnel or split tunnel badge |
| Ports | Allocated port numbers for IoT, Apps, and Peering tunnels |
| Internet | Whether internet breakout is enabled or disabled |
| Onboard | Tenant onboarding status |
| Config | Configuration sync status |
| Actions | Settings (edit), Sync, Remove |
Editing a Tenant Assignment
Click the Settings (gear) icon on a tenant row to open the tenant edit modal. You can modify:
| Setting | Description |
|---|---|
| Protocol | Switch between WireGuard and IKEv2. Switching protocols requires re-provisioning VPN client devices. |
| Tunnel Mode | Switch between full tunnel (all traffic through VPN) and split tunnel (only specified routes) |
| Internet Breakout | Enable or disable direct internet access for the tenant's traffic |
Changes are saved and a configuration sync is triggered automatically.
Changing the App VPN protocol (e.g., from WireGuard to IKEv2) requires all VPN clients for this tenant to re-register. Existing client configurations will stop working after the switch.
Syncing Tenant Configuration
Click the Sync button on a tenant row to push the latest configuration for that specific tenant to the MTGE. This sends a per-tenant batch message via MQTT (VSR/{serial}/batch/{tenantId}).
Removing a Tenant
To remove a tenant from a Shared Gateway:
- On the Tenants tab, locate the tenant you want to remove.
- Click the Remove (trash) icon next to the tenant entry.
- Confirm the removal in the dialog.
Removing a tenant immediately disconnects all devices belonging to that tenant on this Shared Gateway. All VRF routes, WireGuard instances, NAT rules, and StrongSwan configurations for the tenant are cleaned up. VPN client registrations associated with this tenant on this gateway are also removed. This action takes effect immediately.
Removal does not delete the tenant from the platform — it only removes their presence from this specific gateway. The tenant can be re-assigned to the same or a different Shared Gateway later.
WAN Configuration
The MTGE Overview tab shows the gateway's WAN configuration:
- WAN IP — The static WAN IP address
- WAN Gateway — The upstream gateway address
WAN IP is required for IKEv2 protocol support, as it is used as the Common Name in the device certificate. Configure the WAN IP when setting up the MTGE or via the Edit modal.