Deploying the Gateway
The Breakwater Gateway combines Collector (discovery/monitoring) + Channel (secure remote access) + Coastal IDS in a single on-site appliance. It is designed for DIN-rail mounting inside control panels alongside industrial equipment.
Hardware Options
Bosch ctrlX CORE
The Breakwater Gateway runs on Bosch Rexroth ctrlX CORE — an industrial-grade, DIN-rail mountable compute platform purpose-built for OT environments. Part of the ctrlX AUTOMATION ecosystem, it provides a hardened Linux-based OS with CE, UL, and IEC 61131 certifications.
| Model | Form Factor | Target | Coastal IDS | Price |
|---|---|---|---|---|
| Gateway X3 | ctrlX CORE X3 Compact | Small/medium sites (up to 200 devices) | Yes | $1,699 |
| Gateway X5 | ctrlX CORE X5 Modular | Large/enterprise sites (200+ devices) | Yes | $4,599 |
Both models include all protocol licenses (OPC UA, EtherNet/IP, EtherCAT) and the Container Engine for running Breakwater services.
| Feature | Gateway X3 | Gateway X5 |
|---|---|---|
| Platform | ctrlX CORE X3 Compact | ctrlX CORE X5 Modular |
| Form Factor | DIN-rail mount | DIN-rail mount (modular expansion) |
| OS | ctrlX OS (hardened Linux) | ctrlX OS (hardened Linux) |
| Protocols | OPC UA, EtherNet/IP, EtherCAT | OPC UA, EtherNet/IP, EtherCAT |
| Coastal IDS | Included | Included |
| Container Engine | Included | Included |
| Environment | Industrial temp, vibration-resistant | Industrial temp, vibration-resistant |
BYOD Requirements
Run the Gateway software on your own hardware:
- CPU: x86_64
- Memory: 4 GB+ RAM
- Storage: 64 GB+
- Network: 2+ network interfaces
- OS: Ubuntu 22.04 / 24.04 or Debian 12 (other glibc ≥ 2.28 distros likely work — RHEL 8+, Debian 10+, Ubuntu 18.04+)
- Outbound firewall: UDP 51820 (encrypted tunnel) + HTTPS 443. No inbound ports required.
Pair the Gateway in 3 Steps
Breakwater uses a pairing-code flow that mirrors what you'd expect from a modern device: install the agent, it shows a short code, you type that code into the portal, done. The agent generates its own WireGuard keypair locally — the private key never leaves the gateway.
Step 1: Install the agent
Gateway X3 / X5 (ctrlX CORE): Power on and connect to your network. The Breakwater app is pre-loaded; skip to Step 2.
BYOD (Linux):
curl -fsSL https://breakwater.techgonecoastal.com/downloads/install.sh | sudo bash
That's the entire install command — no flags, no copy-pasting secrets. The installer:
- Drops the agent at
/opt/breakwater-gateway - Creates
breakwater-gateway.service(native systemd unit) - Brings the agent up in setup mode, which opens a small local web UI on
:9080 - Logs to
journalctl -u breakwater-gateway
The agent then generates a fresh WireGuard keypair on the device, registers its public key with the cloud, and displays a 6-character pairing code formatted ABC-123.
Step 2: Find the pairing code
Open a browser on the same network as the gateway and visit:
http://<gateway-ip>:9080
The pairing code is displayed prominently. Codes expire after 15 minutes — if you wait too long, just refresh the page to generate a new one.
The agent then long-polls the cloud, waiting for the code to be claimed.
Step 3: Claim the code in the Breakwater portal
In the Breakwater portal:
- Channel → Gateways → Add Gateway
- Type the 6-character code (e.g.
K7B-XQ4) - Select the Site the gateway belongs to
- Click Pair
The cloud allocates a tunnel IP from 10.200.0.0/16, adds the gateway's public key as a WireGuard peer, and writes the gateway record. The agent's next poll (within ~2 seconds) receives the peer details, writes /etc/wireguard/wg0.conf, and brings up the tunnel.
The local :9080 UI flips to "Connected ✓" and the gateway status in the portal flips from Provisioning to Connected. The supervisor then exec's the main agent automatically.
- The pairing-register call is unauthenticated (the agent can't prove it's "yours" yet), but the claim call requires an authenticated admin in your org — so an attacker who happens to register a stale code can't bind it to your tenant.
- The WireGuard private key is generated on the gateway and is never transmitted or stored centrally. Re-pairing always rotates the keypair.
- Pairing codes use the alphabet
A-Z 2-9(32 chars, no0/O/1/Iconfusables) and are formatted with a hyphen for legibility.
Step 4: Verify
# Tunnel up?
sudo wg show wg0
# Agent running?
systemctl status breakwater-gateway
# Reach the cloud?
ping -c 3 10.200.0.1
# Recent logs
journalctl -u breakwater-gateway -n 50 --no-pager
Step 5: Register Devices
Add OT devices accessible through this gateway in the Channel UI:
- Device name and IP address
- Allowed protocols
- Recording policy
Re-pair / Reset
If you need to wipe enrollment and start fresh — moving the gateway to a different site, after a hardware swap, or recovering from a misconfiguration:
sudo systemctl stop breakwater-gateway
sudo rm -f /etc/breakwater/config.yaml /etc/wireguard/wg0.conf /var/lib/breakwater/wg-private.key
sudo systemctl start breakwater-gateway
The agent will generate a new keypair, register a new pairing code, and the :9080 UI will be ready for a fresh claim.
Operations
sudo systemctl status breakwater-gateway
sudo systemctl restart breakwater-gateway
sudo systemctl stop breakwater-gateway
sudo journalctl -u breakwater-gateway -f
Network Configuration
Recommended Network Layout
Internet
│
[Firewall] ← Allow UDP 51820 + HTTPS 443 outbound only
│
[OT Network Switch]
├── Port 1: Gateway (management interface)
├── Port 2: Gateway (OT network interface)
├── Port SPAN: → Gateway (IDS mirror port)
├── PLC 1
├── PLC 2
├── HMI
└── ...
Firewall Rules
The gateway needs outbound only — no inbound ports:
| Direction | Protocol | Port | Destination | Purpose |
|---|---|---|---|---|
| Outbound | UDP | 51820 | 207.246.81.247 | Encrypted tunnel |
| Outbound | TCP | 443 | breakwater.techgonecoastal.com | API + telemetry |
| Internal | UDP | 161 | OT devices | SNMP polling |
Pairing setup also needs short-term LAN access to the gateway's :9080 UI from your admin workstation — that port is local-only and not reachable from the internet.
Coastal IDS
On all Gateway models (X3 and X5), Coastal IDS monitors OT traffic passively:
Rulesets
- ET Open — General ICS/SCADA rules (Modbus, DNP3, S7, EtherNet/IP)
- Custom Coastal — Site-specific rules generated from your Manifest inventory
- CISA-derived — Rules auto-generated from ICS-CERT advisories via Lookout
SPAN Port Configuration
Configure your OT switch to mirror traffic to the gateway's IDS interface:
! Cisco example
monitor session 1 source interface Gi1/0/1 - 24
monitor session 1 destination interface Gi1/0/48
IDS alerts flow into the Lookout module for correlation with CVE data and threat actor profiles.
Advanced: Legacy Enrollment (provision-then-paste)
Earlier versions of the gateway used a flag-driven enrollment where the cloud generated keys + tunnel config and the operator pasted them into the install command. This path is still supported for automation use cases (Ansible / Terraform), but the pairing-code flow above is the recommended path for interactive installs.
# Legacy: provision in portal first, copy values, then:
curl -fsSL https://breakwater.techgonecoastal.com/downloads/install.sh | sudo bash -s -- \
--gateway-id YOUR_GATEWAY_ID \
--tunnel-ip YOUR_TUNNEL_IP \
--server-pubkey YOUR_SERVER_PUBKEY \
--endpoint 207.246.81.247:51820 \
--mode gateway
The legacy path generates the WireGuard private key in the cloud (transmitted once over TLS); the pairing-code path generates it on-device. For new installs, prefer the pairing-code flow.