ERP Sharing with TSplus + WireGuard for 10 Branches
📋 PHASE 1 — Planning
Before touching any software, collect requirements.
✅ STEP 1 — Decide Main Office Server
You need one central server.
Requirements
| Item | Recommended |
|---|---|
| OS | Windows Server 2019/2022 |
| RAM | Minimum 16 GB |
| CPU | i5/i7 or Xeon |
| Storage | SSD |
| Internet | Stable Fiber |
| UPS | Required |
✅ STEP 2 — Public Static IP
Requirement
You MUST get a public static IP from your ISP.
Ask ISP
Say:
“I need a public static IP with port forwarding support for a VPN server.”
✅ STEP 3 — Check CGNAT
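On the router:
- Check the WAN IP
Compare it with the public IP address shown by a "What Is My IP" website.
If Different
You are behind CGNAT.
Then:
❌ VPN hosting will not work properly, because inbound connections to the ISP's shared address cannot be forwarded to your router.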
✅ STEP 4 — Prepare Network IP Plan
Example:
| Device | IP |
|---|---|
| Server VPN | 10.0.0.1 |
| Branch 1 | 10.0.0.2 |
| Branch 2 | 10.0.0.3 |
| Branch 3 | 10.0.0.4 |
🛠️ PHASE 2 — Main Server Setup
✅ STEP 5 — Install Windows Server
Install:
- Windows Server
- Drivers
- Updates
✅ STEP 6 — Install ERP
Install your ERP software.
Test locally first.
✅ STEP 7 — Install TSplus
Install:
- TSplus
Configure
Enable:
- Remote access
- Multi-user sessions
Create:
- ERP users
✅ STEP 8 — Test TSplus Locally
Inside server:
Run:
mstsc
Connect:
localhost
Check ERP opens correctly.
🔐 PHASE 3 — WireGuard VPN Setup
✅ STEP 9 — Install WireGuard on Server
Install:
- WireGuard
✅ STEP 10 — Generate Server Keys
WireGuard automatically creates:
- Private key
- Public key
✅ STEP 11 — Create Server Config
Example:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
🌐 PHASE 4 — Router Configuration
✅ STEP 12 — Configure Port Forwarding
On office router:
| Setting | Value |
|---|---|
| Port | 51820 |
| Protocol | UDP |
| Destination IP | Server LAN IP |
✅ STEP 13 — Configure Firewall
Allow:
UDP 51820
Block from the internet:
- 3389 (RDP)
- 80 (HTTP)
- 443 (HTTPS)
🏢 PHASE 5 — Branch Setup
Repeat for all 10 branches.
✅ STEP 14 — Install WireGuard on Branch PC
Install WireGuard.
✅ STEP 15 — Generate Branch Keys
Each branch gets:
- Unique keys
✅ STEP 16 — Create Branch Config
Example:
[Interface]
Address = 10.0.0.2/24
PrivateKey = BRANCH_PRIVATE_KEY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_STATIC_IP:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
✅ STEP 17 — Add Branch Peer to Server
On server:
[Peer]
PublicKey = BRANCH_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
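Once all ten branch peers from Steps 15 to 17 are in the server file, it is worth checking that every peer has its own key and its own single address from the IP plan. The script below is an added example, not part of the original guide; the function names and the sample config are constructed for illustration, and it works for any number of peers.

```python
import ipaddress

# Constructed sample, trimmed to the lines the audit reads; keys are placeholders.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = BRANCH1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = BRANCH2_PUBLIC_KEY
AllowedIPs = 10.0.0.0/24
[Peer]
PublicKey = BRANCH1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
"""

def parse_sections(text):
    """Return [(section, {key: value})]; configparser rejects repeated [Peer]."""
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit_server_conf(text):
    """List problems: every peer needs its own key and one unused host address."""
    sections = parse_sections(text)
    server = ipaddress.ip_interface(
        next(body for name, body in sections if name == "Interface")["Address"])
    seen_ips, seen_keys, problems = {server.ip}, set(), []
    for n, peer in enumerate((b for name, b in sections if name == "Peer"), 1):
        key = peer.get("PublicKey", "")
        if not key or key in seen_keys:
            problems.append(f"peer {n}: public key missing or reused")
        seen_keys.add(key)
        try:
            net = ipaddress.ip_network(peer.get("AllowedIPs", ""), strict=False)
        except ValueError:
            problems.append(f"peer {n}: AllowedIPs missing or not a single entry")
            continue
        if net.prefixlen != net.max_prefixlen or net.network_address not in server.network:
            problems.append(f"peer {n}: {net} is not one host inside {server.network}")
        elif net.network_address in seen_ips:
            problems.append(f"peer {n}: {net.network_address} is already assigned")
        seen_ips.add(net.network_address)
    return problems
```

Call `audit_server_conf()` with the text of the server config; an empty list means every peer matches the plan.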
🧪 PHASE 6 — Testing
✅ STEP 18 — Activate VPN
On branch:
Click:
Activate
✅ STEP 19 — Test Ping
Run:
ping 10.0.0.1
If Successful
You should see:
Reply from 10.0.0.1
🖥️ PHASE 7 — TSplus Access
✅ STEP 20 — Open Remote Desktop
Run:
mstsc
Connect:
10.0.0.1
✅ STEP 21 — Login to TSplus
Enter:
- Username
- Password
✅ STEP 22 — Open ERP
ERP should load from server.
🔒 PHASE 8 — Security Hardening
✅ STEP 23 — Disable Public RDP
Never expose port 3389 (RDP) to the internet.
✅ STEP 24 — Restrict Firewall
Allow remote desktop (TSplus/RDP) connections to the server only from the VPN subnet:
10.0.0.0/24
✅ STEP 25 — Backup System
Backup:
- ERP database
- TSplus config
- WireGuard configs
🚀 PHASE 9 — Optimization
✅ STEP 26 — Monitor Server Load
Watch:
- RAM
- CPU
- Disk usage
✅ STEP 27 — Improve Stability
Recommended:
- UPS
- SSD
- Fiber internet
🎯 FINAL RESULT
After completion:
✅ 10 branches securely connected
✅ ERP accessible remotely
✅ Centralized management
✅ Encrypted communication
✅ Safe from direct internet attacks
🧠 MOST IMPORTANT THINGS TO REMEMBER
| Critical Rule | Why |
|---|---|
| Static Public IP | Provides a stable endpoint for VPN connectivity |
| Unique VPN IPs | Prevents IP conflicts between branches and devices |
| Only UDP 51820 Open | Reduces attack surface and improves VPN security |
| Never Expose RDP | Prevents direct internet attacks and brute-force hacking |
| VPN First, ERP Second | Ensures ERP traffic is accessed only through a secure VPN tunnel |