Wolf-App — Setup Guide

Get your new Wolf IoT Gateway running Wolf-App connected and configured.

This page helps you get your new Wolf IoT Gateway running Wolf-App connected and configured, and points you to the documentation, security information, and downloads that come with the product.

Quick Start

1. Mount the device and connect cables

Mount the gateway on a DIN rail or place it on the bench for setup.

Connect all the cables you will need before powering the device.

  • Ethernet — plug a cable into the RJ45 port on the connector panel. Connect the other end to your local network (a switch or router). The gateway gets an IP address automatically from your DHCP server once it boots.
  • Field wiring on the expansion card (if you have any) — connect Modbus, RS-485, sensors, relays, or other field devices to the expansion-card terminals. Refer to the expansion-card datasheet for the pinout.
  • Nano-SIM (only if you have the LTE-fitted variant) — slide it into the slot on the connector panel. Disable the SIM PIN before inserting.
  • microSD (optional) — for extended logging or storage. Format as ext4 (FAT32, NTFS, exFAT are not supported).

2. Power the device

The Wolf Gateway runs on DC power. The voltage range depends on your expansion-card variant — check the model code on the device label:

Model code Variant Voltage
GW-WOLF-RS-R1 2-Port RS-485 9–30 V DC
GW-WOLF-OI-R1 3OI3RO 9–30 V DC
GW-WOLF-IO-R2 8ADio1Ro 12–30 V DC
GW-WOLF-DA-R1 2DALI 21–30 V DC

There are two ways to power the gateway:

  • DC jack (back panel). Plug in the adapter that came with the device.
  • Screw terminals on the expansion card. The terminals are labelled + and . Use this if your installation wires power directly from a cabinet rail.

When you connect power, the green LED on the connector panel lights up immediately. After Wolf-OS finishes booting (about 30 seconds), the LED switches to a heartbeat blink — that means the gateway is running.

3. Find the device IP address

The gateway does not advertise itself by default. To find its IP address:

  • Easiest — open your router's admin page and look at the connected-clients list. The Wolf Gateway appears with a MAC address starting with 8C:1F:64: (FoxIoT OÜ). Many routers also show its hostname wolf-....

  • Alternative — run a network scan from a computer on the same LAN:

    sudo nmap -sn 192.168.0.0/24

    Replace 192.168.0.0/24 with your LAN's network range. In the result, look for a host with MAC address from FoxIoT OÜ (the MAC starts with 8C:1F:64:...).

  • Use a known IP (recovery mode) — if you cannot find the device on your network, boot it into recovery mode to reach it at a fixed IP:

    1. With power disconnected, press and hold the front-panel button.
    2. Apply power while continuing to hold the button.
    3. When the yellow LED begins blinking rapidly, release the button within 5 seconds.
    4. The gateway is now reachable at http://192.168.2.127:5080.

    Connect your computer to the same network with an IP in the 192.168.2.x range (for example, set your network adapter to 192.168.2.10 / 255.255.255.0).

4. Open the web UI

In a browser, go to:

http://<device-ip>:5080

You should see the Wolf-App login screen.

5. Log in and set a new password

The factory default credentials are:

Field Value
Username foxiot
Password foxiot

After you log in, the system immediately shows a "Change password required" dialog. You must set a new strong password before you can do anything else.

Password rules:

  • At least 10 characters
  • Uppercase letter
  • Lowercase letter
  • Number
  • Special character (for example: !, ?, *, #)

The forced change is mandatory. The shared default password works only for the very first login.

Harden Your Gateway

Do these steps after your first login. They take 15–30 minutes and significantly improve the security of your deployment. Step E is optional.

A. Enable two-factor authentication (TOTP)

Why: if your password is ever leaked, a second factor stops an attacker from logging in.

Steps:

  1. Click Users in the left menu.
  2. Click your username (foxiot, or whatever you renamed it to).
  3. Enter your current password in the prompt that appears.
  4. Click Enable 2FA.
  5. Open a TOTP app on your phone — for example Google Authenticator, 1Password, Bitwarden, or Microsoft Authenticator.
  6. Scan the QR code on the screen with the app.

2FA is now active. Log out and back in to verify — after your password, the login asks for the 6-digit code from your app.

B. Set up the WireGuard VPN

Why: a VPN encrypts all access to the gateway from outside your local network. It is also a precondition for closing the HTTP port in the next step.

You need a WireGuard server. The server administrator gives you the assigned IP (in CIDR form, for example 172.19.1.100/32), the endpoint (hostname/IP and port), the server's public key, and the allowed IPs (which network ranges go through the VPN).

Steps:

  1. Click Network → WireGuard in the left menu. The page shows the Secure VPN tunnel (wg1) configuration.
  2. In the Configuration form, fill in:
    • Address (IPv4 CIDR) — e.g. 172.19.1.100/32
    • Endpoint (hostname or IPv4 with port) — e.g. vpn.example.com:51820
    • Allowed IPs (comma-separated IPv4 CIDRs) — e.g. 172.19.1.0/24
    • Persistent keepalive (seconds, optional)25 if your VPN server is behind NAT, otherwise leave empty
    • Peer public key — the server's public key
    • Peer pre-shared key (optional) — leave empty unless your server uses one
  3. Click Save WireGuard. The gateway asks for a reboot to apply the new settings — confirm it.
  4. After the gateway reboots, return to Network → WireGuard. In the Status section at the top of the page, copy the Controller public key.
  5. The Controller public key must be added on the VPN server side as the gateway's peer — otherwise the tunnel cannot start. If you manage the VPN server yourself, add it there. If someone else manages it, send them the key.

The tunnel becomes active once both ends are configured.

Verify: from a computer connected to the same VPN, open http://<gateway-vpn-ip>:5080. The login screen should load.

C. Close the HTTP port on the LAN

Why: once the VPN works, you no longer need to expose the web UI (port 5080) on the local network. The web UI sends login credentials in cleartext over HTTP — closing port 5080 forces all UI access through the encrypted VPN.

Verify the VPN works first. If you close the port without a working VPN, you will lock yourself out of the web UI. Recovery is via SSH (if still open) or factory reset.

Steps:

  1. Click Network → Firewall in the left menu.
  2. In the Incoming TCP ports on eth0 section, configure port 5080 with action DROP:
    • If a row for port 5080 already exists, change its Action to DROP.
    • If no row exists, click Add port and set Port to 5080, Action to DROP.
  3. Click Save firewall.
  4. The gateway asks for a reboot — confirm it. The new firewall rule applies after reboot.

Verify (after reboot):

  • From a computer on the local LAN (not connected to the VPN), open http://<gateway-lan-ip>:5080. The connection should be refused.
  • From a computer on the VPN, open http://<gateway-vpn-ip>:5080. The login screen should still load.

Optional — close SSH (port 22) as well

SSH is already encrypted and uses key-only authentication on Wolf-App, so the risk is much lower than HTTP. Many integrators leave SSH open on the local network so they can recover the device on-site if Wolf-App or the VPN ever fail.

Close port 22 only if you are sure on-site SSH access is not needed.

Trade-off. With both HTTP and SSH closed, the device is reachable only through the VPN. If the VPN server fails or the gateway loses its VPN configuration, the device is effectively bricked and recovery requires a factory reset (which erases all settings).

Steps: same as above, but for port 22 instead of 5080. Reboot when prompted.

If you locked yourself out: factory-reset the device using the front-panel button. The button sequence is described in the user information PDF (§8(d)). The reset wipes all settings and credentials, after which you can log in again with foxiot / foxiot.

D. Check the audit log and firmware version

Why: the audit log records UI logins, configuration changes, and firmware updates. Checking the firmware version confirms you are on the latest published release, which includes the latest security fixes.

Steps:

  1. Click Users → Audit Log in the left menu. Confirm that your recent actions (login, password change, 2FA setup, firewall change, etc.) appear in the log.
  2. Click System in the left menu. In the Versions block, note the firmware version.
  3. Compare it with the latest version listed at foxiot.eu/firmware/wolf-gateway/. If a newer version is available, install it — the user information PDF §8(c) describes the firmware update procedure.

The system clock is set automatically by NTP (chrony) when the gateway has internet access. There is no UI option for manual time setting.

E. (Optional) Add an SSH key for advanced access

Wolf-App ships with no SSH keys configured by default, so SSH login is not possible out of the box. Most users do not need SSH — the web UI is enough.

Before you use SSH to make any changes to the gateway, contact FoxIoT support at support@foxiot.eu. Direct shell modifications can affect the gateway's stability and its CE / CRA compliance status — a short consultation helps you avoid both.

Add an SSH key only if:

  • You are a power user who wants direct shell access to the controller, or
  • You want a fallback access method on the local network if the web UI ever fails.

You need: an SSH public key on your computer. If you don't have one yet, the SSH Keys page has a Show instructions button that explains how to generate one.

Steps:

  1. Click Network → SSH Keys in the left menu.
  2. In the Add key section, paste your public key (the one-line ssh-ed25519 AAAA... user@host text) into the field.
  3. To add more keys, click Add key for an extra field and paste another public key.
  4. Click Save keys.
  5. The gateway asks for a reboot — confirm it. The keys become active after reboot.

Verify (after reboot): from a computer on the LAN (or via VPN), run:

ssh root@<gateway-ip>

You should be logged in without a password prompt.

Common Issues

The device does not appear on the network. Check the green LED is on (device is powered), the Ethernet cable is plugged in, and your DHCP server is reachable. The gateway can take up to about 30 seconds after boot to get an IP address.

http://<device-ip>:5080 shows "connection refused". The web service may still be starting. Wait one minute after the first boot, then try again.

The default foxiot / foxiot login is rejected. Type both fields exactly as shown — both lowercase, no spaces. If the device was set up before, the default credentials no longer work; you need a factory reset.

You forgot the password / want to start from scratch. Use the front-panel button to factory-reset the device. The button sequence is described in the user information PDF §8(d). The reset erases all user data and credentials. After reboot, log in with foxiot / foxiot again.

Everything that ships with the product, as required by EU Regulation 2024/2847 (Cyber Resilience Act):

Document Link
User information (Annex II) — full security guidance, lifetime maintenance, data removal, support period PDF ↓
EU Declaration of Conformity Available on request — security@foxiot.eu
Coordinated vulnerability disclosure policy Open page →
Security advisories /legal/security.html (advisories listed at the top of the page)
Firmware downloads /firmware/wolf-gateway/
Older versions of these documents (10-year retention archive) Browse archive →

Support and Contact

Topic Contact
General product support, integration questions support@foxiot.eu
Security vulnerability reports (responsible disclosure) security@foxiot.eu — please read our coordinated vulnerability disclosure policy before reporting
Postal address (manufacturer) FoxIoT OÜ, Pärnu mnt 148, 11317 Tallinn, Estonia

Looking for the marketing / specifications page instead? See Wolf Gateway product overview.