Network & Connectivity Issues

Accessing Qwak over VPN/Proxy

If you're using a VPN or a proxy, you may encounter issues when running Qwak commands. This section provides guidance on how to resolve common errors related to SSL certificate verification when behind a VPN or proxy.

1. Proxy Access Errors


If your Proxy is filtering network traffic you might be experiencing this issue if you see the following error message when running qwak configure --api-key "xxx":

ProxyError: HTTPSConnectionPool(host='', port=443): 
Max retries exceeded with url: /.well-known/jwks.json 
(Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden')))


Check VPN/Proxy Settings:

Ensure that your VPN or proxy allows traffic to and from Qwak's following domains:

The Qwak Environment name can be found in your Qwak Dashboard, on the lower-left side: in the following example the environment name is grig-qwak.

2. Certificate Validation Errors


If your VPN/Proxy encrypts traffic from with additional certificates, they should be added to the CA certificate file. Typical certificate issues are appearing when configuring your Qwak CLI:

Caused by SSLError(SSLCertVerificationError(1, 
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (\_ssl.c:1129)')


1. Add the CA Certificate to certifi's Bundle

Qwak SDK relies on Python's certifi library for server certificate validation. To identify the location of your certificate validation file, run the following Python snippet:

import certifi

This will output the path to your certificate validation file.

Next, append your VPN's or Proxy's CA certificate to this cacert.pem file. Open the file in a text editor with administrative privileges and add the certificate at the end.

2. Verifying the new Certificate CA with OpenSSL

After adding your custom certificate, you can validate the connection using OpenSSL with the following command:

openssl s_client -connect -CAfile /path/to/your/cacert.pem

Check the output for a line that says Verify return code: 0 (ok). This indicates that the certificate has been successfully verified. If the verification fails, you will see a different return code along with a description of the failure.

Connecting to Cloud Resources Behind Private Networks

When your cloud resources are behind a private network or VPC, you may need to whitelist specific IP addresses to allow Qwak's platform to access them. For example when connecting to a new BigQuery or S3 based Data Source you might get a timeout error.


You might be facing this issue if:

  • You receive timeout errors when Qwak tries to access your cloud resources.
  • Your cloud resource logs show unauthorized or blocked access attempts from Qwak's IP addresses.
  • Data transfers or API calls between Qwak and your cloud resources are failing without a clear error message.


To ensure seamless connectivity, please add the following range of Qwak IP addresses to your network's whitelist:


Need assistance?

For more information and questions, feel free to reach out to Qwak support using the in-platform chat.