
feat: add WebSocket-based support tunnel (coexists with don) #1575

Draft

edospadoni wants to merge 7 commits into main from feature-support-tunnel

Conversation

@edospadoni

@edospadoni edospadoni commented Mar 27, 2026

Member

Summary

Add a new ns-support-tunnel package that provides WebSocket-based remote support using tunnel-client, alongside the existing OpenVPN-based ns-don package.

What's new

  • ns-support-tunnel package with pre-compiled tunnel-client binary
  • support-tunnel script — start/stop/status with JSON output (-j), same interface as don
  • UCI configuration at /etc/config/support-tunnel (url, system_key, system_secret, exclude_patterns, tls_insecure)
  • health diagnostics plugin — checks core services (firewall, dnsmasq, dropbear), WAN connectivity, DNS resolution, overlay disk usage, nftables status, DHCP leases, and uptime with structured JSON details
  • ubus API via ns.support-tunnel (start, stop, status) with rpcd ACL

How it works

  • Tunnel-client connects via outbound WebSocket (no inbound ports needed)
  • Automatic NethSecurity detection and service discovery (web UI on port 9090)
  • Ephemeral admin user provisioned at session start, removed on stop
  • System diagnostics collected on connection and sent to the support platform
  • Session expiry managed server-side; support-tunnel stop triggers graceful cleanup

Configuration

uci set support-tunnel.config.url='wss://support.nethesis.it/api/tunnel'
uci set support-tunnel.config.system_key='NETH-...'
uci set support-tunnel.config.system_secret='...'
uci set support-tunnel.config.exclude_patterns='pattern1,pattern2'
uci set support-tunnel.config.tls_insecure='1'
uci commit support-tunnel

support-tunnel start -j
support-tunnel status -j
support-tunnel stop

What's unchanged

The existing ns-don package and its OpenVPN-based support system remain untouched.

Related: NethServer/my#47
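
As an added example (not the project's code and not part of the PR), a Python reader for the `/etc/config/support-tunnel` file: it parses OpenWrt UCI syntax (`config`, `option`, `list` statements), produces a JSON-serialisable status view with `system_secret` redacted and `exclude_patterns` split into a list, and flags the settings a reviewer would question, chiefly `tls_insecure='1'`, which turns off server-certificate verification on the `wss://` connection and lets anyone on the path impersonate the support platform. Only the option names and the `support-tunnel.config.*` section name come from the PR description; the section type `support-tunnel`, the sample values and the check logic are assumptions.

```python
"""Parse an OpenWrt UCI file and sanity-check the support-tunnel section.

Added example; not the project's own code.  Option names follow the PR
description; the section type 'support-tunnel' is an assumption."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the `uci set support-tunnel.config.*` calls
# from the PR description (values are placeholders, not real credentials).
SAMPLE_UCI = """
config support-tunnel 'config'
    option url 'wss://support.nethesis.it/api/tunnel'
    option system_key 'NETH-EXAMPLE'
    option system_secret 'not-a-real-secret'
    option exclude_patterns 'pattern1,pattern2'
    option tls_insecure '1'
"""

# One token per match: single-quoted, double-quoted, or bare word.
_TOKEN = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"|(\S+)")


def _tokens(line):
    """Split a UCI line into tokens, honouring single and double quotes."""
    return [a or b or c for a, b, c in _TOKEN.findall(line)]


def parse_uci(text):
    """Return {section_name: {'.type': type, option: value, list_opt: [..]}}.

    Anonymous sections are named '@type[N]' the way `uci show` prints them."""
    sections, current, anon = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tok = _tokens(line)
        if tok[0] == 'config' and len(tok) >= 2:
            stype = tok[1]
            if len(tok) > 2:
                name = tok[2]
            else:
                name = f"@{stype}[{anon.get(stype, 0)}]"
                anon[stype] = anon.get(stype, 0) + 1
            current = sections.setdefault(name, {'.type': stype})
        elif tok[0] == 'option' and current is not None and len(tok) >= 3:
            current[tok[1]] = tok[2]
        elif tok[0] == 'list' and current is not None and len(tok) >= 3:
            current.setdefault(tok[1], []).append(tok[2])
    return sections


def check_support_tunnel(sections, section='config'):
    """Return (level, option, message) findings for the tunnel settings."""
    cfg = sections.get(section, {})
    findings = []
    parts = urlsplit(cfg.get('url', ''))
    if parts.scheme != 'wss':
        findings.append(('error', 'url', f"expected wss:// scheme, got {parts.scheme!r}"))
    if not parts.hostname:
        findings.append(('error', 'url', 'url has no host'))
    for key in ('system_key', 'system_secret'):
        if not cfg.get(key):
            findings.append(('error', key, 'missing or empty'))
    if cfg.get('tls_insecure') == '1':
        findings.append(('warning', 'tls_insecure',
                         'server certificate verification is disabled; '
                         'the support platform can be impersonated on-path'))
    return findings


def summarize(sections, section='config'):
    """JSON-friendly view: secret redacted, patterns split, findings attached."""
    cfg = dict(sections.get(section, {}))
    if cfg.get('system_secret'):
        cfg['system_secret'] = '***'
    cfg['exclude_patterns'] = [p.strip() for p in cfg.get('exclude_patterns', '').split(',') if p.strip()]
    findings = [dict(zip(('level', 'option', 'message'), f))
                for f in check_support_tunnel(sections, section)]
    return {'config': cfg, 'findings': findings}


if __name__ == '__main__':
    print(json.dumps(summarize(parse_uci(SAMPLE_UCI)), indent=2))
```

Run against a real box with `summarize(parse_uci(open('/etc/config/support-tunnel').read()))`; a clean deployment should produce an empty `findings` list, and the `tls_insecure` warning should be treated as a blocker outside a lab.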

Picks up NethServer/my@73ee92c1 so the browser terminal lands in the operator's home directory instead of the tunnel-client's cwd (/).

Keeps the binary in lockstep with NethServer/ns8-core#1134. The cluster/module_domains lookup added in NethServer/my@8e0b557d is a no-op on NethSecurity but the shared binary is built from a single source.

Keeps the binary in lockstep with NethServer/ns8-core#1134. The module_domains refresh added in NethServer/my@8666b3ef is NS8-only and a no-op on NethSecurity but the shared binary is built from a single source.