Summary

Add a new ns-support-tunnel package that provides WebSocket-based remote support using tunnel-client, alongside the existing OpenVPN-based ns-don package.

What's new

• ns-support-tunnel package with pre-compiled tunnel-client binary
• support-tunnel script — start/stop/status with JSON output (-j), same interface as don
• UCI configuration at /etc/config/support-tunnel (url, system_key, system_secret, exclude_patterns, tls_insecure)
• health diagnostics plugin — checks core services (firewall, dnsmasq, dropbear), WAN connectivity, DNS resolution, overlay disk usage, nftables status, DHCP leases, and uptime with structured JSON details
• ubus API via ns.support-tunnel (start, stop, status) with rpcd ACL

How it works

• Tunnel-client connects via outbound WebSocket (no inbound ports needed)
• Automatic NethSecurity detection and service discovery (web UI on port 9090)
• Ephemeral admin user provisioned at session start, removed on stop
• System diagnostics collected on connection and sent to the support platform
• Session expiry managed server-side; support-tunnel stop triggers graceful cleanup

Configuration

uci set support-tunnel.config.url='wss://support.nethesis.it/api/tunnel'
uci set support-tunnel.config.system_key='NETH-...'
uci set support-tunnel.config.system_secret='...'
uci set support-tunnel.config.exclude_patterns='pattern1,pattern2'
uci set support-tunnel.config.tls_insecure='1'
uci commit support-tunnel

support-tunnel start -j
support-tunnel status -j
support-tunnel stop

What's unchanged

The existing ns-don package and its OpenVPN-based support system remain untouched.