
feat: add WebSocket-based support tunnel (coexists with don) #1134

Draft
edospadoni wants to merge 4 commits into main from feature/support-tunnel

@edospadoni edospadoni commented Mar 26, 2026

Summary

Add a new WebSocket-based remote support system (tunnel-client) alongside the existing OpenVPN-based "don". The two systems coexist — when the tunnel-client is mature, don will be removed.

What's new

  • tunnel-client binary shipped in the core image (core/support-tunnel/)
  • Node actions: start-tunnel-client, stop-tunnel-client, get-tunnel-client-status — run on individual nodes
  • Cluster actions: start-tunnel-all-nodes, stop-tunnel-all-nodes, get-tunnel-all-nodes — orchestrate all nodes in parallel via agent.tasks.runp_brief()
  • support-tunnel.service systemd unit with RuntimeMaxSec=7d safety net (session expiry managed server-side by MY platform)
  • install-support-tunnel helper that extracts binary and plugins from the core image on each node
  • users.d/nethvoice plugin for ephemeral FreePBX user provisioning
  • diagnostics.d/health plugin that checks core services, Redis, modules, failed units, and TLS certs

How it works

  • Credentials come from cluster/support_tunnel Redis hash
  • The tunnel-client connects via WebSocket with yamux multiplexing
  • Service discovery is automatic via Traefik routes (all nodes)
  • User provisioning: leader creates cluster-admin + domain users, workers fetch credentials via USERS_FETCH stream
  • Diagnostics collected on connection and sent to the support service

Configuration

# Set tunnel credentials (on leader node)
redis-cli HSET cluster/support_tunnel url "wss://support.my.nethesis.it/api/tunnel"
redis-cli HSET cluster/support_tunnel key "NETH-..."
redis-cli HSET cluster/support_tunnel secret "..."
redis-cli HSET cluster/support_tunnel exclude_patterns "pattern1,pattern2"
redis-cli HSET cluster/support_tunnel tls_insecure "true"

# View current config
redis-cli HGETALL cluster/support_tunnel

Usage

# All nodes
api-cli run cluster/start-tunnel-all-nodes
api-cli run cluster/get-tunnel-all-nodes
api-cli run cluster/stop-tunnel-all-nodes

# Single node
api-cli run node/1/start-tunnel-client
api-cli run node/1/get-tunnel-client-status
api-cli run node/1/stop-tunnel-client

What's unchanged (don)

All existing OpenVPN support files remain untouched: support.service, start-support-session, stop-support-session, get-support-session, etc. The new system uses separate paths (/var/lib/nethserver/support-tunnel/) and service names.
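
A configuration check for the cluster/support_tunnel hash described above, added here as an example and not part of the pull request or the project's code. It reads raw `redis-cli HGETALL` output (field line, then value line); the function names and finding labels are hypothetical, the sample values are constructed, and it assumes `tls_insecure "true"` turns off TLS certificate verification, which the description does not spell out.

```shell
#!/bin/sh
# Added example (not project code): audit the cluster/support_tunnel hash.
# Intended use on the leader node:
#   redis-cli HGETALL cluster/support_tunnel | audit_support_tunnel

# Constructed sample input in redis-cli's raw (non-tty) HGETALL format.
sample_hgetall() {
    printf '%s\n' \
        url "wss://support.example.invalid/api/tunnel" \
        key "NETH-EXAMPLE" \
        secret "constructed-secret" \
        exclude_patterns "pattern1,pattern2" \
        tls_insecure "true"
}

# Prints one finding label per line; returns 0 only when nothing is flagged.
audit_support_tunnel() {
    url="" key="" secret="" tls_insecure="" findings=""
    # Fields and values alternate, one per line.
    while IFS= read -r field && IFS= read -r value; do
        case "$field" in
            url) url=$value ;;
            key) key=$value ;;
            secret) secret=$value ;;
            tls_insecure) tls_insecure=$value ;;
        esac
    done
    case "$url" in
        wss://*) ;;                                   # TLS-protected WebSocket
        "") findings="$findings MISSING_URL" ;;
        *) findings="$findings NON_TLS_URL" ;;        # e.g. ws:// or http://
    esac
    [ -n "$key" ] || findings="$findings MISSING_KEY"
    [ -n "$secret" ] || findings="$findings MISSING_SECRET"
    # Assumption: these spellings all enable the insecure mode.
    case "$tls_insecure" in
        true|True|TRUE|1) findings="$findings TLS_VERIFY_DISABLED" ;;
    esac
    # Report labels only; the key and secret values are never echoed.
    for f in $findings; do
        echo "$f"
    done
    [ -z "$findings" ]
}
```

The non-zero exit status on any finding lets the check gate a start-tunnel step in a script or a monitoring probe.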

github-actions bot pushed a commit that referenced this pull request Mar 26, 2026
github-actions bot pushed a commit that referenced this pull request Mar 27, 2026
…write, tls_insecure and exclude_patterns config
github-actions bot pushed a commit that referenced this pull request Mar 27, 2026
github-actions bot pushed a commit that referenced this pull request Mar 27, 2026