Connector Deployment

Connectors are lightweight edge devices designed for small branch offices or remote sites that need basic connectivity back to a hub edge. They use Linux native networking instead of VPP, resulting in the simplest deployment process and lowest resource requirements of any SecureLink device type.

Prerequisites

  • Any Linux server (Ubuntu 22.04+ recommended)
  • Docker installed and running
  • SSH access configured
  • Minimum hardware: 1 CPU core, 1 GB RAM, 1 NIC
  • A hub edge must already be deployed and configured with WireGuard

No VPP, no DPDK/AF_PACKET choice

Connectors always use Linux native networking. There is no VPP installation and no choice between DPDK and AF_PACKET modes.

Hub Edge Requirement

Before deploying a connector, you must have a hub edge already deployed and active. The connector establishes a WireGuard tunnel back to its assigned hub edge. During connector registration in the UI, you select which hub edge the connector will connect to.

The hub edge's WireGuard configuration is automatically updated to include the connector as a peer, and the connector receives the hub edge's public key and endpoint in its batch config.

Deployment with the Installer CLI

The recommended way to deploy a connector is using the SecureLink Installer CLI:

sudo ./securelink-installer install \
--token NLZ-XXXX-XXXX-XXXX-XXXX \
--url http://orchestrator:3001

The installer automatically detects the device type from the deployment token (connector tokens produce a connector deployment). It handles identity provisioning, Docker Compose generation, and service startup. See the Installer CLI page for the full command reference.

No hugepages, no VFIO, no VPP configuration — the installer skips all dataplane setup for connectors.

Tip

Connectors are ideal for sites that need basic SD-WAN connectivity without the complexity of a full VPP edge deployment. If a site later needs higher performance or more advanced features, it can be replaced with a dedicated edge.

Registration

Before deployment, register the connector through the SecureLink web UI:

  1. Navigate to Equipment > Connectors in the sidebar
  2. Click Add Connector
  3. Provide the connector details and select the hub edge it will connect to
  4. The dialog displays a one-time deployment token (NLZ-XXXX-XXXX-XXXX-XXXX) — save this immediately
  5. Run the installer on the connector device using the token
  6. The connector appears in the list and transitions to Active once it connects

Configuration

Connectors receive their configuration from the orchestrator automatically via MQTT batch config. The following are configured through the SecureLink web UI:

Configuration     Description
----------------  ------------------------------------------------------------------------
WireGuard tunnel  Auto-configured based on hub edge assignment (keys, endpoint, allowed IPs)
Static routes     Routes pushed to the connector for directing traffic through the tunnel
NAT rules         Source NAT for outbound traffic from the connector's LAN
ACL rules         Access control lists for traffic filtering

When the connector's WireGuard configuration changes, the hub edge is automatically marked as needing a config sync (and vice versa), ensuring both sides stay in sync.

Verification

Check connector status in the UI

Navigate to Connectors in the SecureLink web UI. The connector should show an Active status with a recent last-seen timestamp.

Verify on the hub edge

The connector appears as a WireGuard peer on the hub edge. In the hub edge's detail page, navigate to the WireGuard Peers section. The connector peer is displayed with a blue Connector badge to distinguish it from regular VPN peers.

Check from the connector

ssh admin@<CONNECTOR_IP> "sudo docker logs connector-agent"

Look for successful MQTT connection and batch config processing messages.

Troubleshooting

Connector not transitioning to Active

  • Verify the connector can reach the MQTT broker (check firewall rules)
  • Confirm the bootstrap credentials were entered correctly
  • Check container logs: sudo docker logs connector-agent

WireGuard tunnel not establishing

  • Verify the hub edge is online and its WireGuard interface is up
  • Check that the hub edge's public IP/endpoint is reachable from the connector
  • Review the connector's WireGuard config: sudo wg show on the connector
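The tunnel check above can be scripted. The following is an added example, not part of the SecureLink tooling: it classifies each peer from the machine-readable `wg show <iface> dump` output by handshake age. The interface name wg0, the 180-second threshold, and the sample keys and addresses are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify WireGuard peers from `wg show <iface> dump` output.
# Dump lines are tab-separated. Line 1 describes the interface:
#   private-key, public-key, listen-port, fwmark
# Every later line describes one peer:
#   public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
#   transfer-rx, transfer-tx, persistent-keepalive

# Assumption: a handshake older than 180 s counts as stale. This is only
# meaningful when keepalives or regular traffic keep the session active.
MAX_AGE=180

# check_wg_peers NOW_EPOCH   (reads the dump on stdin)
# Prints one line per peer; returns non-zero if any peer is not OK.
check_wg_peers() {
  awk -F'\t' -v now="$1" -v max="$MAX_AGE" '
    NR == 1 { next }                  # interface line holds the private key
    {
      if ($5 == 0)             state = "NEVER"   # no handshake completed yet
      else if (now - $5 > max) state = "STALE"
      else                     state = "OK"
      if (state != "OK") bad++
      # Print a short public-key prefix only, never private or preshared keys.
      printf "%s peer=%s... endpoint=%s allowed=%s\n", state, substr($1, 1, 8), $3, $4
    }
    END { exit (bad > 0) }'
}

# Constructed sample dump (placeholder keys, documentation IP ranges).
sample_dump() {
  printf 'PRIVconstructed=\tCONNconstructed=\t51820\toff\n'
  printf 'HUB1constructed=\t(none)\t203.0.113.10:51820\t10.10.0.0/24\t1699999940\t4096\t8192\t25\n'
  printf 'HUB2constructed=\t(none)\t198.51.100.7:51820\t10.20.0.0/24\t1699990000\t512\t1024\t25\n'
  printf 'HUB3constructed=\t(none)\t(none)\t10.30.0.0/24\t0\t0\t0\toff\n'
}

# Demo on the sample with a fixed clock of 1700000000.
# On a connector (interface name wg0 is an assumption):
#   sudo wg show wg0 dump | check_wg_peers "$(date +%s)"
sample_dump | check_wg_peers 1700000000 || echo "at least one peer needs attention"
```

The first line of `wg show <iface> dump` contains the interface private key, so pipe the output straight into the function rather than saving it or pasting it into a ticket.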

Hub edge not showing connector peer

  • Ensure the connector's WireGuard configuration has been synced
  • Check that the hub edge received a config update (look for config confirmation in the orchestrator logs)
  • Verify bidirectional dirty flag coordination is triggering syncs on both sides