SSH Access

SecureLink provides SSH access to edge devices for troubleshooting and diagnostics. SSH sessions are routed through a secure bastion host rather than connecting directly to the edge.

Viewing SSH Credentials

SSH connection details are available on the Edge Detail page:

  1. Navigate to Equipment > Edges and click on the edge you want to access
  2. The SSH credentials section displays the connection information:
    • Hostname: The bastion host address
    • Port: The SSH port
    • Username: The SSH username for this edge

Click the Copy button next to the credentials to copy the full SSH command to your clipboard for easy pasting into your terminal.

Connecting Through the Bastion Host

All SSH connections to edge devices are routed through a secure bastion host. You do not connect directly to the edge's IP address. The bastion host:

  • Provides a single, auditable entry point for all edge SSH access
  • Handles authentication and session logging
  • Routes your connection to the correct edge device based on the provided credentials

Use the copied SSH command in your terminal to establish the connection:

ssh -p <port> <username>@<bastion-hostname>

SSH Is for Troubleshooting Only

SSH access is provided for diagnostics and troubleshooting purposes. All routine edge configuration -- interfaces, WireGuard, routing, NAT, ACLs, and other settings -- should be managed through the SecureLink UI. Changes made via the UI are tracked, versioned, and synchronized reliably.

Do Not Modify VPP Configuration via SSH

Never modify VPP configuration directly on the edge through SSH (e.g., using vppctl commands or editing configuration files). The SecureLink orchestrator manages VPP configuration through its sync process and will override any manual changes on the next configuration sync. Manual VPP changes can also cause configuration hash mismatches, leading to persistent "Failed" sync status.

What You Can Do via SSH

SSH is useful for:

  • Viewing logs: Check edge agent logs and system logs for error diagnosis
  • Checking interface status: Run read-only VPP commands to verify interface states
  • Network diagnostics: Run ping, traceroute, or other network diagnostic tools from the edge's perspective
  • Verifying connectivity: Confirm the edge can reach the orchestrator, DNS servers, and other network endpoints

What You Should Not Do via SSH

  • Modify VPP configuration (interfaces, routes, NAT, ACLs)
  • Restart VPP or the edge agent containers
  • Change system-level configuration files
  • Modify WireGuard keys or tunnel settings

If you need to change any of these, use the SecureLink UI and sync the configuration through the standard process.
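
One way to hold a troubleshooting session to the read-only VPP commands described above is a small wrapper around vppctl. This is an added example, not part of SecureLink or its documentation; the function names vpp_is_readonly and vpp_ro are hypothetical, and treating only "show" commands as read-only is an assumption of the example.

```shell
#!/bin/sh
# Added example: read-only guard for vppctl during an SSH diagnostic session.
# Assumption: a command is considered read-only only if its verb is "show".
# Everything else (set, create, delete, clear, ...) is refused.

# Return 0 if the given vppctl arguments form an allowed read-only command.
vpp_is_readonly() {
    # Join the arguments and squeeze whitespace so "  show   interface" matches.
    cmd=$(printf '%s ' "$@" | tr -s '[:space:]' ' ')
    cmd=${cmd# }
    cmd=${cmd% }

    # Refuse anything outside a conservative character set
    # (letters, digits, space, and the punctuation used in interface names).
    rest=$(printf '%s' "$cmd" | tr -d 'A-Za-z0-9 ._/:-')
    [ -z "$rest" ] || return 1

    case "$cmd" in
        show|"show "*) return 0 ;;   # display-only verb
        *)             return 1 ;;   # anything that could change state
    esac
}

# Run the command through vppctl only if it passes the check above.
# Refusals go to stderr and return status 2 so they are easy to spot.
vpp_ro() {
    if vpp_is_readonly "$@"; then
        vppctl "$@"
    else
        echo "refused (not a read-only VPP command): $*" >&2
        return 2
    fi
}
```

With the functions sourced into the session, vpp_ro show interface is passed through to vppctl, while a state-changing command such as vpp_ro set interface state ... is refused before it reaches VPP.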