| 1 | +# Getting a New Target Board Directly Accessible |
| 2 | + |
| 3 | +Quick guide to enable direct access to a new Foundries device via VPN. |
| 4 | + |
| 5 | +## Prerequisites |
| 6 | + |
| 7 | +- Foundries device is online and VPN enabled in FoundriesFactory |
| 8 | +- VPN server access (SSH to `144.76.167.54:5025`) |
| 9 | +- Your client VPN connection is active |
| 10 | + |
| 11 | +## Steps |
| 12 | + |
| 13 | +### 1. Verify Device Status |
| 14 | + |
| 15 | +Check device is online and VPN enabled: |
| 16 | +```bash |
| 17 | +fioctl devices show <device-name> |
| 18 | +``` |
| 19 | + |
| 20 | +Look for: |
| 21 | +- `status: OK` |
| 22 | +- `wireguard-client` section with VPN IP (e.g., `address=10.42.42.X`) |
| 23 | + |
| 24 | +### 2. Register Your Client Peer (If Not Already Done) |
| 25 | + |
| 26 | +If you can't ping the VPN server (`10.42.42.1`), register your client: |
| 27 | + |
| 28 | +```bash |
| 29 | +# Get your public key |
| 30 | +cat ~/.config/wireguard/foundries.conf | grep PrivateKey | awk '{print $3}' | wg pubkey |
| 31 | + |
| 32 | +# Register on server (replace with your public key and assigned IP) |
| 33 | +ssh root@144.76.167.54 -p 5025 |
| 34 | +wg set factory peer <your-public-key> allowed-ips 10.42.42.10/32 |
| 35 | +echo "<your-public-key> 10.42.42.10 your-name" >> /etc/wireguard/factory-clients.conf |
| 36 | +``` |
| 37 | + |
| 38 | +### 3. Enable Device-to-Device Communication |
| 39 | + |
| 40 | +**Server-side:** |
| 41 | +```bash |
| 42 | +# Get device public key |
| 43 | +fioctl devices show <device-name> | grep -A 5 wireguard | grep pubkey |
| 44 | + |
| 45 | +# Set AllowedIPs to subnet on server |
| 46 | +ssh root@144.76.167.54 -p 5025 |
| 47 | +wg set factory peer <device-public-key> allowed-ips 10.42.42.0/24 |
| 48 | +wg-quick save factory |
| 49 | +``` |
| 50 | + |
| 51 | +**Device-side (temporary - until PR is deployed):** |
| 52 | +```bash |
| 53 | +# SSH to device via server |
| 54 | +ssh root@144.76.167.54 -p 5025 |
| 55 | +ssh fio@<device-vpn-ip> |
| 56 | + |
| 57 | +# Update AllowedIPs on device |
| 58 | +sudo wg set factory-vpn0 peer <server-public-key> allowed-ips 10.42.42.0/24 |
| 59 | +``` |
| 60 | + |
| 61 | +**Note:** Device-side change is temporary. Once PR #18 is deployed with `--allow-device-to-device` flag, this will be persistent. |
| 62 | + |
| 63 | +### 4. Verify Connectivity |
| 64 | + |
| 65 | +```bash |
| 66 | +# Ping device |
| 67 | +ping -c 3 <device-vpn-ip> |
| 68 | + |
| 69 | +# SSH to device |
| 70 | +ssh fio@<device-vpn-ip> |
| 71 | +``` |
| 72 | + |
| 73 | +## Using MCP Tools |
| 74 | + |
| 75 | +Alternatively, use the MCP tools: |
| 76 | + |
| 77 | +```bash |
| 78 | +# Enable device-to-device (handles both server and device side) |
| 79 | +enable_foundries_device_to_device(device_name="<device-name>", device_ip="<vpn-ip>") |
| 80 | + |
| 81 | +# Test connectivity |
| 82 | +test_device(device_id="<device-name>") |
| 83 | +``` |
| 84 | + |
| 85 | +## Troubleshooting |
| 86 | + |
| 87 | +**Can't ping VPN server:** |
| 88 | +- Client peer not registered → Register client peer (Step 2) |
| 89 | + |
| 90 | +**Can ping server but not device:** |
| 91 | +- Server-side AllowedIPs not set → Set server AllowedIPs to subnet (Step 3) |
| 92 | + |
| 93 | +**Device can't send packets:** |
| 94 | +- Device-side AllowedIPs still `/32` → Update device AllowedIPs (Step 3) |
| 95 | + |
| 96 | +**After device reboot:** |
| 97 | +- Device-side AllowedIPs resets → Re-run device-side update (temporary until PR deployed) |
| 98 | + |
| 99 | +## Future (After PR #18 Deployment) |
| 100 | + |
| 101 | +Once `--allow-device-to-device` flag is deployed: |
| 102 | +- Server-side AllowedIPs will be set automatically |
| 103 | +- Device-side AllowedIPs will persist across reboots |
| 104 | +- Only client peer registration needed for new users |
| 105 | + |
| 106 | +--- |
| 107 | + |
| 108 | +*This document was created with the assistance of Cursor.AI for user @ajlennon.* |
| 109 | + |
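Review bot: In step 3's server-side block, `wg set factory peer <device-public-key> allowed-ips 10.42.42.0/24` widens the server's AllowedIPs entry for one device peer to the whole VPN subnet. On the server, that entry is both the source filter and the routing entry for the peer, so the device would be accepted as the sender of any 10.42.42.x address. Because an interface can assign a given prefix to only one peer, repeating the step for a second device moves the /24 away from the first. Forwarding between peers only needs the receiving side to accept the subnet from the server, which the device-side block already covers with `allowed-ips 10.42.42.0/24` on `<server-public-key>`. I suggest keeping each device peer at its own /32 on the server (the address shown by `fioctl devices show`) and dropping the server-side widening, or explaining why it is required. Two smaller documentation points: step 2 uses the literal `10.42.42.10/32` in both the `wg set` and the `echo` line, which invites address collisions if copied as-is, so a `<assigned-ip>` placeholder would be safer. Step 2 also has no `wg-quick save factory`, unlike step 3, so the guide should state whether the append to `/etc/wireguard/factory-clients.conf` is what makes the client peer persistent.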