tech-support is the CLI behind the Remote Support feature. It opens a temporary, operator-initiated WireGuard tunnel from the Defend-O-Tron to the Awesome-O support team and starts a strictly-scoped SSH session that lives only as long as the operator keeps the terminal window open. Press Enter and the whole thing tears itself down — tunnel, session, and the device's temporary support account all collapse together.
This page is the deeper-dive companion to the operator-facing Remote Support page. If you're an admin just wanting to open a support session, the operator page is the friendlier read.
Where to run it: Open the Cockpit admin interface and click Tools → Terminal, then type
tech-support. The shell will prompt for yoursudopassword. You can also run it over SSH — but if the support team is troubleshooting a networking problem, the Cockpit terminal is the more reliable surface (it doesn't depend on your SSH path working).
tech-support
That's it. No flags, no arguments. Press Enter to end the session.
$ tech-support
[sudo] password for admin:
Support account will expire on 2026-05-17 (Etc/UTC)
OK Success support user account
OK Success creating wireguard interface wg0
Public Key: [ VFZ9XaE+V08XnoIaEtUGlAzzk2NLoQ43Zxyag+gfcik= ] for remote server
[+] Running 2/2
✔ Network wgnet Created 0.1s
✔ Container support Started 1.3s
Press enter to exit support mode...
The script's actions, in order:
/opt/deploy/support/config/support.env — currently the time-zone passed to the support container and the verbosity level for the netavark WireGuard plugin.wg.key / wg.pub under /var/lib/awesome-o-remote-support/) — never reused across sessions. The tunnel goes out on UDP 60-62 to the support endpoint.do-stacks. The container is a stripped-down image containing the SSH daemon and the scoped tooling the support engineer needs.[Enter]
[+] Running 2/2
✔ Container support Removed 0.7s
✔ Network wgnet Removed 0.0s
OK Success removing wireguard wg0
admin@defend-o-tron:
When the operator presses Enter:
do-stacks).The whole process from key tap to "tunnel closed" is typically under one second.
/opt/deploy/support/config/support.env carries device-side settings. The two runtime knobs:
| Variable | Effect |
|---|---|
TZ |
Time zone passed into the support container. Affects timestamps in nginx logs inside the container — set so logs match the device clock. |
NETAVARK_WIREGUARD_LOG_LEVEL |
Verbosity of the in-house netavark WireGuard plugin: debug / info / warn / error. Default debug is appropriate for an investigation; you'd flip to warn for a quieter session if you don't need plugin diagnostics. |
You generally don't need to touch this file — defaults work for the standard support flow.
No inbound ports need to be opened on your firewall. If tech-support can't connect within its built-in timeout, it gives up and prints an error — usually a firewall block on UDP 60-62 or a DNS issue.
tech-support invocation lands in /var/log/auth.log. The audit subsystem signs the rotated copy of that log in its daily manifest — so an auditor or compliance officer can see when support sessions opened and closed.2026-05-16T19:25:24.975804-06:00 defend-o-tron systemd-logind[716]: New session 432 of user support@awesome-o.
2026-05-16T19:25:25.058604-06:00 defend-o-tron (systemd): pam_unix(systemd-user:session): session opened for user support@awesome-o(uid=9999) by (uid=0)
2026-05-16T19:25:26.168869-06:00 defend-o-tron sshd[182339]: pam_env(sshd:session): deprecated reading of user environment enabled
2026-05-16T19:26:23.916648-06:00 defend-o-tron sshd[182369]: Received disconnect from 172.20.250.9 port 53402:11: Bye
2026-05-16T19:26:23.918326-06:00 defend-o-tron sshd[182369]: Disconnected from user support@awesome-o 172.20.250.9 port 53402
2026-05-16T19:26:23.924086-06:00 defend-o-tron sshd[182339]: pam_unix(sshd:session): session closed for user support@awesome-o
2026-05-16T19:26:23.939171-06:00 defend-o-tron systemd-logind[716]: New session 432 logged out. Waiting for processes to exit.
2026-05-16T19:26:23.945569-06:00 defend-o-tron systemd-logind[716]: Removed session 432.
| Path | Role |
|---|---|
/usr/local/sbin/tech-support |
The script itself (shipped by awesome-o-remote-support). |
/opt/deploy/support/config/support.env |
Device-side configuration. |
/var/lib/awesome-o-remote-support/wg.key |
Device WireGuard private key (mode 0600 root, persisted across sessions in the Phase-1 design — the same key reused so the support server's allowlist can be stable). |
/var/lib/awesome-o-remote-support/wg.pub |
Device WireGuard public key. Safe to share with the support team. |
/etc/nftables.d/support-acl.nft |
Firewall set support-outports permitting UDP 60-62 outbound. Owned by awesome-o-base. |
support.