diff --git a/docs/website/docs.html b/docs/website/docs.html index 798b45e..fd1d31c 100644 --- a/docs/website/docs.html +++ b/docs/website/docs.html @@ -101,6 +101,7 @@ Navigation Device Management Config Editor + Remote Access Monitoring & Alerts Reports @@ -141,6 +142,7 @@
  • Configuration — Config Editor with two-phase safe apply, batch configuration across devices, bulk CLI commands, reusable templates, Simple Config (Linksys/Ubiquiti-style UI), and git-backed config backup with diff viewer.
  • Monitoring — Interactive network topology (ReactFlow + Dagre), real-time metrics via SSE/NATS, configurable alert rules, notification channels (email, webhook, Slack), audit trail, KMS transparency dashboard, and PDF reports.
  • Security — 1Password-style zero-knowledge architecture with SRP-6a auth, 2SKD key derivation, Secret Key with Emergency Kit, OpenBao KMS for per-tenant envelope encryption, Internal CA with SFTP cert deployment, WireGuard VPN, and AES-256-GCM credential encryption.
  • +
  • Remote Access — One-click WinBox tunnel launch via NATS request-reply, browser-based SSH terminal (xterm.js over WebSocket), per-device session management with idle timeouts, and full audit logging of remote sessions.
  • Administration — Full multi-tenancy with PostgreSQL RLS, user management with RBAC, API keys (mktp_ prefix), firmware management, maintenance windows, and setup wizard.
  • UX — Command palette (Cmd+K), Vim-style keyboard shortcuts, dark/light mode, Framer Motion page transitions, and shimmer skeleton loaders.
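Review bot: "full audit logging of remote sessions" in the new Remote Access bullet reads as if session content is recorded, while the Session Management table added in the same change lists audit logging as "Yes (open/close)" and "Yes (open/close with duration)"; reword to "audit logging of session open/close" so the feature list and the table agree on what is actually captured.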
  • @@ -452,6 +454,7 @@ open http://localhost reportsPDF report generation (Jinja2 + WeasyPrint) api_keysAPI key management (mktp_ prefix) maintenance_windowsScheduled maintenance with alert suppression + remote_accessWinBox tunnel and SSH terminal session management vpnWireGuard VPN management certificatesInternal CA and device TLS certificates transparencyKMS access event dashboard @@ -468,6 +471,8 @@ open http://localhost
  • Circuit breaker: Backs off from unreachable devices to avoid wasting poll cycles
  • Credential decryption: OpenBao Transit with LRU cache (1024 entries, 5min TTL) to minimize KMS calls
  • Output: Publishes poll results to NATS JetStream; the API’s NATS subscribers process and persist them
  • +
  • Remote access: Tunnel manager allocates TCP ports (49000–49004) for WinBox sessions; SSH relay server bridges WebSocket connections to RouterOS SSH via PTY
  • +
  • NATS responder: Listens on tunnel.open.* / tunnel.close.* for API-initiated WinBox tunnel requests
  • Database access: Uses poller_user role which bypasses RLS (needs cross-tenant device access)
  • Memory limit: 256 MB
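Review bot: The new Remote access line gives a five-port pool (49000–49004) but does not say what happens on the sixth concurrent WinBox request; document the error the API returns when the pool is exhausted and whether an idle tunnel is reclaimed to serve it. The same line should state which address the allocated ports bind to, since the Ports table maps 49000–49004 on the host and the tunnel is described as a plain TCP proxy to port 8291; a reader needs to know whether anyone other than the requesting user can connect while a tunnel is open. Because the poller runs as poller_user and bypasses RLS (the Database access line just below), the NATS responder line should also say that tenant and RBAC checks for tunnel.open.* happen in the API before the request is published, as the poller itself cannot enforce them.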
  • @@ -503,7 +508,8 @@ open http://localhost @@ -555,6 +561,8 @@ open http://localhost NATS Monitor82228222HTTP OpenBao82008200HTTP WireGuard5182051820UDP + WinBox Tunnels49000–4900449000–49004TCP + SSH Relay (WebSocket)22222222TCP @@ -821,6 +829,14 @@ open http://localhost +

    Remote Access Buttons

    +

    The device detail page includes WinBox and SSH buttons for one-click remote access:

    + +

    Both session types have configurable idle timeouts (WinBox: 5 min, SSH: 15 min) and are fully audit-logged.

    +

    Simple Config

    Simple Config provides a consumer-router-style interface modeled after Linksys and Ubiquiti UIs. It is designed for operators who prefer guided configuration over raw RouterOS paths.

    Seven category tabs:
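Review bot: The new sentence "includes WinBox and SSH buttons for one-click remote access:" ends in a colon, but the added lines that follow it are empty in this hunk; if a screenshot or list belongs there, check that it is part of the change, otherwise close the sentence with a period. "Both session types have configurable idle timeouts" should also say where they are configured (environment variable, tenant setting, or per session), since the Remote Access section added below only lists the fixed values of 5 and 15 minutes.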

    @@ -853,6 +869,70 @@ open http://localhost

    Safe Apply is strongly recommended for firewall rules and routing changes on remote devices.

    + +
    +

    Remote Access

    +

    TOD provides browser-based remote access to RouterOS devices without exposing management ports to the internet. Two access methods are available from the device detail page.

    + +

    WinBox Tunnels

    +

    Click the WinBox button on any device to open a temporary TCP tunnel:

    +
      +
    1. The API sends a NATS request to the poller on tunnel.open.{device_id}.
    2. +
    3. The poller allocates a port from the pool (49000–49004) and opens a bidirectional TCP proxy to the device’s WinBox port (8291).
    4. +
    5. The API returns a winbox:// URI that launches your local WinBox application.
    6. +
    7. The tunnel closes automatically after 5 minutes of idle time, or when explicitly closed.
    8. +
    + +

    SSH Terminal

    +

    Click the SSH button to open an in-browser terminal:

    +
      +
    1. The API generates a single-use session token stored in Redis (60-second TTL).
    2. +
    3. The frontend connects to the poller’s WebSocket endpoint with the token.
    4. +
    5. The poller’s SSH relay authenticates the token, establishes an SSH connection to the device, and bridges the WebSocket to a PTY session.
    6. +
    7. The terminal renders in the browser using xterm.js with full color and resize support.
    8. +
    9. Sessions close after 15 minutes of idle time.
    10. +
    + +

    Architecture

    +
    Browser         API            NATS          Poller         RouterOS
    +  |              |               |              |               |
    +  +--WinBox btn->|              |              |               |
    +  |              +--req tunnel.open----------->|               |
    +  |              |               |              +--TCP proxy--->|
    +  |              |<--{port, uri}---------------+               |
    +  |<--winbox://->+              |              |               |
    +  |              |               |              |               |
    +  +--SSH btn---->|              |              |               |
    +  |              +--token to Redis             |               |
    +  |<--ws url-----+              |              |               |
    +  +--WebSocket-------------------------------------->|         |
    +  |              |               |              +--SSH session->|
    +  |<-------- bidirectional PTY bridge -------->|<------------>|
    + +

    Session Management

    + + + + + + + + + + + +
    FeatureWinBox TunnelSSH Terminal
    Idle timeout5 minutes15 minutes
    Port range49000–49004N/A (WebSocket)
    Auth methodNATS request-replySingle-use Redis token (60s TTL)
    Audit loggedYes (open/close)Yes (open/close with duration)
    RBACOperator+Operator+
    + +

    Security

    + +
    +

    Monitoring & Alerts
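Review bot: The Security subheading at the end of the new Remote Access section has no body in this hunk; either fill it in or drop the heading. It is the natural place for points the section leaves open: the intro says devices are reached "without exposing management ports to the internet", yet the Ports table in this same change maps 49000–49004/TCP and 2222/TCP on the host, so state the intended network boundary for those listeners (VPN or LAN only, or a specific bind address). For the WinBox flow, "Auth method: NATS request-reply" describes the API-to-poller hop, not who may connect to the allocated port; say whether the proxy accepts any client while the tunnel is open and that RouterOS credentials are still required at the far end. For the SSH flow, say whether the WebSocket endpoint is served over TLS (the single-use token crosses it), whether the token is bound to the user, tenant and device it was issued for, which credentials the relay uses for the device SSH connection, and whether the device host key is verified against a known value or accepted on first use.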

    @@ -1134,6 +1214,7 @@ open http://localhost Reports/api/reports/*PDF report generation (Jinja2 + WeasyPrint) API Keys/api/api-keys/*API key CRUD Maintenance Windows/api/maintenance-windows/*Scheduled maintenance window management + Remote Access/api/tenants/{id}/devices/{id}/remote-access/*WinBox tunnel and SSH terminal session management VPN/api/vpn/*WireGuard VPN tunnel management Certificates/api/certificates/*Internal CA and device certificate management Transparency/api/transparency/*KMS access event dashboard diff --git a/docs/website/index.html b/docs/website/index.html index 1c350b8..cde2894 100644 --- a/docs/website/index.html +++ b/docs/website/index.html @@ -51,7 +51,8 @@ "Two-phase configuration push with panic-revert", "Multi-tenant PostgreSQL Row-Level Security", "Internal Certificate Authority", - "Firmware management and audit trail" + "Firmware management and audit trail", + "Browser-based WinBox tunnels and SSH terminal" ], "softwareRequirements": "Docker, PostgreSQL 17, Redis, NATS" } @@ -177,6 +178,7 @@
  • Manage firmware upgrades
  • Discover and visualize network topology
  • Maintain secure backups of router configurations
  • +
  • Launch WinBox sessions and SSH terminals directly from the browser
  • Everything in one place.
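Review bot: The new API table row uses {id} twice in /api/tenants/{id}/devices/{id}/remote-access/*, which makes the path ambiguous as documentation; name the two parameters distinctly, e.g. /api/tenants/{tenant_id}/devices/{device_id}/remote-access/*, matching the tunnel.open.{device_id} subject used in the Remote Access section.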
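Review bot: "Launch WinBox sessions and SSH terminals directly from the browser" in the new index.html bullet, and "Browser-based WinBox tunnels and SSH terminal" in the featureList entry of the same file, overstate the WinBox side: per the docs.html change the browser only opens a winbox:// URI that launches the locally installed WinBox application, and only the SSH terminal (xterm.js) actually runs in the browser. Reword to something like "Launch WinBox through a one-click tunnel and open SSH terminals in the browser" so the landing page matches the documentation.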