DX Unified Infrastructure Management

  • Private Community
 View Only

 Is there any API or pu to disconnect a tunnel

David Givens's profile image
David Givens posted Sep 24, 2025 10:38 AM

hi all,

I am wondering if there any API/pu exposed which allows the "Disconnect" of tunnel clients ?

We need to perform this on a number of tunnels and it would be nice to script this.

Thanks

Garin Walsh's profile image
Garin Walsh posted Sep 26, 2025 12:02 AM

You can use the controller callback probe_config_set to set /tunnel/clients/1/active to no and then use the hub callback _stop to restart the hub and read the new config.

The main issue is that there's no good way to identify the tunnel because the client number of the tunnel is set based on creation order.

You can also use an archive package and create a cfx file that updates or replaces the tunnel section(s) with the new information.

David Givens's profile image
David Givens posted Sep 26, 2025 04:25 AM

Thanks Garin.

The issue with the pu is that once the tunnel deativated, there is no way to then send the active pu after the successul drop. I guess a script(ps1/bat) file could be called locally but that would include creds on a remote session. Hopefully I am wrong with that understanding and you can tell me otherwise :)

Garin Walsh's profile image
Garin Walsh posted Sep 26, 2025 09:49 AM

Your existing tunnel section will look like

<tunnel>
   <clients>
      <1>
         active = yes
         host = 1.2.3.4
         port = 1234
         heartbeat = 30
         cert = certs/client1.pem
         password = gobbledygook=
         check_cn = no
         description = Im a tunnel
         hub = TunnelHub
         robot = RobotName
      </1>

If you are just changing the tunnel server IP to 9.8.7.6 for the client, you could create a hub archive package that contains a hub.cfx that contains the contents:

<tunnel> overwrite
   <clients> overwrite
      <1> overwrite
         host = 9.8.7.6

      </1>

   </clients>

</tunnel>

That package would then update the IP of the tunnel server and restart the hub probe on the client. The tunnel is still "active" and so on restart it'll be working.

Alternatively, you could create a second tunnel (section <2>) and then the client will run two tunnels. Then you can verify the new tunnel works and then after that, disable the old tunnel. This is the process we use to update the tunnel certificates when they expire.

But specifically to you question about "activating" a tunnel, all that's required is to configure the tunnel, set "active = yes" for it's section, restart the hub probe.

You can also include things like the certificate pem file in the package too in order to get that into the right place.

David Givens's profile image
David Givens posted Sep 26, 2025 10:01 AM

Thanks for the input Garin

ah yes, I have moved tunnel clients around with that method

The context behind this is .. I have made a small private app which connects to uimapi and/or exectutes a pu. Searches for end customer hubs, removes old hub entries from all hubs, checks hub queues etc etc , so I wanted to add a nice option in the app to search and destroy a tunnel for the hub name

We have Primary(Tunnel Server) <-Secondary (Tunnel Client, 4 of these) <-Customer Hub (Client)

Customer hubs keep dropping, get/attach still functions/connects, but admin is not possible due to them being red. A tunnel disconnect from the Secondary hub will recover these stale tunnels.

So I wanted to add this to the app; like call the <disconnect_client> callback via my app.