User Guide
Status: Current
Last reviewed: 2026-05-15
This guide documents the current NexusNet console from a user and operator point of view. It follows the deployed frontend routes in nexus-frontend and the REST routes registered by nexus-backend.
Console Areas
| Area | Route | Purpose |
|---|---|---|
| Login | /login | Sign in and start a JWT-backed console session. |
| Dashboard | /dashboard | View high-level node, route, upstream, health, and alert state. |
| Nodes | /nodes | Register, edit, reset, and inspect agent nodes. |
| L3 Tunnels | /gateway/l3-networks | Manage point-to-point IP tunnels over QUIC REALITY DATAGRAM. |
| L4 Chains | /gateway/l4-chains | Build deployable L4 forwarding pipelines. |
| Port Management | /nodes/ports | Inspect Nexus-owned listener ports, service lists, and agent runtime state. |
| L4 Upstreams | /gateway/l4-upstreams | Maintain reusable target endpoints and inbound SNI match names. |
| Security Credentials | /gateway/credentials | Manage X25519 keys, TLS certificates, and REALITY profiles. |
| Audit Log | /audit | Inspect configuration and system change history. |
| Users | /settings/users | Create users and review roles. |
| Settings | /settings | Update the current account, UI preferences, and local endpoint hints. |
| API-only features | REST API | Compatibility and admin features without first-class console pages. |
Role Model
NexusNet has three roles:
| Role | Typical access |
|---|---|
admin | Full access, including user creation, TLS certificate writes, credential writes, and audit revert API access. |
operator | Operational changes to nodes, L3 tunnels, L4 chains, upstreams, and deployments. |
viewer | Read-only access to protected APIs and console pages. |
Some buttons may still be visible to lower roles. The backend is authoritative: write requests that require a higher role return 403 Forbidden.
Common Workflows
Bring a Node Online
- Sign in with an
adminoroperatoraccount. - Open Settings > Connections and store the control endpoint used by agents.
- If the backend has
REGISTRATION_SECRETconfigured, store the registration secret in Settings > Connections. - Open Nodes and create a node.
- Copy the one-time control PSK and generated agent environment block.
- Start the agent with
NEXUS_AGENT_ID,NEXUS_CONTROL_ENDPOINT, andNEXUS_CONTROL_PSK. - Return to Nodes and confirm the status dot becomes online after heartbeat.
Deploy an L4 Chain
- Create any required targets in L4 Upstreams.
- Create any required credentials in Security Credentials.
- Open L4 Chains and build a chain with transit stages followed by one target stage.
- Save the chain.
- Click deploy. A success toast lists the nodes that received config.
Inspect L4 Listener Runtime State
- Open Nodes > Port Management.
- Select a node or keep All nodes.
- Review the listeners derived from enabled L4 chains, L3 services, and any saved listener policies.
- Open the service/order dialog to see each L4 or L3 service on that listener.
- Open runtime preview to load the current agent-reported listener and route table from
/api/nodes/ports/runtime.
Deploy an L3 Tunnel
- Ensure two different nodes are registered and connected.
- Create a
REALITYprofile in Security Credentials. - Open L3 Tunnels and create a point-to-point tunnel.
- Select endpoint nodes, tunnel interface names, addressing, MTU, and allowed source CIDRs.
- Save and deploy the tunnel. A success toast lists the nodes that received L3 config.
Current Limitations
- User deletion is not implemented in the current frontend/API path.
- Audit revert API exists, but currently only supports legacy
routeresources; the console only exposes diff viewing. - Legacy
/api/routesAPIs still exist, but the current console workflow is L4 chains and L3 tunnels. - The old dedicated TLS and ENC key pages have been merged into
/gateway/credentials. - Display REST/control endpoints in settings are local browser hints used for copyable config text. They do not change backend runtime configuration.