Skip to content

Agent Connector Install: Ubiquity EdgeRouter X

Agent Connector Install: Ubiquity EdgeRouter X

The Ubiquity EdgeRouter X (ER-X/ER-X SFP) is a small-form factor router. In addition to performing routing services, it is a good vantage point to run the Agilicus Agent Connector.

(Once you have completed these, you may wish to try accessing the EdgeRouter X web interface via the Agilicus Any-X platform, see example).

Note: this device is a low-performance device with an older processor and low ram. If you have a need for more than a few services, or ones which need more than ~10Mbps of throughput, we recommend a newer device such as a Raspberry Pi, or a pfSense.

The below instructions were tested on an EdgeRouter X SFP with v2.0.9, specifically:

# cat /etc/version
EdgeRouter.ER-e50.v2.0.9-hotfix.2.5402463.210511.1317

Installation

In the Agilicus Administrative Web interface, you will:

  1. Create Agent Connector
  2. Assign name
  3. Copy the install command line
  4. Paste this into the ssh interface of the Ubiquity EdgeRouter X

Step 1: Create Connector

Navigate (in the Agilicus admin web interface) to ‘Resources/Connectors/New’. Select ‘An outbound agent connector’ and ‘next’

Step 2: Assign name

Assign a name to this connector. Typically this will be the hostname of the Ubiquity EdgeRouter X. It will show up in audit logs, and be used elsewhere in the administrative interface to assign services to sites. This might also be the name of the site.

Step 3: Copy the install command line

Select “Linux”. Copy the command line to your clipboard.

This command will fetch a script, and then run it with 2 arguments (a GUUID representing this Agilicus Agent Connector, and an OpenID Connector Issuer URL, for authentication).

Note: the command line looks complex since it must run on multiple platforms, some of which have curl, some of which have wget, but it effictively fetchs a single install script and runs it with 2 arguments. You may feel free to fetch the script and inspect it, run it manually.

Step 4: SSH & Paste

In your normal ssh interface, login to your router. The default username is ubnt with a password of ubnt.

Become root (sudo su -)

Paste the command line.

You might see some failures in the pre-flight checks (e.g. time-sync not enabled, missing SSL certificates). Correct these if they show. (see the below note about SSL and NTP).

You will now see a UR (See Agent Connector Sign-In for more information). Paste this into a browser that you are signed into (typically another tab in the same browser running the administrative UI). You will now be given a short code. Paste this into the Ubiquity SSH interface.

You should now be complete.

A complete log of a successful install is shown below for reference.

don@machine$ ssh ubnt@172.16.0.13
  _____    _
 | ____|__| | __ _  ___          (c) 2010-2020
 |  _| / _  |/ _  |/ _ \         Ubiquiti Networks, Inc.
 | |__| (_| | (_| |  __/
 |_____\__._|\__. |\___|         https://www.ubnt.com
             |___/

Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

ubnt@172.16.0.13's password:
Linux erx 4.14.54-UBNT #1 SMP Tue May 11 13:23:28 UTC 2021 mips
Welcome to EdgeOS
Last login: Sat May 28 18:11:43 2022 from 172.16.0.8
ubnt@erx:~$ sudo su -
root@erx:~# which curl && (curl -sL agilicus.com/www/releases/secure-agent/stable/install.sh > /tmp/i.sh) || (wget -O - agilicus.com/www/releases/secure-agent/stable/install.sh > /tmp/i.sh); sh /tmp/i.sh JX2EXXXXXXXXXXXXEU https://auth.MYDOMAIN
/usr/bin/curl
Starting install... <JX2EXXXXXXXXXXXXEU> <https://auth.MYDOMAIN>
OS: <Linux>, Machine: <mips>, END: <le>
INFO[2022-05-28T18:32:33.787560338Z] Starting client - version v0.119.0
INFO[2022-05-28T18:32:34.923316902Z] Logging in...

 You may see a browser open, in which case you may sign in automatically.
 Failing that, if this machine is headless, or remote, you will see a URL below.
 Copy and paste that into a browser you are logged into. You will then see a code,
 paste it in below.

Please go to the following link in your browser to retrieve the authentication
code:
	https://auth.MYDOMAIN/auth?client_id=agilicus-builtin-agent-connector&code_challenge=XXXXX&code_challenge_method=S256&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+profile+email+offline_access+urn%3Aagilicus%3Aapi%3Aapplications%3Areader%3F+urn%3Aagilicus%3Aapi%3Aapplications%3Aowner%3F+urn%3Aagilicus%3Aapi%3Atraffic-tokens%3Aowner+urn%3Aagilicus%3Aapplication_service%3A%2A%3Aowner%3F&state=XXXXX

Enter verification code: scpfcXXXXXpim4qq5pl
checking code
INFO[2022-05-28T18:33:23.875526942Z] Check if the agilicus-agent is already running as a service. If so stop it
INFO[2022-05-28T18:33:23.932589295Z] Create a directory at /etc/agilicus/agent
INFO[2022-05-28T18:33:23.934868328Z] Download public key file to /etc/agilicus/agent/public_key.json
INFO[2022-05-28T18:33:24.265979606Z] Create file /usr/bin/agilicus-agent-wrapper.sh
INFO[2022-05-28T18:33:24.266562921Z] Create file /etc/systemd/system/agilicus-agent.service
INFO[2022-05-28T18:33:24.273604799Z] Will install to /agilicus-agent-wrapper.sh -> {/usr/bin/agilicus-agent-wrapper.sh -rwxr-xr-x}
INFO[2022-05-28T18:33:24.278649712Z] Will install to /agilicus-agent.service -> {/etc/systemd/system/agilicus-agent.service -r--r--r--}
INFO[2022-05-28T18:33:24.282177117Z] Create a directory at /opt/agilicus/agent/tufmetadata/latest
INFO[2022-05-28T18:33:24.282578531Z] Create a directory at /opt/agilicus/agent/tufmetadata/stable
INFO[2022-05-28T18:33:24.285506591Z] Setup Agilicus secure store
INFO[2022-05-28T18:33:24.285945878Z] Create secure keyring for storing communication credentials in /etc/agilicus/agent
INFO[2022-05-28T18:34:25.392134745Z] Fetch agent configuration
INFO[2022-05-28T18:34:25.392429467Z] Write agent configuration file in /etc/agilicus/agent/agent.conf.enc.yaml
INFO[2022-05-28T18:34:26.432424427Z] Create a user and group named Agilicus to run the agilicus-agent service
INFO[2022-05-28T18:34:26.432722016Z] Copy executable to /opt/agilicus/agent
INFO[2022-05-28T18:34:26.432866291Z] Set permissions to Agilicus on /opt/agilicus/agent
INFO[2022-05-28T18:34:26.433163321Z] Create symlink from /usr/bin/agilicus-agent to /opt/agilicus/agent/agilicus-agent-mipsle
INFO[2022-05-28T18:34:26.914492417Z] Start agilicus-agent service
INFO[2022-05-28T18:34:27.898994929Z] Installation Complete
root@erx:~# systemctl status agilicus-agent.service
* agilicus-agent.service - Agilicus Agent
   Loaded: loaded (/etc/systemd/system/agilicus-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2022-05-28 18:34:27 UTC; 9s ago
 Main PID: 23147 (agilicus-agent)
   CGroup: /system.slice/agilicus-agent.service
           `-23147 /usr/bin/agilicus-agent client --cfg-file /etc/agilicus/agent/agent.conf.enc.yaml

Note: Missing Let’s Encrypt Intermediary

The ER-X may be missing the Let’s Encrypt Intermediary certificate (see link for more info). The install script will check for this and offer to repair. This will in turn run the below commands. If you prefer, you may run them manually in advance.

curl -k https://letsencrypt.org/certs/lets-encrypt-r3.pem -o /etc/ssl/certs/lets-encrypt-r3.pem
sed -i ‘/^mozilla\/DST_Root_CA_X3/s/^/!/’ /etc/ca-certificates.conf
update-ca-certificates

Note: Time Synchronisation (NTP)

Before running the install steps, ensure NTP (time synchronisation) is running. If you do not have your own NTP server, use pool.ntp.org (specifically, use 0.pool.ntp.org as a server name). NTP can be enabled in the ‘system’ menu.

$ show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-216.197.156.83  .PPS.            1 u   51   64    1   44.325   -2.774   3.691
+198.245.55.137  15.254.136.119   2 u   48   64    3   31.049    3.062   2.792
*2001:1600:4:1:: .GPS.            1 u   48   64    3  117.633    0.569   1.495
+207.34.48.31    205.206.70.42    3 u   48   64    3   61.305    3.715   3.977