# Getting Started: Local-First Fleet Dispatch & Native Tunneling

This tutorial walks you through setting up Bauxite's local-first fleet telemetry architecture and secure remote access tunnel from scratch. 

By the end of this guide, you will have a local edge agent streaming synthetic LiDAR and video telemetry to a remote cloud gateway (`bauxite-dispatch`) over **Bauxite Native Userspace Tunneling** (mTLS + WebRTC ICE), and you will have verified its operation in the interactive Operator Panel.

---

## Prerequisites

To complete this tutorial, you will need:
* **Edge Host**: A Linux-based workstation or virtual machine running Docker.
* **Cloud Gateway Host**: An AWS EC2 instance or virtual private server with a public IP address.
* **Security Requirements**: OpenSSL for generating initial certificates, and `sudo` access to manage network namespaces on the gateway.
* **Tools**: `ffmpeg` and `socat` installed on the edge host (used for telemetry stream simulation).

---

## Step 1: Setting up the Cloud Gateway (Control Plane)

The Control Plane (`bauxite-dispatch`) runs in the cloud to manage signaling, authentication, and the Operator UI.

### 1.1. Create mTLS Certificates
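On the Cloud Gateway host, create a directory for credentials and generate the CA and hub keys and certificates:

```bash
mkdir -p /etc/bauxite/certs
cd /etc/bauxite/certs

# Generate CA certificate
# -days is explicit: `openssl req -x509` defaults to 30 days, which would expire
# before the hub certificate below (3650 is an example lifetime)
openssl req -x509 -new -newkey rsa:4096 -nodes -keyout ca.key -out ca.crt -days 3650 -subj "/CN=Bauxite Root CA"

# Generate Hub gRPC server keys
openssl req -new -newkey rsa:2048 -nodes -keyout hub.key -out hub.csr -subj "/CN=dispatch.bauxite-fleet.internal"
# Sign with a subjectAltName: current TLS clients match the host name against SAN, not CN
openssl x509 -req -in hub.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out hub.crt -days 365 \
  -extfile <(printf 'subjectAltName=DNS:dispatch.bauxite-fleet.internal')
```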

### 1.2. Provision the Tenant Network Namespace
Isolate the tenant's gateway agent inside a dedicated network namespace to avoid overlapping IP ranges between tenants and to enforce tenant boundaries:

```bash
CLIENT_ID="warehouse-zone-4"
NS_NAME="ns_$CLIENT_ID"
# Linux limits interface names to 15 characters, so "veth_$CLIENT_ID" would be
# rejected; the veth pair uses a short tag instead (pick one unique per tenant)
IF_TAG="wz4"
VETH_HOST="veth_$IF_TAG"
VETH_NS="veth_ns_$IF_TAG"

# 1. Create the network namespace
sudo ip netns add "$NS_NAME"
sudo ip netns exec "$NS_NAME" ip link set lo up

# 2. Create virtual ethernet (veth) pairs for routing
sudo ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
sudo ip link set "$VETH_NS" netns "$NS_NAME"

# 3. Assign IP addresses
sudo ip addr add 10.42.0.1/24 dev "$VETH_HOST"
sudo ip link set "$VETH_HOST" up
sudo ip netns exec "$NS_NAME" ip addr add 10.42.0.2/24 dev "$VETH_NS"
sudo ip netns exec "$NS_NAME" ip link set "$VETH_NS" up

# 4. Route default traffic inside the netns through the host
sudo ip netns exec "$NS_NAME" ip route add default via 10.42.0.1
```

### 1.3. Configure and Start Nginx Proxy
Create `/etc/nginx/sites-available/bauxite.conf` on the host to forward incoming HTTPS requests to the gateway agent running inside the namespace (`10.42.0.2`):

```nginx
server {
    listen 443 ssl http2;
    server_name dispatch.bauxite-fleet.internal;

    ssl_certificate /etc/bauxite/certs/hub.crt;
    ssl_certificate_key /etc/bauxite/certs/hub.key;

    location / {
        proxy_pass http://10.42.0.2:8080;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Restart Nginx to apply the configuration.

---

## Step 2: Configuring the Local Edge Agent

The edge agent runs locally, opening an outbound-only connection back to the Control Plane.

### 2.1. Create local config.toml
Create `/etc/bauxite/config.toml` on the Edge Host, replacing `YOUR_AWS_PUBLIC_IP` and `HUB_PUBLIC_KEY_HEX` with your gateway address and Hub verifying key:

```toml
# /etc/bauxite/config.toml

[node]
id = "autonomous-warehouse-zone-4"
virtual_ip = "10.42.0.2"
discovery_server_id = 1

[network]
mode = "p2p"
listen_port = 51820
psk = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" # 32-byte hex key; sample value, generate your own (e.g. openssl rand -hex 32)
static_peer = ""
stun_url = "stun:stun.l.google.com:19302"
turn_url = "turn:YOUR_AWS_PUBLIC_IP:3478"
turn_user = "bauxite-client"
turn_pass = "secure-turn-key" # sample value; replace with your TURN credential
cipher = "chacha20-poly1305"
outbound_only = true

[hub]
url = "https://YOUR_AWS_PUBLIC_IP:50052"
public_key = "HUB_PUBLIC_KEY_HEX"

[security]
ca_path = "/etc/bauxite/certs/ca.crt"
cert_path = "/etc/bauxite/certs/node.crt"
key_path = "/etc/bauxite/certs/node.key"
dev_skip_tls_verification = true # development only; set to false once the certificates above are in place

[qos]
high_ports = [5004, 5005]
medium_ports = [8080]
high_queue = 1000
medium_queue = 500
low_queue = 200
medium_burst = 10
low_burst = 5

[ebpf]
enabled = true
xdp_interface = "eth0"
```
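The `[security]` section above points at `node.crt` and `node.key`, which this tutorial does not generate. One way to issue them from the CA created in Step 1.1, as an added example that is not Bauxite's own tooling; the function name `issue_node_cert`, the client-only certificate profile and the 365-day lifetime are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Bauxite tooling): issue the edge node's client certificate
# from the CA created in Step 1.1. The function name, the clientAuth-only
# profile and the 365-day lifetime are assumptions.

# usage: issue_node_cert <ca_dir> <out_dir> <node_id>
issue_node_cert() {
    local ca_dir=$1 out_dir=$2 node_id=$3 ext
    ext=$(mktemp) || return 1

    # Leaf profile: not a CA, usable only as a TLS client, bound to the node ID.
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=clientAuth' \
        "subjectAltName=DNS:$node_id" > "$ext"

    # Key and CSR; umask keeps node.key readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out_dir/node.key" -out "$out_dir/node.csr" \
          -subj "/CN=$node_id" ) &&
    # Sign the CSR with the CA, applying the profile above.
    openssl x509 -req -in "$out_dir/node.csr" \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -out "$out_dir/node.crt" -days 365 -sha256 -extfile "$ext" &&
    # Succeed only if the result chains to the CA as a TLS client certificate.
    openssl verify -CAfile "$ca_dir/ca.crt" -purpose sslclient \
        "$out_dir/node.crt" >/dev/null
    local rc=$?
    rm -f "$ext" "$out_dir/node.csr"
    return "$rc"
}

# Run only when called with three arguments, e.g. (script name is hypothetical):
#   ./issue_node_cert.sh /etc/bauxite/certs /etc/bauxite/certs autonomous-warehouse-zone-4
if [ "$#" -eq 3 ]; then
    issue_node_cert "$@"
fi
```

Run it where `ca.key` lives, then copy `node.crt`, `node.key` and `ca.crt` to `/etc/bauxite/certs` on the Edge Host. Generating the key on the Edge Host and sending only the CSR to the gateway keeps the node's private key off the gateway.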

### 2.2. Start the Local Agent via Docker
Start the Bauxite Local Agent container:

```bash
docker run -d \
  --name bauxite_local_node \
  --network host \
  --cap-add SYS_ADMIN \
  --cap-add NET_ADMIN \
  --device /dev/net/tun:/dev/net/tun \
  -e BAUXITE_KEY_PASSPHRASE=your-secure-passphrase \
  -v /etc/bauxite/certs:/etc/bauxite/certs:ro \
  -v /etc/bauxite/config.toml:/etc/bauxite/config.toml:ro \
  --entrypoint "/bin/bash" \
  bauxite-node:local \
  -c "source /opt/vulcanexus/kilted/setup.bash && exec /usr/local/bin/bauxite run --config /etc/bauxite/config.toml"
```
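A pre-flight check worth running before the `docker run` command above: it fails while `config.toml` still carries the sample secrets, placeholders or dev-only TLS setting from Step 2.1. This is an added example, not part of Bauxite; `check_bauxite_config` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example (not part of Bauxite): pre-flight check that config.toml no
# longer carries the tutorial's sample secrets or dev-only settings.
# check_bauxite_config is a hypothetical helper name.

# Prints one line per finding to stderr and the number of findings to stdout;
# returns 0 only when there are no findings.
check_bauxite_config() {
    local cfg=$1 n=0 psk
    finding() { printf 'config check: %s\n' "$1" >&2; n=$((n + 1)); }

    if grep -Eq '^[[:space:]]*dev_skip_tls_verification[[:space:]]*=[[:space:]]*true' "$cfg"; then
        finding 'dev_skip_tls_verification is true; set it to false outside development'
    fi
    if grep -Eq 'YOUR_AWS_PUBLIC_IP|HUB_PUBLIC_KEY_HEX' "$cfg"; then
        finding 'placeholder YOUR_AWS_PUBLIC_IP or HUB_PUBLIC_KEY_HEX not replaced'
    fi
    if grep -Eq '^[[:space:]]*turn_pass[[:space:]]*=[[:space:]]*"secure-turn-key"' "$cfg"; then
        finding 'turn_pass is the sample value from the tutorial'
    fi

    # The PSK must be 64 hex characters and must not be the published sample.
    psk=$(sed -n 's/^[[:space:]]*psk[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg")
    case $psk in
        0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef)
            finding 'psk is the sample value from the tutorial' ;;
    esac
    if ! printf '%s' "$psk" | grep -Eq '^[0-9a-fA-F]{64}$'; then
        finding 'psk is not 64 hex characters'
    fi

    echo "$n"
    [ "$n" -eq 0 ]
}

# Run only when called with a config path, e.g.:
#   ./check_bauxite_config.sh /etc/bauxite/config.toml
if [ "$#" -eq 1 ]; then
    check_bauxite_config "$1" >/dev/null
fi
```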

---

## Step 3: Simulating Telemetry and QoS (Demo Mode)

For development or demo purposes, you can stream synthetic Point Cloud and RTSP video traffic through Bauxite's eBPF priority queues.

### 3.1. Start the Telemetry Generator
Run the simulator script on the Edge Host, routing Point Cloud data (port 7415) and H.264 video (port 8554) to the local loopback:

```bash
./scripts/stream_demo_telemetry.sh 127.0.0.1 7415 8554
```

### 3.2. Access the Operator Control Room
1. Open your browser and navigate to the Bauxite Control Plane UI URL: `http://YOUR_AWS_PUBLIC_IP:8080` (or the proxy URL if configured).
2. The UI will render the Mesh overview, showing all active nodes.
3. Switch to the **Virtual Operator** tab.
4. Select your target node from the dropdown list.
5. Choose the stream mode (either the **2D Canvas** simulation or **Live WHEP** video feed).
6. Start driving the robot using the interactive joystick or keyboard keys (`W/A/S/D` or Arrow keys).
7. Under simulated link drops or congestion, inspect the telemetry logs to see how Bauxite prioritizes command execution (`/cmd_vel`) and manages latency.

---

## Step 4: Tear Down and Cleanup

To clean up the sandbox and networking resources:

```bash
# Stop and remove local Docker container
docker stop bauxite_local_node
docker rm bauxite_local_node

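# Remove the gateway namespace. The veth pair created in Step 1.2 is destroyed
# with it, because one end of the pair lives inside the namespace.
sudo ip netns del ns_warehouse-zone-4
# Confirm that no host-side veth interface for this tenant is left behind
ip -brief link show type veth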
```