Skip to content

CLI Overview

cvpn-manager is a cross-platform CLI that automates node provisioning and runtime management for Catalyst Networks. It handles registration, certificate provisioning, system service management, credential storage, and optionally runs as a privileged daemon for desktop integration.

Command Reference

CommandDescription
registerRegister a new node with the control plane
sync-configUpdate local config from the control plane
check-authVerify credentials are still valid; stop revoked orgs
checkinSend a heartbeat to the control plane
nebula checkCheck if Nebula is installed and report its version
nebula installDownload and install the latest Nebula binary
nebula updateUpdate Nebula to the latest version
check-portCheck if UDP ports are available
install-systemdCreate or recreate the systemd unit (Linux)
install-launchdCreate or recreate the launchd plist (macOS)
install-tapInstall the wintun network driver (Windows only)
self-updateDownload and replace the running binary with the latest published release
versionPrint version and check for updates

The CLI can also run as a daemon when started with --ipc-mode, supervising Nebula processes and accepting commands over a Unix socket or Windows named pipe.

Global Flags

These flags are available on every command:

FlagDefaultDescription
--verbose, -vfalseEnable debug logging
--log-fileWrite logs to a file
--dry-runfalsePreview changes without applying
--config-rootPlatform-specificRoot directory for team configurations
--ipc-modeStart daemon mode (socket or pipe)
--socket-pathPlatform-specificUnix socket path for daemon IPC
--pipe-namePlatform-specificNamed pipe path for daemon IPC (Windows)
--state-db-pathPlatform-specificPath to the daemon state database (BoltDB)
--autostarttrue (Linux)Auto-start configured teams on daemon boot
--nebula-binaryPlatform-specificPath to the Nebula binary

Platform Defaults

PathDefault
Config root/etc/catalyst-networks/
Nebula binary/usr/local/bin/nebula
IPC socket/var/run/tech.deltaops.cvpn/cmd.sock
State database/var/lib/tech.deltaops.cvpn/state.db

Files Per Organization

After registration, each organization directory contains:

FileModeDescription
config.yml0644Nebula configuration
ca.crt0644Certificate Authority certificate
node.crt0644Node certificate
host.crt0644Host certificate
node.key0600Node private key
host.key0600Host private key
credentials.json0600API connection details and node token
node-config.json0644Node metadata (name, IP, mode, lighthouse status)

Credential Storage

The CLI stores the node’s API token in two locations:

  1. OS keyring (primary) — Service name catalyst-manager, account {org-slug}:{node-id}
  2. credentials.json (fallback) — Used when the keyring is unavailable (headless servers, containers)

When loading credentials, the keyring value takes precedence over the file-based token.

The credentials.json file contains:

{
"api_base": "https://app.catalystnetworks.io",
"org_slug": "my-org",
"node_id": 42,
"api_token": "..."
}

Node API Token Scope

The API token returned during registration is scoped to two endpoints only:

  • POST /api/org/{slug}/nodes/{id}/checkin/ — heartbeat
  • GET /api/org/{slug}/nodes/{id}/download_config/ — fetch config package

All other API endpoints (including GET, PATCH, DELETE on /nodes/{id}/) return 403 Forbidden and require a user/admin JWT passed via --access-token.

Install Modes (Linux)

Linux supports two install modes that determine how Nebula is managed at runtime:

ModeSystemd runsAuth timerUse case
servernebula directlyYes (60s interval)Headless servers, always-on infrastructure
desktopcvpn-manager daemonNoDesktop machines with GUI app integration

Set the mode during registration with --mode server or --mode desktop. The default is desktop. See Registering a Node for details.

Next Steps