← Back to Documentation

Hardware Sharing Guide

Share your embedded debug hardware with your team for remote debugging.

Overview

ProbeCodex allows you to share physical debug probes (J-Link, ST-Link, Nu-Link, etc.) with your team over a secure VPN. This enables remote debugging of embedded systems from anywhere in the world.

How It Works

  1. The ProbeCodex Agent runs on your machine with the debug probe attached
  2. The agent starts OpenOCD locally, bound to 0.0.0.0:13333 (accessible over VPN)
  3. Both machines connect over a WireGuard VPN
  4. Remote team members connect their GDB to the host's OpenOCD via VPN IP

Prerequisites

For Hardware Owners (Sharing)

  • A ProbeCodex account with an active subscription
  • A supported debug probe (J-Link, ST-Link, Nu-Link, CMSIS-DAP)
  • WireGuard installed on your system
  • The ProbeCodex Agent installed

For Remote Users (Connecting)

  • A ProbeCodex account (same organization)
  • WireGuard installed and configured with VPN config
  • ProbeCodex MCP server or arm-none-eabi-gdb for connecting to remote OpenOCD

Step 1: Install the ProbeCodex Agent

Install the ProbeCodex Agent on the machine where your debug probe is physically connected.

macOS / Linux

curl -fsSL https://probecodex.com/install.sh | bash

Windows (PowerShell as Administrator)

irm https://probecodex.com/install.ps1 | iex

Verify Installation

probecodex-agent --version

Step 2: Set Up WireGuard VPN

The VPN provides secure connectivity between you and your team members.

Install WireGuard

macOS

brew install wireguard-tools

Or download from: wireguard.com/install

Windows

Download and install from: wireguard.com/install

Linux

sudo apt install wireguard

Get Your VPN Configuration

  1. Go to Portal → Hardware
  2. Click Get VPN Config to download your ProbecodexVPN.conf file
  3. Save it to your ProbeCodex config directory

Connect to VPN

macOS / Linux (via Agent)

probecodex-agent start

The agent will automatically connect to VPN if enabled in config.

Windows (via WireGuard GUI)

  1. Open the WireGuard application
  2. Click Import tunnel(s) from file
  3. Select your ProbecodexVPN.conf file
  4. Click Activate to connect

Then start the agent:

probecodex-agent start

Step 3: Register Your Hardware

Register your debug probe in the portal so team members can see and book it.

  1. Go to Portal → Hardware
  2. Click Offer Hardware to Team
  3. If the agent is running, it will auto-detect your probe. Select it from the dropdown, or enter details manually:
    • Device Type: J-Link, ST-Link, Nu-Link, or CMSIS-DAP
    • Device Name: A friendly name (e.g., "Lee's J-Link Pro")
    • Serial Number: Your probe's serial number
    • Target MCU: The connected MCU (e.g., STM32F407VG)
    • Target Board: The dev board name (optional)
  4. Click Register Hardware

Important

Make sure your debug probe is connected and the agent is running. The agent detects USB probes automatically when you visit the hardware page.

Step 4: Set Availability Windows

Define when your hardware is available for others to book.

  1. Go to your device's detail page in the Hardware Portal
  2. Click Manage Availability or + Add Availability
  3. Choose the type:
    • Recurring Weekly: Same time every week (e.g., "Monday 9am-5pm")
    • Specific Dates: One-time availability window
  4. Set the time window and timezone
  5. Click Add Availability

Example: Office Hours

  • Monday 09:00 - 17:00 UTC
  • Tuesday 09:00 - 17:00 UTC
  • Wednesday 09:00 - 17:00 UTC
  • Thursday 09:00 - 17:00 UTC
  • Friday 09:00 - 17:00 UTC

Step 5: Connect to Shared Hardware (Remote User)

Once hardware is shared, team members can connect to it remotely.

  1. Ensure WireGuard VPN is connected (see Step 2)
  2. Go to Portal → Hardware
  3. Find the device you want to use and click on it
  4. Click Request Booking and select a time slot within the availability windows
  5. Wait for the owner to approve your booking
  6. Once approved, the device will show Connection Details with VPN IP and GDB port
  7. Connect GDB to the remote OpenOCD over VPN:
    target_connect(host: "<VPN_IP>", port: 13333)

    Or directly with GDB:

    arm-none-eabi-gdb -ex "target remote <VPN_IP>:13333"

Success!

You are now connected to the remote OpenOCD instance over VPN. You can debug, flash, and inspect the target MCU as if the probe was locally connected.

How the VPN Works & Security

ProbeCodex uses WireGuard, a modern, high-performance VPN protocol, to create a secure private network between team members sharing hardware.

How It Works

  1. When you join a team, the ProbeCodex portal generates a unique WireGuard key pair and VPN IP address for your account
  2. Your VPN configuration file (ProbecodexVPN.conf) contains your private key and connection details
  3. The ProbeCodex Agent handles VPN connection automatically when it starts — no manual setup needed
  4. Once connected, your machine gets a private IP (e.g., 10.100.1.x) on the team network
  5. The agent runs a local debug server (OpenOCD) that is accessible to authorized team members over this VPN

What the Agent Does Automatically

  • Downloads your VPN config from the portal after authentication
  • Detects network conditions — tests if direct UDP (WireGuard) works or if your network blocks it
  • Selects the best connection mode — direct WireGuard (fastest) or wstunnel fallback (for restrictive networks)
  • Connects to the VPN and verifies connectivity to the server gateway
  • Installs dependencies — WireGuard tools and wstunnel if needed

Security Measures

Per-Session Access Control

VPN peers can only communicate with each other during active, approved hardware bookings. Outside of booking windows, peer-to-peer traffic is blocked at the server level. Only the hardware owner and the borrower can see each other, and only during the scheduled time.

Unique Key Pairs

Each team member gets a unique X25519 cryptographic key pair. Your private key never leaves your machine after the initial download. All traffic is encrypted end-to-end using WireGuard's modern cryptography (ChaCha20, Poly1305, Curve25519).

Network Isolation

Organizations are isolated into separate VPN subnets. Your VPN configuration only allows traffic within your team's subnet — you cannot reach devices belonging to other organizations.

Have questions about VPN security? Use the AI Support Chat in the portal for detailed answers about our security architecture.

Agent VPN Management

The ProbeCodex Agent manages your VPN connection automatically. During installation (probecodex-agent install), the agent:

What the installer checks and sets up

  1. Installs WireGuard tools if not already present (via brew, apt, or the platform's package manager)
  2. Downloads your VPN config from the portal API using your authenticated session
  3. Saves it securely to ~/.probecodex/wg0.conf with restricted file permissions (chmod 600)
  4. Tests network connectivity — checks if UDP port 51820 is reachable
  5. Installs wstunnel if UDP is blocked and the tool is not already available
  6. Creates a wstunnel config variant automatically (same file, different Endpoint) for fallback mode
  7. Verifies the VPN connection by pinging the server gateway

Agent VPN Commands

probecodex-agent vpn status

Show current VPN connection status, mode (direct/wstunnel), your VPN IP address, and connection health.

probecodex-agent vpn connect

Manually connect to the VPN. The agent auto-detects the best mode (direct UDP or wstunnel) and connects. Use this if auto-connect was skipped or you disconnected manually.

probecodex-agent vpn disconnect

Disconnect from the VPN. Also stops wstunnel if it was running.

probecodex-agent vpn config

Show the path to your VPN configuration file and whether it exists.

Install Options

  • --no-vpn — Skip VPN setup during install (not allowed for Team/Enterprise tiers)
  • --no-deps — Skip dependency installation (WireGuard, wstunnel)
  • --keep-vpn — Keep VPN configuration when uninstalling

Auto-Connect Behavior

When the agent starts (probecodex-agent start), it automatically:

  1. Checks if VPN config exists
  2. Tests if already connected (detects manual WireGuard GUI connections on Windows)
  3. If not connected, tests UDP connectivity to the server
  4. If UDP works → connects directly via WireGuard
  5. If UDP blocked → starts wstunnel, then connects WireGuard through it
  6. Verifies connection by pinging the VPN gateway

If VPN connection fails, the agent continues running without VPN. You can retry with probecodex-agent vpn connect.

Need help with VPN issues? Use the AI Support Chat in the portal — it understands the full VPN architecture and can diagnose connection problems.

Restrictive Networks (wstunnel)

WireGuard uses UDP port 51820 by default. Some networks block this — corporate firewalls, hotel Wi-Fi, and mobile hotspots from certain carriers are known to block UDP VPN traffic.

Mobile Hotspot Users

Many mobile carriers block UDP ports used by VPN protocols like WireGuard. If you are tethering through a phone hotspot and the VPN won't connect, this is likely the cause. The wstunnel workaround below solves this.

What is wstunnel?

wstunnel is an open-source tool that wraps WireGuard's UDP traffic inside a standard HTTPS WebSocket connection (TCP port 443). Since HTTPS traffic on port 443 is allowed by virtually every network, this bypasses UDP blocking while keeping all the security of WireGuard encryption.

How it works

Your Machine (WireGuard UDP)

  ↓

wstunnel client (wraps UDP in WebSocket)

  ↓ HTTPS port 443 (passes through any firewall)

ProbeCodex Server (Caddy TLS termination)

  ↓

wstunnel server (unwraps back to UDP)

  ↓

WireGuard Server (port 51820)

Automatic Mode (Recommended)

The ProbeCodex Agent handles this automatically. When it detects that UDP is blocked, it switches to wstunnel mode without any manual configuration. Just make sure wstunnel is installed:

macOS

brew install wstunnel

Linux

sudo apt install wstunnel

Or download from: github.com/erebe/wstunnel/releases

Windows

Download the Windows binary from github.com/erebe/wstunnel/releases and add it to your PATH.

Manual Mode

If you need to set up wstunnel manually (without the agent), follow these steps:

  1. Download your VPN config from Portal → Hardware (click Get VPN Config)
  2. Edit the Endpoint line in your ProbecodexVPN.conf file:

    # Change this:

    Endpoint = vpn.probecodex.com:51820

    # To this:

    Endpoint = 127.0.0.1:51820

  3. Start wstunnel in a terminal:
    wstunnel client -L udp://127.0.0.1:51820:127.0.0.1:51820 wss://vpn.probecodex.com:443
  4. Connect WireGuard in a second terminal:
    sudo wg-quick up ./ProbecodexVPN.conf

Need help? Use the AI Support Chat in the portal — it has full context on the VPN architecture and can guide you through setup.

Troubleshooting

VPN shows disconnected on Windows

Windows users must connect to VPN manually via the WireGuard GUI app before starting the agent. The agent will then detect the existing VPN connection.

Device shows "offline" in portal

  • Ensure the ProbeCodex Agent is running: probecodex-agent status
  • Ensure VPN is connected (check for 10.100.x.x IP)
  • Ensure the debug probe is physically connected

Cannot connect to remote device

  • Verify both you and the owner are connected to VPN
  • Check that your booking is approved and active
  • Try ping <VPN_IP> to test connectivity

VPN won't connect on mobile hotspot

Many mobile carriers block UDP traffic used by WireGuard. Install wstunnel and the agent will automatically route traffic over HTTPS (TCP 443) instead. See Restrictive Networks above for details.

VPN connected but can't reach team member

Peer-to-peer VPN traffic is only allowed during active, approved hardware bookings. Make sure your booking is approved, the scheduled time has started, and both you and the hardware owner have the agent running. Outside of booking windows, peer traffic is blocked for security.

Nu-Link not detected

Nu-Link probes require OpenOCD-Nuvoton, not standard OpenOCD. Install it from: github.com/OpenNuvoton/Nuvoton_Tools

Related Documentation

Agent Installation

Detailed agent installation and configuration

Agent CLI Reference

All agent commands and options