Troubleshooting on Windows
On Windows, the agent runs as a system service. Following are the directories the agent uses by default:
C:\Program Files\Sirius Computer\Crux VPN Agent: Root program directory.C:\Program Files\Sirius Computer\Crux VPN Agent\cnf: Agent configuration files.C:\Program Files\Sirius Computer\Crux VPN Agent\log: Log files.C:\Program Files\WireGuard\Data\Configurations: WireGuard configuration files.
Status
To view the general status of the agent, run the following in a command prompt:
> sc query cruxvpn-agent-service
SERVICE_NAME: cruxvpn-agent-service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
If the agent is running, this command output should contain STATE : 4 RUNNING. Otherwise, try starting the agent with this command as Administrator:
> sc start cruxvpn-agent-service
SERVICE_NAME: cruxvpn-agent-service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1234
FLAGS
Run the stop command and then the start command to restart an already running agent.
Logs
The agent's main log file is C:\Program Files\Sirius Computer\Crux VPN Agent\log\stdout.log. When the agent starts up normally, its first dozen log entries should look like the following:
2025-01-17 06:52:57,154 INFO uk.arqit.device.common.authentication.authentication - About to authenticate device ge3AOPdLKp9dwn/gQezC9egtRvrJXW/3Ds6IugXDiMs=
2025-01-17 06:52:58,633 INFO uk.arqit.device.common.authentication.authentication - Finished successfully authenticating device duid ge3AOPdLKp9dwn/gQezC9egtRvrJXW/3Ds6IugXDiMs=
2025-01-17 06:52:58,634 INFO procustodibus_agent.agent - Starting agent 1.8.0
... 1 wireguard interfaces found ...
... 203.0.113.150 is crux vpn ip address ...
... healthy crux vpn api ...
... can access host record on api for Example Host ...
... device registered with SKA-Platform™ ...
... 198.51.100.103 is SKA-Platform™ DSCC ip address ...
... device can authenticate with SKA-Platform™ ...
All systems go :)
2025-01-17 06:52:59,619 INFO procustodibus_agent.pqc.app - pqc update device policies
2025-01-17 06:52:59,625 INFO uk.arqit.device.monitoring.device_properties_client - Loading device metadata & properties...
2025-01-17 06:53:00,237 INFO uk.arqit.device.monitoring.device_properties_client - About to send properties with correlationId: 820CF1BD-7A5D-4C64-B7C6-AB266361978A
2025-01-17 06:53:00,837 INFO uk.arqit.device.monitoring.heartbeat_client - Loading device metadata...
2025-01-17 06:53:00,838 INFO uk.arqit.device.monitoring.heartbeat_client - About to send heartbeat with correlationId: 3662BAD5-BFFA-42F2-8AA2-B270F86FFD2F
2025-01-17 06:53:01,120 INFO procustodibus_agent.pqc.peering - starting pqc receiver on port 8887
The very first time the agent starts up, it will include a number of additional log entries related to registering with the Arqit SKA-Platform™ and starting up its WireGuard interfaces:
2025-01-15 22:46:07,862 INFO procustodibus_agent.pqc.app - pqc device metadata missing: /etc/cruxvpn/deviceMetadata.json
2025-01-15 22:46:08,876 INFO procustodibus_agent.resolve_hostname - adjusting preference from ipv6 to ipv4
2025-01-15 22:46:09,420 INFO procustodibus_agent.pqc.app - pqc device metadata missing: /etc/cruxvpn/deviceMetadata.json
2025-01-15 22:46:09,421 INFO procustodibus_agent.pqc.app - pqc device metadata missing: /etc/cruxvpn/deviceMetadata.json
2025-01-15 22:46:09,427 INFO procustodibus_agent.agent - Starting agent 1.8.0
!!! no wireguard interfaces found !!!
... 203.0.113.150 is crux vpn ip address ...
... healthy crux vpn api ...
... can access host record on api for Example Host ...
!!! device not registered with SKA-Platform™ !!!
... 198.51.100.103 is SKA-Platform™ DSCC ip address ...
!!! device not authenticated with SKA-Platform™ !!!
All systems go :)
2025-01-15 22:46:09,577 INFO procustodibus_agent.pqc.app - pqc device metadata missing: /etc/cruxvpn/deviceMetadata.json
2025-01-15 22:46:09,578 INFO procustodibus_agent.pqc.app - pqc device metadata missing: /etc/cruxvpn/deviceMetadata.json
2025-01-15 22:46:10,215 INFO uk.arqit.device.registration.registration - Registering device with ID 'host-8zhVy1sDwAe', app_name 'Crux VPN Linux Host', manufacturer ID 'Sirius' OU UID '28it83MlKjaH3viVCyqpEM+QkcFH6PsjiQTZ59UXdSI='
2025-01-15 22:46:10,215 INFO uk.arqit.device.registration.key_exchanger_state_machines.ota_quantum_key_exchanger_state_machine - About to preregister with correlationId: 5D04C716-2379-4AEF-845F-6D3515559FDF
/opt/venvs/cruxvpn-agent/lib/python3.12/site-packages/oqs/oqs.py:173: UserWarning: liboqs version 0.11.0 differs from liboqs-python version 0.12.0
warnings.warn(
2025-01-15 22:46:13,240 INFO uk.arqit.device.registration.key_exchanger_state_machines.ota_quantum_key_exchanger_state_machine - About to register with correlationId: D86E2AE6-BCFD-41C5-9631-71E6ED2B9A4C
2025-01-15 22:46:15,206 INFO uk.arqit.device.registration.registration - Successfully registered device with QuantumCloud(TM)
2025-01-15 22:46:15,207 INFO uk.arqit.device.registration.registration - Stored device metadata at /etc/cruxvpn/deviceMetadata.json
2025-01-15 22:46:15,209 INFO uk.arqit.device.common.authentication.authentication - About to authenticate device ge3AOPdLKp9dwn/gQezC9egtRvrJXW/3Ds6IugXDiMs=
2025-01-15 22:46:15,967 INFO uk.arqit.device.common.authentication.authentication - Finished successfully authenticating device duid ge3AOPdLKp9dwn/gQezC9egtRvrJXW/3Ds6IugXDiMs=
2025-01-15 22:46:15,974 INFO uk.arqit.device.provisioning.provisioning - Loading device metadata...
2025-01-15 22:46:15,975 INFO uk.arqit.device.provisioning.provisioning - Authenticating Device...
2025-01-15 22:46:15,975 INFO uk.arqit.device.provisioning.provisioning - Provisioning device with QuantumCloud(TM)...
2025-01-15 22:46:15,976 INFO uk.arqit.device.provisioning.provisioning - About to provision with correlationId: 03548452-F942-41AB-98F9-D82CA4DF7E84
2025-01-15 22:46:16,687 INFO uk.arqit.device.provisioning.provisioning - Successfully provisioned device with QuantumCloud(TM)
2025-01-15 22:46:16,687 INFO uk.arqit.device.provisioning.provisioning - Updating device metadata...
2025-01-15 22:46:16,691 INFO uk.arqit.device.provisioning.provisioning - Successfully updated device metadata at /etc/cruxvpn/deviceMetadata.json
2025-01-15 22:46:16,698 INFO uk.arqit.device.common.authentication.authentication - About to authenticate device ge3AOPdLKp9dwn/gQezC9egtRvrJXW/3Ds6IugXDiMs=
2025-01-15 22:46:17,830 INFO uk.arqit.device.common.authentication.authentication - Finished successfully authenticating device duid ge3AOPdLKp9dwn/gQezC9egtRvrJXW/3Ds6IugXDiMs=
2025-01-15 22:46:18,489 INFO procustodibus_agent.pqc.app - pqc update device policies
2025-01-15 22:46:18,502 INFO uk.arqit.device.monitoring.device_properties_client - Loading device metadata & properties...
2025-01-15 22:46:19,719 INFO uk.arqit.device.monitoring.device_properties_client - About to send properties with correlationId: 7BB634D9-AB04-4CA4-9789-465B6D5B2434
2025-01-15 22:46:20,288 INFO uk.arqit.device.monitoring.heartbeat_client - Loading device metadata...
2025-01-15 22:46:20,289 INFO uk.arqit.device.monitoring.heartbeat_client - About to send heartbeat with correlationId: 757799DD-774F-4005-93FD-0A05C32A91E7
2025-01-15 22:46:20,814 INFO procustodibus_agent.pqc.peering - starting pqc receiver on port 8887
See the Common Error Messages page for more information about specific error messages you might see.
Tip
Run the following Powershell command to "tail" the log file (display new log entries as they are written):
PS> Get-Content "C:\Program Files\Sirius Computer\Crux VPN Agent\cnf\stdout.log" -Wait
If the stdout.log file is empty, check the init.log file in the same directory, or the cruxvpn-agent-service.log file in the directory above it (these files normally only contain a few messages like starting logging at level X or service config is Y).
WireGuard
To view the status of the WireGuard tunnels on the host, run the following in an Administrator command prompt:
> wg
interface: crux0
public key: /TOE4TKtAqVsePRVR+5AA43HkAK5DSntkOCO7nYq5xU=
private key: (hidden)
listening port: 51820
peer: fE/wdxzl0klVp/IR8UcaoGUMjqaWi3jAd7KzHKFS6Ds=
preshared key: (hidden)
endpoint: 203.0.113.22:42527
allowed ips: 10.0.0.0/24
latest handshake: 28 seconds ago
transfer: 2.48 KiB received, 1.82 KiB sent
Tools
Ping
Use the ping utility to check connectivity through a WireGuard tunnel. For example, to verify that you can connect through the tunnel to a remote host with a private WireGuard address of 10.0.0.2, run the following in a command prompt to "ping" it with its private address:
> ping -n 1 10.0.0.2
Pinging 10.0.0.2 [10.0.0.2] with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=27ms TTL=127
Ping statistics for 10.0.0.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 27ms, Average = 27ms
Routing
Use the netsh utility to check the network addresses and routing on a host. For example, run the following in a command prompt to list the host's IPv4 routing table:
> netsh interface ipv4 show route
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- --- ------------------------ --- ------------------------
No Manual 0 0.0.0.0/0 15 192.168.1.1
No System 256 10.0.0.0/24 33 crux0
No System 256 10.0.0.1/32 33 crux0
No System 256 10.0.0.255/32 33 crux0
No System 256 127.0.0.0/8 1 Loopback Pseudo-Interface 1
No System 256 127.0.0.1/32 1 Loopback Pseudo-Interface 1
No System 256 127.255.255.255/32 1 Loopback Pseudo-Interface 1
No System 256 192.168.1.0/24 15 Ethernet
No System 256 192.168.1.123/32 15 Ethernet
No System 256 192.168.1.255/32 15 Ethernet
No System 256 224.0.0.0/4 1 Loopback Pseudo-Interface 1
No System 256 224.0.0.0/4 15 Ethernet
No System 256 255.255.255.255/32 1 Loopback Pseudo-Interface 1
No System 256 255.255.255.255/32 15 Ethernet
Firewall
Use Windows Defender Firewall to control what network services (such as file shares or remote desktop) can be accessed through the WireGuard tunnel.