Client, support or dual: choosing the agent role

Time · ~3 min Level · Beginner Applies to · every agent

Every LRO agent runs in one of three roles. The role decides which side of a tunnel the agent can play, so picking the right one is the difference between a tunnel that connects and one that never comes up. The names come from the original remote-support use case; here is what they actually mean.

The three roles

Role	Runs on	What it does
Client remote network	The machine that hosts the service you want to reach.	Connects out to the target service on that machine and carries the tunnel’s traffic to it. Endpoints are defined on a client.
Support tech specialist	The machine you sit at and connect from.	Opens the local listener. You point your tool at `localhost:<port>` here and the traffic is carried to the service.
Dual client + support	One machine that needs to be both.	Acts as client and support at the same time — e.g. a hub that both exposes its own services and reaches others.

Rule of thumb: the machine you reach into is the Client; the machine you reach from is the Support. Traffic flows you → support → core → client → service. If that feels backwards, it is because “client” names the customer’s remote machine, not your console.

Pick the role when you register

When you register an agent (Agents → Register), choose the mode in the Agent mode dropdown before you get the token. The exact labels are Client (remote network), Support (tech specialist) and Dual (client + support).

Register new agent dialog with the Agent mode dropdown — Fig 1. Set the role at registration — it is the second field in the Register dialog.

The Agents list then shows each agent’s current mode at a glance:

Agents table showing one Client agent and one Support agent — Fig 2. A client and a support agent — the **Mode** column shows each role.

Change a running agent’s role

You do not have to re-register to change a role. Open the agent, and on the Overview tab use Switch to Client / Support / Dual. The change is pushed to the agent live.

Agent detail showing Current mode with Switch to Support and Switch to Dual buttons — Fig 3. Switching a connected agent’s role from the panel — no re-registration.

There are two ways to set the operating mode, and they interact:

From the panel (the buttons above). An agent started without a forced mode follows whatever the panel says.
On the agent, with a flag: lro --mode client|support|dual. A forced mode wins — the agent ignores panel switches and re-asserts the flag. Use it to pin a machine to one role.

$ lro --mode support # pin this machine as the side you connect from

Which role do I pick?

You want to reach a service on a remote box (its SSH, web panel, database)? That box is the Client; define its service as an endpoint there.
The machine is your own, where you will run ssh / a browser / a DB client against a local port? That is the Support.
One machine must do both — host something and reach elsewhere? Use Dual.

Core only routes the matching commands to each role — a client is asked to open channels, a support to open listeners — so a mismatched role simply will not bind a tunnel.

Know your roles? Open a tunnel end to end.

Your first tunnel →