[Yandex Cloud documentation](../../index.md) > [Yandex BareMetal](../index.md) > [Tutorials](index.md) > Delivering USB devices to a BareMetal server or virtual machine

# Forwarding USB devices to a BareMetal server or Compute Cloud virtual machine

In this tutorial, you will configure forwarding USB devices to a Yandex BareMetal [server](../concepts/servers.md) via a VPN connection over a public internet segment. You will do it using the _USB over IP_ technology and freely distributed software that comes with [Linux](https://en.wikipedia.org/wiki/Linux) distributions.

{% note info %}

In a similar way, you can forward USB devices to a Yandex Compute Cloud [virtual machine](../../compute/concepts/vm.md).

{% endnote %}

_USB over IP_ allows you to transfer data from USB devices over a network (local or internet) as if they were directly connected to the client computer. This is particularly important in situations where it is difficult or impossible to physically connect USB devices to the computer.

With _USB over IP_:
* You can forward USB devices to cloud services, using Compute Cloud VMs or BareMetal servers as clients for remote USB devices.
* You can connect remote USB peripherals, such as printers, scanners, cameras, hardware tokens, and flash drives, to VMs and servers.
* To forward USB devices, you can use both specialized integrated system platforms and open-source software.
* You can place keys, tokens, and smart cards delivered to servers and VMs within a controlled perimeter with limited access.
* You can use common network security tools to restrict connections to remote USB devices.

{% note warning %}

The _USB over IP_ technology requires a highly reliable network for writes to a remote USB device. In addition, this technology is not suitable for connecting USB devices that require high data transfer rates.

{% endnote %}

You can see the solution architecture in the diagram below:

![usb-over-ip](../../_assets/tutorials/usb-over-ip.svg)

* Remote site **USB client**: Windows or Linux-based virtual machine or physical server. In this tutorial, a physical server running Linux Ubuntu 24.04 LTS leased from Yandex BareMetal will serve as a client.
* Remote site **USB server**: Linux-based device with a connection to a local network and VPN access (if the USB device data is delivered via the internet). USB devices will be physically inserted into the USB ports of the USB server. For a server, you can use microcomputers, e.g., [Raspberry Pi](https://en.wikipedia.org/wiki/Raspberry_Pi). In this tutorial, a computer running Linux Ubuntu 22.04 LTS with several USB ports will be used as the server.
* **Software**: In this tutorial, we will use `usbip` with the standard system tools and core modules from the `linux-tools` package to forward USB devices to the client.
* **Connected USB equipment**:
    * USB data drive
    * USB token
* **USB forwarding method**: Remote USB devices will be forwarded through a VPN connection over a public internet segment using [WireGuard](https://www.wireguard.com/). 

    The proposed WireGuard-based arrangement is for demonstration purposes only; you can use any other technology to connect your remote servers.

To forward USB devices to a BareMetal server using USB over IP:

1. [Get your cloud ready](#before-you-begin).
1. [Set up a cloud network](#setup-vpc).
1. [Create a virtual machine for a VPN server](#create-vpn-server).
1. [Create a private BareMetal subnet](#create-subnet).
1. [Rent a BareMetal server](#rent-server)
1. [Set up a VPN](#setup-vpn).
1. [Configure USB over IP](#setup-usbip).
1. [Test the solution](#test-solution).

If you no longer need the resources you created, [delete them](#clear-out).

## Getting started {#before-you-begin}

Sign up for Yandex Cloud and create a [billing account](../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../billing/quickstart/index.md) and [link](../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../resource-manager/concepts/resources-hierarchy.md).

### Required paid resources {#paid-resources}

The cost of the proposed solution includes:

* Fee for using the VM [public IP address](../../vpc/concepts/address.md#public-addresses) (see [Yandex Virtual Private Cloud pricing](../../vpc/pricing.md)).
* Fee for [VM](../../compute/concepts/vm.md) computing resources and disks (see [Yandex Compute Cloud pricing](../../compute/pricing.md)).
* BareMetal server lease fee (see [Yandex BareMetal pricing](../pricing.md)).


## Set up a cloud network {#setup-vpc}

### Create a cloud network and subnet {#setup-network-and-subnet}

Create a cloud network and subnet to connect the Compute Cloud VM (VPN server) to.

{% list tabs group=instructions %}

- Management console {#console} 

  1. In the [management console](https://console.yandex.cloud), select the folder where you are going to create your cloud infrastructure.
  1. Navigate to **Virtual Private Cloud**.
  1. Create a cloud network:

      1. At the top right, click **Create network**.
      1. In the **Name** field, specify `sample-network`.
      1. In the **Advanced** field, disable **Create subnets**.
      1. Click **Create network**.
  1. Create a subnet:

      1. In the left-hand panel, select ![subnets](../../_assets/console-icons/nodes-right.svg) **Subnets**.
      1. At the top right, click **Create subnet**.
      1. In the **Name** field, specify `subnet-ru-central1-b`.
      1. In the **Availability zone** field, select `ru-central1-b`.
      1. In the **Network** field, select `sample-network`.
      1. In the **CIDR** field, specify `192.168.11.0/24`.
      1. Click **Create subnet**.

{% endlist %}

### Create a security group {#crete-sg}

Create a [security group](../../vpc/concepts/security-groups.md) named `vpn-sg` for your VM (VPN server).

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where you are deploying your cloud infrastructure.
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/shield.svg) **Security groups** and click **Create security group**.
  1. In the **Name** field, specify `vpn-sg`.
  1. In the **Network** field, select `sample-network` you created earlier.
  1. Under **Rules**, [create](../../vpc/operations/security-group-add-rule.md) the following traffic management rules:

      | Traffic<br/>direction | Description | Port range | Protocol | Source /<br/>Destination name | CIDR blocks /<br/>Security group |
      | --- | --- | --- | --- | --- | --- |
      | Ingress | `ssh`            | `22`   | `TCP`  | `CIDR` | `0.0.0.0/0` |
      | Inbound | `vpn`            | `63665`   | `UDP`  | `CIDR` | `0.0.0.0/0` |
      | Egress | `any`           | `All` | `Any` | `CIDR` | `0.0.0.0/0` |
  1. Click **Create**.

{% endlist %}

## Create a virtual machine for a VPN server {#create-vpn-server}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where you are deploying your infrastructure.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/server.svg) **Virtual machines** and click **Create virtual machine**.
  1. Under **Boot disk image**, select the [Ubuntu 24.04](https://yandex.cloud/en/marketplace/products/yc/ubuntu-2404-lts-oslogin) image.
  1. Under **Location**, select the `ru-central1-b` [availability zone](../../overview/concepts/geo-scope.md).
  1. Under **Network settings**:

      * In the **Subnet** field, select the `subnet-ru-central1-b` subnet you created earlier.
      * In the **Public IP address** field, select `Auto`.
      * In the **Security groups** field, select `vpn-sg`.

  1. Under **Access**, select **SSH key** and specify the VM access credentials:

      * In the **Login** field, enter the username: `yc-user`.
      * In the **SSH key** field, select the SSH key saved in your [organization user](../../organization/concepts/membership.md) profile.
        
        If there are no SSH keys in your profile or you want to add a new key:
        
        1. Click **Add key**.
        1. Enter a name for the SSH key.
        1. Select one of the following:
        
            * `Enter manually`: Paste the contents of the public SSH key. You need to [create](../../compute/operations/vm-connect/ssh.md#creating-ssh-keys) an SSH key pair on your own.
            * `Load from file`: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
            * `Generate key`: Automatically create an SSH key pair.
            
              When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the `/home/<user_name>/.ssh` directory. In Windows, unpack the archive to the `C:\Users\<user_name>/.ssh` directory. You do not need additionally enter the public key in the management console.
        
        1. Click **Add**.
        
        The system will add the SSH key to your organization user profile. If the organization has [disabled](../../organization/operations/os-login-access.md) the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  1. Under **General information**, specify the VM name: `wireguard-vpn-server`.
  1. Click **Create VM**.

{% endlist %}

{% note tip %}

To keep the VPN connection alive if you stop and restart your VPN server, [make](../../vpc/operations/set-static-ip.md) the VPN server's IP address static.

{% endnote %}


## Create a private BareMetal subnet {#create-subnet}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where you are deploying your cloud infrastructure.
  1. Navigate to **BareMetal**.
  1. In the left-hand panel, select ![icon](../../_assets/console-icons/nodes-right.svg) **Private subnets** and click **Create subnet**.
  1. In the **Pool** field, select the `ru-central1-m3` server pool.
  1. In the **Name** field, enter the subnet name: `subnet-m3`.
  1. Without enabling **IP addressing and routing**, click **Create subnet**.

{% endlist %}


## Rent a BareMetal server {#rent-server}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where you are deploying your cloud infrastructure.
  1. Navigate to **BareMetal**.
  1. Click **Lease server** and, in the window that opens, select `Stock configurations` and a suitable BareMetal server [configuration](../concepts/server-configurations.md) in the `ru-central1-m3` server pool.

      Do it by selecting the `ru-central1-m3` server pool in the filter on the right side of the window, under **Pool**.

      To select the suitable server configuration, click the section with its name in the central part of the screen.

      {% note tip %}
      
      You can reduce the cost of renting a server in some configurations by ordering server [assembly](../concepts/server-custom-configurations.md#assembly).
      
      To use the discount, hover over **Cheaper with assembly** ![circle-info.svg](../../_assets/console-icons/circle-info.svg) under the configuration at hand and click ![person-nut-hex.svg](../../_assets/console-icons/person-nut-hex.svg) **Go to assembly** in the pop-up window.
      
      When ordering a server with assembly, follow the steps below to configure the server properties. In this case, the server will not be available immediately, but only after the assembly is completed (within four calendar days), and at a lower price.
      
      {% endnote %}

  1. In the server configuration window that opens:

      1. In the **Lease duration** field, select the [lease period](../concepts/servers.md#server-lease): `1 day`, `1 month`, `3 months`, `6 months`, or `1 year`.
         
         When this period expires, server lease will automatically be renewed for the same period. You cannot terminate the lease during the specified lease period, but you can [refuse](../operations/servers/server-lease-cancel.md) to extend the server lease further.
      1. Under **Image**, select the `Ubuntu 24.04` image.
      1. Optionally, under **Disk**, configure [disk](../concepts/disks/disk-types.md) partitioning:
         
         1. Click **Configure disk layout**.
         1. Specify partition settings. To create a new partition, click ![icon](../../_assets/console-icons/plus.svg) **Add partition**.
         
             To configure [RAID](../concepts/disks/raid.md) arrays and disk partitions by yourself, click **Remove RAID**.
         1. Click **Save**.
      1. Under **Network interfaces**:
          1. In the **Private subnet** field, select the `subnet-m3` subnet you created earlier.
          1. In the **Public address** field, select `From ephemeral subnet`.

      1. Under **Access**:

          1. In the **Password** field, select one of the following options to create a root password:
          
              * To generate a new root password, select `New password` and click **Generate**.
          
                  {% note warning %}
                  
                  This option requires you to maintain password security. Save the password you generated in a secure location. Yandex Cloud does not store it, and you will not be able to retrieve it once the server is deployed.
                  
                  {% endnote %}
          
              * To use the root password saved in a Yandex Lockbox [secret](../../lockbox/concepts/secret.md), select `Lockbox secret`.
          
                  In the **Name**, **Version**, and **Key** fields, select the secret containing your password, its version, and its key, respectively.
                  
                  If you do not have a Yandex Lockbox secret, click **Create** to create it.
          
                  Choose the `Custom` secret type to specify a custom password or `Generated` to generate password automatically.
          
          1. In the **Public SSH key** field, select the SSH key saved in your [organization user](../../organization/concepts/membership.md) profile.
          
              If there are no SSH keys in your profile or you want to add a new key:
              
              1. Click **Add key**.
              1. Enter a name for the SSH key.
              1. Select one of the following:
              
                  * `Enter manually`: Paste the contents of the public SSH key. You need to [create](../../compute/operations/vm-connect/ssh.md#creating-ssh-keys) an SSH key pair on your own.
                  * `Load from file`: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
                  * `Generate key`: Automatically create an SSH key pair.
                  
                    When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the `/home/<user_name>/.ssh` directory. In Windows, unpack the archive to the `C:\Users\<user_name>/.ssh` directory. You do not need additionally enter the public key in the management console.
              
              1. Click **Add**.
              
              The system will add the SSH key to your organization user profile. If the organization has [disabled](../../organization/operations/os-login-access.md) the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

      1. Under **Server information**, in the **Name** field, enter the server name: `my-usbip-client`.
      1. Click **Lease server**.

{% endlist %}

{% note info %}

Server setup and OS installation may take up to 45 minutes. The server will have the `Provisioning` status during this time. After OS installation is complete, the server status will change to `Ready`.

{% endnote %}


## Set up a VPN {#setup-vpn}

To enable USB device forwarding to a BareMetal server from a remote computer, set up a VPN connection using a VPN server deployed on a Compute Cloud virtual machine and two VPN clients: one on the BareMetal server and one on the remote computer.

In this tutorial, you will use the [WireGuard](https://www.wireguard.com/) open source solution to set up a VPN connection. However, you can set up your VPN connection using other tools.

{% note info %}

The server must have port `TCP 3240` open and accessible through the VPN connection.

{% endnote %}

### Configure a VPN server {#vpn-server-setup}

1. [Connect over SSH](../../compute/operations/vm-connect/ssh.md) to the `wireguard-vpn-server` virtual machine you created earlier.
1. Install WireGuard and the required dependencies:
   
   ```bash
   sudo apt update && sudo apt install wireguard resolvconf
   ```
1. Enable IP forwarding in the Linux kernel settings:
   
   1. Open the `sysctl.conf` configuration file:
   
       ```bash
       sudo nano /etc/sysctl.conf
       ```
   1. Add this line to end of the `sysctl.conf` file:
   
       ```text
       net.ipv4.ip_forward = 1
       ```
   1. Apply the new kernel settings:
   
       ```bash
       sudo sysctl -p
       ```
1. Generate VPN traffic encryption keys:

    ```bash
    wg genkey | sudo tee server_private.key | wg pubkey | sudo tee server_public.key > /dev/null
    wg genkey | sudo tee bms_private.key | wg pubkey | sudo tee bms_public.key > /dev/null
    wg genkey | sudo tee remote_private.key | wg pubkey | sudo tee remote_public.key > /dev/null
    ```

    These six files were created in the current directory:

    * `server_private.key`: Contains the private encryption key of the VPN server.
    * `server_private.key`: Contains the public encryption key of the VPN server.
    * `bms_private.key`: Contains the private encryption key of the VPN client (BareMetal server).
    * `bms_public.key`: Contains the public encryption key of the VPN client (BareMetal server).
    * `remote_private.key`: Contains the private encryption key of the remote site VPN client.
    * `remote_public.key`: Contains the public encryption key of the remote site VPN client.

    Save all the encryption keys: you will need them to create WireGuard configuration files on the relevant machines.
1. Create a WireGuard VPN server configuration file:

    1. Open the configuration file:
       
       ```bash
       sudo nano /etc/wireguard/wg0.conf
       ```
    1. Add the following configuration to the file using the contents of the encryption keys you got in the previous step:

        ```text
        [Interface]
        Address = 192.168.100.1/24
        ListenPort = 63665
        PrivateKey = <server_private.key_file_contents>

        [Peer]
        PublicKey = <bms_public.key_file_contents>
        AllowedIPs = 192.168.100.2/32

        [Peer]
        PublicKey = <remote_public.key_file_contents>
        AllowedIPs = 192.168.100.3/32
        ```
1. Run WireGuard:
   
   ```bash
   sudo wg-quick up wg0
   ```
   
   Result:
   
   ```text
   [#] ip link add wg0 type wireguard
   [#] wg setconf wg0 /dev/fd/63
   [#] ip -4 address add 192.168.100.1/24 dev wg0
   [#] ip link set mtu 1420 up dev wg0
   ```
   
   To stop WireGuard, run this command: `sudo wg-quick down wg0`.
   
   {% note info %}
   
   To activate WireGuard autostarting, run this command:
   
   ```bash
   sudo systemctl start wg-quick@wg0 && sudo systemctl enable wg-quick@wg0
   ```
   
   {% endnote %}

### Configure VPN clients {#vpn-client-setup}

1. [Connect over SSH](../../compute/operations/vm-connect/ssh.md) to the `my-usbip-client` BareMetal server you leased earlier.
1. Install WireGuard and the required dependencies:
   
   ```bash
   sudo apt update && sudo apt install wireguard resolvconf
   ```
1. Enable IP forwarding in the Linux kernel settings:
   
   1. Open the `sysctl.conf` configuration file:
   
       ```bash
       sudo nano /etc/sysctl.conf
       ```
   1. Add this line to end of the `sysctl.conf` file:
   
       ```text
       net.ipv4.ip_forward = 1
       ```
   1. Apply the new kernel settings:
   
       ```bash
       sudo sysctl -p
       ```
1. Create a WireGuard VPN client configuration file:

    1. Open the configuration file:
       
       ```bash
       sudo nano /etc/wireguard/wg0.conf
       ```
    1. Add the following configuration to the file:

        ```text
        [Interface]
        PrivateKey = <bms_private.key_file_contents>
        Address = 192.168.100.2/32

        [Peer]
        PublicKey = <server_public.key_file_contents>
        Endpoint = <VM_public_IP_address>:63665
        AllowedIPs = 192.168.100.0/24
        PersistentKeepalive = 15
        ```

        Where:

        * `PrivateKey`: Contents of the `bms_private.key` file created when configuring the VPN server. This is the client's private encryption key.
        * `PublicKey`: Contents of the `server_public.key` file created when configuring the VPN server. This is the server's public encryption key.
        * `<VM_public_IP_address>`: Public IP address of the virtual machine with the deployed VPN server. You can look up the VM's public IP address in the [management console](https://console.yandex.cloud): see the **Network** section's **Public IPv4 address** field on the VM information page.
1. Run WireGuard:

    ```bash
    sudo wg-quick up wg0
    ```

    Result:

    ```text
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 192.168.100.2/32 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] ip -4 route add 192.168.100.0/24 dev wg0
    ```
1. Similarly, configure the WireGuard VPN client on the remote site computer; in the `PrivateKey` field of the `wg0.conf` WireGuard configuration file, specify the contents of the `remote_private.key` file created when configuring the VPN server with the private encryption key of the remote site VPN client.

### Test the VPN connection {#check-vpn}

By now, your VPN connection should be successfully established. To test it:

1. [Connect over SSH](../../compute/operations/vm-connect/ssh.md) to the `my-usbip-client` BareMetal server and run this command:

    ```bash
    ping 192.168.100.3 -c 5
    ```

    Result:

    ```text
    PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data.
    64 bytes from 192.168.100.3: icmp_seq=1 ttl=63 time=29.9 ms
    64 bytes from 192.168.100.3: icmp_seq=2 ttl=63 time=30.9 ms
    64 bytes from 192.168.100.3: icmp_seq=3 ttl=63 time=35.5 ms
    64 bytes from 192.168.100.3: icmp_seq=4 ttl=63 time=30.5 ms
    64 bytes from 192.168.100.3: icmp_seq=5 ttl=63 time=28.2 ms

    --- 192.168.100.3 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4005ms
    rtt min/avg/max/mdev = 28.249/30.987/35.453/2.405 ms
    ```

    Network connectivity between the VPN clients has been established with zero packet loss.
1. Run this command in the remote computer's terminal:

    ```bash
    ping 192.168.100.2 -c 5
    ```

    Result:

    ```text
    PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
    64 bytes from 192.168.100.2: icmp_seq=1 ttl=63 time=30.2 ms
    64 bytes from 192.168.100.2: icmp_seq=2 ttl=63 time=28.4 ms
    64 bytes from 192.168.100.2: icmp_seq=3 ttl=63 time=31.6 ms
    64 bytes from 192.168.100.2: icmp_seq=4 ttl=63 time=27.4 ms
    64 bytes from 192.168.100.2: icmp_seq=5 ttl=63 time=27.6 ms

    --- 192.168.100.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4007ms
    rtt min/avg/max/mdev = 27.381/29.041/31.600/1.608 ms
    ```

    Network connectivity between the VPN clients has been established with zero packet loss.


## Configure USB over IP {#setup-usbip}

You will use `usbip` to forward your USB device to the BareMetal server.

### Configure a `usbip` server {#setup-usbip-server}

A remote computer equipped with multiple USB ports will act as your `usbip` server. In this computer's terminal:

1. Install additional packages required for `usbip`:
   
   ```bash
   sudo apt install linux-tools-`uname -r`
   ```
1. Load the kernel modules required for `usbip`:
   
   ```bash
   sudo modprobe usbip-core
   sudo modprobe usbip-host
   sudo modprobe vhci-hcd
   ```
   
   Where:
   
   * `usbip-core`: Main server part component.
   * `usbip-host`: Component responsible for USB device management.
   * `vhci-hcd`: Component responsible for exporting USB devices.

    {% note info %}

    To set these modules up to load automatically at system startup, open the `/etc/modules-load.d/modules.conf` file in any text editor and add these lines to it:

    ```
    usbip-core
    usbip-host
    vhci-hcd
    ```

    {% endnote %}

1. Insert USB devices into the computer ports.

    In this tutorial, we will use a [USB flash drive](https://en.wikipedia.org/wiki/USB_flash_drive) and a [YubiKey](https://developers.yubico.com/Passkeys/) USB device as an example.
1. Request a list of USB devices available for publishing:

    ```bash
    sudo usbip list -l
    ```

    Result:

    ```text
    - busid 1-1.2 (0951:1666)
      Kingston Technology : DataTraveler 100 G3/G4/SE9 G2/50 (0951:1666)

    - busid 1-1.3 (058f:a001)
      Alcor Micro Corp. : unknown product (058f:a001)

    - busid 1-1.4 (0cf3:3005)
      Qualcomm Atheros Communications : AR3011 Bluetooth (0cf3:3005)

    - busid 1-1.5 (1050:0407)
      Yubico.com : Yubikey 4/5 OTP+U2F+CCID (1050:0407)

    - busid 2-1.1 (0458:6001)
      KYE Systems Corp. (Mouse Systems) : GF3000F Ethernet Adapter (0458:6001)
    ```
1. Publish devices with `busid 1-1.2` and `busid 1-1.5`:

    ```bash
    sudo usbip bind -b 1-1.2
    sudo usbip bind -b 1-1.5
    ```

    Result:

    ```text
    usbip: info: bind device on busid 1-1.2: complete
    usbip: info: bind device on busid 1-1.5: complete
    ```
1. Run the `usbipd` daemon:

    ```bash
    sudo usbipd -4 -D
    ```

At this step, the selected USB devices are published and available for import over the network on the `usbip` client side.

### Configure the `usbip` client {#setup-usbip-client}

The `my-usbip-client` BareMetal server will serve as your `usbip` client.

1. [Connect over SSH](../../compute/operations/vm-connect/ssh.md) to the `my-usbip-client` BareMetal server.
1. Install additional packages required for `usbip`:
   
   ```bash
   sudo apt install linux-tools-`uname -r`
   ```

    {% note info %}

    If using a Yandex Compute Cloud virtual machine as a `usbip` client, you need to additionally install `linux-image-extra-virtual`:

    ```bash
    sudo apt install linux-image-extra-virtual
    ```

    {% endnote %}

1. Load the kernel modules required for `usbip`:
   
   ```bash
   sudo modprobe usbip-core
   sudo modprobe usbip-host
   sudo modprobe vhci-hcd
   ```
   
   Where:
   
   * `usbip-core`: Main server part component.
   * `usbip-host`: Component responsible for USB device management.
   * `vhci-hcd`: Component responsible for exporting USB devices.
1. Request a list of USB devices available for import from the `usbip` server:

    ```bash
    usbip list -r 192.168.100.3
    ```

    Result:

    ```text
    Exportable USB devices
    ======================
    - 192.168.100.3
          1-1.5: Yubico.com : Yubikey 4/5 OTP+U2F+CCID (1050:0407)
              : /sys/devices/platform/vhci_hcd.0/usb1/1-1/1-1.5
              : (Defined at Interface level) (00/00/00)

          1-1.2: Kingston Technology : DataTraveler 100 G3/G4/SE9 G2/50 (0951:1666)
              : /sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2
              : (Defined at Interface level) (00/00/00)
    ```
1. Import devices from the `usbip` client:

    ```bash
    usbip attach -r 192.168.100.3 -b 1-1.2
    usbip attach -r 192.168.100.3 -b 1-1.5
    ```

By now, the selected USB devices have been imported over the network to the BareMetal server.

## Test the solution {#test-solution}

To test the connection to your remote USB devices, connect to the `my-usbip-client` BareMetal server over SSH and perform these test actions in the terminal:

1. Run this command to view the `dmesg` log:

    ```bash
    dmesg
    ```

    Result:

    {% list tabs group=usb-device-type %}

    - Flash drive {#flash-drive}

      ```text
      ...
      [522540.280156] vhci_hcd vhci_hcd.0: pdev(0) rhport(0) sockfd(3)
      [522540.280165] vhci_hcd vhci_hcd.0: devid(65539) speed(3) speed_str(high-speed)
      [522540.280177] vhci_hcd vhci_hcd.0: Device attached
      [522540.500110] usb 3-1: new high-speed USB device number 2 using vhci_hcd
      [522540.618122] usb 3-1: SetAddress Request (2) to port 0
      [522540.671557] usb 3-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 0.01
      [522540.671571] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [522540.671577] usb 3-1: Product: DataTraveler 3.0
      [522540.671581] usb 3-1: Manufacturer: Kingston
      [522540.671585] usb 3-1: SerialNumber: D067E5162216F1B14605943F
      [522540.690082] usb-storage 3-1:1.0: USB Mass Storage device detected
      [522540.690801] scsi host7: usb-storage 3-1:1.0
      [522540.691020] usbcore: registered new interface driver usb-storage
      [522540.694262] usbcore: registered new interface driver uas
      [522541.728481] scsi 7:0:0:0: Direct-Access     Kingston DataTraveler 3.0      PQ: 0 ANSI: 6
      [522541.729122] sd 7:0:0:0: Attached scsi generic sg2 type 0
      [522541.763235] sd 7:0:0:0: [sdc] 15109516 512-byte logical blocks: (7.74 GB/7.20 GiB)
      [522541.775808] sd 7:0:0:0: [sdc] Write Protect is off
      [522541.775829] sd 7:0:0:0: [sdc] Mode Sense: 4f 00 00 00
      [522541.788402] sd 7:0:0:0: [sdc] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
      [522541.890019]  sdc: sdc1
      [522541.890454] sd 7:0:0:0: [sdc] Attached SCSI removable disk
      ...
      ```

      A `Kingston` USB device, which is a block flash drive, was mounted and made available for remote access on the server side. The device was recognized as `/dev/sdc`.

    - YubiKey device {#yubikey}

      ```text
      ...
      [1039400.471187] vhci_hcd vhci_hcd.0: pdev(0) rhport(1) sockfd(3)
      [1039400.471211] vhci_hcd vhci_hcd.0: devid(65540) speed(2) speed_str(full-speed)
      [1039400.471223] vhci_hcd vhci_hcd.0: Device attached
      [1039400.640976] vhci_hcd: vhci_device speed not set
      [1039400.697969] usb 3-2: new full-speed USB device number 4 using vhci_hcd
      [1039400.763979] vhci_hcd: vhci_device speed not set
      [1039400.820985] usb 3-2: SetAddress Request (4) to port 1
      [1039400.872797] usb 3-2: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.43
      [1039400.872812] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
      [1039400.872818] usb 3-2: Product: YubiKey OTP+FIDO+CCID
      [1039400.872822] usb 3-2: Manufacturer: Yubico
      [1039400.894510] input: Yubico YubiKey OTP+FIDO+CCID as /devices/platform/vhci_hcd.0/usb3/3-2/3-2:1.0/0003:1050:0407.0003/input/input7
      [1039400.977251] hid-generic 0003:1050:0407.0003: input,hidraw2: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-vhci_hcd.0-2/input0
      [1039400.987196] hid-generic 0003:1050:0407.0004: hiddev0,hidraw3: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-vhci_hcd.0-2/input1
      ...
      ```

      A `Yubico` USB device was mounted and made available for remote access on the server side.

    {% endlist %}

1. Make sure you have access to data on remote USB devices:

    {% list tabs group=usb-device-type %}

    - Flash drive {#flash-drive}

      1. Get information about the block devices of the BareMetal server:

          ```bash
          lsblk /dev/sdc
          ```

          Result:

          ```text
          NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
          ...
          sdc      8:32   1  7.2G  0 disk 
          └─sdc1   8:33   1  7.2G  0 part
          ```
      1. Mount the `/dev/sdc1` flash drive partition to the `/mnt/sdc1` directory:

          ```bash
          mkdir -p /mnt/sdc1
          mount /dev/sdc1 /mnt/sdc1
          ```
      1. View the list of mounted devices and disk space available for writing:

          ```bash
          df -h
          ```

          Result:

          ```text
          Filesystem      Size  Used Avail Use% Mounted on
          ...
          /dev/sdc1       7.2G   16K  7.2G   1% /mnt/sdc1
          ```
      1. Copy the WireGuard configuration file to the remote USB drive:

          ```bash
          cp -r /etc/wireguard /mnt/sdc1
          ```
      1. View the list of files on the remote USB drive:

          ```bash
          ls -la /mnt/sdc1/wireguard/
          ```

          Result:

          ```text
          total 48
          drwxr-xr-x 2 root root 16384 Apr 20 19:46 .
          drwxr-xr-x 4 root root 16384 Jan  1  1970 ..
          -rwxr-xr-x 1 root root   247 Apr 20 19:46 wg0.conf
          ```

      The test is complete: your file has been successfully copied to the remote USB drive.

    - YubiKey device {#yubikey}

      1. Install the tools required to work with the YubiKey hardware token:

          ```bash
          apt install yubico-piv-tool
          ```
      1. Get the Yubico hardware status by running this command:

          ```bash
          yubico-piv-tool -a status
          ```

          Result:

          ```text
          Version:        5.4.3
          Serial Number:  ********
          CHUID:  No data available
          CCC:    No data available
          Slot 9c:
                  Algorithm:      RSA2048
                  Subject DN:     CN=5-ay-yubi
                  Issuer DN:      CN=ChangeMe
                  Fingerprint:    15e4ec25********************************************************
                  Not Before:     Feb 19 08:29:13 2025 GMT
                  Not After:      Feb 16 08:29:13 2035 GMT
          PIN tries left: 3
          ```
      1. Get the client's public certificate from the Yubico hardware token storage by specifying in the `-s` parameter the `Slot` field value from the previous command's output:

          ```bash
          yubico-piv-tool -a read-cert -s 9c
          ```

          Result:

          ```text
          -----BEGIN CERTIFICATE-----
          MIIDUjCCA*******************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ****************************************************************
          ***************************************t7Ts9P8CTUsyw=
          -----END CERTIFICATE-----
          ```

      The test is complete: the Yubico token returns the correct status and the certificate data has been read successfully.

    {% endlist %}


## How to delete the resources you created {#clear-out}

To stop paying for the resources you created:

1. [Delete](../../compute/operations/vm-control/vm-delete.md) the VM.
1. You cannot delete a BareMetal server. Instead, [cancel](../operations/servers/server-lease-cancel.md) the server lease renewal.