...
Without the Terminal VPN, a malicious actor could potentially steal or impersonate your Terminal and clean out your funds. No special hardware is required. VPN support is built into CAS.
Terminal VPN connections are supported as standard on firmware 20221118 and newer.
...
A VPN is another specific and difficult hurdle for attackers. When enabled, the VPN establishes a secure tunnel between the BATM and CAS that cannot be intercepted or manipulated. A VPN ensures that all data traffic is encrypted end-to-end and goes a bit further than a mere TLS connection.
Implement the Terminal ↔︎ CAS VPN connection:
Log in to your server’s CLI.
...
Instructions: https://generalbytes.atlassian.net/l/cp/ZtVaRexM
Create keys for each Terminal:
Code Block |
---|
cd /batm/
./batm-manage vpn-generate [terminal serial number] |
...
Example:
Code Block |
---|
cd /batm/
./batm-manage vpn-generate BT123456 BT456789 |
Generates a VPN certificate for BT123456 and BT456789.
The VPN status will thereafter be acknowledged in CAS' sidebar status section (bottom left):
...
Firewall Notes:
Info |
---|
Terminal VPN clients use TCP port 7742. It is redirected to port ranges 13000:130xx (xx is the number of load-balanced interfaces).
If you manually restart your firewall, you have to run this command:
Port 7741 can be safely closed after all terminals are connected through the VPN.
|
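Before closing port 7741 as the note above allows, it helps to confirm that no terminal still holds a session on it. The following is an added example, not part of the original page or General Bytes tooling: it parses `ss -Htn` output and lists peers still connected on that port, assuming such sessions appear in `ss` with local port 7741; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not General Bytes code. Function names are hypothetical.
# Assumption: non-VPN terminal sessions appear in `ss` with local port 7741.
# Real use on the CAS server:  ss -Htn | legacy_peers 7741

LEGACY_PORT=7741   # the port the note says can be closed once all terminals use the VPN

# legacy_peers PORT: read `ss -Htn` output on stdin and print each unique peer
# address that holds an ESTABLISHED connection to local PORT.
legacy_peers() {
    awk -v port="$1" '
        $1 == "ESTAB" {
            n = split($4, la, ":")        # port is the last ":" field (IPv4 and [IPv6])
            if (la[n] != port) next
            peer = $5
            sub(/:[0-9]+$/, "", peer)     # drop the peer source port
            if (!(peer in seen)) { seen[peer] = 1; print peer }
        }'
}

# safe_to_close PORT: succeed only when no established session remains on PORT.
safe_to_close() {
    [ -z "$(legacy_peers "$1")" ]
}

# Constructed sample of `ss -Htn` output (documentation address ranges).
sample_ss_output() {
    cat <<'EOF'
ESTAB     0 0 203.0.113.10:7741     198.51.100.21:51514
ESTAB     0 0 203.0.113.10:7741     198.51.100.21:51620
ESTAB     0 0 203.0.113.10:13000    198.51.100.22:40022
TIME-WAIT 0 0 203.0.113.10:7741     198.51.100.23:41000
ESTAB     0 0 [2001:db8::10]:7741   [2001:db8::21]:40100
ESTAB     0 0 203.0.113.10:22       192.0.2.5:60000
EOF
}

if sample_ss_output | safe_to_close "$LEGACY_PORT"; then
    echo "No established sessions on port $LEGACY_PORT; it can be closed."
else
    echo "Terminals still connected on port $LEGACY_PORT:"
    sample_ss_output | legacy_peers "$LEGACY_PORT"
fi
```

Sessions in TIME-WAIT are ignored and each peer is reported once, so the list reads as the set of terminals that still need to be moved onto the VPN.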
...
Code Block |
---|
rm /batm/vpngen/vpngen-easyrsa-vars.conf
rm /batm/vpngen/vpn-initversion
rm /batm/vpngen/vpn-list-terminal-groups.txt
rm /batm/vpngen/vpn-list-terminals.txt
rm /batm/vpngen/vpn-list-users.txt
rm -R /etc/openvpn/keys/vpnTgroup0
rm /etc/openvpn/vpnTgroup*.conf |
...
Troubleshooting
Note | ||||
---|---|---|---|---|
Prior to patch version 20230120.55, your server may not Your server must contain the file hostname in Check if the file exists:
If the file doesn't exist, run the command below on your server (as user: root).
|
Logs:
Information about terminals connected to all load-balancing interfaces:
...