...

Without the Terminal VPN, a malicious actor could potentially steal or impersonate your Terminal and clean out your funds. No special hardware is required. VPN support is built into CAS.

Terminal VPN connections are supported as standard on firmware versions 20221118 and newer.

...

A VPN is another specific and difficult hurdle for attackers. When enabled, the VPN establishes a secure tunnel between the BATM and CAS that cannot be intercepted or manipulated. A VPN ensures that all data traffic is encrypted end-to-end and goes a step further than a mere TLS connection.

Implement the Terminal ↔︎ CAS VPN connection:

Log in to your server’s CLI.

...

Create keys for each Terminal:

Code Block
cd /batm/
./batm-manage vpn-generate [terminal serial number]

...

Example:

Code Block
cd /batm/
./batm-manage vpn-generate BT123456 BT456789
  • Generates VPN certificates for BT123456 and BT456789.

  • The VPN status is then shown in the CAS sidebar status section (bottom left):

...

Firewall Notes:

Info

Terminal VPN clients use TCP port 7742.

Traffic on this port is redirected to the port range 13000:130xx, where xx is the number of the load balanced interface.

  • Default: one load balanced interface per 200 terminals.

  • If your firewall drops all input by default, you will have to allow incoming connections to these ports (see Configuring Server Firewalls).

If you manually restart your firewall:

You have to run this command: source /batm/vpngen/firewall.rules

  • This inserts the load balancing and firewall rules at the top of the firewall rules table.

  • The rules are loaded automatically when the server restarts.

Port 7741 can be safely closed after all terminals are connected through the VPN.

  • Anytime a BATM is factory reset, it will attempt to reconnect via port 7741.

  • Open port 7741 as needed to reconnect these orphans.

...

Code Block
rm /batm/vpngen/vpngen-easyrsa-vars.conf
rm /batm/vpngen/vpn-initversion
rm /batm/vpngen/vpn-list-terminal-groups.txt
rm /batm/vpngen/vpn-list-terminals.txt
rm /batm/vpngen/vpn-list-users.txt
rm -R /etc/openvpn/keys/vpnTgroup0
rm /etc/openvpn/vpnTgroup*.conf

...

Troubleshooting

Note

Prior to patch version 20230120.55, your server may not contain the file hostname in /batm/config/, which must exist before you begin creating your first terminal keys.

Check if the file exists:

Code Block
sudo ls -l /batm/config/hostname
  • This should print the file's details.

If the file doesn't exist, run the commands below on your server (as root).

Code Block
sudo bash
echo $HOSTNAME > "/batm/config/hostname"
  • The value in this file is used in URLs sent in emails and links.

  • Restart CAS to apply any changes to the hostname file.
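The two pre-flight checks above (the firewall port range for the load balanced interfaces, and the hostname file that must exist before the first keys are generated) as a small added script. This is example code written for this page, not a General Bytes tool; it assumes the page's defaults (one interface per 200 terminals, redirect ports starting at 13000, interfaces numbered from 0 as in vpnTgroup0) and takes the file path and hostname as parameters so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example (not part of the General Bytes documentation or CAS).
# Pre-flight checks for the Terminal VPN setup described on this page.

VPN_CLIENT_PORT=7742        # port the Terminal VPN clients connect to
LB_BASE_PORT=13000          # first redirect port (load balanced interface 0)
TERMINALS_PER_INTERFACE=200 # assumed default from the page: 1 interface per 200

# Print the port range "13000:130xx" the firewall must accept for the given
# number of terminals. xx is the last load balanced interface, counted from 0
# (assumption based on the vpnTgroup0 naming on this page).
vpn_lb_port_range() {
    terminals=$1
    [ "$terminals" -ge 1 ] 2>/dev/null || return 1
    interfaces=$(( (terminals + TERMINALS_PER_INTERFACE - 1) / TERMINALS_PER_INTERFACE ))
    last=$(( LB_BASE_PORT + interfaces - 1 ))
    echo "${LB_BASE_PORT}:${last}"
}

# Create the hostname file only if it is missing or empty; never overwrite an
# existing value, because CAS already uses it in emailed URLs and links.
# Exit status: 0 = file already present, 10 = file created (restart CAS),
# 1 = no hostname available or the file could not be written.
ensure_hostname_file() {
    file=$1
    name=${2-$HOSTNAME}   # explicit argument wins; otherwise the shell's hostname
    [ -n "$name" ] || return 1
    if [ -s "$file" ]; then
        return 0
    fi
    printf '%s\n' "$name" > "$file" || return 1
    return 10
}

# Report whether a listener is bound on the VPN client port.
# Exit status: 0 = listening, 1 = not listening, 2 = ss not available.
vpn_port_listening() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn 2>/dev/null | grep -q ":${VPN_CLIENT_PORT} "
}
```

On a real server the checks would be run as `ensure_hostname_file /batm/config/hostname` (exit 10 means a CAS restart is needed) and `vpn_lb_port_range <number of terminals>` to see which redirect ports the firewall must allow.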

Logs:

Information about the terminals connected to all load balancing interfaces:

...