Terminal communications with your CAS are protected, but only to an extent. The Terminal VPN enhancement wraps that route in an additional layer, so a vulnerability in the Terminal ↔︎ CAS connection cannot be reached by anyone who does not hold a valid VPN certificate.
Without the Terminal VPN, a malicious actor who can reach your CAS over the network could potentially steal or impersonate your Terminal and drain your funds. No special hardware is required: VPN support is built into CAS.
Terminal VPNs are supported on firmware versions 20221118 and newer.
Activation
A VPN is another specific hurdle for attackers. When enabled, it establishes an encrypted tunnel between the BATM and CAS, so traffic on the path between them cannot be read or manipulated, and the existing TLS connection runs inside that tunnel rather than being the only protection. Because the tunnel is authenticated with per-terminal certificates, only terminals you have issued keys for can connect to it.
To implement the Terminal ↔︎ CAS VPN connection:
1. Log in to your server's CLI.
2. Create keys for each Terminal:
batm-manage vpn-generate [terminal serial number]
e.g.
batm-manage vpn-generate BT123456
generates a VPN certificate for BT123456.
3. Navigate to Terminal >> Settings in the CAS GUI and activate the VPN for the Terminal.
The VPN status is shown in the CAS sidebar status section (bottom left).
Firewall notes:
Terminal VPN clients connect to TCP port 7742 on the CAS.
Connections to 7742 are redirected to the port range 13000:130xx, one port per load-balanced OpenVPN interface (xx is the interface number). By default one interface is created per 200 terminals.
If your firewall drops all input by default, you must re-enable incoming connections to port 7742 and to the 13000:130xx range (see Configuring Server Firewalls).
If you manually restart your firewall, you have to re-run:
. /batm/vpngen/firewall-rules
This inserts the load-balancing and firewall rules at the top of the firewall rules table. The rules are loaded automatically when the server restarts.
Port 7741, used by terminals that are not yet connected through the VPN, can be safely closed once all terminals are connected through the VPN.
Any time a BATM is factory reset, it will attempt to reconnect via port 7741. Open port 7741 as needed to reconnect these orphans, then close it again.
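As an added example (not the project's own firewall-rules script, which the page's `. /batm/vpngen/firewall-rules` command supplies), the shell functions below derive the load-balanced port range from a terminal count and emit iptables INPUT allow-rules for a default-drop firewall, keeping the legacy port 7741 closed unless a reconnect window is explicitly requested. Assumptions: one OpenVPN interface per 200 terminals as stated above, an INPUT chain with a DROP policy, and that the 7742 redirect has already been installed by firewall-rules; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: compute the CAS VPN port range and emit allow-rules for a
# default-drop INPUT chain. Not the project's firewall-rules script.
# Assumption (from the page): one load-balanced OpenVPN interface per 200
# terminals, listening on 13000, 13001, ...; clients connect to TCP 7742.

TERMINALS_PER_INTERFACE=200
VPN_CLIENT_PORT=7742
VPN_BASE_PORT=13000
LEGACY_PORT=7741   # pre-VPN terminal port; only needed for factory-reset terminals

# Number of load-balanced interfaces for N terminals (ceiling division, minimum 1).
vpn_interface_count() {
    n=$1
    [ "$n" -gt 0 ] || { echo 1; return; }
    echo $(( (n + TERMINALS_PER_INTERFACE - 1) / TERMINALS_PER_INTERFACE ))
}

# Port range "13000:130xx" covering all interfaces needed for N terminals.
vpn_port_range() {
    count=$(vpn_interface_count "$1")
    echo "${VPN_BASE_PORT}:$(( VPN_BASE_PORT + count - 1 ))"
}

# Emit iptables rules (one per line) that let VPN traffic through a
# default-drop INPUT chain. Pass "legacy" as the second argument to also
# open 7741 temporarily for orphaned (factory-reset) terminals; omit it
# in the steady state so the non-VPN route stays closed.
vpn_input_rules() {
    range=$(vpn_port_range "$1")
    printf 'iptables -I INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$VPN_CLIENT_PORT"
    printf 'iptables -I INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$range"
    if [ "$2" = "legacy" ]; then
        printf 'iptables -I INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$LEGACY_PORT"
    fi
}

# Usage: print the rules for 450 terminals (three interfaces, 13000:13002)
# without the legacy port; review them before piping into sh as root.
vpn_input_rules 450
```

Because the redirect from 7742 happens before filtering, the rule for the 13000:130xx range is the one that actually admits the redirected packets; the 7742 rule is kept so the documented client port is also open for any direct connection. Run the output as root only after reviewing it against your existing rule set.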
Maintenance
Revoke a Terminal's VPN certificate only in the specific situation where that terminal is sold, stolen or discarded:
batm-manage vpn-revoke BT123456
revokes BT123456's access to your CAS.
Deactivation
Once installed, the VPN protects your system. If you decide to remove this protection, remove the VPN configuration installed by batm-manage:
Automatic removal (also the step to take if you already attempted to create keys for a Terminal while the hostname file was missing; see Troubleshooting):
/batm/batm-manage vpn-clean
(Optional) Manual file removal:
rm /batm/vpngen/vpngen-easyrsa-vars.conf
rm /batm/vpngen/vpn-initversion
rm /batm/vpngen/vpn-list-terminal-groups.txt
rm /batm/vpngen/vpn-list-terminals.txt
rm /batm/vpngen/vpn-list-users.txt
rm -R /etc/openvpn/keys/vpnTgroup0
rm /etc/openvpn/vpnTgroup*.conf
Troubleshooting
Prior to patch version 20230120.55, your server may not contain the file hostname in /batm/config/ before you begin creating your first terminal keys.
If the file doesn't exist, create it on your server as user root:
sudo bash
echo "$HOSTNAME" > /batm/config/hostname
The entry in the file is used in URLs sent in emails and links.
If you already attempted to generate Terminal keys while the file was missing, run /batm/batm-manage vpn-clean (see Deactivation) before generating them again.
Restart CAS to apply any changes to the hostname file.
Logs:
Information about terminals connected to all load-balancing interfaces:
cat /var/log/openvpn/vpnTgroup*.log
Information about a specific terminal (replace BTxxxxxx with its serial):
grep BTxxxxxx /var/log/openvpn/vpnTgroup*.log
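As an added example, not part of the CAS tooling, the script below turns the log-reading commands above into two checks: which terminals have connected on each load-balanced interface, and the last known state of one terminal. It assumes the per-group log paths the page gives (/var/log/openvpn/vpnTgroupN.log), that each terminal's certificate CN is its serial so OpenVPN prefixes per-client lines with "BTxxxxxx/ip:port", that a terminal belongs to one group, and the standard OpenVPN server log wording; the sample log lines are constructed for the example and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CAS tooling: summarise terminal VPN sessions
# from OpenVPN server logs. Assumptions: logs live in $LOG_DIR as
# vpnTgroup<N>.log (as the page states), each terminal's certificate CN is its
# serial, so OpenVPN prefixes client lines with "BTxxxxxx/ip:port", and a
# terminal is served by a single group. Sample logs below are constructed.

LOG_DIR=${LOG_DIR:-/var/log/openvpn}

# Every terminal with a "Peer Connection Initiated" line, printed as
# "<group log> <serial>", one per line, deduplicated per group.
vpn_connected_terminals() {
    for f in "$1"/vpnTgroup*.log; do
        [ -e "$f" ] || continue
        grep 'Peer Connection Initiated' "$f" \
            | sed -n 's#.* \(BT[A-Za-z0-9]*\)/[^ ]* Peer Connection Initiated.*#\1#p' \
            | sort -u \
            | sed "s#^#$(basename "$f") #"
    done
}

# Last known state of one terminal across all group logs:
# "connected", "disconnected" or "never seen". Relies on file order, which is
# sufficient when the terminal only ever appears in one group log.
vpn_terminal_state() {
    serial=$2
    last=$(grep -h "$serial/" "$1"/vpnTgroup*.log 2>/dev/null \
        | grep -E 'Peer Connection Initiated|client-instance exiting' \
        | tail -n 1)
    case "$last" in
        *"Peer Connection Initiated"*) echo connected ;;
        *"client-instance exiting"*)   echo disconnected ;;
        *)                             echo "never seen" ;;
    esac
}

# Constructed sample logs in OpenVPN server log style so the example runs
# offline; returns the temporary directory holding them.
vpn_make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/vpnTgroup0.log" <<'EOF'
Fri Jan 20 10:15:32 2023 203.0.113.5:51234 VERIFY OK: depth=0, CN=BT123456
Fri Jan 20 10:15:32 2023 BT123456/203.0.113.5:51234 Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Fri Jan 20 10:16:01 2023 BT654321/203.0.113.9:40001 Peer Connection Initiated with [AF_INET]203.0.113.9:40001
Fri Jan 20 11:02:10 2023 BT654321/203.0.113.9:40001 SIGTERM[soft,remote-exit] received, client-instance exiting
EOF
    cat > "$dir/vpnTgroup1.log" <<'EOF'
Fri Jan 20 10:20:00 2023 BT777777/198.51.100.7:33000 Peer Connection Initiated with [AF_INET]198.51.100.7:33000
EOF
    echo "$dir"
}

# Usage against the constructed logs; point LOG_DIR at /var/log/openvpn on a
# real CAS instead.
sample=$(vpn_make_sample_logs)
vpn_connected_terminals "$sample"
vpn_terminal_state "$sample" BT654321
rm -r "$sample"
```

Run it with LOG_DIR=/var/log/openvpn and your own serial to get a one-word answer for a terminal that has gone quiet; a "disconnected" result for a terminal that should be online is the cue to check whether its certificate was revoked or whether it was factory reset and is now waiting on port 7741.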