CAS Admin via VPN
DEPRECATED
These instructions are no longer relevant on CAS versions 20230801 (or newer).
A VPN (Virtual Private Network) is a method of ensuring secure & authorized connections to a server. You might use one as an internet broker, but that isn’t the design described here. In this article, we describe how to setup a VPN for exclusive use with the CAS admin service. Using a VPN, only people you grant access to your server will even know your server exists.
This is an essential security measure.
Looking for info on Terminal VPNs?
See: Terminal VPN Setup
This installation can break your CAS if mistakes are made. Be careful to do it during a suitable downtime, and during GB Support’s available hours. See: GENERAL BYTES Contact Hours & Information
We always encourage Operators to HIRE AN EXPERIENCED SERVER ADMINISTRATOR to perform these advanced techniques (and to properly secure your server).
TIP: perform a dry-run installation on a new (disposable) droplet to make sure you’re comfortable with the entire process. It’ll consume about 30 minutes, but it’ll be a well-spent investment of time (and no one gets hurt).
NOTE: The VPN described here is to secure your access to the admin service; your CAS web page.
Do not confuse this with the Terminal VPN.
Enable routing/forwarding.
Uncomment net.ipv4.ip_forward = 1 in /etc/sysctl.conf:
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
Activate the change:
sudo sysctl -p /etc/sysctl.conf
Confirm that the response appears exactly as shown:
net.ipv4.ip_forward=1
Create a new virtual loopback interface.
In this example, we’ll use the “safe” private IP 10.3.2.2. You can use this IP as long as it doesn’t conflict with your local Wi-Fi router’s network. If it does conflict and you cannot access your local network after signing into your VPN, simply try a different third octet (replace the first “2” with another number between 7 and 255, e.g. 10.3.7.2). You can use any other non-conflicting private IP address.
Create a new network interface device via cas-admin-loop.netdev:
sudo nano /etc/systemd/network/cas-admin-loop.netdev
Add this to the file:
[NetDev]
Name=cas-admin-loop
Kind=dummy
Save & exit (Ctrl-X then Y).
Configure the new network device via cas-admin-loop.network:
sudo nano /etc/systemd/network/cas-admin-loop.network
Add this to the file:
[Match]
Name=cas-admin-loop
[Network]
Address=10.3.2.2/32
Save & exit (Ctrl-X then Y).
Reload networkd:
sudo systemctl restart systemd-networkd
sudo ip addr show cas-admin-loop
The last line should show the IP properly assigned to the new virtual network adapter “cas-admin-loop” (an inet line carrying 10.3.2.2/32). The remaining information is mostly irrelevant and will vary.
Configure CAS to use the new virtual network loopback device.
The CAS admin service will normally expose the GUI to the public IP. In this example, the public IP is 159.245.128.57 and that number will not be changed. Yours will be different. Your master service (connecting your BATMs) will continue to be exposed at that IP. Your BATMs' Server IP will not change.
Your admin IP WILL change. You will no longer be able to access the admin screen without first logging into your VPN. This is an encouraged security measure to further deter attacks on your network.
Configure CAS to use the new loopback device in: /batm/config/network
sudo nano /batm/config/network
Add the following line at the bottom:
admin_bind_ip=10.3.2.2
If you’ve changed the virtual network interface IP to something else, use that IP (instead).
Save & exit (Ctrl-X then Y).
Restart CAS
sudo /batm/batm-manage stop all
sudo /batm/batm-manage start all
The CAS admin GUI should no longer be publicly available. Test it to be sure.
To reverse this, simply delete the last line (admin_bind_ip=…) & restart CAS again. The admin screen will return to its original (public) IP.
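To test that the steps above actually took effect, here is an added post-install check script; it is an example written for this article, not General Bytes code. Each check takes command output as text, so the functions can be exercised offline with constructed samples; check_live feeds them real output from sysctl, ip, /batm/config/network and ss. The admin port number is an assumption you must supply (the port your CAS admin GUI listens on), and the loopback/public IPs default to the article’s example values.

```shell
#!/bin/sh
# Post-install check for CAS admin via VPN (added example, not GB code).
# Usage on the server: sh cas-vpn-check.sh ADMIN_PORT [LOOP_IP] [PUBLIC_IP]

re_dots() { printf '%s' "$1" | sed 's/\./\\./g'; }   # escape dots for grep

# Output of `sysctl net.ipv4.ip_forward` must report the value 1.
forward_enabled() {
  val="${1##*=}"; val="${val# }"
  [ "$val" = "1" ]
}

# Output of `ip -o addr show cas-admin-loop` must carry LOOP_IP/32.
loop_has_ip() {
  printf '%s\n' "$1" | grep -q "inet $(re_dots "$2")/32"
}

# /batm/config/network must hold exactly one admin_bind_ip line, exact
# spelling and no spaces, as the article specifies.
config_binds_admin() {
  [ "$(printf '%s\n' "$1" | grep -c "^admin_bind_ip=$(re_dots "$2")\$")" -eq 1 ]
}

# Output of `ss -Hltn` must not show ADMIN_PORT listening on the public IP,
# 0.0.0.0, * or [::]; only the VPN-side loopback address is acceptable.
admin_not_public() {
  ! printf '%s\n' "$1" | grep -Eq "(0\.0\.0\.0|\*|\[::\]|$(re_dots "$3")):$2[[:space:]]"
}

# Run every check against the live host and print what still needs fixing.
check_live() {
  port="$1"; loop="${2:-10.3.2.2}"; pub="${3:-159.245.128.57}"; rc=0
  forward_enabled "$(sysctl net.ipv4.ip_forward)" \
    || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
  loop_has_ip "$(ip -o addr show cas-admin-loop)" "$loop" \
    || { echo "FAIL: cas-admin-loop does not carry $loop/32"; rc=1; }
  config_binds_admin "$(cat /batm/config/network)" "$loop" \
    || { echo "FAIL: admin_bind_ip=$loop line missing or malformed"; rc=1; }
  admin_not_public "$(ss -Hltn)" "$port" "$pub" \
    || { echo "FAIL: admin port $port is still reachable on a public address"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: admin GUI is bound only to $loop"
  return "$rc"
}

# Only touch the live system when a port argument is given.
if [ "$#" -gt 0 ]; then check_live "$@"; fi
```

Run it after the restart and again after any reboot; a FAIL on the last check means the admin GUI is still publicly exposed regardless of what the config file says.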
Next: https://generalbytes.atlassian.net/l/cp/z1V3i0DS
Copyright © 2020-2023 General Bytes USA LLC