A VPN (Virtual Private Network) is a method of ensuring secure & authorized connections to a server. You might use one as an internet broker, but that isn’t the design described here. In this article, we describe how to setup a VPN for exclusive use with the CAS admin service. Using a VPN, only people you grant access to your server will even know your server exists.
We always encourage Operators to HIRE AN EXPERIENCED SERVER ADMINISTRATOR to perform these advanced techniques (and to properly secure your server).
TIP: perform a dry-run installation on a new (disposable) droplet to make sure you’re comfortable with the entire process. It’ll consume about 30 minutes, but it’ll be a well-spent investment of time (and no one gets hurt).
NOTE: The VPN described here is to secure your access to the admin service; your CAS web page.
Uncomment net.ipv4.ip_forward = 1 in /etc/sysctl.conf:
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
Activate the change:
sudo sysctl -p /etc/sysctl.conf
Confirm that the response appears exactly as shown: net.ipv4.ip_forward=1
Create a new virtual loopback interface.
In this example, we’ll use the “safe” IP of 10.3.2.2 which is private. You can also use this IP provided that your local wifi router doesn’t conflict. If it does conflict and you cannot access your local network after signing into your VPN, simply try a different quad (replace the first "2" with another number between 7 and 255, e.g. 10.3.7.2). You ca use any other non conflict private ip address.
Create a new network interface device via cas-admin-loop.netdev:
sudo systemctl restart systemd-networkd
sudo ip addr show cas-admin-loop
The last line should report something like this:
Shows the properly assigned IP to the new virtual network adapter “cas-admin-loop”.
The remaining information is mostly irrelevant and will vary.
Configure CAS to use the new virtual network loopback device.
The CAS admin service will normally expose the GUI to the public IP. In this example, the public IP is 188.8.131.52 and that number will not be changed. Yours will be different. Your master service (connecting your BATMs) will continue to be exposed at that IP. Your BATMs' Server IP will not change.
Your admin IP WILL change. You will no longer be able to access the admin screen without first logging into your VPN. This is an encouraged security measure to further deter attacks on your network.
Configure CAS to use the new loopback device in: /batm/config/network
sudo nano /batm/config/network
Add the following line at the bottom:
If you’ve changed the virtual network interface IP to something else, use that IP (instead).
Save & exit (Ctrl-X then Y).
sudo /batm/batm-manage stop all
sudo /batm/batm-manage start all
The CAS admin GUI should no longer be publicly available. Test it to be sure.
To reverse this, simply delete the last line (admin_bind) & restart CAS again. The admin screen will return to it’s original (public) IP.