CAS Admin via VPN


These instructions are no longer relevant on CAS versions 20230801 (or newer).

A VPN (Virtual Private Network) is a method of ensuring secure & authorized connections to a server. You might use one as an internet broker, but that isn’t the design described here. In this article, we describe how to set up a VPN for exclusive use with the CAS admin service. Using a VPN, only people you grant access to your server will even know your server exists.

This is an essential security measure.

Looking for info on Terminal VPNs?

See: Terminal VPN Setup

This installation can break your CAS if mistakes are made. Be careful to do it during a suitable downtime, and during GB Support’s available hours. See: GENERAL BYTES Contact Hours & Information

We always encourage Operators to HIRE AN EXPERIENCED SERVER ADMINISTRATOR to perform these advanced techniques (and to properly secure your server).

TIP: perform a dry-run installation on a new (disposable) droplet to make sure you’re comfortable with the entire process. It’ll consume about 30 minutes, but it’ll be a well-spent investment of time (and no one gets hurt).

NOTE: The VPN described here secures your access to the admin service (your CAS web page).

Do not confuse this with the Terminal VPN.

Enable routing/forwarding.

Uncomment net.ipv4.ip_forward = 1 in /etc/sysctl.conf:

sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

Activate the change:

sudo sysctl -p /etc/sysctl.conf
  • Confirm that the response appears exactly as shown: net.ipv4.ip_forward=1

Create a new virtual loopback interface.

In this example, we’ll use the “safe” IP of which is private. You can also use this IP provided that your local wifi router doesn’t conflict. If it does conflict and you cannot access your local network after signing into your VPN, simply try a different quad (replace the first "2" with another number between 7 and 255, e.g. You can use any other non-conflicting private IP address.

Create a new network interface device via cas-admin-loop.netdev:

sudo nano /etc/systemd/network/cas-admin-loop.netdev


Add this to the file:

[NetDev]
Name=cas-admin-loop
Kind=dummy
  • Save & exit (Ctrl-X then Y).

Configure the new network device via

sudo nano /etc/systemd/network/

Add this to the file:

[Match]
Name=cas-admin-loop

[Network]
Address=
  • Save & exit (Ctrl-X then Y).

Reload networkd:

sudo systemctl restart systemd-networkd
sudo ip addr show cas-admin-loop

The last line should report something like this:

  • Shows the properly assigned IP to the new virtual network adapter “cas-admin-loop”.

  • The remaining information is mostly irrelevant and will vary.

Configure CAS to use the new virtual network loopback device.

The CAS admin service will normally expose the GUI to the public IP. In this example, the public IP is and that number will not be changed. Yours will be different. Your master service (connecting your BATMs) will continue to be exposed at that IP. Your BATMs' Server IP will not change.

Your admin IP WILL change. You will no longer be able to access the admin screen without first logging into your VPN. This is an encouraged security measure to further deter attacks on your network.

Configure CAS to use the new loopback device in: /batm/config/network

sudo nano /batm/config/network

Add the following line at the bottom:

  • If you’ve changed the virtual network interface IP to something else, use that IP (instead).

  • Save & exit (Ctrl-X then Y).

Restart CAS

sudo /batm/batm-manage stop all
sudo /batm/batm-manage start all

The CAS admin GUI should no longer be publicly available. Test it to be sure.

  • To reverse this, simply delete the last line (admin_bind) & restart CAS again. The admin screen will return to its original (public) IP.
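
One way to run the "test it to be sure" step from the server itself, as an added example (not General Bytes' own code): the function below reads `ss -ltnH` output and reports any listener on the admin port that is bound to something other than the virtual interface address. The port 8443, the address 10.255.0.1 and the sample listener lines are constructed placeholders, not CAS values; substitute your own admin port and the IP you assigned to cas-admin-loop.

```shell
# Added example: sample values are constructed; port and addresses are placeholders.

# audit_bind PORT ALLOWED_IP
# Reads `ss -ltnH` output on stdin and prints every listener on PORT that is
# bound to an address other than ALLOWED_IP.
# Exit status: 0 = only ALLOWED_IP, 1 = exposed elsewhere, 2 = nothing on ALLOWED_IP.
audit_bind() {
    awk -v port="$1" -v allowed="$2" '
        {
            n = split($4, p, ":")              # $4 is "Local Address:Port"
            if (p[n] != port) next             # unrelated service
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            if (addr == allowed) { ok++; next }
            print "EXPOSED " $4; bad++
        }
        END { if (bad) exit 1; if (!ok) exit 2; exit 0 }
    '
}

# Constructed sample: admin port still on the wildcard addresses (before the change).
SAMPLE_BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 100 [::]:8443 [::]:*'

# Constructed sample: admin port bound only to the dummy interface address.
SAMPLE_AFTER='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 10.255.0.1:8443 0.0.0.0:*'

# On a live server (not run here): ss -ltnH | audit_bind "$ADMIN_PORT" "$ADMIN_IP"
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    rc=0
    printf '%s\n' "$sample" | audit_bind 8443 10.255.0.1 || rc=$?
    echo "audit_bind exit status: $rc"
done
```

A status of 2 means nothing is listening on the expected address at all, which usually points to a typo in the bind setting or an interface that did not come up. This only checks the server's own sockets, so also confirm from a machine outside the VPN that the admin page no longer loads.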


Copyright © 2020-2023 General Bytes USA LLC