Control Clients
Control clients are NMA users that can access any logger connected to it. Control clients are to be used by technicians and external monitoring servers only.
Caution
Control clients are not to be used by loggers.
Control users DO NOT have SSH access to the NMA by default.
Creating a Control Client
SSH into your NMA as the monitor user.
If you are using a different account that you set up yourself, then execute cd /home/monitor to access the build scripts.
Once you are at /home/monitor execute the command ./build-key-control <controlname>.
Replace <controlname> with the identifier of the control client.
Example
monitor@nma:~$ ./build-key-control dealername-jdoe
Running this command will generate the VPN certificates and configuration files needed to connect to loggers.
The control client's files are located in /home/monitor/controlkeys/<controlname>
Export these files from the NMA and provide them to your technician or install them on a monitoring server. The .ovpn file contains all of the configuration necessary and can be opened by most VPN clients.
We recommend the use of Viscosity or OpenVPN Client.
Before the client can connect to the server, an IP address must be assigned to them.
Assigning a Control IP Address
Edit the CCD
When the control client is created, a file is created at /etc/openvpn/ccd/<controlname>
You must edit this file and assign a /30 subnet to the client.
Initially the file looks like this:
ifconfig-push 10.38.8.ODD 10.38.8.EVEN
push "route 10.38.0.0 255.255.248.0"
route 10.38.8.ODD 255.255.255.255
Edit the file and replace the ODD and EVEN placeholders with the IP addresses for the client.
Example:
ifconfig-push 10.38.8.5 10.38.8.6
push "route 10.38.0.0 255.255.248.0"
route 10.38.8.5 255.255.255.255
Note
The first IP address available for a control client is 10.38.8.5/30.
The second 30-bit subnet is 10.38.8.9/30, and it goes up from there to 10.38.8.249/30.
Edit OpenVPN
The next step in assigning a control IP address is to edit the file /etc/openvpn/server.conf
By default, the route section of this file is preconfigured for 9 control clients.
# Set the client's routes, just to the control client
# Each route must increase by a /30 subnet
# The control assigned each IP address is specified in the /etc/openvpn/ccd directory.
# After adding a new route, execute the command "sudo service openvpn restart"
push "route 10.38.0.1 255.255.255.255"
push "route 10.38.8.5 255.255.255.255"
push "route 10.38.8.9 255.255.255.255"
push "route 10.38.8.13 255.255.255.255"
push "route 10.38.8.17 255.255.255.255"
push "route 10.38.8.21 255.255.255.255"
push "route 10.38.8.25 255.255.255.255"
push "route 10.38.8.29 255.255.255.255"
push "route 10.38.8.33 255.255.255.255"
push "route 10.38.8.37 255.255.255.255"
Add another entry at the bottom of this section if you need more than 9 control clients. Each client should be using a unique 30-bit subnet for security.
Restart OpenVPN
Restart the OpenVPN service for the new route to take effect.
If you did not have to edit the server.conf file, then this step is not necessary.
To restart the service, execute the command sudo systemctl restart openvpn
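A consistency check for the CCD and server.conf edits described above, as an added example that is not part of the NMA's own tooling: it flags CCD files that still hold the ODD/EVEN placeholders, reuse another client's /30, or lack a matching push route, and reports the next free address. The function names and the tech-a, tech-b and tech-c client names are constructed for illustration.

```python
import re

PREFIX = "10.38.8."
SLOTS = range(5, 250, 4)  # client addresses .5, .9 ... .249, one per /30 (from the page)

def audit_control_ccd(ccd_files, server_conf):
    """ccd_files: {control name: CCD text}. Returns (findings, next free address)."""
    pushed = set(re.findall(r'^push "route (\S+) 255\.255\.255\.255"', server_conf, re.M))
    findings, owner = [], {}
    for name, text in sorted(ccd_files.items()):
        push = re.search(r"^ifconfig-push (\S+) (\S+)\s*$", text, re.M)
        route = re.search(r"^route (\S+) 255\.255\.255\.255\s*$", text, re.M)
        if not push or not route:
            findings.append(f"{name}: missing ifconfig-push or route line")
            continue
        local, peer = push.groups()
        octet = re.fullmatch(re.escape(PREFIX) + r"(\d+)", local)
        if not octet or int(octet.group(1)) not in SLOTS:
            # Also catches a file still holding the ODD/EVEN placeholders.
            findings.append(f"{name}: {local} is not a valid control client address")
            continue
        n = int(octet.group(1))
        if peer != f"{PREFIX}{n + 1}":
            findings.append(f"{name}: peer {peer} should be {PREFIX}{n + 1}")
        if route.group(1) != local:
            findings.append(f"{name}: route {route.group(1)} does not match {local}")
        if n in owner:
            findings.append(f"{name}: {local} already assigned to {owner[n]}")
        owner.setdefault(n, name)
        if local not in pushed:
            findings.append(f"{name}: no push route for {local} in server.conf")
    free = next((f"{PREFIX}{n}" for n in SLOTS if n not in owner), None)
    return findings, free

def sample_ccd(odd, even):
    """Build a CCD file body in the layout shown on the page (constructed sample)."""
    return (f"ifconfig-push {PREFIX}{odd} {PREFIX}{even}\n"
            'push "route 10.38.0.0 255.255.248.0"\n'
            f"route {PREFIX}{odd} 255.255.255.255\n")

# Constructed sample input, not real NMA files.
SAMPLE_CONF = ('push "route 10.38.0.1 255.255.255.255"\n'
               'push "route 10.38.8.5 255.255.255.255"\n')
SAMPLE_CCD = {"dealername-jdoe": sample_ccd(5, 6), "tech-a": sample_ccd(5, 6),
              "tech-b": sample_ccd("ODD", "EVEN"), "tech-c": sample_ccd(41, 42)}

if __name__ == "__main__":
    findings, free = audit_control_ccd(SAMPLE_CCD, SAMPLE_CONF)
    print("\n".join(findings + [f"next free: {free}"]))
```

On the NMA, pass the contents of the control clients' files under /etc/openvpn/ccd and of /etc/openvpn/server.conf in place of the sample data.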