3. Control Clients
Control clients are NAA users that can access any logger connected to the NAA. Control clients are to be used by technicians and external monitoring servers only. Control clients are not to be used by loggers.
Note
Control users DO NOT have SSH access to the NAA by default.
3.1. Creating a Control Client
SSH into your NAA as the monitor user. If you are using a different account that you set up yourself, then execute `cd /opt/NAA` to access the build scripts.
Once you are at `/opt/NAA`, execute the command `./build-key-control <controlname>`. Replace `<controlname>` with the identifier of the control client.
- Example
monitor@NAA:~$ ./build-key-control dealername-jdoe
Running this command will generate the VPN certificates and configuration files needed to connect to loggers.
The control client's files are located in `/opt/NAA/controlkeys/<controlname>`. Export these files from the NAA and provide them to your technician or install them on a monitoring server. The .ovpn file contains all of the configuration necessary and can be opened by most VPN clients. We recommend the use of [Viscosity](https://www.sparklabs.com/viscosity/) or [OpenVPN Client](https://openvpn.net/community-downloads/). Before the client can connect to the server, an IP address must be assigned to it.
3.2. Assigning a Control IP Address
3.2.1. Edit the CCD
When the control client is created, a file is created at `/etc/openvpn/ccd/<controlname>`. You must edit this file and assign a /30 subnet to the client. Initially the file looks like this:
ifconfig-push 10.38.8.ODD 10.38.8.EVEN
push "route 10.38.0.0 255.255.248.0"
route 10.38.8.ODD 255.255.255.255
Edit the file and replace the `ODD` and `EVEN` text with the IP address for the client.
- Example
ifconfig-push 10.38.8.5 10.38.8.6
push "route 10.38.0.0 255.255.248.0"
route 10.38.8.5 255.255.255.255
Note
The first IP address available for a control client is 10.38.8.5/30. The second 30-bit subnet is 10.38.8.9/30, and it goes up from there to 10.38.8.249/30.
3.2.2. Edit OpenVPN
The next step in assigning a control IP address is to edit the file `/etc/openvpn/server.conf`. By default, the route section of this file is preconfigured for 9 control clients.
# Set the client's routes, just to the control client
# Each route must increase by a /30 subnet
# The control assigned each IP address is specified in the /etc/openvpn/ccd directory.
# After adding a new route, execute the command "sudo service openvpn restart"
push "route 10.38.0.1 255.255.255.255"
push "route 10.38.8.5 255.255.255.255"
push "route 10.38.8.9 255.255.255.255"
push "route 10.38.8.13 255.255.255.255"
push "route 10.38.8.17 255.255.255.255"
push "route 10.38.8.21 255.255.255.255"
push "route 10.38.8.25 255.255.255.255"
push "route 10.38.8.29 255.255.255.255"
push "route 10.38.8.33 255.255.255.255"
push "route 10.38.8.37 255.255.255.255"
Add another entry at the bottom of this section if you need more than 9 control clients. Each client should be using a unique 30-bit subnet for security.
3.2.3. Restart OpenVPN
Restart the OpenVPN service for the new route to take effect. If you did not have to edit the server.conf file, then this step is not necessary. To restart the service, execute the command `sudo systemctl restart openvpn`.
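The following is an added example, not part of the NAA build scripts: a Python check that audits the assignments described in 3.2.1 and 3.2.2. It flags CCD files that still contain the placeholders, clients sharing a /30, and clients with no matching push route in server.conf, and it reports the next free pair. The function names and the sample data are assumptions made for illustration.

```python
import re

# Added example; names are illustrative, not part of the NAA scripts.
PREFIX = "10.38.8."
FIRST, LAST = 5, 249   # client-side last octets run 5, 9, 13, ... 249 (see the note in 3.2.1)
PUSH_RE = re.compile(r"^ifconfig-push\s+10\.38\.8\.(\d+)\s+10\.38\.8\.(\d+)\s*$", re.M)
ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+255\.255\.255\.255"', re.M)

def render_ccd(odd):
    """CCD file body for the /30 whose client address ends in `odd`."""
    return (f"ifconfig-push {PREFIX}{odd} {PREFIX}{odd + 1}\n"
            'push "route 10.38.0.0 255.255.248.0"\n'
            f"route {PREFIX}{odd} 255.255.255.255\n")

def audit(ccd_files, server_conf):
    """Return (problems, next_free_odd) for a {controlname: ccd_text} mapping."""
    routes = set(ROUTE_RE.findall(server_conf))
    owners, problems = {}, []
    for name, text in sorted(ccd_files.items()):
        m = PUSH_RE.search(text)
        if not m:
            problems.append(f"{name}: no address assigned (ODD/EVEN still present?)")
            continue
        odd, even = int(m.group(1)), int(m.group(2))
        if not (FIRST <= odd <= LAST and odd % 4 == 1 and even == odd + 1):
            problems.append(f"{name}: {odd}/{even} is not a valid /30 pair")
            continue
        if odd in owners:
            problems.append(f"{name}: shares {PREFIX}{odd} with {owners[odd]}")
        owners.setdefault(odd, name)
        if f"{PREFIX}{odd}" not in routes:
            problems.append(f"{name}: server.conf has no push route for {PREFIX}{odd}")
    free = next((o for o in range(FIRST, LAST + 1, 4) if o not in owners), None)
    return problems, free

# Constructed sample data, not taken from a real NAA.
SAMPLE_CCD = {
    "dealername-jdoe": render_ccd(5),
    "dealername-asmith": render_ccd(5),      # duplicate /30
    "monitor-srv": render_ccd(41),           # beyond the 9 default routes
    "dealername-new": "ifconfig-push 10.38.8.ODD 10.38.8.EVEN\n",
}
SAMPLE_CONF = "".join(f'push "route {PREFIX}{o} 255.255.255.255"\n' for o in range(5, 38, 4))

if __name__ == "__main__":
    problems, free = audit(SAMPLE_CCD, SAMPLE_CONF)
    print("\n".join(problems))
    print("next free pair:", f"{PREFIX}{free} {PREFIX}{free + 1}")
```

On an NAA, the mapping would be built from the files in /etc/openvpn/ccd and the text of /etc/openvpn/server.conf instead of the sample data.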