11. Remote Access

Connectivity Suite offers two options for remote access to Devices (incl. end/child-devices).

  • Web Proxy Access via Browser: The web interface of Devices can be reached through a Web Proxy. In addition, you can enable Proxy Records (see Section 11.1.2), which allow static and direct web access to devices as well as to end-devices.

  • Service Access via VPN: As described in Section 11.2, full network service access allows managing devices and end-devices.

11.1. Device access via Web Proxy

The Connectivity Suite web proxy enables access to the web interface of the Child Devices reachable through the Connectivity Suite OpenVPN servers without having to run an OpenVPN client locally.

11.1.1. Default Option (basic)

To access the web interface of a device, click the “Open Web Interface” button in the Device Details (see Fig. 11.1).

Fig. 11.1 Open web interface via web proxy

Note

Make sure that you have added a devices CNAME DNS record. See Section 2.3.2 for more details.

11.1.2. Proxy Records Option (advanced)

Besides the basic option of accessing devices and end-devices one at a time, the Proxy Records feature can be configured. This offers two benefits:

  • Multiple sessions can be open at once by using the URL pattern xxx-xxx-xxx-xxx.devices.mycs.com, e.g. 10-240-3-45.devices.mycs.com.

  • Proxy Records map an Alias to a specific IP and Port of any Device, such as a CCTV camera, e.g. camera-1-bus-23.devices.mycs.com.

Fig. 11.2 Proxy Records Principle

11.1.3. Enable Proxy Records

You must use the cs-cmd tool to enable or disable the Proxy Records feature. This can be done through the command line interface by navigating to the > Configure Proxy Records Feature menu and setting the status to > enable.

Depending on which HTTPS CA is being used, the corresponding configurations need to be made.

  • LetsEncrypt
    • Add CNAME according to instructions provided in cs-cmd.

    • Configure the DNS challenge

    • Set the Provider Code and Variables according to the Traefik Let’s Encrypt documentation: > set provider / > edit provider

    • Environment Variables > add variable / > edit variable / > delete variable

    • Save settings with > save and exit

  • Own HTTPS Certificates
    • Add CNAME according to instructions

    • Generate new certificates including the given wildcard SAN

    • Replace the certificates

  • Generated Certificates
    • Add CNAME according to instructions

11.1.4. Configure Proxy Records

Proxy Records are managed under Global Settings. For each Device or End-Device that needs to be reached through a custom DNS record, a Proxy Record is required (see Fig. 11.3). Each record covers only one TCP port, so two or more records are required if multiple targets on a device using different ports need to be reached.

Fig. 11.3 Proxy Records Configuration

Table Controls

  1. Create a new Proxy Record

  2. Save entry / entries

  3. Update table

Note

Changes may take up to 5 minutes to take effect.

Explanation and meaning of the table entries:

| Column | Explanation | Example |
|---|---|---|
| Alias | Alias name, used for accessing the corresponding device via DNS through HTTPS | camera7-tram3-nw1 |
| Target Address | Specify the target IP of the corresponding device or end-device | 10.236.1.38 |
| Target Port | Specify the target port of the corresponding device or end-device | 443 |
| Network | Corresponding VPN Network, owning the matched IP Address Block | Network1 |
| Device | Corresponding Device, owning the matched IP Address Block | tram3 |

  1. Proxy Records are not updated automatically. If a router gets a different address (e.g., by moving to another network), the corresponding proxy records will no longer work until their Target Address is updated manually.

  2. For proxy records that point to a connected device, we recommend configuring the router to assign a fixed IP to the connected device. Otherwise, the proxy record can suddenly become invalid if the connected device receives a different IP.
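
A pre-flight check for a list of Proxy Records before they are entered in the table, as an added example (not part of the Connectivity Suite or its documentation). The record field names, the `10.236.0.0/16` block for Network1 and all sample records except the first are constructed; the base domain is the page's example `devices.mycs.com`, and the alias check assumes the wildcard SAN has the form `*.devices.mycs.com`.

```python
import ipaddress
import re

BASE_DOMAIN = "devices.mycs.com"  # the page's example domain
# Assumption: the wildcard SAN is *.devices.mycs.com, which matches exactly one
# DNS label, so an alias must be a single RFC 1123 label (no dots).
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
IP_STYLE_RE = re.compile(r"^\d{1,3}(-\d{1,3}){3}$")  # e.g. 10-240-3-45

# Constructed sample data: the address block and the last three records are invented.
NETWORK_BLOCKS = {"Network1": ipaddress.ip_network("10.236.0.0/16")}
RECORDS = [
    {"alias": "camera7-tram3-nw1", "address": "10.236.1.38", "port": 443, "network": "Network1"},
    {"alias": "camera7-tram3-nw1", "address": "10.236.1.38", "port": 8443, "network": "Network1"},
    {"alias": "hmi.tram3", "address": "10.236.1.40", "port": 80, "network": "Network1"},
    {"alias": "10-240-3-45", "address": "10.240.3.45", "port": 443, "network": "Network1"},
]


def ip_style_hostname(address):
    """Hostname for the IP-based pattern, e.g. 10.240.3.45 -> 10-240-3-45.<domain>."""
    return f"{str(ipaddress.IPv4Address(address)).replace('.', '-')}.{BASE_DOMAIN}"


def audit_records(records, blocks):
    """Return (alias, problem) tuples for records that need attention."""
    findings, seen = [], set()
    for rec in records:
        alias = rec["alias"].lower()
        if not LABEL_RE.match(alias):
            findings.append((alias, "not a single DNS label, so the wildcard SAN will not match"))
        if IP_STYLE_RE.match(alias):
            findings.append((alias, "ambiguous with the IP-style hostname pattern"))
        if alias in seen:
            findings.append((alias, "duplicate alias; use one alias per target port"))
        seen.add(alias)
        if not 1 <= rec["port"] <= 65535:
            findings.append((alias, "target port out of range"))
        block = blocks.get(rec["network"])
        if block is None or ipaddress.ip_address(rec["address"]) not in block:
            findings.append((alias, "target address outside the network's address block"))
    return findings


if __name__ == "__main__":
    print(ip_style_hostname("10.240.3.45"))
    for alias, problem in audit_records(RECORDS, NETWORK_BLOCKS):
        print(f"{alias}.{BASE_DOMAIN}: {problem}")
```

Re-running the same check after a router changes networks shows which Target Address entries have fallen outside their network's block and need a manual update.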

11.2. Device access via OpenVPN client

Connectivity Suite provides OpenVPN for access to the Devices. A VPN connection to the Provisioning, the Backend or any custom VPN Network Server must be established, which means the user needs to run an OpenVPN client. The configuration and certificates needed for the VPN connection can be downloaded from the Connectivity Suite via the Service Access function.

11.2.1. Installing OpenVPN Client

The OpenVPN client to access the devices can be downloaded from https://openvpn.net/community-downloads/.

Warning

While the VPN Connect client often works, make sure you are using the Community Edition of the OpenVPN client. The commercial version of the OpenVPN client is not officially supported by the Connectivity Suite.

11.2.2. OpenVPN access

There are three types of Service Access:

  1. VPN Network: The user can access any Device within the VPN Network by using the VPN Address of the Device. This is helpful if the user should access only Devices of a specific VPN Network.

  2. Platform Network: The user can access any Device within the Platform Network by using the Platform Address of the Device. This is helpful if the user should access Devices of different VPN Networks.

  3. Provisioning Network: The user can access any Device within the Provisioning Network by using the Provisioning Address of the Device.

To establish a connection:

  1. Navigate to the page “Network” of the Connectivity Suite. Select the Network to which the required Device is assigned.

  2. Click on “Download OpenVPN client configuration” in the Detail dialogue box to download the OpenVPN client configuration.

Fig. 11.4 Download VPN config

  3. Start the OpenVPN client on your client PC and import the configuration file downloaded in the previous step into the OpenVPN client to establish a connection with the Connectivity Suite.

  4. After the connection has been established, navigate to the page “Devices” and select the required Device in the main dialogue table.

  5. Use the IP address shown in the Detail dialogue box to access the Device.

Fig. 11.5 Open web interface

11.3. Child Device Remote Access

To access Child Devices, the router must perform a network NAT. The following router settings are necessary for the NAT:

  1. Open the web interface of the router, open the Firewall/Inbound Rules page and create a new rule.

  2. Select “network” for the mapping to execute a network NAT.

  3. Select the interface. The interface must be the OpenVPN tunnel which is used to connect to the Connectivity Suite.

  4. Add the Device VPN Network Block Address. If it is unclear what the Device VPN Network Block Address is, see Section 13.

  5. Add the LAN as Redirect address/netmask and apply the settings.

Fig. 11.6 NAT Settings NetModule Router

  6. Now select the router in the Device list, open the Child Device tab in the Detail dialogue box and click the “Scan again” button. The Child Devices are now displayed in the table.

Fig. 11.7 End Devices View Connectivity Suite