11. Remote Access
Connectivity Suite offers two options for remote access to Devices (incl. end/child-devices).
- Web Proxy Access via Browser: The web interface of Devices can be reached through a Web Proxy. In addition, you can enable Proxy Records (see Section 11.1.2), which allow static and direct web access to devices as well as to end-devices.
- Service Access via VPN: As described in Section 11.2, full network service access allows managing devices and end-devices.
11.1. Device access via Web Proxy
The Connectivity Suite web proxy enables access to the web interface of the Child Devices connected to the Connectivity Suite OpenVPN servers without having to run an OpenVPN client locally.
11.1.1. Default Option (basic)
To access the web interface of a device, click the “Open Web Interface” button in the Device Details (see Fig. 11.1).
Note
Make sure that you have added a devices CNAME DNS record. See Section 2.3.2 for more details.
11.1.2. Proxy Records Option (advanced)
Besides the basic option of accessing devices and end-devices one at a time, the Proxy Records feature can be configured. This offers two benefits:
- Multiple sessions can be open at once by using the URL pattern xxx-xxx-xxx-xxx.devices.mycs.com, e.g. 10-240-3-45.devices.mycs.com.
- Proxy Records map an Alias to a specific IP and Port of any Device, such as a CCTV camera, e.g. camera-1-bus-23.devices.mycs.com.
11.1.3. Enable Proxy Records
You must use the cs-cmd tool to enable or disable the Proxy Records feature. This can be done through the command line interface by navigating to the > Configure Proxy Records Feature menu and setting the status to > enable.
Depending on which HTTPS CA is being used, the corresponding configuration needs to be made.
- LetsEncrypt
  - Add CNAME according to the instructions provided in cs-cmd.
  - Configure the DNS challenge:
    - Set the Provider Code and Variables according to the Traefik Let’s Encrypt documentation: > set provider / > edit provider
    - Environment Variables: > add variable / > edit variable / > delete variable
    - Save settings with > save and exit
- Own HTTPS Certificates
  - Add CNAME according to instructions
  - Generate new certificates including the given wildcard SAN
  - Replace the certificates
- Generated Certificates
  - Add CNAME according to instructions
11.1.4. Configure Proxy Records
Proxy Records are managed under Global Settings. For each Device or End-Device that needs to be reached through a custom DNS record, a Proxy Record is required, as illustrated in the image below. Each record covers only one TCP Port, so two or more records are required if multiple targets on a device using different ports need to be reached.
Table Controls:
- Create a new Proxy Record
- Save entry / entries
- Update table
Note
Changes may take up to 5 minutes to take effect.
Explanation & meaning of table entries:

| Column | Explanation | Example |
|---|---|---|
| Alias | Alias name, used for accessing the corresponding device via DNS through HTTPS | camera7-tram3-nw1 |
| Target Address | Specify the target IP of the corresponding device or end-device | 10.236.1.38 |
| Target Port | Specify the target port of the corresponding device or end-device | 443 |
| Network | Corresponding VPN Network, owning the matched IP Address Block | Network1 |
| Device | Corresponding Device, owning the matched IP Address Block | tram3 |

Proxy Records are not updated automatically. If a router gets a different address (e.g., by moving to another network), the corresponding proxy records will no longer work or must be updated manually (Target Address).
For proxy records that point to a connected device, we recommend configuring the router to assign a fixed IP to the connected device. Otherwise, the proxy record can also become invalid suddenly if the connected device receives a different IP.
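An added example (not part of the Connectivity Suite or its documentation): a Python audit of exported Proxy Records that decodes the dashed-IP host pattern and flags records whose Target Address no longer lies in the owning device's address block. The device inventory, the record values beyond those shown on the page, and the checks themselves are assumptions of this example.

```python
import ipaddress
import re

ZONE = "devices.mycs.com"  # example zone from the page's URL pattern

# Constructed inventory: device -> address block it owns (assumed values).
DEVICE_BLOCKS = {
    "tram3": ipaddress.ip_network("10.236.1.0/24"),
    "bus23": ipaddress.ip_network("10.240.3.0/24"),
}
# Constructed Proxy Records, keyed like the table columns.
RECORDS = [
    {"alias": "camera7-tram3-nw1", "target": "10.236.1.38", "port": 443, "device": "tram3"},
    {"alias": "camera-1-bus-23", "target": "10.236.1.40", "port": 8443, "device": "bus23"},
    {"alias": "10-240-3-45", "target": "10.240.3.45", "port": 80, "device": "bus23"},
    {"alias": "Cam_2", "target": "10.240.3.46", "port": 70000, "device": "bus23"},
]
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label
DASHED_IP = re.compile(r"^\d{1,3}(?:-\d{1,3}){3}$")


def host_to_ip(host):
    """Decode xxx-xxx-xxx-xxx.<ZONE> into an IPv4 address, else None."""
    label, _, zone = host.partition(".")
    if zone != ZONE or not DASHED_IP.match(label):
        return None
    try:
        return ipaddress.ip_address(label.replace("-", "."))
    except ValueError:  # octet > 255, e.g. 999-1-1-1
        return None


def audit(record, blocks=DEVICE_BLOCKS):
    """Return the list of problems found in one Proxy Record."""
    issues = []
    alias = record["alias"].lower()
    if not LABEL.match(alias):
        issues.append("alias is not a valid DNS label")
    elif DASHED_IP.match(alias):
        issues.append("alias is ambiguous with the dashed-IP pattern")
    if not 1 <= record["port"] <= 65535:
        issues.append("port out of range")
    block = blocks.get(record["device"])
    if block is None:
        issues.append("unknown device")
    elif ipaddress.ip_address(record["target"]) not in block:
        issues.append("target outside device block (stale record?)")
    return issues
```

Running `audit` over every record after a router has moved networks surfaces the records whose Target Address needs a manual update.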
11.2. Device access via OpenVPN client
Connectivity Suite provides OpenVPN access to the Devices. A VPN connection to the Provisioning, the Backend or any custom VPN Network Server must be established, which means the user needs to run an OpenVPN client. The configuration and certificates needed for the VPN connection can be downloaded from the Connectivity Suite via the Service Access function.
11.2.1. Installing OpenVPN Client
The OpenVPN client to access the devices can be downloaded from https://openvpn.net/community-downloads/.
Warning
While the VPN Connect client often works, make sure you are using the Community Edition of the OpenVPN client. The commercial version of the OpenVPN client is not officially supported by the Connectivity Suite.
11.2.2. OpenVPN access
There are three types of Service Access:
- VPN Network: The user can access any Device within the VPN Network by using the VPN Address of the Device. This is helpful if the user shall access only Devices of a specific VPN Network.
- Platform Network: The user can access any Device within the Platform Network by using the Platform Address of the Device. This is helpful if the user shall access Devices of different VPN Networks.
- Provisioning Network: The user can access any Device within the Provisioning Network by using the Provisioning Address of the Device.
Navigate to the page “Network” of the Connectivity Suite. Select the Network where the required Device is assigned.
Click on “Download OpenVPN client configuration” at the Detail dialogue box to download the OpenVPN client configuration.
Start the OpenVPN client on your client PC and upload the downloaded file from step 1 into the OpenVPN client to establish a connection with the Connectivity Suite.
After the connection has been established, navigate to the page “Devices” and select the required Device in the main dialogue table.
Use the IP-address shown in the Detail dialogue box to access the Device.
11.3. Child Device Remote Access
To access Child Devices, the router must perform a network NAT. To carry out the NAT, the following router settings are necessary:
Open the web interface of the router, open the Firewall/Inbound Rules page and create a new rule
Select “network” for the mapping to execute a network NAT.
Select the interface. The interface must be the OpenVPN tunnel which is used to connect to the Connectivity Suite.
Add the Device VPN Network Block Address. If it is unclear what the Device VPN Network Block Address is, see Section 13.
Add the LAN as Redirect address/netmask and apply the settings.
Now select the router in the Device List, open the tab Child Device in the Detail dialogue box and click on the “Scan again” button. The Child Devices are now displayed in the table.
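Which VPN-side address reaches which Child Device once the rule is in place, as an added example (not router or Connectivity Suite code): it assumes the network NAT maps the Device VPN Network Block one-to-one onto the LAN with the host part preserved. The block, LAN and child addresses are constructed values.

```python
import ipaddress


def plan_network_nat(vpn_block, lan_net, child_ips):
    """Map each child's LAN address to the VPN-side address that reaches it.

    Returns (mapping, not_covered). Children outside lan_net, or on its
    network/broadcast address, are not covered by the rule.
    """
    vpn = ipaddress.ip_network(vpn_block)
    lan = ipaddress.ip_network(lan_net)
    if vpn.prefixlen != lan.prefixlen:
        # Assumption of this example: equal sizes keep the mapping one-to-one.
        raise ValueError("VPN block and LAN must have the same prefix length")
    mapping, not_covered = {}, []
    for raw in child_ips:
        ip = ipaddress.ip_address(raw)
        if ip not in lan or ip in (lan.network_address, lan.broadcast_address):
            not_covered.append(raw)
            continue
        offset = int(ip) - int(lan.network_address)  # host part is preserved
        mapping[raw] = str(vpn.network_address + offset)
    return mapping, not_covered


def vpn_to_lan(vpn_ip, vpn_block, lan_net):
    """Reverse lookup: the LAN address a VPN-side address is redirected to."""
    vpn = ipaddress.ip_network(vpn_block)
    lan = ipaddress.ip_network(lan_net)
    ip = ipaddress.ip_address(vpn_ip)
    if vpn.prefixlen != lan.prefixlen or ip not in vpn:
        raise ValueError(f"{vpn_ip} is not translated by this rule")
    return str(lan.network_address + (int(ip) - int(vpn.network_address)))


# Constructed values: Device VPN Network Block, router LAN, child devices.
VPN_BLOCK, LAN = "10.240.3.0/24", "192.168.1.0/24"
CHILDREN = ["192.168.1.20", "192.168.1.45", "192.168.2.7"]
```

Because the rule covers the whole LAN range, every host on that LAN becomes addressable from the VPN side, not only the Child Devices listed after the scan.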