Setting up OpenGear ACM5004 for remote access via mobile/Celluar networks

In this guide we will setup an OpenGear ACM5004 for remote mgmt and remote SSH capabilities (serial ports) over the mobile network, utilizing DynDNS to enable easy connection to the device.

A fair warning first, I would not use the OpenGear over cellular networks as a permanent solution to access any equipment. The reason being that OpenGears own firewall and security settings is the only protection between the bad guys and the console port of your network equipment.
It can be configured to fail over to cellular networks in case remote access over LAN fails, which may be a more feasible solution.
Personally I use OpenGear remote on a case-by-case basis for when I need to be at two locations at once.

Default settings

By default, the device can be accessed through https://192.168.0.1 and using login credentials “root” / “default”

LAN settings

First off, head over to System > IP on the left hand side and configure the network parameters – typically DHCP.

User credentials

Head over to System > administration and change the password for root.
Next, go to Serial & Network > Users & Group and configure a new user.
In my example, I have created a user called “remotessh” with access to all ports, but without any group membership.

opengear-setup-newuser

Cellular settings

Go to System > Dial > The tab Internal Cellular Modem. There you choose “Allow outgoing modem communication” before you enter the pin code, by clicking a button labeled “Unlock”.
Furthermore, you need to acquire an APN from your provider, which gives you a public IP rather than a private address on the cellular modem. In my case, using Telenor, the APN is internet.public. Your mobile services provider can supply your with the correct APN.

opengear-setup-cellularmodemdialsettings

Dynamic DNS

Since the cellular modem will get a new IP address every time it connects to the GSM network, utilizing a dynamic DNS service is a must. Otherwise you would have to connect to LAN-port and retrieve the IP address manually every time you need to connect remote. (Sounds a bit counterproductive, don’t you think?)

The DynDNS settings used are as follows.

opengear-setup-cellularmodemdialsettings2

Verifying cellular connectivity

You can verify connectivity both from the dashboard and from Status > Statistics > The tab Failover & Out-of-band / Celluar as shown in the picture below.

opengear-setup-statscellular

And if you have connectivity, you should also DynDNS updated.

Setting up the serial ports

These settings are edited from the menu Serial & Network > Serial Port

Go into one of the ports (or all of them) and tick off “Console Server Mode” and make sure only SSH is ticked off
opengear-setup-consoleserversettings

After you have edited all the ports, it should look something like this:
opengear-setup-consoleserversettings2

Setting up Security

Now, as mentioned in the warning, the only thing that stands between your equipments console port and the bad guys, are the OpenGear ConsoleServer – which is not created by and infosec company. Regardless, we should secure it as much as possible.

Service access

In System > Services > The Tab Service Access we can ensure that only HTTPS/SSH and SSH to serial ports are ticked off in the coloumn “Dialout/Cellular”

opengear-setup-serivceaccess

Brute force protection

From the same menu, in the tab Brute Force you can enable protection for Brute Force attacks against your OpenGear equipment.

opengear-setup-bruteforce

Firewall rules

Since we have allowed remote management on the Dialout/Cellular Service access anyone can connect the Console Server. Tighting down this can be done in the built in firewall of the device.
You can access the firewall from System > Firewall > The tab Firewall rules.

As shown my example below, I have granted SSH/HTTPS access from my public IP address.
I have allowed access to port 3001-3004 (the serial ports) from anywhere.
And I have blocked everything else.

A small note, if you would like to connect to the serial port menu from anywhere, you would need to allow SSH from anywhere as well. (See “connecting to the serial ports” below)

opengear-setup-firewall

Connecting to the serial ports

To connect to serial port 1 you would simply SSH yourself into the device on port 3001.
Serial port 2: Port 3002
Serial port 3: Port 3003
Serial port 4: Port 3004

putty -ssh opengear.dyndns.com 3001

If you would like to connect to the menu and choose the port from there, you would have to allow SSH access into the device as well.
You will also need to use the username “remotessh:serial” as shown in the picture below

opengear-setup-firewall-remotesshputty

By now you should be good to go for remote access to your equipment! Happy configuration! =)

0.00 avg. rating (0% score) - 0 votes

One Response to Setting up OpenGear ACM5004 for remote access via mobile/Celluar networks

  1. Nice write up! Fair point about layering security, Opengear’s recommendation is to use VPN when your cellular OOB IP isn’t behind carrier NAT:

    https://opengear.zendesk.com/hc/en-us/articles/216375603-Cellular-security-best-practices
    https://opengear.zendesk.com/hc/en-us/articles/216375003-Should-I-use-VPN-to-secure-my-connection-

    Also FYI you can drop back to the serial port menu (pmshell chooser) from any session including a direct connection to e.g. 3001 with this escape sequence:

    ~m

    Disclaimer: I work for Opengear.

Leave a Reply

Your email address will not be published. Required fields are marked *