Tag Archives: Networking

Ohio Section Journal – The Technical Coordinator – August 2019 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at:

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

July 18, 2019. The date ham radio and the Internet changed forever. Most hams didn’t know it or even know that we had a block of 16.7+ million Internet IP addresses for our exclusive use. Keyword: had.

If you’re not familiar with networking and CIDR notation, CIDR (pronounced similar to the drink, cider) is a method used to write down networks and ranges of IP addresses. A computer network is a connection of devices or nodes that can communicate and share resources with each other. For example: your home PC may have the IP address 192.168.1.100 with subnet mask 255.255.255.0. In CIDR notation, this is written as 192.168.1.100/24. Similarly, the network 192.168.1.0/24 means the same subnet mask and includes the IP above. Usable IP addresses are 192.168.1.1-192.168.1.254. “.0” is unusable because it is the network address, and “.255” is not usable either because it is the broadcast address for all devices on that network. Since the PC has 192.168.1.100, it can communicate with devices in the 192.168.1.0/24 range. Know that smaller CIDR prefix lengths mean bigger networks (more IPs) and larger prefix lengths mean smaller networks. Networks can be broken down into smaller networks or combined to form larger ones – maybe not quickly or easily, but it can be done.

In the early days of the Internet, it was believed that if a node were to communicate on the Internet it had to have a public Internet address. With this thinking, very large /8 networks (16,777,216 IPs each) were assigned to companies and institutions such as: HP, Xerox, IBM, Ford, Boeing, MIT, Halliburton, Stanford, MSU, Bell Labs, DuPont, the USPS, and the DoD. They were cheap and easy to obtain! Having large networks is no longer necessary due to advances in Network Address Translation (NAT), which remaps one network space into another network space.

Dr. Jon Postel (Wikipedia)

Back 40 years ago when the Internet was new and the original creators thought 4.2 trillion IP addresses were enough for the entire world, Hank Magnuski, KA6M and others saw the possibilities of the Internet. They obtained an Internet allocation from Dr. Jon Postel who, at that time, was responsible for overseeing allocations on the Internet. Today, allocations are the responsibility of the non-profit Internet Assigned Numbers Authority (IANA). Much like property, IP address spaces can be bought, sold, squatted on, and even taken over in some cases.

The allocation that was obtained is called AMPRNet (AMateur Packet Radio Network) or Network 44. In 1981, it was provided exclusively for Amateur radio operators to use packet radio, TCP/IP, and digital communications between computer networks managed by Amateur radio operators. The network consisted of addresses 44.0.0.0 through 44.255.255.255, in Internet notation 44/8 or 44.0.0.0/8, consisting of 16.7+ million IPv4 addresses.

TCP/IP was, at one time, an emerging standard and in minority use because of the protocol complexity. In typical fashion, packet node owners were outraged with this IP protocol and few systems on HF operated with this protocol because of the amount of overhead. TCP/IP then goes on to become the foundation of the Internet and in use by every device on the Internet today. Think about that anytime someone complains they don’t want to support or do something because they don’t like it.

In 1986, an agreement mandated about 8 million addresses of 44/8 be assigned for use within the United States under FCC regulations (44.0/9) and the other 8 million (44.128/9) for deployments in the rest of the world.

San Diego Supercomputer Center, host of AMPRNet internet gateway, and CAIDA/UCSD network telescope (Wikipedia)

Since 1990, most packets destined for 44/8 were handled by a router at the University of California, San Diego. This forwarding router was originally named mirrorshades.ucsd.edu, later gw.ampr.org or “AmprGW.” This Internet “border” router (gateway) is used to route packets between the ordinary Internet and computers or nodes on AMPRNet. When a request hits the Internet for network 44.0.0.0/8, it is routed to UCSD. Different protocols are used to deliver the packet from the mirrorshades router to the destination IP address in any part of the world. Internet routers like these are similar to an Internet Service Provider (ISP) router, often handling multiple networks at once at multi-gigabit/second transfer rates.

In 2001, UCSD used 44/8 for research as an Internet Telescope, which allows observation of large-scale events taking place on the Internet using Internet Background Noise and backscatter. Backscatter is used to determine Denial of Service (DoS) attackers and victims. They were able to monitor the Code Red computer worm in 2001. All data was captured and used to generate historical trends. For example, when attackers on the Internet start probing systems with a known set of criteria, researchers can go back and look at when those probes first started appearing on the Internet. In 2003, 0.75 terabytes per month was recorded. In 2016, 37 terabytes per month was seen.
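The backscatter idea above, worked through as an added example (not code from the article or from the UCSD/CAIDA telescope): a small classifier over hand-constructed packet records that separates replies arriving at unused 44/8 addresses (backscatter from a flooded victim) from connection attempts (probes such as worm scans), then scales the observed backscatter up to an estimate of the victim's total attack rate. The flag encoding, the record layout and the documentation-range source addresses are my own assumptions.

```python
"""Backscatter vs. probe classification for a network telescope.

Added example, not from the article or the UCSD/CAIDA telescope software.
Packet records are hand-constructed; source addresses use RFC 5737
documentation ranges so nothing here refers to a real host.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The telescope watches an otherwise unused /8 (as 44/8 was during the study
# period described in the article). A /8 is 1/256 of the IPv4 space.
TELESCOPE = ipaddress.ip_network("44.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds (constructed)
    src: str
    dst: str
    proto: str    # "tcp", "icmp" or "udp" (assumed encoding)
    flags: str    # TCP flag letters ("S", "SA", "RA", ...) or ICMP type name


# A telescope address never sends anything, so a *reply* arriving there can
# only be the result of somebody forging that address as the source of
# traffic aimed at the real sender: backscatter from a DoS victim.
BACKSCATTER_TCP = {"SA", "RA", "R"}
BACKSCATTER_ICMP = {"echo-reply", "dest-unreach", "time-exceeded"}


def classify(pkt: Packet) -> str:
    """Return 'backscatter', 'probe', 'other' or 'ignore' (outside telescope)."""
    if ipaddress.ip_address(pkt.dst) not in TELESCOPE:
        return "ignore"
    if pkt.proto == "tcp":
        return "backscatter" if pkt.flags in BACKSCATTER_TCP else "probe"
    if pkt.proto == "icmp":
        return "backscatter" if pkt.flags in BACKSCATTER_ICMP else "probe"
    return "other"  # e.g. UDP: scan or backscatter, ambiguous without payload


def summarize(packets: Iterable[Packet]) -> Tuple[Counter, Counter]:
    """Count backscatter per source (likely DoS victims) and probes per
    source (likely scanners, e.g. a worm looking for new hosts)."""
    victims: Counter = Counter()
    scanners: Counter = Counter()
    for p in packets:
        kind = classify(p)
        if kind == "backscatter":
            victims[p.src] += 1
        elif kind == "probe":
            scanners[p.src] += 1
    return victims, scanners


def estimate_attack_rate(observed: int, duration_s: float,
                         telescope: ipaddress.IPv4Network = TELESCOPE) -> float:
    """Scale backscatter seen in the telescope to the victim's whole attack.

    If the attacker forges source addresses uniformly over IPv4, the telescope
    receives num_addresses/2**32 of all replies (1/256 for a /8), so the
    victim's total reply rate is the observed rate divided by that fraction.
    """
    fraction = telescope.num_addresses / 2 ** 32
    return observed / duration_s / fraction


# Constructed sample: one flooded web server answering SYNs it never got,
# one scanner sweeping the telescope, one packet outside the telescope.
SAMPLE_PACKETS: List[Packet] = [
    Packet(0.10, "203.0.113.5", "44.17.2.9", "tcp", "SA"),
    Packet(0.25, "203.0.113.5", "44.100.1.1", "tcp", "SA"),
    Packet(0.40, "203.0.113.5", "44.3.77.8", "tcp", "SA"),
    Packet(0.55, "198.51.100.7", "44.8.8.8", "tcp", "S"),
    Packet(0.70, "198.51.100.7", "44.9.9.9", "tcp", "S"),
    Packet(0.85, "198.51.100.7", "44.10.0.1", "icmp", "echo-request"),
    Packet(0.90, "203.0.113.5", "10.0.0.1", "tcp", "SA"),   # not in 44/8
]

if __name__ == "__main__":
    victims, scanners = summarize(SAMPLE_PACKETS)
    for ip, n in victims.items():
        print(f"likely victim {ip}: {n} backscatter pkts, "
              f"~{estimate_attack_rate(n, 1.0):.0f} pkt/s attack estimate")
    for ip, n in scanners.items():
        print(f"likely scanner {ip}: {n} probes")
```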

Since hams have had AMPRnet, many have taken advantage of it for single use applications or using small blocks on a long-term lease at zero cost. It has been used for communications ranging from simple TCP/IP connectivity, digital voice, telemetry, and repeater linking. However, not more than half of the network was ever used. Peak usage happened between 1985-1995. According to the group now overseeing 44/8, Amateur Radio Digital Communications (ARDC), a U.S. 501(c)(3) organization, less than one-third of the network is in use today and some address blocks have never been used.

It wasn’t too long ago (5-10 years) that I learned about AMPRnet when I became involved in supporting an APRS Igate. I knew APRS was using the space in some aspect, the EchoLink mobile app uses the 44 network, Michigan is actively using their allocation, and Europe was using it for their HamNET Mesh. I assumed the network probably wasn’t utilized but was hopeful it had enough use to keep it in the Amateur Radio community. I would have liked to see ham radio Internet technologies utilize network 44 like mesh, hot spots, and newer digital voice modes (D-STAR, DMR, and Fusion). It’s a cost and complexity issue. There is no way to put a device on the Internet with a random IP address and expect the Internet to know how to reach that device. Routes and paths need to be established, as was done with the UCSD router or other routing equipment, which can be very expensive to set up and maintain. Too costly and too complex to support, other easier methods were utilized.

HamNET Mesh (Wikipedia)

American Registry for Internet Numbers (ARIN), which is responsible for distribution of IP addresses on the Internet, declared on September 24, 2015 that its available IPv4 pool was exhausted. The Internet was quickly running out of IP addresses! This led the push to IPv6, which is exponentially larger. IPv4 has 4.2 trillion IP addresses (minus some for special uses). IPv6 has 340 undecillion, or 340 billion billion billion billion, addresses. You could assign multiple entire IPv4-sized networks per household under IPv6 and still have some left over! Exhaustion caused IPv4 allocations to become much more valuable.

Companies and institutions who still owned all or large parts of their originally assigned networks were now sitting on a gold mine. Supply and demand: a resource (IPv4 addresses) is scarce but many people want IP addresses. The price will rise, at least until IPv6 is closer to universal adoption.

This led to the ARDC decision to sell off about 4 million addresses from 44/8 on the marketplace. Total network value of 44/8 was estimated to be $100 million. From their press release:

"...in mid-2019, a block of approximately four million consecutive AMPRNet addresses denoted as 44.192.0.0/10 was withdrawn from our reserve for Amateur use, and sold to the highest qualified bidder at the then current fair market value. This leaves some twelve million addresses devoted exclusively to Amateur Radio uses, which is far greater than the number of addresses which are currently or have ever been in use. We believe this is far more than the number of addresses that will ever be needed by hams before IPv6 takes over the Internet. We also believe that was the prudent and proper time for this sale to take place, for a number of good reasons, among which are a recent levelling off in address prices and a lessening demand as only a few large buyers are left in the market for such a large block of addresses."

We now know the highest bidder was Amazon at a price of $50 million, completed July 18, 2019. There is no intention by the ARDC to sell any more of the network. Post sale, AMPRNet consists of addresses 44.0.0.0 through 44.191.255.255 (44.0.0.0/9 and 44.128.0.0/10). The portion sold was the uppermost 25% of the address space, 44.192.0.0 through 44.255.255.255, or 44.192.0.0/10.
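The CIDR rules from the networking primer earlier in the article and the post-sale carve-up above, worked through in code. This is an added example, not code from the article or from ARDC; it uses only Python's standard ipaddress module and the addresses the text quotes.

```python
"""CIDR arithmetic for the blocks quoted in the article.

Added example, not from the article or from ARDC. Only the Python
standard library (ipaddress) is used; every address is one the text quotes.
"""
import ipaddress
from typing import Dict, List


def describe(cidr: str) -> Dict[str, object]:
    """Network, broadcast, usable host range and size of a block (/30 or shorter).

    strict=False lets a host address like 192.168.1.100/24 stand in for its
    network, exactly as the article does.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),          # the ".0", not usable
        "broadcast": str(net.broadcast_address),      # the ".255", not usable
        "first_usable": str(net.network_address + 1),
        "last_usable": str(net.broadcast_address - 1),
        "num_addresses": net.num_addresses,           # 2 ** (32 - prefixlen)
        "is_private": net.is_private,                 # RFC 1918 space, needs NAT
    }


def same_subnet(host_cidr: str, other_ip: str) -> bool:
    """Can the host configured as host_cidr reach other_ip without a router?"""
    net = ipaddress.ip_interface(host_cidr).network
    return ipaddress.ip_address(other_ip) in net


def split_in_half(cidr: str) -> List[str]:
    """The 1986-style split: one /n becomes two /(n+1) blocks."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(prefixlen_diff=1)]


def remaining_after_sale(original: str, sold: str) -> List[str]:
    """Largest CIDR blocks left when `sold` is carved out of `original`.

    address_exclude() yields the blocks; sorted() orders them by address.
    """
    orig = ipaddress.ip_network(original)
    gone = ipaddress.ip_network(sold)
    return [str(n) for n in sorted(orig.address_exclude(gone))]


def fraction_sold(original: str, sold: str) -> float:
    """Share of `original` that `sold` represents."""
    return (ipaddress.ip_network(sold).num_addresses
            / ipaddress.ip_network(original).num_addresses)


if __name__ == "__main__":
    print(describe("192.168.1.100/24"))
    print(same_subnet("192.168.1.100/24", "192.168.1.37"))
    print(split_in_half("44.0.0.0/8"))                          # 44.0.0.0/9, 44.128.0.0/9
    print(remaining_after_sale("44.0.0.0/8", "44.192.0.0/10"))  # 44.0.0.0/9, 44.128.0.0/10
    print(f"{fraction_sold('44.0.0.0/8', '44.192.0.0/10'):.0%} of 44/8 sold")
```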

Some of the guys at work heard about this before I did because it was trending on Reddit. Initially, like most of the comments, I too was outraged. Though, figured it was coming sooner or later. An IPv4 shortage, a valuable /8 not being utilized. Wasn’t hard to put two and two together. I’m never one to say never. ‘We’re never going to use something.’ How do we know? Maybe hams develop the next Internet with that address space. Putting the politicking and whining aside, taking them at their word (continuing from the press release):

"It is our intention to grant funds across all reaches of the educational, research, and development spectrum, with awards being made to support qualified organizations whose programs could well serve to advance the art of digital communication, with special emphasis on that which would benefit Amateur Radio.

Additionally, another way we will be able to help our community is to contract with research firms and consultants to carry out related research and development to produce procedures, techniques, methods, designs, and intellectual property that would then be made freely available for the benefit of all."

While I think this is a monumental asset having this money available to promote the hobby and research, I think it puts us in a dangerous spot. To me, the similarities between this example of limited resources on the Internet and the limited resources of our radio spectrum are uncanny: ‘it’s there and not being utilized,’ ‘we’ll never use it,’ ‘resource sold for public benefit,’ ‘take the money and run,’ ‘sellouts!’ This shows that everything is up for grabs and we cannot take it for granted. Just ask France. WRC-23 is considering a proposal to make Aeronautical Mobile as the primary service in the 2-meter ham band. This is how it starts.

Now more than ever, get on our resources and use them. We have more hams now than ever (in the U.S. anyway). Get on our bands. Get on our IP space. Improve the network. Grab some IPv6 space for Amateur Radio. Get involved with organizations and offer support. Yeah, everyone’s busy. If everyone’s too busy to support these organizations, we may lose all of this. Use it or lose it, so “See ya 44/8.”

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – March 2019 edition


Read the full edition at:

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

Do you have your Network Radio? I do, well, maybe. Not the way most people define Network Radios. In the last number of years, outside Voice over IP (VoIP) services have found their way into ham radio. Services utilize mobile data connections like 3G, 4G, and WiFi to connect users over the Internet. The app turns a cell phone or tablet into an HT-like device, complete with PTT button. “Network Radios” has been used to describe these types of transceivers and the channels available on them.

Probably 4-5 years ago, and still used today, a number of hams were all abuzz about this service called Zello. Another service called IRN (International Radio Network) is built on TeamSpeak. TeamSpeak is most frequently used as an audio chat service for players in multiplayer video games. Both of these services were probably adopted by ham radio operators because of the similarities to radio: use a speaker and microphone, and carry on round-table style chats. One person talks and the rest receive. These are called “channels” – similar in ham lingo to a reflector, conference, or talk group.

The term “Network Radios” is making the rounds because devices are being sold that integrate with VoIP services and are made to look like an HT or mobile radio. Most run the Android operating system meaning they come with the Google Play store. Having the Play store means any app can be installed, such as other VoIP apps like the EchoLink app or Repeater Book repeater directory.

RFinder was the first to design and sell Network Radios. They took a cellphone and attached a dual-band VHF/UHF transmitter capable of analog or DMR. Make phone calls or phone-calls. A similar tablet version is also available. Their devices are integrated with and promote the RFinder application (digital version of the ARRL repeater directory). Running the application and using the GPS makes it easy to locate nearby repeaters. Clicking a repeater programs the radio for use with the selected repeater, including offsets and sub-audible tones. Press PTT and you’re on the air!

A store with the completely original name, Network-Radios, is selling a whole range of Network Radios including the RFinder devices. The HT Network Radios have what looks like an antenna, but few list the capability of transmitting in the ham bands. None of the mobile Network Radios have any kind of RF connector.

This brings up the question: is this ham radio? My definition: if a legal identification is required, it is ham radio. More-or-less, I’m looking for Internet-linked endpoints to be connected to some kind of RF transmitting device in the ham bands that follows Part 97. I would like to have all linked end points transmitting in the ham bands, but I’ll take what I can get. My reasoning: our bands continue to be under attack by commercial entities that would pay big money for our frequencies and EVERYONE always complains our repeaters and frequencies are underutilized. Actually using our bands shows whoever is out there listening (FCC, commercial interests, people scanning the bands, potential hams, …) that ham frequencies are being utilized and we’re doing stuff with our bands. Call me crazy!

I’m not opposed to hams using these Network Radio services to find a better tool. Some Network Radio channels are even linked to repeater systems. That’s OK if private channels are properly controlled, though it seems like a lot of extra management. However, the overarching use of these services is mobile-device to mobile-device using non-ham bands. That is not at all ham radio. One argument is that some people need a place to let loose a little more than would be allowed on a regular repeater. Whatever.

I heard, from hams, in recent Emcomm situations how great it was that Zello was being used by the public to phone in needed rescues. Other channels were created for family members looking for relatives to make sure they were OK. Great use of technology. If average people can be mobilized at a moment’s notice with boats and rescue gear through a phone app, are hams still relevant? Anyone else see the irony?

The argument is always made: “the cell network can, and will, go down.” The exact opposite argument is being made promoting Network Radios as seen at the beginning of this blog post (some language NSFW, that is “not safe for work”) on the Network-Radios site: “I get 99,99999% of cell signal no matter where I am. I wonder if you can reach a VHF or UHF repeater for 10% of the time of your travelling with a typical 4 Watt handheld with its rubber duck antenna. And if GSM is not available, I could use a global wifi hotspot.” We’re doomed. Too soon?

New Podcast

The ARRL is sponsoring a new podcast that launched March 7. “So Now What?” is geared toward those who have obtained their license and need mentoring on the next steps to get the most out of the hobby. “Topics to be discussed in the first several episodes include getting started, operating modes available to Technician licensees, VEC and licensing issues, sunspots and propagation, mobile operating, contesting, Amateur Radio in pop culture, and perceptions of Technician license holders.” I’m sure there will be ideas for new and old hams alike. Subscribe to this new podcast and get the most out of ham radio!

Networking Basics

I made a career move over a year ago from programming into a networking position and quite enjoy it. Pascal – VA2PV, has a quality YouTube channel where he frequently does product reviews, how-to videos, and shares his experiences with things like PL-259 installation and re-cabling his shack. Video and audio quality are excellent with many videos available in 4K (great opportunity to experience a 4K stream). He released a video on the basics of IP networking. It won’t go in depth to the level of things I do at work, but if you ever wanted to know how devices on your home network can communicate with devices on the Internet, or what DHCP and DNS are, then his video is required viewing.

FreeDV QSO Party

A group in Australia has announced the first ever FreeDV QSO party starting on April 27th 0300z to April 28th 0300z 2019. FreeDV is an open source digital voice mode, commonly referred to as Codec 2. I’ve played around with this mode before and was impressed by the resulting audio quality in such a narrow bandwidth. I hope this will create some FreeDV activity on the bands. It does require two sound cards (or sound devices) to operate. If you have an internal soundcard and a SignaLink, you’re set. The internal soundcard records and plays voice audio while the SignaLink (or other) transmits and receives digital modulation to and from your radio. Look for you on the bands using FreeDV!

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – June 2018 edition


Read the full edition at: http://arrl-ohio.org/news/2018/OSJ-Jun-18.pdf

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

The Wood County Amateur Radio Club (of which I’m a member) has a Fusion digital net on Thursday nights. Longtime club member Phil – W8PSK, posed the question: can I operate a Wires-X node mobile from my RV?

A little background about Wires-X setups. Wires-X is part of Yaesu’s System Fusion and is a closed Internet linking system. Only Yaesu hardware is allowed. Other digital devices like the OpenSpot, DVMega, and Pi-Star are not permitted. The obvious answer, if it were a viable choice, would be to use a digital hotspot but Yaesu doesn’t allow them. Wires-X hardware requirements include: a Yaesu FTM-100D or FTM-400XD radio or Fusion repeater, Yaesu HRI-200 interface between the radio and PC, a Windows 7 or 10 PC (yes, it must be Windows machine), and an Internet connection with a global IP address. A common example of a global IP address is one provided to you by your DSL, Cable, or Fiber provider. This IP is accessible from anywhere on the Internet and (generally) unrestricted. Lastly, another radio is required to use the Wires-X node locally.

Having set up my own Wires-X node in addition to LEARA’s repeater node, my first assumption was Phil would be able to connect out from his node in the RV to any other Wires-X node, but no other node could connect to him. This theory was based on the need to open or “port forward” 7 ports from the Internet to the PC running the Wires-X software. Port forwarding is a computer networking method used to allow data to bypass a firewall which would normally block that communication. Those that run websites from their network or have access to IP cameras while away from home will have these port forwards configured in their router.

Phil planned on using his smartphone as the Internet connection to the PC. Modern smartphones have the ability to use the cellular network to serve an Internet connection to other devices like a laptop or Raspberry Pi via a Wi-Fi connection. This is labeled something like “Mobile Hotspot” or “Personal Hotspot” in the phone. Standard disclaimer: check with your provider first in case there is an extra charge for this service or a bandwidth cap. Bandwidth is standard for a Voice over Internet system at about 60 kbps/connection or about 30 MB/hour/connection with constant TX/RX. Port forwarding is never allowed on consumer cell plans. The unknown was whether the Wires-X software could connect without the port forwarding outlined in the configuration.

I tested my theory to see if the Wires-X software functioned by modifying a known working Wires-X configuration. I closed (temporarily disabled) the forwarded ports on my network. This meant communication over those ports would now be blocked, similar to that of a cellular connection. Then I restarted the Wires-X software and hoped for the best. Was my theory correct? Drumroll please… the answer was: no. Wah waaaah. Not having the required ports forwarded to the PC did not allow the software to receive data from the Wires-X network. That result almost killed any hope of Phil using Wires-X mobile in his RV.

Phil was determined and we looked further into different solutions. VPNs were an option because they can often bypass network restrictions. A small number of VPN providers did allow forwarding ports as part of their service, but reviews weren’t positive and VPNs tend to fail easily with unstable data connections, as one might have while mobile. Not something to be messing around with while driving. It introduced another point of failure in this setup. Hilariously enough, there were applications that touted the ability to ‘open ports on your phone.’ These wouldn’t work: they might open ports on the phone, but almost assuredly the provider was blocking those ports upstream of the phone. Verizon offers a business account which allows port forwards but there is a one-time setup cost of $500 plus the service. Yeah, no. I suggested asking in the Yahoo group. John – N9UPC, Fusion representative for Yaesu, reinforced the conclusion I came to: operating mobile wasn’t possible because wireless providers don’t provide a global IP. Though Phil posted his question in late April, oddly enough John did not give any indication of an announcement at Dayton. One solution that looked promising used AMPRNet, which is a block of Internet-routable IP addresses for ham radio operators. It could give us the global IP address we needed. After finding out more, someone else’s data center was being used and we weren’t sure Phil would have permission to use it as well.

Sensing no way to get around the port forward restriction, an announcement came during the Fusion forum at Dayton that (we hope) will solve Phil’s problem. Yaesu is going to release an update in the coming months that will allow the FT2DR, FTM-100D, as well as the FTM-400XD to operate as a portable node. With additional cables, these radios would connect directly to a computer for Wires-X operation without the need of an HRI-200. This was created specifically for mobile setups and users who don’t have the ability to forward the necessary ports (like in a hotel). Ding, ding, ding, we have a winner!

A couple caveats: purchase of an HRI-200 is still required. To use the portable node, you still need to register on the Wires-X system which requires a serial number from an HRI-200. The portable setup will not have ‘all of the features’ of the traditional setup such as hosting a Room (round table-type node) or messaging. Purchase of two cables is required to make the necessary connections: an SCU-19 USB and CT-44 audio cable. It wasn’t clear if both are needed for the 100/400 radios. There are no plans “at this time” to integrate any other Fusion radio other than the three listed above.

It would have been nice to have a heads-up about this new option before we spent time researching a solution. I think this will solve Phil’s problem and get him mobile with Wires-X. Announcement from the Fusion forum, Dayton Hamvention 2018.

Speaking of digital hotspots, my favorite has been discontinued: the openSPOT. Saw it disappear from dealer sites just after Dayton. June 8th it was removed from the SharkRF website with an announcement that a new product was going to be introduced soon. What could it be??! If you need a digital hotspot device today, I really like the ZUMSpot with the Pi-Star software. I picked up one with a case at Dayton. More info in future articles.

The next big ham holiday, Field Day, is right around the corner. Get out and join your club or find a club to join if you’re not a member of one. It’s a great time to bring friends and get them excited about ham radio. Hams that come out get bitten by the bug to expand their station or learn a new mode. Check the Field Day Locator for operations taking place near you. Sending 10 messages over RF from your site gets you 100 points – including Winlink messages. I love to receive messages about your setup, stations operating, or social activities taking place. These can be sent via the National Traffic System (NTS) or Winlink – K8JTK at Winlink.org – to my station. Winlink post about Field Day points.

With July around the corner, two of my favorite events will be kicking-off soon. The 13 Colonies Special Event is coming up July 1 – 7, along with the RAC Canada Day Contest on July 1st only.

Thanks for reading and 73… de Jeff – K8JTK

Bridge a Remote Site Network with OpenVPN Access Server

Having access to your devices over the Internet is a requirement for any admin deploying a project. Instead of running to a remote site to administer devices (making changes, applying updates and patches), it’s easier to connect remotely and make changes. Remote access poses many issues and concerns.

Security

First and foremost is security. You always, always, ALWAYS want devices connected to the Internet behind a router with a built-in firewall (NAT router). A firewall filters traffic between two networks (your ISP and home for example) and will block attempts to connect to your internal (private) network.

Device manufacturers take security for granted. Little testing and auditing takes place because the analysis is expensive for throw-away devices. This is noted in many stories including Bug Exposes IP Cameras, Baby Monitors where simply clicking “OK” on the login dialog allowed access to the Internet connected video camera. It is trivial to find these devices on the Internet because of Shodan. Shodan is dubbed the “Internet of Things Search Engine.” If you’re not familiar, think of it as the Google for devices connected directly to the internet. These could be: web servers, printers, cameras, industrial machines, bitcoin mining… Putting devices behind a firewall minimizes the risk because anything trying to peer into the network would be blocked by the firewall.

This holds true for networks you don’t control (granted access on someone else’s network). Put your stuff behind a router/firewall so they can’t see your devices and you can’t be exploited by devices on the other network.

Port Forwarding is a popular technique to only allow traffic on a specific port to a device you specify in your firewall (router). This provides little security as it still allows a potentially vulnerable service to accept incoming connections from the Internet.

Choose a good router

A couple of tips for a good router:

  • You get what you pay for. Don’t opt for cheap.
  • Opt for ones that support third-party firmware like DD-WRT and Tomato, or set up a dedicated computer running pfsense or Untangle. These have proven to be more secure than stock firmware in addition to offering a more complete feature set.
  • Stick with popular models as found on Amazon, Newegg, or other tech stores. They’re more likely to be reliable, well-updated models.
  • Look for ones that accept USB cellular modem dongles for installations that have no accessible network connection like a remote site.

Virtual Private Network

The preferred way to connect to a remote network is to use a VPN. A VPN connects to a private network securely over the Internet. It allows the user to exchange data, use services, and connect to devices as if they were directly connected to that network. OpenVPN is an open-source project that implements VPN technology; it is an application that allows for secure point-to-point communication. There are many implementations of OpenVPN, including the third-party router firmware mentioned above. OpenVPN Access Server is one of those implementations and the one used for this project.

This project was inspired by Hak5 1921 – Access Internal Networks with Reverse VPN Connections. As an Amateur Radio operator interested in the newer computer and digital technologies, I find that more and more of my devices are located at remote sites.

This setup consists of:

  1. A remote network behind a firewall where the devices you want to access exist. A Linux server on the remote network will act as the gateway and stay persistently connected to the bridge. This could be a full desktop computer purposed for something else or a Raspberry Pi. Also on the same network will be a Windows machine.
  2. An unsecure/unknown network, AKA the Internet.
  3. A private server that will act as the bridge between the remote network and a device you choose.
  4. A device in a separate location that will connect to the cloud server and will be able to access the remote network. I will use a Windows machine to act as a ‘home’ computer.

This setup works in nearly all cases because the only device receiving incoming connections is the bridge server in the cloud. Firewalls block incoming connections by default. Very few block connections originating inside the network out to the Internet (egress). If a device along the way filters by content, connection attempts will be blocked. Many corporate networks are doing this kind of filtering. Otherwise the traffic looks the same as secure web traffic on port 443. No port forwarding is used.

Hosting

I recommend using an infrastructure hosting provider for the bridge server. This can cost anywhere from $5-$15 per month. The device can be anywhere on the public Internet. It must accept multiple connections on different ports, but only a couple of users at a time are needed, so a minimal configuration is more than sufficient. Bandwidth, latency, and up-time of all points in this setup affect reliability. My personal recommendations for infrastructure hosting providers are: Rackspace and DigitalOcean.

IP addressing

The remote networks and the home users’ networks must not overlap in address space; that is, they need to be numbered differently. For example, home networks typically have addressing such as 192.168.1.x. The remote site(s) can’t have the same numbering (192.168.1.x). It must be different. I suggest making the remote site different enough to not cause conflict with any home users’ networks. Remote sites as 192.168.25.x, 192.168.26.x, and 192.168.27.x would work fine when the home users’ networks are addressed 192.168.0.x, 192.168.1.x, 192.168.2.x, and so on (except 25-27). Identically addressed networks create routing conflicts, and the packets will not reach the correct network.
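The overlap rule above and the routing in the setup list (home PC, bridge server, remote-site gateway) can be checked before anything is deployed. The following is an added example written for this writeup, not part of the original post or of OpenVPN Access Server: it uses Python’s standard ipaddress module to flag overlapping subnets and to show, with a longest-prefix lookup, which interface a packet from the home PC takes once the tunnel is up. The home and remote subnets are the post’s own suggestions; the 10.8.0.0/24 tunnel subnet and the interface names (eth0, tun0, home-router) are assumptions made here for illustration. It goes a step beyond the text by checking every pair of networks, tunnel subnet included, rather than only home versus remote.

```python
"""Subnet overlap check and route selection for a bridged remote site.

Added example, not code from the original post. Home/remote subnets follow
the post; the tunnel subnet and interface names below are assumed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Numbering as the post suggests: home LANs low, remote sites 25-27.
HOME_NETWORKS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
REMOTE_SITES = {
    "site-a": "192.168.25.0/24",
    "site-b": "192.168.26.0/24",
    "site-c": "192.168.27.0/24",
}
TUNNEL_NETWORK = "10.8.0.0/24"  # assumed OpenVPN client subnet


def find_overlaps(networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named networks whose address space overlaps.

    Any overlap means one network's route shadows the other's, which is
    exactly the routing conflict the post warns about.
    """
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    names = sorted(parsed)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                overlaps.append((a, b))
    return overlaps


def select_route(routes: Dict[str, str], destination: str) -> str:
    """Longest-prefix match over a {cidr: interface} table.

    The most specific matching route wins; the 0.0.0.0/0 default route only
    applies when nothing more specific matches.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, via in routes.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "unreachable"


def plan(home_lan: str, sites: Dict[str, str]) -> Dict[str, str]:
    """Build the home PC's route table with the VPN up, or raise on conflict."""
    all_nets = {"home": home_lan, "tunnel": TUNNEL_NETWORK, **sites}
    clash = find_overlaps(all_nets)
    if clash:
        raise ValueError(f"overlapping address space: {clash}")
    routes = {
        "0.0.0.0/0": "home-router",  # default: everything else via the home router
        home_lan: "eth0",            # local LAN stays on the physical interface
        TUNNEL_NETWORK: "tun0",      # the VPN's own client subnet
    }
    for cidr in sites.values():
        routes[cidr] = "tun0"  # remote-site routes pushed by the bridge server
    return routes


if __name__ == "__main__":
    table = plan("192.168.1.0/24", REMOTE_SITES)
    for host in ("192.168.1.50", "192.168.25.10", "8.8.8.8"):
        print(f"{host:16} -> {select_route(table, host)}")
    try:
        plan("192.168.25.0/24", REMOTE_SITES)  # home LAN numbered like site-a
    except ValueError as err:
        print("conflict:", err)
```

Run it as-is and the first three lines show the home LAN staying on eth0, the remote site going through tun0, and Internet traffic taking the default route; the last call shows what happens when a home network reuses a remote site’s numbering. To use it for a real deployment, substitute the actual home and remote subnets and the client subnet configured on the Access Server.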

Downsides

Cost.

In addition to hosting, a downside to using OpenVPN Access Server is licensing. While OpenVPN is Open-Source Software and OpenVPN Access Server is free, the license allows for only two concurrent tunnel connections at any one time. This means the remote site counts as one connection and the home device as the second. If a second person (third device) needed access to the remote network, they would get a message saying ‘Access Server has reached its concurrent connections limit.’ The first person would need to disconnect before the second could connect; otherwise, existing connections will begin to be booted. Additionally, connecting two or more remote sites and a home user is not possible without purchasing licenses or running an additional bridge server. Additional licenses can be purchased for “$9.60 License Fee Per Client Connection Per Year. Support & Updates included. 10 Client minimum purchase.” That works out to $96 per year.

An alternative to OpenVPN Access Server is to set up your own (roll your own) OpenVPN server, which is free. I hope to do an OVPN server setup at some point in the future.

Assumptions

This guide is step-by-step in nature, meant for beginners, with brief explanations of the steps. It will help to have an understanding of Linux commands and scripting. Capitalization is important in Linux! Understanding of basic networking concepts including determining network prefixes and CIDR notation is also required.

Program versions

I used a Windows 7 64 bit PC for configuration (and Home PC). Applications and versions used in this writeup:

  • OpenVPN Access Server 2.0.24
  • Putty 0.67
  • Ubuntu 14.04 x64 (bridge and remote servers)
  • Filezilla 3.16.0