Tag Archives: Networking

Ohio Section Journal – The Technical Coordinator – June 2018 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has setup. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at: http://arrl-ohio.org/news/2018/OSJ-Jun-18.pdf

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

The Wood County Amateur Radio Club (of which I’m a member) has a Fusion digital net on Thursday nights. Longtime club member Phil – W8PSK posed the question: can I operate a Wires-X node mobile from my RV?

A little background about Wires-X setups. Wires-X is part of Yaesu’s System Fusion and is a closed Internet linking system. Only Yaesu hardware is allowed. Other digital devices like the OpenSpot, DVMega, and Pi-Star are not permitted. The obvious answer, if it were a viable choice, would be to use a digital hotspot but Yaesu doesn’t allow them. Wires-X hardware requirements include: a Yaesu FTM-100D or FTM-400XD radio or Fusion repeater, Yaesu HRI-200 interface between the radio and PC, a Windows 7 or 10 PC (yes, it must be Windows machine), and an Internet connection with a global IP address. A common example of a global IP address is one provided to you by your DSL, Cable, or Fiber provider. This IP is accessible from anywhere on the Internet and (generally) unrestricted. Lastly, another radio is required to use the Wires-X node locally.

Having setup my own Wires-X node in addition to LEARA’s repeater node, my first assumption was Phil would be able to connect out from his node in the RV to any other Wires-X node, but no other node could connect to him. This theory was based on the need to open or “port forward” 7 ports from the Internet to the PC running the Wires-X software. Port forwarding is a computer networking method used to allow data to bypass a firewall which would normally block that communication. Those that run websites from their network or have access to IP cameras while away from home will have these port forwards configured in their router.

Phil planned on using his smartphone as the Internet connection for the PC. Modern smartphones can use the cellular network to serve an Internet connection to other devices like a laptop or Raspberry Pi via a Wi-Fi connection. This is labeled something like “Mobile Hotspot” or “Personal Hotspot” in the phone. Standard disclaimer: check with your provider first in case there is an extra charge for this service or a bandwidth cap. Bandwidth is standard for a Voice over Internet system at about 60 kbps per connection, or about 30 MB/hour per connection with constant TX/RX. Port forwarding is never allowed on consumer cell plans. The unknown was whether the Wires-X software could connect without the port forwarding outlined in the configuration.

I tested my theory to see if the Wires-X software functioned by modifying a known working Wires-X configuration. I closed (temporarily disabled) the forwarded ports on my network. This meant communication over those ports would now be blocked, similar to that of a cellular connection. Then restarted the Wires-X software and hoped for the best. Was my theory correct? Drumroll please… the answer was: no. Wah waaaah. Not having the required ports forwarded to the PC did not allow the software to receive data from the Wires-X network. That result almost killed any hope of Phil using Wires-X mobile in his RV.

Phil was determined and we looked further into different solutions. VPNs were an option because they can often bypass network restrictions. However, only a small number of VPN providers allow forwarding ports as part of their service. Reviews weren’t positive, and VPNs tend to fail easily with unstable data connections such as one might have while mobile. Not something to be messing around with while driving. It introduced another point-of-failure in this setup. Hilariously enough, there were applications that touted the ability to ‘open ports on your phone.’ These wouldn’t work because, while they might open ports on the phone, almost assuredly the provider was blocking any ports upstream of the phone. Verizon offers a business account which allows port forwards, but there is a one-time setup cost of $500 plus the service. Yeah, no. I suggested asking in the Yahoo group. John – N9UPC, Fusion representative for Yaesu, reinforced the conclusion I came to: operating mobile wasn’t possible because wireless providers don’t provide a global IP. Though Phil posted his question in late April, oddly enough John did not give any indication of an announcement at Dayton. One solution that looked promising used AMPRNet, which is a block of Internet-routable IP addresses for ham radio operators. It could give us the global IP address we needed. After finding out more, someone else’s data center was being used and we weren’t sure Phil would have permission to use it as well.

Sensing no way to get around the port forward restriction, an announcement came during the Fusion forum at Dayton that (we hope) will solve Phil’s problem. Yaesu is going to release an update in the coming months that will allow the FT2DR, FTM-100D, as well as the FTM-400XD to operate as a portable node. With additional cables, these radios would connect directly to a computer for Wires-X operation without the need of an HRI-200. This was created specifically for mobile setups and users who don’t have the ability to forward the necessary ports (like in a hotel). Ding, ding, ding, we have a winner!

A couple caveats: purchase of an HRI-200 is still required. To use the portable node, you still need to register on the Wires-X system which requires a serial number from an HRI-200. The portable setup will not have ‘all of the features’ of the traditional setup such as hosting a Room (round table-type node) or messaging. Purchase of two cables is required to make the necessary connections: an SCU-19 USB and CT-44 audio cable. It wasn’t clear if both are needed for the 100/400 radios. There are no plans “at this time” to integrate any other Fusion radio other than the three listed above.

It would have been nice to have a heads-up about this new option before we spent time researching a solution. I think this will solve Phil’s problem and get him mobile with Wires-X. Announcement from the Fusion forum, Dayton Hamvention 2018.

Speaking of digital hotspots, my favorite has been discontinued: the openSPOT. I saw it disappear from dealer sites just after Dayton. On June 8th it was removed from the SharkRF website with an announcement that a new product was going to be introduced soon. What could it be??! If you need a digital hotspot device today, I really like the ZUMSpot with the Pi-Star software. I picked up one with a case at Dayton. More info in future articles.

The next big ham holiday, Field Day, is right around the corner. Get out and join your club or find a club to join if you’re not a member of one. It’s a great time to bring friends and get them excited about ham radio. Hams that come out get bitten by the bug to expand their station or learn a new mode. Check the Field Day Locator for operations taking place near you. Sending 10 messages over RF from your site gets you 100 points – including Winlink messages. I love to receive messages about your setup, stations operating, or social activities taking place. These can be sent via the National Traffic System (NTS) or Winlink – K8JTK at Winlink.org – to my station. Winlink post about Field Day points.

With July around the corner, two of my favorite events will be kicking-off soon. The 13 Colonies Special Event is coming up July 1 – 7, along with the RAC Canada Day Contest on July 1st only.

Thanks for reading and 73… de Jeff – K8JTK

Bridge a Remote Site Network with OpenVPN Access Server

Having access to your devices over the Internet is a requirement for any admin deploying a project. Instead of running to a remote site to administer devices (making changes, applying updates and patches), it’s easier to connect remotely and make changes. Remote access poses many issues and concerns.

Security

First and foremost is security. You always, always, ALWAYS want devices connected to the Internet behind a router with a built-in firewall (NAT router). A firewall filters traffic between two networks (your ISP and home for example) and will block attempts to connect to your internal (private) network.

Device manufacturers take security for granted. Little testing and auditing takes place because the analysis is expensive for throw-away devices. This is noted in many stories including Bug Exposes IP Cameras, Baby Monitors where simply clicking “OK” on the login dialog allowed access to the Internet connected video camera. It is trivial to find these devices on the Internet because of Shodan. Shodan is dubbed the “Internet of Things Search Engine.” If you’re not familiar, think of it as the Google for devices connected directly to the internet. These could be: web servers, printers, cameras, industrial machines, bitcoin mining… Putting devices behind a firewall minimizes the risk because anything trying to peer into the network would be blocked by the firewall.

This holds true for networks you don’t control (granted access on someone else’s network). Put your stuff behind a router/firewall so they can’t see your devices and you can’t be exploited by devices on the other network.

Port Forwarding is a popular technique to only allow traffic on a specific port to a device you specify in your firewall (router). This provides little security as it still allows a potentially vulnerable service to accept incoming connections from the Internet.

Choose a good router

Couple of tips for a good router:

  • You get what you pay for. Don’t opt for cheap.
  • Opt for ones that support third-party firmware like DD-WRT and Tomato, or set up a dedicated computer running pfSense or Untangle. These have proven to be more secure than stock firmware in addition to offering a more complete feature set.
  • Stick with popular models as found on Amazon, Newegg, or other tech store. They’re more likely to be reliable, well updated models.
  • Look for ones that accept USB cellular modem dongles for installations that have no accessible network connection like a remote site.

Virtual Private Network

The preferred way to connect to a remote network is to use a VPN. A VPN connects to a private network securely over the Internet. It allows the user to exchange data, use services, and connect to devices as if they were directly connected to that network. An open-source project that implements VPN technology is OpenVPN, an application that allows for secure point-to-point communication. There are many implementations of OpenVPN, including its use in many third-party router firmwares (mentioned above). OpenVPN Access Server is one of the many implementations and the one used for this project.

This project was inspired by Hak5 1921 – Access Internal Networks with Reverse VPN Connections. As an Amateur Radio operator into the newer computer and digital technologies, more devices are located at remote sites.

This setup consists of:

  1. A remote network behind a firewall where devices exist you want to access. This will be a Linux server on the remote network that will act as the gateway and persistently connected to the bridge. This could be a full desktop computer purposed for something else or Raspberry Pi. Also on the same network will be a Windows machine.
  2. An insecure/unknown network, AKA the Internet.
  3. A private server that will act as the bridge between the remote network and a device you choose.
  4. A device in a separate location that will connect to the cloud server and will be able to access the remote network. I will use a Windows machine to act as a ‘home’ computer.

This setup works in nearly all cases because the only device receiving incoming connections is the bridge server in the cloud. Firewalls block incoming connections by default. Very few block connections originating inside the network out to the Internet (egress). If a device along the way filters by content, connection attempts will be blocked. Many corporate networks are doing this kind of filtering. Otherwise the traffic looks the same as secure web traffic on port 443. No port forwarding is used.

Hosting

I recommend using an infrastructure hosting provider for the bridge server. This can cost anywhere from $5-$15 per month. The server can be anywhere on the public Internet. It must accept multiple connections on different ports, but only a couple of users at a time are needed, so a minimal configuration is more than sufficient. Bandwidth, latency, and up-time of all points in this setup affect reliability. My personal recommendations for infrastructure hosting providers are: Rackspace and DigitalOcean.

IP addressing

The remote networks and the home user networks must not overlap in address space; that is, they need to be numbered differently. For example, home networks typically use addressing such as 192.168.1.x. The remote site(s) can’t use the same numbering (192.168.1.x). I suggest making the remote site numbering different enough not to conflict with any home user’s network. Remote sites as 192.168.25.x, 192.168.26.x, and 192.168.27.x would work fine when the home users’ networks are addressed 192.168.0.x, 192.168.1.x, 192.168.2.x, and so on (except 25-27). Overlapping address ranges create routing conflicts, and packets will not reach the correct network.

Downsides

Cost.

In addition to hosting, a downside to using OpenVPN Access Server is licensing. While OpenVPN is open-source software and OpenVPN Access Server is free, the license allows for only two concurrent tunnel connections at any one time. This means the remote site counts as one connection and the home device as the second. If a second person (third device) needed access to the remote network, they would get a message saying ‘Access Server has reached its concurrent connections limit.’ The first person would need to disconnect before the second could connect; otherwise existing connections will begin to be booted. Additionally, connecting two or more remote sites and a home user is not possible without purchasing licenses or running an additional bridge server. Additional licenses can be purchased for “$9.60 License Fee Per Client Connection Per Year. Support & Updates included. 10 Client minimum purchase.” That is $96 per year.

An alternative to OpenVPN Access Server is to set up your own (roll your own) OpenVPN server, which is free. I hope to do an OVPN server setup at some point in the future.

Assumptions

This guide is step-by-step in nature, meant for beginners, with brief explanations of the steps. It will help to have an understanding of Linux commands and scripting. Capitalization is important in Linux! Understanding of basic networking concepts including determining network prefixes and CIDR notation is also required.

Program versions

I used a Windows 7 64 bit PC for configuration (and Home PC). Applications and versions used in this writeup:

  • OpenVPN Access Server 2.0.24
  • Putty 0.67
  • Ubuntu 14.04 x64 (bridge and remote servers)
  • Filezilla 3.16.0