> I just followed this, for a CentOS 5 system and it took right off:
>
> http://wiki.ampr.org/index.php/AMPRNet_VPN
>
> Make sure you have these files in your /etc/openvpn directory:
> amprnet-vpn-ca.crt
> client.conf
> client.crt
> client.key
Actually with a modern openvpn client it is possible to combine everything in a single .conf file.
(or .ovpn when you want to use it on Windows)
The certificates and keys can be put in the file "inline". I use this method for distribution of openvpn
configs that can be used with our national VPN gateway (only available for Dutch stations), for which
we generate certificates and send them to the users.
The file for the amprnet vpn system would look like this:
client
dev tun
proto udp
remote amprnet-vpn1.aprs.fi 1773
resolv-retry infinite
persist-key
persist-tun
comp-lzo
verb 3
ca [inline]
cert [inline]
key [inline]
<ca>
contents of the amprnet-vpn-ca.crt file
</ca>
<cert>
contents of the client.crt file
</cert>
<key>
contents of the client.key file
</key>
This makes it easier to move the certificate around, use it on Windows, etc.
Only really old versions of the openvpn client, today only found on devices like NAS that have not
updated for a long time, do not support the [inline] construct.
Rob
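The single-file layout described above can be generated from the four files listed earlier in the thread. The script below is an added example, not from the thread or the AMPRNet wiki; make_inline_ovpn is a hypothetical helper, and it assumes client.conf names the credentials with ca, cert and key lines. It emits only the tagged blocks and creates the output owner-only, because the file then contains the private key.

```shell
#!/bin/sh
# Added example (not from the thread): merge the four files into one config.
# make_inline_ovpn is a hypothetical helper name.
# Usage: make_inline_ovpn /etc/openvpn amprnet.ovpn

make_inline_ovpn() {
    dir=$1
    out=$2

    # Refuse to build a half-populated config.
    for f in client.conf amprnet-vpn-ca.crt client.crt client.key; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 1
        fi
    done

    (
        # The result embeds the private key: create it readable by the owner
        # only, and remove any older copy that may have looser permissions.
        umask 077
        rm -f "$out"
        {
            # Assumption: client.conf names the credentials with ca/cert/key
            # lines. Drop them; the inline blocks below replace them.
            sed -E '/^[[:space:]]*(ca|cert|key)[[:space:]]/d' "$dir/client.conf"
            for pair in ca:amprnet-vpn-ca.crt cert:client.crt key:client.key; do
                tag=${pair%%:*}
                file=${pair#*:}
                printf '<%s>\n' "$tag"
                # awk 1 re-terminates a last line that lacks a newline, so the
                # closing tag always starts on its own line.
                awk 1 "$dir/$file"
                printf '</%s>\n' "$tag"
            done
        } > "$out"
    )
}
```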
I just gave it a try for the first time ever. A couple years back I
applied for a Log of the World certificate and never really took it
any further. I guess I forgot.
Mistake #1 for me was only backing up the KB9MWR.p12 and KB9MWR.tq6
files a couple years ago. That was on a former computer. I should
have backed up the whole C:\Documents and
Settings\your-username\Application Data\TrustedQSL directory, or just
completed the process and made the openvpn keys back then.
Anyway no big deal, just a few more hoops to have the certificates re-issued.
I just followed this, for a CentOS 5 system and it took right off:
http://wiki.ampr.org/index.php/AMPRNet_VPN
Make sure you have these files in your /etc/openvpn directory:
amprnet-vpn-ca.crt
client.conf
client.crt
client.key
Aside from that we are going to need a bit more detail to further help
you. What does the openvpn daemon say when you start it?
> Subject: [44net] PTD
> From: Brian <n1uro(a)n1uro.ampr.org>
> Date: 10/10/2015 04:13 AM
> To: 44net(a)hamradio.ucsd.edu
>
> Is anyone on PTD.net that's running SNMP?
Please MAKE SURE that you block all incoming SNMP traffic from internet to amprnet!
(especially when you are using community names like "public")
The bad guys use SNMP as an attack amplifier.
One time I moved a switch to another address and it became exposed, and within 3 days I had an abuse report.
Now I have a general rule that drops all SNMP at our gateway.
(of course the real problem is the ISPs that refuse to implement BCP38, source address filtering)
Rob
Is anyone on PTD.net that's running SNMP?
24.115.114.195.res-cmts.flt.ptd.net.54321 > gw.ct.ampr.org.snmp: [udp
sum ok] { SNMPv2c C=AMPRNet_RO { GetRequest(34) R=198102558
E:14988.1.1.1.1.1.7.0 } }
22:08:32.571779 IP (tos 0x0, ttl 114, id 15043, offset 0, flags [none],
proto UDP (17), length 81)
24.115.114.195.res-cmts.flt.ptd.net.54321 > gw.ct.ampr.org.snmp:
[udp sum ok] { SNMPv2c C=AMPRNet_RO { GetRequest(34) R=198102560
E:14988.1.1.1.1.1.4.0 } }
22:08:32.571848 IP (tos 0x0, ttl 114, id 15044, offset 0, flags [none],
proto UDP (17), length 81)
24.115.114.195.res-cmts.flt.ptd.net.54321 > gw.ct.ampr.org.snmp:
[udp sum ok] { SNMPv2c C=AMPRNet_RO { GetRequest(34) R=198102562
E:14988.1.1.1.1.1.3.0 } }
22:08:32.571914 IP (tos 0x0, ttl 114, id 15045, offset 0, flags [none],
proto UDP (17), length 81)
24.115.114.195.res-cmts.flt.ptd.net.54321 > gw.ct.ampr.org.snmp:
[udp sum ok] { SNMPv2c C=AMPRNet_RO { GetRequest(34) R=198102564
E:14988.1.1.1.1.1.2.0 } }
--
Dolphins are so smart that within a few weeks of captivity, they
can train people to stand on the very edge of the pool and throw them
fish.
73 de Brian - N1URO
email: (see above)
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
http://uronode.sourceforge.net
http://axmail.sourceforge.net
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
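As an added example (not from the thread), one way to see who is sending SNMP requests at a gateway, and with which community string, is to summarise tcpdump -v text like the capture above. snmp_requesters and sample_capture are hypothetical names, and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count SNMP requests per source and
# community string in `tcpdump -v` text output, tolerating wrapped lines.

snmp_requesters() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./) {
                src = ""                      # timestamp: a new packet starts
            } else if (p1 == ">" && tok ~ /\.(snmp|161):$/) {
                src = p2                      # "src.port > dst.snmp:"
                sub(/\.[0-9]+$/, "", src)     # strip the source port
            } else if (src != "" && tok ~ /^C=/) {
                seen[src " " substr(tok, 3)]++
                src = ""
            }
            p2 = p1
            p1 = tok
        }
    }
    END { for (k in seen) print seen[k], k }
    ' "$@" | sort -rn
}

# Constructed sample in the same layout as the capture above
# (documentation addresses, made-up community "example_ro").
sample_capture() {
    cat <<'EOF'
10:00:00.000001 IP (tos 0x0, ttl 114, id 1, offset 0, flags [none],
proto UDP (17), length 81)
192.0.2.10.54321 > 198.51.100.1.snmp: [udp
sum ok] { SNMPv2c C=public { GetRequest(34) R=1 E:14988.1.1.1.1.1.7.0 } }
10:00:00.000002 IP (tos 0x0, ttl 114, id 2, offset 0, flags [none],
proto UDP (17), length 81)
192.0.2.10.54321 > 198.51.100.1.snmp:
[udp sum ok] { SNMPv2c C=public { GetRequest(34) R=2 E:14988.1.1.1.1.1.4.0 } }
10:00:01.000001 IP (tos 0x0, ttl 60, id 3, offset 0, flags [none], proto UDP (17), length 81)
host.example.net.40000 > 198.51.100.1.161: [udp sum ok]
{ SNMPv2c C=example_ro { GetRequest(34) R=3 E:14988.1.1.1.1.1.3.0 } }
10:00:02.000001 IP (tos 0x0, ttl 60, id 4, offset 0, flags [none], proto UDP (17), length 57)
192.0.2.10.40001 > 198.51.100.1.domain: 1234+ A? example.org. (29)
EOF
}
```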
For those of you using the Portal’s API, this is a “heads up” to check your client code…
It was pointed out to me that the JSON encoding the API returns was slightly non-standard. Having looked into the issue this seems to be the case, so I have today corrected the error and bumped the version.
Just check your client is still decoding the output correctly - most libraries would have happily accepted the JSON variant I was using, so chances are you won’t need to change anything, but if you coded your own JSON decode routine…
Regards,
Chris
You may want to fix this...
ax0: fm PY2ZEN-15 to QST ctl UI pid=CC(IP) len 161
IP: len 161 10.1.1.5->239.255.255.250 ihl 20 ttl 1 DF prot UDP
UDP: len 141 52618->1900 Data 133
0000 M-SEARCH * HTTP/1.1..MX: 2..HOST: 239.255.255.250:1900..MAN: "ss
0040 dp:discover"..ST: urn:schemas-upnp-org:service:WANPPPConnection:
0080 1....
ax0: fm PY2ZEN-15 to QST ctl UI pid=CC(IP) len 161
IP: len 161 10.1.1.5->239.255.255.250 ihl 20 ttl 1 DF prot UDP
UDP: len 141 52618->1900 Data 133
0000 M-SEARCH * HTTP/1.1..MX: 2..HOST: 239.255.255.250:1900..MAN: "ss
0040 dp:discover"..ST: urn:schemas-upnp-org:service:WANPPPConnection:
0080 1....
ax0: fm PY2ZEN-15 to QST ctl UI pid=CC(IP) len 160
IP: len 160 10.1.1.5->239.255.255.250 ihl 20 ttl 1 DF prot UDP
UDP: len 140 52618->1900 Data 132
0000 M-SEARCH * HTTP/1.1..MX: 2..HOST: 239.255.255.250:1900..MAN: "ss
0040 dp:discover"..ST: urn:schemas-upnp-org:service:WANIPConnection:1
0080 ....
73 de Brian - N1URO
I know a couple of groups now have proper reverse delegation of DNS for their subnets… Wondering who to drop a line to so I can get 44.103.0.0/19 delegated to a.ns.mi6wan.net and b.ns.mi6wan.net ?
Didn’t see it in the portal or wiki and my notes from a few months ago are foggy...
--
Fredric Moses - W8FSM - WQOG498
fred(a)moses.bz
By request a new endpoint has been added to the API:
GET encapSerial
This returns the current serial number for the encap file, so you can poll this and decide whether you need to download the encap data.
Regards,
Chris