>Ok, so you're trying to generate a server certificate for your VPN server.
I am trying to generate/gather all the files I need for the server
side so that when its done it works like yours. Where I don't have to
issue client keys, and all that. (Just a config file and the public
key ca.crt file). They can just follow the well documented steps in
the wiki that work for yours.
So I don't need to build a Certificate Signing Request after all?
>
>For this step, we actually do not need *anything* from LotW/TQSL side (and
>can not use any)! Just use any openvpn server setup guide's instructions
>for setting up a CA and generating a server certificate out from that CA.
>That CA cert is then given to the openvpn client, so that the client can
>make sure it is talking to the correct server.
This is what I have done before. Builds a private root ca, and all the rest.
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
The first line makes sure we start from scratch. The second generates
a key for the Certificate Authority (ca.crt and ca.key). The key for
the server itself is generated on the third line (server.crt,
server.key, and server.csr) . Repeat the forth line for each client
that needs to connect (client1.key, client1.csr, client.crt, etc).
Finally, we need the Diffie Hellman key as well, which is generated on
the fifth line (dh1024.pem).
In my server config file:
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
>The LotW certificates are only used for authenticating the client. The
>server's "ca" config option points to the LotW root certs bundle. The
>cleint's "ca" config option points to the private CA which signed the
>server's certificate.
A paragraph ago I thought you said build ones own private root ca...
But it sounds like you are now saying I just copy:
C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root
over to the server, rename it to ca.crt?
Tal, thanks for the follow up.
Most of that I already knew. As I have said, I have a functioning
openvpn server. The only thing it lacks is the ability to work with
client keys that folks extract from their lotw credentials. I have to
issue client keys to people and that is what I am trying to get away
from.
I really need a watered down step by step guide on how to do this till
it all clicks in my mind. Multi-factor authentication is pretty
confusing and new to me yet.
As I have said the client key extraction and documentation in the wiki
is easy to understand, I just wish the same existed for the server
end.
http://wiki.ampr.org/wiki/AMPRNet_VPN
It appears I need to build certificate signing request (maybe I am
wrong). Again its not clear to me where/how to extract the root
certificate from the ARRL LOTW program.
My callsign.tq6 is binary data.
However it looks like the root certificate is locate here:
C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root
I noticed it looks like three stacked into one file based on the
begin/end markings.
But from the link Tom shared, it looks like you don't have to do
anything different like break them apart, with a chained vs single.
Step one (./build-req server ) went ok however stuck at step two:,
root@test:/etc/openvpn/easy-rsa/2.0# ./build-key server
pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/easy-rsa/2.0/keys
Try pkitool --initca to build a root certificate/key.
root@test:/etc/openvpn/easy-rsa/2.0#
I simply copied the TQSL root file over to
/etc/openvpn/easy-rsa/2.0/keys and renamed it ca.crt
So I am guessing I need to split each certificate into its own file?
Is there anyway to support more than one?
> If it works without it, don't.
> The -r flag will make ampr-ripd receive ALL interface traffic and filter out
> multicasts in user space, while in regular operation mode that's left to the
> kernel and is more efficient.
> While on a big system it probably doesn't make much difference, on a limited
> resource device like the PI it could.
> Marius, YO2LOJ
I fully agree with that!
Do you have any idea why it was broken and if this has been fixed?
Of course it may depend on the details like which IP address was assigned to
which interface, just like the problem that you fixed in version 1.6...
Probably I should test again on some different systems and kernels...
Rob
> How can I diagnose why my ampr-ripd is not receiving the broadcast? Any
> tools?
Likely your problem is caused by a kernel bug that was introduced some time ago, I
don't know if it has been fixed in the meantime or if it was defined as 'desirable behaviour'
and left that way.
Some time ago I faced the same problem, and I could only fix it by adding the -r flag
("Use raw socket instead of multicast") to ampr-ripd. In multicast mode, which used to
work fine, it simply did not work anymore on the Pi.
Rob
Last year I followed this instructions
http://www.qsl.net/kb9mwr/wapr/tcpip/ampr-ripd.html
and was able to get a Amprnet Gateway working on a Raspberry Pi 2 with a
second USB Ethernet and VPN working OK.
Few months later, I have problem connecting with VPN. i found out later, I
have 2 IPs one static and one dynamic on the RPI. This was due to the new
dhcpcd.conf implementation. No longer you declare the static IP in
interfaces and some say to add it at the end of dhcpcd.conf. I disable
dhcpcd at boot and now 1 static IP and no trouble with VPN.
Now, I have problem not receiving the ampr-ripd encap route broadcast.
ip route show table 44 only shows:
default via 169.228.66.251 dev tunl0 onlink
44.163.22.0/24 dev eth1 scope link
44.163.22.128/25 dev tun0 scope link
tcpdump -i etho proto 4
monitor for a long time a no broadcast
I use this tool to ping 44.163.22.1
http://yo2tm.ampr.org/nettools.php
100% packet lost
But with tcpdump -i eth0 proto 4 it shows the ping arriving but my gateway
with no route then no answer:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:33:08.740142 IP mail.yo2loj.ro > 192.168.1.112: IP yo2tm.ampr.org >
onx.hp2at.ampr.org: ICMP echo request, id 44708, seq 1, length 64
(ipip-proto-4)
How can I diagnose why my ampr-ripd is not receiving the broadcast? Any
tools?
Jose / HP2AT
Brian, thanks for the update.
I know I asked before on how to build openvpn server keys and other
configuration details that will let a openvpn server I build work with
any hams lotw key clients that has previously documented:
http://wiki.ampr.org/wiki/AMPRNet_VPN
This is what I have built my own generated certificate authority,
server keys, with before using the
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
I could really use something detailed on the values for the keys and
certificates parameters to make a server work with the lotw based keys
Its not clear to me where one gets the the LoTW root CA certificate(s)
that need to be installed on the server. And I assume these are
Diffie hellman parameters?
Steve
Hi there
My CS8251 works very well
I need a idea how to make it get the Updated encap file automatically
I do it now by Cut and paste but know that TFTP can do the job as well
I need a solution that this can be done automatic (by batch or script)
Any ideas , Solutions welcome
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
www.ronen.orgronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
Ronen:
Keep in mind that TFTP is horribly insecure and not very robust. It should
only be used on local area networks.
Assi
-----Original Message-----
From: 44Net [mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On
Behalf Of R P
Sent: Friday, March 11, 2016 12:33 PM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] ideas to uutomatic updates of gateway file to Cisco
Routers ?
(Please trim inclusions from previous messages)
_______________________________________________
I have made some tests with uploading config file to cisco in few ways The
Telnet way is very slow it take to upload the whole gateways command about
5 minutes
Today i have done config network (it is doing TFTP for the config file )
the whole procedure took 3 seconds
The disadvantage that this way require TFTP server ... but i know it can be
done with web also i will check tat too ...
The script is also very simple
all it have to do is to connect ... to wait for # prompt then to give
the command conf network and to give some parameters such as the TFTP
server address and file name and in the end to wait for OK
When i will have fully automatic and running script (i will have to ask
some of the local Script gurus to make it for me ) i will post it here and
update the WIKI page
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen,
Below is a code snippet I use on my AmprNet router to direct any traffic with a 44/8 source or destination address to use Tunnel1 as my default interface. This allows any non-44 sourced traffic to route back to UCSD. The “ip local policy” command tells the router to apply the route-map to any locally generated traffic.
ip local policy route-map NET44-ROUTE-MAP
interface Loopback0
ip address 44.56.193.1 255.255.255.0
interface Tunnel1
description Default AMPRNet tunnel
ip unnumbered Loopback0
ip tcp adjust-mss 1360
tunnel source 24.229.88.253
tunnel destination 169.228.66.251
tunnel mode ipip
interface FastEthernet0/1
ip address 44.56.192.254 255.255.255.240
ip policy route-map NET44-ROUTE-MAP
duplex auto
speed auto
ip access-list extended NET44-PBR
permit ip any 44.0.0.0 0.255.255.255
permit ip 44.0.0.0 0.255.255.255 any
route-map NET44-ROUTE-MAP permit 10
match ip address NET44-PBR
set default interface Tunnel1
Thanks
Jesse - WC3XS
On 3/11/16, 1:57 PM, "44Net on behalf of R P" <44net-bounces+jesse=hindmarsh.cc(a)hamradio.ucsd.edu on behalf of ronenp(a)hotmail.com> wrote:
>(Please trim inclusions from previous messages)
>_______________________________________________
>Hi there
>
>Is there any one that use Cisco as Gateway and use Policy routing for redirecting the 44 Net Traffic ?
>
>I would like to get the Policy routing lines and the access list that belong to it
>
>and also the static route command specially the one that refer to the default route and to the route to AMPR Gateway (the main 44 net router)
>
>I am writing in the ampr wiki page how to set up a gateway with Cisco Router and i cant succeed to make my policy route work correct and dont want to publish example that doesn't work
>
>Thanks in advance
>
>Ronen - 4Z4ZQ
>
>http://www.ronen.org
>
>Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
>www.ronen.org
>ronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
>
>
>
