>Ok, so you're trying to generate a server certificate for your VPN server.
I am trying to generate/gather all the files I need for the server
side so that when it's done it works like yours, where I don't have to
issue client keys and all that (just a config file and the public
key ca.crt file). They can just follow the well-documented steps in
the wiki that work for yours.
So I don't need to build a Certificate Signing Request after all?
>
>For this step, we actually do not need *anything* from LotW/TQSL side (and
>can not use any)! Just use any openvpn server setup guide's instructions
>for setting up a CA and generating a server certificate out from that CA.
>That CA cert is then given to the openvpn client, so that the client can
>make sure it is talking to the correct server.
This is what I have done before. It builds a private root CA, and all the rest.
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
The first line makes sure we start from scratch. The second generates
a key for the Certificate Authority (ca.crt and ca.key). The key for
the server itself is generated on the third line (server.crt,
server.key, and server.csr). Repeat the fourth line for each client
that needs to connect (client1.key, client1.csr, client1.crt, etc).
Finally, we need the Diffie-Hellman key as well, which is generated on
the fifth line (dh1024.pem).
In my server config file:
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
>The LotW certificates are only used for authenticating the client. The
>server's "ca" config option points to the LotW root certs bundle. The
>client's "ca" config option points to the private CA which signed the
>server's certificate.
A paragraph ago I thought you said to build one's own private root CA...
But it sounds like you are now saying I just copy:
C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root
over to the server, rename it to ca.crt?
Tal, thanks for the follow-up.
Most of that I already knew. As I have said, I have a functioning
openvpn server. The only thing it lacks is the ability to work with
client keys that folks extract from their lotw credentials. I have to
issue client keys to people and that is what I am trying to get away
from.
I really need a watered down step by step guide on how to do this till
it all clicks in my mind. Multi-factor authentication is pretty
confusing and new to me yet.
As I have said the client key extraction and documentation in the wiki
is easy to understand, I just wish the same existed for the server
end.
http://wiki.ampr.org/wiki/AMPRNet_VPN
It appears I need to build a certificate signing request (maybe I am
wrong). Again, it's not clear to me where/how to extract the root
certificate from the ARRL LoTW program.
My callsign.tq6 is binary data.
However, it looks like the root certificate is located here:
C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root
I noticed it looks like three stacked into one file based on the
begin/end markings.
But from the link Tom shared, it looks like you don't have to do
anything different like break them apart, with a chained vs single.
Step one (./build-req server) went ok, however I'm stuck at step two:
root@test:/etc/openvpn/easy-rsa/2.0# ./build-key server
pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/easy-rsa/2.0/keys
Try pkitool --initca to build a root certificate/key.
root@test:/etc/openvpn/easy-rsa/2.0#
I simply copied the TQSL root file over to
/etc/openvpn/easy-rsa/2.0/keys and renamed it ca.crt
So I am guessing I need to split each certificate into its own file?
Is there any way to support more than one?
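Added example, not from the thread or from the TQSL/easy-rsa projects. The pkitool error above says easy-rsa wants a ca.key to sign with, which the LotW root bundle cannot supply; that bundle belongs only in the server's "ca" option, where OpenVPN reads every certificate in a concatenated file, so splitting is needed only for tools that want one certificate per file. This Python splits such a bundle and rejects bodies that are not base64-encoded DER; the three-certificate sample is constructed.

```python
import base64
import re
from pathlib import Path

# Constructed sample: three certificates stacked in one file, the layout of the
# TrustedQSL "root" bundle. Bodies are base64 of a tiny ASN.1 SEQUENCE stand-in,
# not real certificates.
_FAKE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_BUNDLE = "".join(
    "# LoTW root %d\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    % (i, base64.b64encode(_FAKE_DER + bytes([i])).decode())
    for i in range(1, 4)
)
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return each certificate of a PEM bundle as its own normalised PEM block.

    Text outside the BEGIN/END markers (comments, blank lines) is ignored. A
    body that is not valid base64, or does not decode to DER starting with the
    ASN.1 SEQUENCE tag (0x30), rejects the whole bundle: better to fail here
    than to hand OpenVPN a file it cannot use.
    """
    certs = []
    for body in _PEM_RE.findall(text):
        b64 = "".join(body.split())  # drop the line breaks inside the body
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM body is not a DER SEQUENCE")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    return certs


def write_split(text, outdir, prefix="lotw-root"):
    """Write each certificate to outdir/<prefix>-N.crt and return the paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, pem in enumerate(split_pem_bundle(text), start=1):
        path = outdir / ("%s-%d.crt" % (prefix, n))
        path.write_text(pem)
        paths.append(path)
    return paths
```

Run write_split on the real TrustedQSL root file to get one .crt per certificate; keep the unsplit file for the OpenVPN "ca" option.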
> If it works without it, don't.
> The -r flag will make ampr-ripd receive ALL interface traffic and filter out
> multicasts in user space, while in regular operation mode that's left to the
> kernel and is more efficient.
> While on a big system it probably doesn't make much difference, on a limited
> resource device like the PI it could.
> Marius, YO2LOJ
I fully agree with that!
Do you have any idea why it was broken and if this has been fixed?
Of course it may depend on the details like which IP address was assigned to
which interface, just like the problem that you fixed in version 1.6...
Probably I should test again on some different systems and kernels...
Rob
> How can I diagnose why my ampr-ripd is not receiving the broadcast? Any
> tools?
Likely your problem is caused by a kernel bug that was introduced some time ago, I
don't know if it has been fixed in the meantime or if it was defined as 'desirable behaviour'
and left that way.
Some time ago I faced the same problem, and I could only fix it by adding the -r flag
("Use raw socket instead of multicast") to ampr-ripd. In multicast mode, which used to
work fine, it simply did not work anymore on the Pi.
Rob
Last year I followed these instructions
http://www.qsl.net/kb9mwr/wapr/tcpip/ampr-ripd.html
and was able to get an AMPRNet gateway working on a Raspberry Pi 2 with a
second USB Ethernet, and VPN working OK.
A few months later, I had a problem connecting with VPN. I found out later that I
had 2 IPs, one static and one dynamic, on the RPi. This was due to the new
dhcpcd.conf implementation. You no longer declare the static IP in
interfaces, and some say to add it at the end of dhcpcd.conf. I disabled
dhcpcd at boot and now have 1 static IP and no trouble with VPN.
Now, I have problem not receiving the ampr-ripd encap route broadcast.
ip route show table 44 only shows:
default via 169.228.66.251 dev tunl0 onlink
44.163.22.0/24 dev eth1 scope link
44.163.22.128/25 dev tun0 scope link
tcpdump -i eth0 proto 4
monitored for a long time and no broadcast.
I use this tool to ping 44.163.22.1
http://yo2tm.ampr.org/nettools.php
100% packet loss.
But with tcpdump -i eth0 proto 4 it shows the ping arriving, but my gateway
has no route, so no answer:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:33:08.740142 IP mail.yo2loj.ro > 192.168.1.112: IP yo2tm.ampr.org >
onx.hp2at.ampr.org: ICMP echo request, id 44708, seq 1, length 64
(ipip-proto-4)
How can I diagnose why my ampr-ripd is not receiving the broadcast? Any
tools?
Jose / HP2AT
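An added diagnostic, not from the thread or from ampr-ripd, assuming the encap announcements ampr-ripd waits for are RIPv2 (UDP port 520 to 224.0.0.9) carried inside IPIP: it decodes proto-4 packets like the ones tcpdump shows above and tells a RIP announcement apart from ordinary encapsulated traffic such as the echo request. The sample packets are constructed; 44.0.0.1, 44.0.2.1 and 198.51.100.7 are placeholders.

```python
import socket
import struct

# Assumed (not from the thread): ampr-ripd's encap announcements are RIPv2,
# i.e. UDP port 520 to 224.0.0.9, carried inside IPIP (IP protocol 4).
RIP_PORT, RIP_MCAST = 520, "224.0.0.9"

def parse_ipv4(buf):
    """Parse one IPv4 header; return (proto, src, dst, payload) or None."""
    if len(buf) < 20:
        return None
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        return None
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), buf[ihl:]

def classify_ipip(packet):
    """Classify one packet the way `tcpdump -i eth0 proto 4` would show it."""
    outer = parse_ipv4(packet)
    if outer is None or outer[0] != 4:
        return "not-ipip"
    inner = parse_ipv4(outer[3])
    if inner is None:
        return "ipip-truncated"
    proto, src, dst, payload = inner
    if proto == 17 and len(payload) >= 8:
        _, dport = struct.unpack("!HH", payload[:4])
        if dport == RIP_PORT and dst == RIP_MCAST:
            return "rip-announce from %s via %s" % (src, outer[1])
    if proto == 1:
        return "icmp %s > %s" % (src, dst)
    return "other inner proto %d" % proto

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed samples: 169.228.66.251 and 192.168.1.112 come from the thread;
# 44.0.0.1 (announcer), 44.0.2.1 (pinger) and 198.51.100.7 are placeholders.
_RIP = struct.pack("!HHHH", RIP_PORT, RIP_PORT, 12, 0) + b"\x02\x02\x00\x00"
SAMPLE_RIP = ipv4(4, "169.228.66.251", "192.168.1.112",
                  ipv4(17, "44.0.0.1", RIP_MCAST, _RIP))
_ECHO = struct.pack("!BBHHH", 8, 0, 0, 44708, 1) + b"\x00" * 56
SAMPLE_ICMP = ipv4(4, "198.51.100.7", "192.168.1.112",
                   ipv4(1, "44.0.2.1", "44.163.22.1", _ECHO))
```

If captured proto-4 packets never classify as rip-announce, nothing is arriving for ampr-ripd to miss and the problem is upstream of the Pi; if they do and table 44 still stays empty, the kernel-side multicast handling that the -r flag works around is the next thing to check.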
Brian, thanks for the update.
I know I asked before about how to build openvpn server keys and other
configuration details that will let an openvpn server I build work with
any ham's LotW key clients, as has previously been documented:
http://wiki.ampr.org/wiki/AMPRNet_VPN
This is what I have used before to build my own generated certificate
authority and server keys:
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
I could really use something detailed on the values for the key and
certificate parameters to make a server work with the LotW-based keys.
It's not clear to me where one gets the LotW root CA certificate(s)
that need to be installed on the server. And I assume these are
Diffie-Hellman parameters?
Steve
Hi there
My CS8251 works very well
I need an idea how to make it get the updated encap file automatically.
I do it now by cut and paste, but I know that TFTP can do the job as well.
I need a solution so that this can be done automatically (by batch or script).
Any ideas or solutions welcome.
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen:
Keep in mind that TFTP is horribly insecure and not very robust. It should
only be used on local area networks.
Assi
-----Original Message-----
From: 44Net [mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On
Behalf Of R P
Sent: Friday, March 11, 2016 12:33 PM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] ideas to automatic updates of gateway file to Cisco
Routers ?
(Please trim inclusions from previous messages)
_______________________________________________
I have made some tests with uploading the config file to the Cisco in a few ways.
The telnet way is very slow; it takes about 5 minutes to upload the whole
gateways command.
Today I have done "config network" (it does TFTP for the config file);
the whole procedure took 3 seconds.
The disadvantage is that this way requires a TFTP server... but I know it can be
done with web also; I will check that too...
The script is also very simple:
all it has to do is to connect, wait for the # prompt, then give
the command "conf network" and give some parameters such as the TFTP
server address and file name, and at the end wait for OK.
When I have a fully automatic and running script (I will have to ask
some of the local script gurus to make it for me) I will post it here and
update the WIKI page.
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen,
Below is a code snippet I use on my AmprNet router to direct any traffic with a 44/8 source or destination address to use Tunnel1 as my default interface. This allows any non-44 sourced traffic to route back to UCSD. The “ip local policy” command tells the router to apply the route-map to any locally generated traffic.
ip local policy route-map NET44-ROUTE-MAP

interface Loopback0
 ip address 44.56.193.1 255.255.255.0

interface Tunnel1
 description Default AMPRNet tunnel
 ip unnumbered Loopback0
 ip tcp adjust-mss 1360
 tunnel source 24.229.88.253
 tunnel destination 169.228.66.251
 tunnel mode ipip

interface FastEthernet0/1
 ip address 44.56.192.254 255.255.255.240
 ip policy route-map NET44-ROUTE-MAP
 duplex auto
 speed auto

ip access-list extended NET44-PBR
 permit ip any 44.0.0.0 0.255.255.255
 permit ip 44.0.0.0 0.255.255.255 any

route-map NET44-ROUTE-MAP permit 10
 match ip address NET44-PBR
 set default interface Tunnel1
Thanks
Jesse - WC3XS
On 3/11/16, 1:57 PM, "44Net on behalf of R P" <44net-bounces+jesse=hindmarsh.cc(a)hamradio.ucsd.edu on behalf of ronenp(a)hotmail.com> wrote:
>Hi there
>
>Is there anyone who uses a Cisco as gateway and uses policy routing for redirecting the 44 net traffic?
>
>I would like to get the policy routing lines and the access list that belongs to it,
>
>and also the static route commands, especially the one that refers to the default route and the route to the AMPR gateway (the main 44 net router).
>
>I am writing in the AMPR wiki page how to set up a gateway with a Cisco router, and I can't succeed in making my policy route work correctly and don't want to publish an example that doesn't work.
>
>Thanks in advance
>
>Ronen - 4Z4ZQ
>
>http://www.ronen.org
>