I never really had an interest in log book of the world till now.
So I just signed up, and awaiting their postcard or whatever.
Using those certificates sure seems like a logical way to keep the
network secure.
I have been wondering if anyone running a IPIP gateway applies any
security by locking it down with iptables to only the other known
gateways.
Perhaps this could be worked into rip44d as an option?
This is essentially what D-Star the dssecd D-STAR Gateway security
enhancement application/daemon does.
At that point the only issue is who is allowed to create a gateway in
the portal. And perhaps that is where this ham verification technique
could be applied.
I realized it was a return route issue on my way to work yesterday.
It's all working now.
Thanks again
------------ Quote ------------
One thing to check would be if the VPN client has a route for 44/8 pointing
through the VPN ("ip route" on the client). The VPN server should give the
client the route using a directive in the server config:
push "route 44.0.0.0 255.0.0.0"
Ciao Hessu,
just to share our experience in using OpenVPN solution to access CisarNet (http://wifi.cisar.it for the map, http://www.cisarnet.it for other services, ...),
Before to setup the solution (about three years ago), inside our working group we discussed about using named certificates, Certification Authority, user registration process, crypto and so on...
At the end, we decided just to share one only common signed key, and also permit free guest access without user identification (just as equivalence to radio Push-To-Talk button), no crypto (for regulatory compliance in several country for radio ham radio communication, Italy included). Storing logs permit us to be compliant to law about taking care of timestamp, ip source of the VPN client peer and destination ip public address. Also, in this way we are extending in Italy the usage of amprnet, by managing directly the CIDR 44.208/16 subnet as Internet IP public Address.
I hope this help you to know our point of view, a little different from yours, but also useful for share several experiences (thanks to your well done guide on ampr wikis). We'd like also to know your (and others) opinion about Italian Cisar association approach to OpenVPN access.
Ciao from Italy.
IW0SAB Renzo.
>----Messaggio originale----
>Da: hessu(a)hes.iki.fi
>Data: 08/05/2013 0.42
>A: "AMPRNet working group"<44net(a)hamradio.ucsd.edu>
>Ogg: [44net] VPN access to AMPRNet using amateur X.509 certificates
>
>(Please trim inclusions from previous messages)
>_______________________________________________
>
>Hi,
>
>The AMPRNet might be more useful if it had:
>
>(1) more services which would be interesting to hams
>(2) more access to the AMPRNet
>
>Tonight I tried to attack (2) a bit. Access to the AMPRNet over the
>Internet could maybe be made easier to hams by allowing them to connect
>over VPNs instead of setting up their own IPIP tunnels at home, or trying
>to find a working radio gateway. After getting a VPN running it might be
>easier for them to set up a radio gateway, or some services. As discussed
>on the other mailing list, VPNs are easier to get up on NATed residential
>networks than IPIP tunnels.
>
>Setting up VPN user accounts and maintaining them can be a pain. It
>doesn't take a lot of weekly or monthly maintenance work to run a VPN
>service, but it can be a major pain to manage an user account database for
>thousands of hams and check if your users around the Internet are, in
>fact, licensed.
>
>It turns out that ARRL's Logbook of the World has already given out
>cryptographic X.509 certificates to 57334 amateur users, after verifying
>their license status against the FCC database (they send a postcard with a
>random token code to the FCC-listed snail-mail address to make sure they
>give the certificate to the right guy) or after looking at a paper
>photocopy of a license + a photo ID. I had to physically mail in a photo
>of my ham license and my driver's license and wait a couple weeks to get
>the cert. If they can get 50k contesters and DXers to work with
>certificates, maybe certs can work for the AMPRnet, too.
>
>Technically, we can validate if a VPN user is in possession of one of
>those certificates and the respective private key. Politically, K4JH asked
>the ARRL guys, and they said that they don't mind if we use them for other
>ham authentication needs. We can start accepting other CAs too once they
>come around. I plan to help SRAL, the Finnish amateur radio union, to set
>up a CA within their web site (they already have user accounts for
>members). I know ARRL isn't for everyone, but smaller clubs could set up
>CAs too, or even commercial entities - as long as we trust them to do the
>license validation in a proper manner.
>
>Tonight I hacked up an OpenVPN setup which authenticates users with LoTW
>certs, and wrote a little documentation:
>
>http://wiki.ampr.org/index.php/AMPRNet_VPN
>
>What do you think? Technically, it seems to work - try it out if you like.
>It's not very straightforward to set up, but the license validation is
>pretty strong, and running the service shouldn't be a lot of work. There
>can be many VPN servers around the world, serving the whole customer base
>(VPN servers do not need access to any central user database, they just
>need the certificates of the trusted CAs). With a little Dynamic DNS
>magic, you could get a oh7lzb.vpn.ampr.org hostname on DNS within a few
>seconds after connecting (I've got code for that in another project).
>
>(Yes, eventually certificates need to be revoked after they accidentally
>get into wrong hands, or ham licenses are revoked. Technically that can be
>done using CRLs and/or OCSP, but ARRL apparently does not do those yet.
>Maybe they will, if the need arises. We can also set up a blocked
>certificates list of our own.)
>
> - Hessu, OH7LZB
>
>_________________________________________
>44Net mailing list
>44Net(a)hamradio.ucsd.edu
>http://hamradio.ucsd.edu/mailman/listinfo/44net
>http://www.ampr.org/donate.html
>
Thanks for refreshing my memory. I am really rusty at this, since
they have made home networking plug and play.
I have IP forwarding enabled.
root@ampr-test:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Could you give an example of what I need for iptables forwarding rules.?
Steve
I have been playing with openvpn. Works great to establish a
connection to a remote firewalled host.
Problem:
I have a rip IPIP gateway. I have subnets 44.92.20.0/24 and
44.92.21.0/24 set in the portal
44.92.20.1 is my ampr gateway address. That is working, pingable.
tunl0 Link encap:IPIP Tunnel HWaddr
inet addr:44.92.21.1 Mask:255.0.0.0
UP RUNNING NOARP MULTICAST MTU:1480 Metric:1
RX packets:138952 errors:0 dropped:0 overruns:0 frame:0
TX packets:89710 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:37916347 (36.1 MiB) TX bytes:15979452 (15.2 MiB)
I have a openvpn server also running on this box. It's address is
44.92.20.1. The client connecting is: 44.92.20.6
The server can ping the client, the client can ping the server.
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:44.92.20.1 P-t-P:44.92.20.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1184 (1.1 KiB) TX bytes:756 (756.0 B)
I don't understand why 44.92.20.6 is not reachable from the outside world?
(If nothing else, you'd think some simple route add command would make is so)
And yes I have these routes for the IPIP gateway:
/sbin/ip route add default via 169.228.66.251 dev tunl0 proto static
onlink table 10
/sbin/ip rule add from 44.92.21.0/24 table 10
/sbin/ip rule add from 44.92.20.0/24 table 10
Can anyone see anything I am overlooking?
First, Hessu your VPN idea looks interesting. Hopefully I'll have
some time in the coming weeks to give it a try. Thanks for your
efforts.
Regarding cleaning up the DNS. Someone mentioned the idea of sorting
hosts that are theoretically reachable via a tunnel. Then possibly
purging ones that are not, or at least further review of these.
So we gave it a shot, seemed simple enough. Look at the encap.txt
file, look for hosts in each CIDR... (checking this file:
ftp://hamradio.ucsd.edu/pub/amprhosts.)
A quick google search yielded this nifty function that is the magic to
the whole thing
http://stackoverflow.com/questions/594112/matching-an-ip-to-a-cidr-mask-in-…http://pastebin.com/CCiX4Upd
It's not quite working, maybe someone who knows more can fix it?
I get some errors about Undefined offsets.
Steve, KB9MWR
from the wiki at http://en.wikipedia.org/wiki/AMPRNet:
*44.128.0.0/16*
*44.128.x.x is the testing subnet and consists of 65,536 (216) addresses.
Much akin to 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16 or 192.168.0.0/16,
this is an unroutable private IP
block<http://en.wikipedia.org/wiki/Private_network>.
Connectivity to the rest of the network should be given through router
gateways <http://en.wikipedia.org/wiki/Gateway_(telecommunications)> much
as one would do with Network address
translation<http://en.wikipedia.org/wiki/Network_address_translation>
in
any other private IP block.*
There is no attribution to that statement, and nothing I could find at
AMPR.org
Is this the best way to address devices when doing NAT into a private
network? Any issues?
Or are there advantages to requesting assigned numbers?
thanks & 73,
Jim Alles
I just made some requests via the AMPRNet portal to create some DNS records in the ampr.org domain, and the requests were rejected with the following remark:
"DNS is not active yet, please subscribe to the 44-Net mailing list to keep advised of progress."
I presume they are referring to this mail list.
So, how do I get DNS records created in the ampr.org domain? I understand that in the past, there was an email robot, but I have been unable to find any details on how to use it. Can anyone point me in the right direction?
Many thanks,
Matt VK2RQ
What are your thoughts about where do we go with IPv6?
We (PSARC) are about to request a backbone connection with IPv6 addressing.
What if I wanted to map an assigned 44net address to a IPv6 address?
Or, is tunneling the answer?
It looks like the possibilities are endless
http://en.wikipedia.org/wiki/IPv6_transition_mechanisms
Jim A.