44net

44net@mailman.ampr.org

1 participants
3179 discussions

by kb9mwr＠gmail.com

I realized it was a return route issue on my way to work yesterday. It's all working now. Thanks again ------------ Quote ------------ One thing to check would be if the VPN client has a route for 44/8 pointing through the VPN ("ip route" on the client). The VPN server should give the client the route using a directive in the server config: push "route 44.0.0.0 255.0.0.0"

11 years, 11 months

R: VPN access to AMPRNet using amateur X.509 certificates

by renzorossi＠libero.it

Ciao Hessu, just to share our experience in using OpenVPN solution to access CisarNet (http://wifi.cisar.it for the map, http://www.cisarnet.it for other services, ...), Before to setup the solution (about three years ago), inside our working group we discussed about using named certificates, Certification Authority, user registration process, crypto and so on... At the end, we decided just to share one only common signed key, and also permit free guest access without user identification (just as equivalence to radio Push-To-Talk button), no crypto (for regulatory compliance in several country for radio ham radio communication, Italy included). Storing logs permit us to be compliant to law about taking care of timestamp, ip source of the VPN client peer and destination ip public address. Also, in this way we are extending in Italy the usage of amprnet, by managing directly the CIDR 44.208/16 subnet as Internet IP public Address. I hope this help you to know our point of view, a little different from yours, but also useful for share several experiences (thanks to your well done guide on ampr wikis). We'd like also to know your (and others) opinion about Italian Cisar association approach to OpenVPN access. Ciao from Italy. IW0SAB Renzo. >----Messaggio originale---- >Da: hessu(a)hes.iki.fi >Data: 08/05/2013 0.42 >A: "AMPRNet working group"<44net(a)hamradio.ucsd.edu> >Ogg: [44net] VPN access to AMPRNet using amateur X.509 certificates > >(Please trim inclusions from previous messages) >_______________________________________________ > >Hi, > >The AMPRNet might be more useful if it had: > >(1) more services which would be interesting to hams >(2) more access to the AMPRNet > >Tonight I tried to attack (2) a bit. Access to the AMPRNet over the >Internet could maybe be made easier to hams by allowing them to connect >over VPNs instead of setting up their own IPIP tunnels at home, or trying >to find a working radio gateway. After getting a VPN running it might be >easier for them to set up a radio gateway, or some services. As discussed >on the other mailing list, VPNs are easier to get up on NATed residential >networks than IPIP tunnels. > >Setting up VPN user accounts and maintaining them can be a pain. It >doesn't take a lot of weekly or monthly maintenance work to run a VPN >service, but it can be a major pain to manage an user account database for >thousands of hams and check if your users around the Internet are, in >fact, licensed. > >It turns out that ARRL's Logbook of the World has already given out >cryptographic X.509 certificates to 57334 amateur users, after verifying >their license status against the FCC database (they send a postcard with a >random token code to the FCC-listed snail-mail address to make sure they >give the certificate to the right guy) or after looking at a paper >photocopy of a license + a photo ID. I had to physically mail in a photo >of my ham license and my driver's license and wait a couple weeks to get >the cert. If they can get 50k contesters and DXers to work with >certificates, maybe certs can work for the AMPRnet, too. > >Technically, we can validate if a VPN user is in possession of one of >those certificates and the respective private key. Politically, K4JH asked >the ARRL guys, and they said that they don't mind if we use them for other >ham authentication needs. We can start accepting other CAs too once they >come around. I plan to help SRAL, the Finnish amateur radio union, to set >up a CA within their web site (they already have user accounts for >members). I know ARRL isn't for everyone, but smaller clubs could set up >CAs too, or even commercial entities - as long as we trust them to do the >license validation in a proper manner. > >Tonight I hacked up an OpenVPN setup which authenticates users with LoTW >certs, and wrote a little documentation: > >http://wiki.ampr.org/index.php/AMPRNet_VPN > >What do you think? Technically, it seems to work - try it out if you like. >It's not very straightforward to set up, but the license validation is >pretty strong, and running the service shouldn't be a lot of work. There >can be many VPN servers around the world, serving the whole customer base >(VPN servers do not need access to any central user database, they just >need the certificates of the trusted CAs). With a little Dynamic DNS >magic, you could get a oh7lzb.vpn.ampr.org hostname on DNS within a few >seconds after connecting (I've got code for that in another project). > >(Yes, eventually certificates need to be revoked after they accidentally >get into wrong hands, or ham licenses are revoked. Technically that can be >done using CRLs and/or OCSP, but ARRL apparently does not do those yet. >Maybe they will, if the need arises. We can also set up a blocked >certificates list of our own.) > > - Hessu, OH7LZB > >_________________________________________ >44Net mailing list >44Net(a)hamradio.ucsd.edu >http://hamradio.ucsd.edu/mailman/listinfo/44net >http://www.ampr.org/donate.html >

11 years, 11 months

Re: [44net] private tunnel?

by kb9mwr＠gmail.com

Thanks for refreshing my memory. I am really rusty at this, since they have made home networking plug and play. I have IP forwarding enabled. root@ampr-test:~# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Could you give an example of what I need for iptables forwarding rules.? Steve

11 years, 11 months

Dayton

by Donald Jacob

Anybody going to Dayton. Maybe we can have a quick(!) meetup Don Jacob WB5EKU

11 years, 11 months

Re: [44net] private tunnel?

by kb9mwr＠gmail.com

I have been playing with openvpn. Works great to establish a connection to a remote firewalled host. Problem: I have a rip IPIP gateway. I have subnets 44.92.20.0/24 and 44.92.21.0/24 set in the portal 44.92.20.1 is my ampr gateway address. That is working, pingable. tunl0 Link encap:IPIP Tunnel HWaddr inet addr:44.92.21.1 Mask:255.0.0.0 UP RUNNING NOARP MULTICAST MTU:1480 Metric:1 RX packets:138952 errors:0 dropped:0 overruns:0 frame:0 TX packets:89710 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:37916347 (36.1 MiB) TX bytes:15979452 (15.2 MiB) I have a openvpn server also running on this box. It's address is 44.92.20.1. The client connecting is: 44.92.20.6 The server can ping the client, the client can ping the server. tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:44.92.20.1 P-t-P:44.92.20.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:12 errors:0 dropped:0 overruns:0 frame:0 TX packets:9 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1184 (1.1 KiB) TX bytes:756 (756.0 B) I don't understand why 44.92.20.6 is not reachable from the outside world? (If nothing else, you'd think some simple route add command would make is so) And yes I have these routes for the IPIP gateway: /sbin/ip route add default via 169.228.66.251 dev tunl0 proto static onlink table 10 /sbin/ip rule add from 44.92.21.0/24 table 10 /sbin/ip rule add from 44.92.20.0/24 table 10 Can anyone see anything I am overlooking?

11 years, 11 months

domain cleanup idea

by kb9mwr＠gmail.com

First, Hessu your VPN idea looks interesting. Hopefully I'll have some time in the coming weeks to give it a try. Thanks for your efforts. Regarding cleaning up the DNS. Someone mentioned the idea of sorting hosts that are theoretically reachable via a tunnel. Then possibly purging ones that are not, or at least further review of these. So we gave it a shot, seemed simple enough. Look at the encap.txt file, look for hosts in each CIDR... (checking this file: ftp://hamradio.ucsd.edu/pub/amprhosts.) A quick google search yielded this nifty function that is the magic to the whole thing http://stackoverflow.com/questions/594112/matching-an-ip-to-a-cidr-mask-in-… http://pastebin.com/CCiX4Upd It's not quite working, maybe someone who knows more can fix it? I get some errors about Undefined offsets. Steve, KB9MWR

11 years, 11 months

use of 44-net behind NAT

by Jim Alles

from the wiki at http://en.wikipedia.org/wiki/AMPRNet: *44.128.0.0/16* *44.128.x.x is the testing subnet and consists of 65,536 (216) addresses. Much akin to 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16 or 192.168.0.0/16, this is an unroutable private IP block<http://en.wikipedia.org/wiki/Private_network>. Connectivity to the rest of the network should be given through router gateways <http://en.wikipedia.org/wiki/Gateway_(telecommunications)> much as one would do with Network address translation<http://en.wikipedia.org/wiki/Network_address_translation> in any other private IP block.* There is no attribution to that statement, and nothing I could find at AMPR.org Is this the best way to address devices when doing NAT into a private network? Any issues? Or are there advantages to requesting assigned numbers? thanks & 73, Jim Alles

11 years, 11 months

How to update DNS?

by Matt VK2RQ

I just made some requests via the AMPRNet portal to create some DNS records in the ampr.org domain, and the requests were rejected with the following remark: "DNS is not active yet, please subscribe to the 44-Net mailing list to keep advised of progress." I presume they are referring to this mail list. So, how do I get DNS records created in the ampr.org domain? I understand that in the past, there was an email robot, but I have been unable to find any details on how to use it. Can anyone point me in the right direction? Many thanks, Matt VK2RQ

11 years, 11 months

Going Forward: IPv6

by Jim Alles

What are your thoughts about where do we go with IPv6? We (PSARC) are about to request a backbone connection with IPv6 addressing. What if I wanted to map an assigned 44net address to a IPv6 address? Or, is tunneling the answer? It looks like the possibilities are endless http://en.wikipedia.org/wiki/IPv6_transition_mechanisms Jim A.

11 years, 11 months

tunnel alternates

by Jim Alles

Brian K.: *"This is precisely the situation that our longstanding method of tunnel gateways is designed to overcome. You do this by setting up a Linux host that is assigned a single PSU address, probably something that isn't too hard to do. You shouldn't need to have them open any holes in the firewall or ask for special treatment as long as the existing firewall allows IPIP (internet protocol #4) through, which most do because the firewall managers never thought to block it, and also because some VPN schemes used to use it. The PSU folks don't have to do anything about network 44 routing or BGP or whatever. You then get a subnet allocation from your regional AMPRNet IP address coordinator and register a gateway for that subnet (via the PSU address) on the portal. Voila', you now have a subnet of AMPRNet routed to your Linux host via IP-IP encapsulation, and through the technique of tunnel gatewaying that Linux host is now connected to the AMPRNet, albeit at a somewhat limited bandwidth."* * * I am not opposed to this, especially since I have not tried it yet. However, PSU has resources, that if they can be tapped, might enable PSARC do something equivalant to what USC is doing, but for the state of Pennsylvania. For one, to further experiment, and also to improve the bandwidth limitations down the road. The 'Backbone" connection I expect to get through PSU will be 1 gigabit/sec. If co-located w/ PennREN, we would be sitting on a statewide 10Gb/s middle mile network. And, that is IPv6 now. It would be a heck of a way to learn! 73, Jim A.

11 years, 11 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net