44net

44net@mailman.ampr.org

3191 discussions

R: Re: VPN access to AMPRNet using amateur X.509 certificates

by renzorossi＠libero.it

Ciao Hessu,To answer shortly...a) Connecting via OpenVPN we permit to access to all of 44/8 amprnet, to all our "private" management network 10/8; we are vorking just these days to publish to big Internet radioham services reaching CisarNet via OpenVPN, using static 44.208/16 ip addresses directly routed to big Internet (under amprnet agreement);b) More or less we are using the same verify procedure around amprnet...We could not say that it is a strong authentication or biometrics solution, but it's working ;-): are you interested on ?c) We are using 44.208/16 addresses also directly on radio link, for radioham purpose but exposed on big Internet. In some case VPN links are used to backup radio link (using OSPF routing protocol with different weighted routes), and we are simply considering big Internet as Radio...so, same rules! Full compliance to regulatories and amprnet policy. Concluding, at the beginning we supported OpenVPN extension to try to find an easy "workaround" when you have not radio connection to CisarNet/amprnet, nor a public ip address for tunneling using ip2ip, but at the same time you'd like to connect to CisarNet and/or amprnet. Now, in a classic solution, you have a main gateway using OpenVPN client connect to CisarNet backbone, and your "local" ham wireless network around you covering your near towns. In this way we consolidated new isolated wireless radioham small networks, using ready-to-connect CisarNet ip addressing, rules, services, and so on. Ciao from Italy. Thank you for this opportunity to "compare" different approach, I believe anyway both of them are interesting. IW0SAB Renzo. I'm not sure if I understood right... just to check, are you allowing access to all of 44/8 amprnet via this VPN? Or just to your local 10.x network over there? Are you giving VPN access to anyone with a common signed key? Do you somehow verify that those users are amateurs, or can anyone download the key+certificate from somewhere? Our regulations over here prevent us from using crypto on radio, which is good and fine. The regulations don't prohibit using crypto on the Internet. The VPN provides strong authentication, the encryption is a side-effect which does not really matter much to one direction or the other. We need to do authentication and license verification to prevent non-ham access to the radio channels - looking up from logs afterwards isn't of much use. - Hessu

12 years, 9 months

Re: [44net] VPN access to AMPRNet using amateur X.509 certificates

by kb9mwr＠gmail.com

I never really had an interest in log book of the world till now. So I just signed up, and awaiting their postcard or whatever. Using those certificates sure seems like a logical way to keep the network secure. I have been wondering if anyone running a IPIP gateway applies any security by locking it down with iptables to only the other known gateways. Perhaps this could be worked into rip44d as an option? This is essentially what D-Star the dssecd D-STAR Gateway security enhancement application/daemon does. At that point the only issue is who is allowed to create a gateway in the portal. And perhaps that is where this ham verification technique could be applied.

12 years, 9 months

Re: [44net] private tunnel?

by kb9mwr＠gmail.com

I realized it was a return route issue on my way to work yesterday. It's all working now. Thanks again ------------ Quote ------------ One thing to check would be if the VPN client has a route for 44/8 pointing through the VPN ("ip route" on the client). The VPN server should give the client the route using a directive in the server config: push "route 44.0.0.0 255.0.0.0"

12 years, 9 months

R: VPN access to AMPRNet using amateur X.509 certificates

by renzorossi＠libero.it

Ciao Hessu, just to share our experience in using OpenVPN solution to access CisarNet (http://wifi.cisar.it for the map, http://www.cisarnet.it for other services, ...), Before to setup the solution (about three years ago), inside our working group we discussed about using named certificates, Certification Authority, user registration process, crypto and so on... At the end, we decided just to share one only common signed key, and also permit free guest access without user identification (just as equivalence to radio Push-To-Talk button), no crypto (for regulatory compliance in several country for radio ham radio communication, Italy included). Storing logs permit us to be compliant to law about taking care of timestamp, ip source of the VPN client peer and destination ip public address. Also, in this way we are extending in Italy the usage of amprnet, by managing directly the CIDR 44.208/16 subnet as Internet IP public Address. I hope this help you to know our point of view, a little different from yours, but also useful for share several experiences (thanks to your well done guide on ampr wikis). We'd like also to know your (and others) opinion about Italian Cisar association approach to OpenVPN access. Ciao from Italy. IW0SAB Renzo. >----Messaggio originale---- >Da: hessu(a)hes.iki.fi >Data: 08/05/2013 0.42 >A: "AMPRNet working group"<44net(a)hamradio.ucsd.edu> >Ogg: [44net] VPN access to AMPRNet using amateur X.509 certificates > >(Please trim inclusions from previous messages) >_______________________________________________ > >Hi, > >The AMPRNet might be more useful if it had: > >(1) more services which would be interesting to hams >(2) more access to the AMPRNet > >Tonight I tried to attack (2) a bit. Access to the AMPRNet over the >Internet could maybe be made easier to hams by allowing them to connect >over VPNs instead of setting up their own IPIP tunnels at home, or trying >to find a working radio gateway. After getting a VPN running it might be >easier for them to set up a radio gateway, or some services. As discussed >on the other mailing list, VPNs are easier to get up on NATed residential >networks than IPIP tunnels. > >Setting up VPN user accounts and maintaining them can be a pain. It >doesn't take a lot of weekly or monthly maintenance work to run a VPN >service, but it can be a major pain to manage an user account database for >thousands of hams and check if your users around the Internet are, in >fact, licensed. > >It turns out that ARRL's Logbook of the World has already given out >cryptographic X.509 certificates to 57334 amateur users, after verifying >their license status against the FCC database (they send a postcard with a >random token code to the FCC-listed snail-mail address to make sure they >give the certificate to the right guy) or after looking at a paper >photocopy of a license + a photo ID. I had to physically mail in a photo >of my ham license and my driver's license and wait a couple weeks to get >the cert. If they can get 50k contesters and DXers to work with >certificates, maybe certs can work for the AMPRnet, too. > >Technically, we can validate if a VPN user is in possession of one of >those certificates and the respective private key. Politically, K4JH asked >the ARRL guys, and they said that they don't mind if we use them for other >ham authentication needs. We can start accepting other CAs too once they >come around. I plan to help SRAL, the Finnish amateur radio union, to set >up a CA within their web site (they already have user accounts for >members). I know ARRL isn't for everyone, but smaller clubs could set up >CAs too, or even commercial entities - as long as we trust them to do the >license validation in a proper manner. > >Tonight I hacked up an OpenVPN setup which authenticates users with LoTW >certs, and wrote a little documentation: > >http://wiki.ampr.org/index.php/AMPRNet_VPN > >What do you think? Technically, it seems to work - try it out if you like. >It's not very straightforward to set up, but the license validation is >pretty strong, and running the service shouldn't be a lot of work. There >can be many VPN servers around the world, serving the whole customer base >(VPN servers do not need access to any central user database, they just >need the certificates of the trusted CAs). With a little Dynamic DNS >magic, you could get a oh7lzb.vpn.ampr.org hostname on DNS within a few >seconds after connecting (I've got code for that in another project). > >(Yes, eventually certificates need to be revoked after they accidentally >get into wrong hands, or ham licenses are revoked. Technically that can be >done using CRLs and/or OCSP, but ARRL apparently does not do those yet. >Maybe they will, if the need arises. We can also set up a blocked >certificates list of our own.) > > - Hessu, OH7LZB > >_________________________________________ >44Net mailing list >44Net(a)hamradio.ucsd.edu >http://hamradio.ucsd.edu/mailman/listinfo/44net >http://www.ampr.org/donate.html >

12 years, 9 months

Re: [44net] private tunnel?

by kb9mwr＠gmail.com

Thanks for refreshing my memory. I am really rusty at this, since they have made home networking plug and play. I have IP forwarding enabled. root@ampr-test:~# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Could you give an example of what I need for iptables forwarding rules.? Steve

12 years, 9 months

Dayton

by Donald Jacob

Anybody going to Dayton. Maybe we can have a quick(!) meetup Don Jacob WB5EKU

12 years, 9 months

Re: [44net] private tunnel?

by kb9mwr＠gmail.com

I have been playing with openvpn. Works great to establish a connection to a remote firewalled host. Problem: I have a rip IPIP gateway. I have subnets 44.92.20.0/24 and 44.92.21.0/24 set in the portal 44.92.20.1 is my ampr gateway address. That is working, pingable. tunl0 Link encap:IPIP Tunnel HWaddr inet addr:44.92.21.1 Mask:255.0.0.0 UP RUNNING NOARP MULTICAST MTU:1480 Metric:1 RX packets:138952 errors:0 dropped:0 overruns:0 frame:0 TX packets:89710 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:37916347 (36.1 MiB) TX bytes:15979452 (15.2 MiB) I have a openvpn server also running on this box. It's address is 44.92.20.1. The client connecting is: 44.92.20.6 The server can ping the client, the client can ping the server. tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:44.92.20.1 P-t-P:44.92.20.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:12 errors:0 dropped:0 overruns:0 frame:0 TX packets:9 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1184 (1.1 KiB) TX bytes:756 (756.0 B) I don't understand why 44.92.20.6 is not reachable from the outside world? (If nothing else, you'd think some simple route add command would make is so) And yes I have these routes for the IPIP gateway: /sbin/ip route add default via 169.228.66.251 dev tunl0 proto static onlink table 10 /sbin/ip rule add from 44.92.21.0/24 table 10 /sbin/ip rule add from 44.92.20.0/24 table 10 Can anyone see anything I am overlooking?

12 years, 9 months

domain cleanup idea

by kb9mwr＠gmail.com

First, Hessu your VPN idea looks interesting. Hopefully I'll have some time in the coming weeks to give it a try. Thanks for your efforts. Regarding cleaning up the DNS. Someone mentioned the idea of sorting hosts that are theoretically reachable via a tunnel. Then possibly purging ones that are not, or at least further review of these. So we gave it a shot, seemed simple enough. Look at the encap.txt file, look for hosts in each CIDR... (checking this file: ftp://hamradio.ucsd.edu/pub/amprhosts.) A quick google search yielded this nifty function that is the magic to the whole thing http://stackoverflow.com/questions/594112/matching-an-ip-to-a-cidr-mask-in-… http://pastebin.com/CCiX4Upd It's not quite working, maybe someone who knows more can fix it? I get some errors about Undefined offsets. Steve, KB9MWR

12 years, 10 months

use of 44-net behind NAT

by Jim Alles

from the wiki at http://en.wikipedia.org/wiki/AMPRNet: *44.128.0.0/16* *44.128.x.x is the testing subnet and consists of 65,536 (216) addresses. Much akin to 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16 or 192.168.0.0/16, this is an unroutable private IP block<http://en.wikipedia.org/wiki/Private_network>. Connectivity to the rest of the network should be given through router gateways <http://en.wikipedia.org/wiki/Gateway_(telecommunications)> much as one would do with Network address translation<http://en.wikipedia.org/wiki/Network_address_translation> in any other private IP block.* There is no attribution to that statement, and nothing I could find at AMPR.org Is this the best way to address devices when doing NAT into a private network? Any issues? Or are there advantages to requesting assigned numbers? thanks & 73, Jim Alles

12 years, 10 months

How to update DNS?

by Matt VK2RQ

I just made some requests via the AMPRNet portal to create some DNS records in the ampr.org domain, and the requests were rejected with the following remark: "DNS is not active yet, please subscribe to the 44-Net mailing list to keep advised of progress." I presume they are referring to this mail list. So, how do I get DNS records created in the ampr.org domain? I understand that in the past, there was an email robot, but I have been unable to find any details on how to use it. Can anyone point me in the right direction? Many thanks, Matt VK2RQ

12 years, 10 months

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net