I am looking for some directions on setting this up with a cellular Hotspot modem. I am trying to get this to work with a DStar gateway. I have looked at the wiki for the setting up the MikroTik route
Sincerely David Harris KE6GAE
Sent from my Galaxy
I don't think this is possible with a hotspot from a cellular connection.
You are behind a NAT on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a VPS, and set up a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Ken KC2IDB
From: David Harris via 44net, Sent: Wednesday, February 8, 2023 10:44:00 PM, Subject: [44net] IPIP Tunnel
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
While it is not a panacea, the still developing HamGate project could help. Go to http://hamgate.ampr.org and make sure to click the docs link. There are operating HamGates in ME, MA, RI, CT, NY, NJ & PA. There is movement for one in MD and possibly OH. This was all born out of the frustration of 44net allocation holders with IPIP issues or those behind NAT situations.
On 2/13/2023 12:21 PM, Kris Kirby via 44net wrote:
On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20f...
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net <44net@mailman.ampr.org> wrote:
I've done this for myself, with my BGP block. This way I have multiple clients in different locations all able to use the block via wireguard.
From: Mark Phillips, Sent: Monday, February 13, 2023 4:18:57 PM, Subject: Re: [44net] Re: IPIP Tunnel
How did you get the Wireguard VPN account assigned to you?
Kun
You create one when you build a Wireguard server on your BGP host.
On Wed, Feb 22, 2023 at 6:42 PM KUN LIN dnwk@linkun.info wrote:
Well, Chris denied my /24 request to build a Wireguard VPN service. He claimed 44Net would have an official one out there. How did you get your assignment approved?
Kun
From: Mark Phillips, Sent: Wednesday, February 22, 2023 16:21, Subject: Re: [44net] Re: IPIP Tunnel
Chris is not the only issuer of numbers in this space. My group manages the allocations for 10 States here on the East Coast. Find your local co-ordinator and ask him.
AFAIK, we are the ONLY group offering Wireguard VPN that you can actually use.
Chris (FEF) is trying to get away from the regional allocation of IP addresses and simply issue them from the top of the pile. This suggests to me that ARDC are aligning themselves for another selloff? If they can get everyone below 44.128/10 they can sell that off too?
On Thu, Feb 23, 2023 at 12:41 PM KUN LIN dnwk@linkun.info wrote:
There is no sell-off plan that I know of, after being in my 3rd year on the TAC committee, 2 of which as the chairman.
The reason for using the lower part of the IP address space is to answer to the internet IP routing community, to use the IP space properly and not in small batches here and there.
Pierre VE2PF
From: Mark Phillips via 44net, Sent: Thursday, February 23, 2023 1:24:58 PM, Subject: [44net] Re: IPIP Tunnel
It was noted that some users would find key generation, etc. to be quite advanced/expert. It's interesting that was noted. A main reason I understood some commercial companies generate a private key for you - is so that they can offer you a complete Wireguard configuration file for setup purposes. They would be unable to do that via a public-key-only exchange/setup with the remote peer.
73,
- Lynwood KB3VWG
Actually, providers generate public and the corresponding private certificates to their users since it is the easiest way to sign a certificate with an intermediate authority certificate and verify their authenticity on their servers. This is much more complicated if the user would provide his self-generated public key only.
Marius, YO2LOJ
On 23/02/2023 20:53, lleachii--- via 44net wrote:
FYI, Wireguard doesn't use PKI infrastructure, unless a commercial company is using it with some other technology to store accounts/keys.
There, the private key is just randomly generated.
- Lynwood
I don't contest that. But key generation and management is a thing that is usually above the regular user's pay grade. So companies usually go the easy way, especially if a PKI trust chain is involved.
On 23/02/2023 21:05, lleachii@aol.com wrote:
There is no need for a private key to sign a certificate with a PKI.
73, Ruben - ON3RVH
On 23 Feb 2023, at 20:02, Marius Petrescu via 44net 44net@mailman.ampr.org wrote:
I was getting ready to say the same thing. A VPN service provider MUST issue you a private key for your connection only (that is the only way the service works). BUT they are NEVER going to send you the private key for their server. That is exactly what we do for IRLP VPN to provide basic connectivity. We are now approaching 500 repeaters (nodes) with 44.127.x.x IP addresses.
OTOH, we use PGP to authenticate all connections in to the IRLP network and connections between repeaters (regardless of VPN use). The private key is generated during their installation of the software, but never leaves the IRLP computer. Public keys are collected and circulated throughout the network. A human reviews and authorizes a specific key be added to the public key ring. But this is completely separate from the use of a VPN.
— Dave K9DC, K9IP
That's exactly why we dictate all the keys. We send you a complete setup file which you import into your client/router/whatever.
The file looks like this (this one does not work!!) Pull this into your client application and bingo; you're on the 44Net. Note how we do not share our private key? We do tell you what your private key is going to be but we only share our public key. We even use a different PSK for each client. And, we only support 44net routing. No internet access via us.
[Interface]
Address = 44.56.0.220/26
ListenPort = 51844
PrivateKey = AD/zd1stXzehSRe68YHf+lKGlquitR8FN0YAAL1YZWs=

[Peer]
PublicKey = nW9HaYfZeM5opuqiBdPMb1kW0Eo42+CKH6SxWvKmLWM=
PresharedKey = Ky17b00UsqJ+mcZ3QjL720UWWQZKXKLKI1H4SaB8IQk=
AllowedIPs = 44.0.0.0/9, 44.128.0.0/10
Endpoint = hamgatepa.ampr.org:51844
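The provisioning the thread describes, as an added example that is not code from the 44net list, HamGate or the WireGuard project: the concentrator operator generates the client's private key and a per-client preshared key, hands the client one complete file, and shares only the server's public key; the same script also covers the cellular-hotspot case discussed earlier, where the client sits behind CGNAT and must be the side that initiates the tunnel. The X25519 routine is a plain transcription of RFC 7748 so the script runs with the standard library only (it is not constant-time and is for illustration, not production key generation). The client address and endpoint are taken from the sample file above; the server key is generated on the spot, and the routed subnet 44.56.1.0/28 is an assumed value.

```python
# Added example (not from the 44net thread, HamGate or the WireGuard project):
# operator-side provisioning of a "dictated keys" WireGuard client.
# X25519 is transcribed from RFC 7748 so this runs with the stdlib only.
import base64
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    # X25519 scalar clamping; `wg genkey` applies the same to its output.
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder, RFC 7748 section 5 (constant-time is NOT a goal here)."""
    scalar = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_genkey() -> str:
    """32 random bytes, base64: what `wg genkey` / `wg genpsk` emit."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def wg_pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: X25519(private, basepoint 9)."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


def provision_client(client_addr, server_pub, endpoint, routed_subnets=(), listen_port=51844):
    """Return (client_config, server_peer_stanza, client_private_key).

    The client file carries the CLIENT private key and only the SERVER public
    key; the server stanza carries only the CLIENT public key. The server
    private key is never an input here, so it cannot leak into either output.
    """
    client_priv = wg_genkey()
    client_pub = wg_pubkey(client_priv)
    psk = wg_genkey()  # per-client preshared key, legitimately held by both sides
    host = client_addr.split("/")[0]
    client_cfg = "\n".join([
        "[Interface]",
        f"Address = {client_addr}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {client_priv}",
        "",
        "[Peer]",
        f"PublicKey = {server_pub}",
        f"PresharedKey = {psk}",
        "AllowedIPs = 44.0.0.0/9, 44.128.0.0/10",  # 44net only; no internet via the concentrator
        f"Endpoint = {endpoint}",
        "PersistentKeepalive = 25",  # client is behind CGNAT: it must initiate and keep the mapping alive
    ]) + "\n"
    # Cryptokey routing on the server: accept from this peer only its own /32
    # plus any 44net allocation routed behind it.
    server_peer = "\n".join([
        "[Peer]",
        f"# client {client_addr}",
        f"PublicKey = {client_pub}",
        f"PresharedKey = {psk}",
        "AllowedIPs = " + ", ".join([f"{host}/32", *routed_subnets]),
    ]) + "\n"
    return client_cfg, server_peer, client_priv


if __name__ == "__main__":
    srv_priv = wg_genkey()  # stays on the concentrator, never written out
    cfg, peer, _ = provision_client("44.56.0.220/26", wg_pubkey(srv_priv),
                                    "hamgatepa.ampr.org:51844", ["44.56.1.0/28"])  # subnet assumed
    print(cfg)
    print(peer)
    assert srv_priv not in cfg and srv_priv not in peer
```

Running it prints the client file (to import into wg-quick, a MikroTik, or a phone app) and the matching [Peer] stanza for the concentrator. Two design points are worth keeping in mind: whoever generates a client's private key can impersonate that client, so dictating keys is only acceptable where the concentrator operator is already the trust root for the tunnel (as here, where the tunnel carries 44net routes only), and the preshared key is a second, symmetric layer that both ends are meant to hold. PersistentKeepalive is what keeps the carrier's NAT mapping open so the concentrator's return traffic reaches the router sitting behind the hotspot.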
My local coordinator forwards my case to Chris because I am asking for BGP. I believe Nathan Sales KJ7DMC also has a /24 and runs WireGuard for the public at a Fremont location. I can't find his website right now.
Kun
Nathan Sales 34553 KJ7DMC
Chris is not the only issuer of numbers in this space. My group manages the allocations for 10 States here on the East Coast. Find your local co-ordinator and ask him.
AFAIK, we are the ONLY group offering Wireguard VPN that you can actually use.
Chris (FEF) is trying to get away from the regional allocation of IP addresses and simply issue them from the top of the pile. This suggests to me that ARDC are aligning themselves for another selloff? If they can get everyone below 44.128/10 they can sell that off too?
On Thu, Feb 23, 2023 at 12:41 PM KUN LIN <dnwk@linkun.infomailto:dnwk@linkun.info> wrote: Well, Chris denied my /24 request to build a Wireguard VPN service. He claimed 44Net would have a official one out there. How did you get your assignment approved? Kun ________________________________ From: Mark Phillips <enicomms@gmail.commailto:enicomms@gmail.com> Sent: Wednesday, February 22, 2023 16:21 To: KUN LIN <dnwk@linkun.infomailto:dnwk@linkun.info> Cc: Joshua McDonald <josh@2cold.netmailto:josh@2cold.net>; Kris Kirby <kris@catonic.usmailto:kris@catonic.us>; ken boyle <ken@kc2idb.netmailto:ken@kc2idb.net>; David Harris <KE6GAE@hotmail.commailto:KE6GAE@hotmail.com>; 44net@mailman.AMPR.orgmailto:44net@mailman.AMPR.org <44net@mailman.ampr.orgmailto:44net@mailman.ampr.org> Subject: Re: [44net] Re: IPIP Tunnel
You create one when you build a Wireguard server on your BGP host.
On Wed, Feb 22, 2023 at 6:42 PM KUN LIN <dnwk@linkun.info> wrote: How did you get the Wireguard VPN account assigned to you? Kun ________________________________ From: Mark Phillips via 44net <44net@mailman.ampr.org> Sent: Monday, February 13, 2023 13:18 To: Joshua McDonald <josh@2cold.net> Cc: Kris Kirby <kris@catonic.us>; ken boyle <ken@kc2idb.net>; David Harris <KE6GAE@hotmail.com>; 44net@mailman.AMPR.org <44net@mailman.ampr.org> Subject: [44net] Re: IPIP Tunnel
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20f...
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net <44net@mailman.ampr.org> wrote: On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
On Feb 13, 2023, at 12:21 PM, Kris Kirby via 44net <44net@mailman.ampr.org> wrote:
I don't think this is possible with a hotspot from a cellular connection.
You are behind a nat on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a vps, and setup a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
@Kun
VPN is me, guilty… Nate and I run ARIX and I’ve been experimenting with Wireguard VPN in Fremont.
Try using the approach with Chris, requesting IP's for BGP experimentation. -Learning/Experimentation is one of the driving goals of ARDC.
For me, It was a hard-sell for getting IP’s for IX and VPN.
BTW: If anyone has a design for a VPN , DM me, I’d be interested in your approach !
Adam (KC7GDY)
On Feb 23, 2023, at 12:50 PM, KUN LIN via 44net 44net@mailman.ampr.org wrote:
My local coordinator forwards my case to Chris because I am asking for BGP. I believe Nathan Sales KJ7DMC also has a /24 and runs wireguard for public at Fremont location. I can't find his website right now. Kun Nathan Sales 34553 KJ7DMC From: Mark Phillips <enicomms@gmail.com> Sent: Thursday, February 23, 2023 10:24 To: KUN LIN <dnwk@linkun.info> Cc: Joshua McDonald <josh@2cold.net>; Kris Kirby <kris@catonic.us>; ken boyle <ken@kc2idb.net>; David Harris <KE6GAE@hotmail.com>; 44net@mailman.AMPR.org <44net@mailman.ampr.org> Subject: Re: [44net] Re: IPIP Tunnel
Chris is not the only issuer of numbers in this space. My group manages the allocations for 10 States here on the East Coast. Find your local co-ordinator and ask him.
AFAIK, we are the ONLY group offering Wireguard VPN that you can actually use.
Chris (FEF) is trying to get away from the regional allocation of IP addresses and simply issue them from the top of the pile. This suggests to me that ARDC are aligning themselves for another selloff? If they can get everyone below 44.128/10 they can sell that off too?
On Thu, Feb 23, 2023 at 12:41 PM KUN LIN <dnwk@linkun.info> wrote: Well, Chris denied my /24 request to build a Wireguard VPN service. He claimed 44Net would have an official one out there. How did you get your assignment approved? Kun From: Mark Phillips <enicomms@gmail.com> Sent: Wednesday, February 22, 2023 16:21 To: KUN LIN <dnwk@linkun.info> Cc: Joshua McDonald <josh@2cold.net>; Kris Kirby <kris@catonic.us>; ken boyle <ken@kc2idb.net>; David Harris <KE6GAE@hotmail.com>; 44net@mailman.AMPR.org <44net@mailman.ampr.org> Subject: Re: [44net] Re: IPIP Tunnel
You create one when you build a Wireguard server on your BGP host.
On Wed, Feb 22, 2023 at 6:42 PM KUN LIN <dnwk@linkun.info> wrote: How did you get the Wireguard VPN account assigned to you? Kun From: Mark Phillips via 44net <44net@mailman.ampr.org> Sent: Monday, February 13, 2023 13:18 To: Joshua McDonald <josh@2cold.net> Cc: Kris Kirby <kris@catonic.us>; ken boyle <ken@kc2idb.net>; David Harris <KE6GAE@hotmail.com>; 44net@mailman.AMPR.org <44net@mailman.ampr.org> Subject: [44net] Re: IPIP Tunnel
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20for%2044net%20VPN%20use.pdf
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net <44net@mailman.ampr.org> wrote: On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
On Feb 13, 2023, at 12:21 PM, Kris Kirby via 44net <44net@mailman.ampr.org> wrote:
I don't think this is possible with a hotspot from a cellular connection.
You are behind a nat on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a vps, and setup a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
@Adam
I do find your service very helpful. So I didn't push further for getting IP assignment. Thanks a lot for the valuable service. Kun ________________________________ From: air gapped airgapped1@gmail.com Sent: Friday, February 24, 2023 10:34 To: KUN LIN dnwk@linkun.info Cc: 44net@mailman.AMPR.org 44net@mailman.ampr.org Subject: Re: [44net] IPIP Tunnel
@Kun
VPN is me, guilty… Nate and I run ARIX and I’ve been experimenting with Wireguard VPN in Fremont.
Try using the approach with Chris, requesting IP's for BGP experimentation. -Learning/Experimentation is one of the driving goals of ARDC.
For me, It was a hard-sell for getting IP’s for IX and VPN.
BTW: If anyone has a design for a VPN , DM me, I’d be interested in your approach !
Adam (KC7GDY)
On Feb 23, 2023, at 12:50 PM, KUN LIN via 44net <44net@mailman.ampr.org> wrote:
My local coordinator forwards my case to Chris because I am asking for BGP. I believe Nathan Sales KJ7DMC also has a /24 and runs wireguard for public at Fremont location. I can't find his website right now. Kun Nathan Sales 34553 KJ7DMC ________________________________ From: Mark Phillips <enicomms@gmail.com> Sent: Thursday, February 23, 2023 10:24 To: KUN LIN <dnwk@linkun.info> Cc: Joshua McDonald <josh@2cold.net>; Kris Kirby <kris@catonic.us>; ken boyle <ken@kc2idb.net>; David Harris <KE6GAE@hotmail.com>; 44net@mailman.AMPR.org <44net@mailman.ampr.org> Subject: Re: [44net] Re: IPIP Tunnel
Chris is not the only issuer of numbers in this space. My group manages the allocations for 10 States here on the East Coast. Find your local co-ordinator and ask him.
AFAIK, we are the ONLY group offering Wireguard VPN that you can actually use.
Chris (FEF) is trying to get away from the regional allocation of IP addresses and simply issue them from the top of the pile. This suggests to me that ARDC are aligning themselves for another selloff? If they can get everyone below 44.128/10 they can sell that off too?
On Thu, Feb 23, 2023 at 12:41 PM KUN LIN <dnwk@linkun.info> wrote: Well, Chris denied my /24 request to build a Wireguard VPN service. He claimed 44Net would have an official one out there. How did you get your assignment approved? Kun ________________________________ From: Mark Phillips <enicomms@gmail.com> Sent: Wednesday, February 22, 2023 16:21 To: KUN LIN <dnwk@linkun.info> Cc: Joshua McDonald <josh@2cold.net>; Kris Kirby <kris@catonic.us>; ken boyle <ken@kc2idb.net>; David Harris <KE6GAE@hotmail.com>; 44net@mailman.AMPR.org <44net@mailman.ampr.org> Subject: Re: [44net] Re: IPIP Tunnel
You create one when you build a Wireguard server on your BGP host.
On Wed, Feb 22, 2023 at 6:42 PM KUN LIN <dnwk@linkun.info> wrote: How did you get the Wireguard VPN account assigned to you? Kun ________________________________ From: Mark Phillips via 44net <44net@mailman.ampr.org> Sent: Monday, February 13, 2023 13:18 To: Joshua McDonald <josh@2cold.net> Cc: Kris Kirby <kris@catonic.us>; ken boyle <ken@kc2idb.net>; David Harris <KE6GAE@hotmail.com>; 44net@mailman.AMPR.org <44net@mailman.ampr.org> Subject: [44net] Re: IPIP Tunnel
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20f...
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net <44net@mailman.ampr.org> wrote: On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
On Feb 13, 2023, at 12:21 PM, Kris Kirby via 44net <44net@mailman.ampr.org> wrote:
I don't think this is possible with a hotspot from a cellular connection.
You are behind a nat on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a vps, and setup a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
That guide has a fundamental security flaw. The *private* key should only be known by the end-user. This is randomly generated locally. The end-user then tells the "sysop" what their *public* key is.
This is nothing specific to Wireguard, hamnet, etc. It's basic public-private key cryptography.
Quote from guide: *"Delete the contents of the “Private Key” field and paste the private key from the config file supplied by your local sysop".* (WRONG!)
On Wed, Feb 22, 2023, 6:42 PM KUN LIN via 44net 44net@mailman.ampr.org wrote:
How did you get the Wireguard VPN account assigned to you? Kun
*From:* Mark Phillips via 44net 44net@mailman.ampr.org *Sent:* Monday, February 13, 2023 13:18 *To:* Joshua McDonald josh@2cold.net *Cc:* Kris Kirby kris@catonic.us; ken boyle ken@kc2idb.net; David Harris KE6GAE@hotmail.com; 44net@mailman.AMPR.org < 44net@mailman.ampr.org> *Subject:* [44net] Re: IPIP Tunnel
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20f...
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net < 44net@mailman.ampr.org> wrote:
On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
On Feb 13, 2023, at 12:21 PM, Kris Kirby via 44net <44net@mailman.ampr.org> wrote:
I don't think this is possible with a hotspot from a cellular connection.
You are behind a nat on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a vps, and setup a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
"fundamental security flaw"
I disagree. You want to use my system? You use the keys I provide. You will find that any other vendor using wireguard (e.g. private VPN companies) will supply you a file in this same manner. It's not like I'm then advertising the keys out to the world.
Plus, this has to be as idiot proof as possible. In our experience, the majority of our VPN clients (we are approaching 50) could not find their arse with both hands and so asking them for a key is rocket science. It's a whole world of pain that frankly I just don't want.
You can all throw your objections out into the list but the difference is that we are doing it while you are bitching about it.
On Thu, Feb 23, 2023 at 8:06 AM Nicholas Justin njustin444@gmail.com wrote:
That guide has a fundamental security flaw. The *private* key should only be known by the end-user. This is randomly generated locally. The end-user then tells the "sysop" what their *public* key is.
This is nothing specific to Wireguard, hamnet, etc. It's basic public-private key cryptography.
Quote from guide: *"Delete the contents of the “Private Key” field and paste the private key from the config file supplied by your local sysop".* (WRONG!)
On Wed, Feb 22, 2023, 6:42 PM KUN LIN via 44net 44net@mailman.ampr.org wrote:
How did you get the Wireguard VPN account assigned to you? Kun
*From:* Mark Phillips via 44net 44net@mailman.ampr.org *Sent:* Monday, February 13, 2023 13:18 *To:* Joshua McDonald josh@2cold.net *Cc:* Kris Kirby kris@catonic.us; ken boyle ken@kc2idb.net; David Harris KE6GAE@hotmail.com; 44net@mailman.AMPR.org < 44net@mailman.ampr.org> *Subject:* [44net] Re: IPIP Tunnel
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20f...
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net < 44net@mailman.ampr.org> wrote:
On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
On Feb 13, 2023, at 12:21 PM, Kris Kirby via 44net <44net@mailman.ampr.org> wrote:
I don't think this is possible with a hotspot from a cellular connection.
You are behind a nat on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a vps, and setup a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
Hi Guys,
Just following the conversation here. I agree that users should *NEVER* divulge their private keys, in any normal use scenario!! This is the whole security premise that Diffie-Hellman key pairs are built on.
This is indeed a fundamental security flaw! Absolutely no doubt about that! However, this being said, I realize this is a "no security" ham VPN application for 44net and it is up to the provider to dictate their usage specifications.
Hams should always remember that to be taken seriously, we need to follow best-practice approaches whenever practical, where security professionals won't roll their eyes at us and ultimately say "you're not plugging that device into our network!"
As for "any other commercial vendor using wireguard" providing the private/public keypair for me to use: really?? I've always just exchanged public keys. If a commercial vendor demanded that I only use the keys they provided, they wouldn't even get my consideration and I would send my data (and money!) elsewhere.
73, David K4FXC
On Thu, 23 Feb 2023, Mark Phillips via 44net wrote:
"fundamental security flaw"
I disagree. You want to use my system? You use the keys I provide. You will find that any other vendor using wireguard (e.g. private VPN companies) will supply you a file in this same manner. It's not like I'm then advertising the keys out to the world.
Plus, this has to be as idiot proof as possible. In our experience, the majority of our VPN clients (we are approaching 50) could not find their arse with both hands and so asking them for a key is rocket science. It's a whole world of pain that frankly I just don't want.
You can all throw your objections out into the list but the difference is that we are doing it while you are bitching about it.
On Thu, Feb 23, 2023 at 8:06 AM Nicholas Justin njustin444@gmail.com wrote:
That guide has a fundamental security flaw. The *private* key should only be known by the end-user. This is randomly generated locally. The end-user then tells the "sysop" what their *public* key is.
This is nothing specific to Wireguard, hamnet, etc. It's basic public-private key cryptography.
Quote from guide: *"Delete the contents of the “Private Key” field and paste the private key from the config file supplied by your local sysop".* (WRONG!)
On Wed, Feb 22, 2023, 6:42 PM KUN LIN via 44net 44net@mailman.ampr.org wrote:
How did you get the Wireguard VPN account assigned to you? Kun
*From:* Mark Phillips via 44net 44net@mailman.ampr.org *Sent:* Monday, February 13, 2023 13:18 *To:* Joshua McDonald josh@2cold.net *Cc:* Kris Kirby kris@catonic.us; ken boyle ken@kc2idb.net; David Harris KE6GAE@hotmail.com; 44net@mailman.AMPR.org < 44net@mailman.ampr.org> *Subject:* [44net] Re: IPIP Tunnel
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20f...
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net < 44net@mailman.ampr.org> wrote:
On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
On Feb 13, 2023, at 12:21 PM, Kris Kirby via 44net <44net@mailman.ampr.org> wrote:
I don't think this is possible with a hotspot from a cellular connection.
You are behind a nat on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a vps, and setup a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
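The point Nicholas and David make above (the private key is generated on the end-user's own device and never leaves it; the sysop receives only the public key) is easy to show in code. The following is an added example written for this page, not code from the thread, from ARIX or from the HamGate guide. It implements X25519, the curve WireGuard keys use, from RFC 7748 in pure Python so that it runs offline; it generates a keypair on the user's side, builds the [Peer] stanza the user would hand the sysop, and flags a config file received from someone else that already carries a PrivateKey line, which is exactly the workflow the quoted guide describes. The addresses, endpoint and key strings in the sample config are constructed placeholders, not real 44net allocations or keys.

```python
"""Added example (not from the thread or the HamGate guide): WireGuard-style
X25519 keypair generated locally, public key exported for the sysop, and a
check for configs that arrive with someone else's PrivateKey in them."""
import base64
import os
import re
from typing import Optional, Tuple

P = 2**255 - 19        # Curve25519 field prime
A24 = 121665           # (486662 - 2) / 4, from RFC 7748
BASEPOINT_U = 9        # u-coordinate of the X25519 base point


def _clamp(sk: bytes) -> int:
    """RFC 7748 scalar clamping. A WireGuard private key is exactly such a scalar."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127           # mask the unused top bit as the RFC requires
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, point: Optional[bytes] = None) -> bytes:
    """X25519(k, u) via the Montgomery ladder of RFC 7748 section 5.
    With point=None it computes the public key X25519(k, 9)."""
    k = _clamp(scalar)
    x1 = BASEPOINT_U if point is None else _decode_u(point)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair() -> Tuple[str, str]:
    """Generate the pair on the end-user's own box. The private half stays here."""
    sk = os.urandom(32)
    return base64.b64encode(sk).decode(), base64.b64encode(x25519(sk)).decode()


def public_key_of(private_b64: str) -> str:
    """Derive the shareable public key from a base64 WireGuard private key."""
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()


def peer_stanza_for_sysop(public_b64: str, allowed_ips: str) -> str:
    """Everything the sysop needs to add the user as a peer: the public key and
    the subnet to route to it. No private key appears in this text."""
    return f"[Peer]\nPublicKey = {public_b64}\nAllowedIPs = {allowed_ips}\n"


def config_contains_private_key(cfg: str) -> bool:
    """True if a config received from someone else carries a PrivateKey line,
    i.e. the key was generated (and is known) somewhere other than this host."""
    return re.search(r"^\s*PrivateKey\s*=", cfg, re.MULTILINE) is not None


# Constructed sample of what the disputed guide describes: a sysop-supplied
# file that already contains the client's private key (placeholder values).
SYSOP_SUPPLIED_CONFIG = """[Interface]
PrivateKey = <placeholder-private-key-from-sysop>
Address = 44.0.0.2/32

[Peer]
PublicKey = <placeholder-gateway-public-key>
Endpoint = gateway.example.org:51820
AllowedIPs = 44.0.0.0/8
"""

if __name__ == "__main__":
    priv, pub = generate_keypair()
    print("send to sysop:\n" + peer_stanza_for_sysop(pub, "44.0.0.2/32"))
    print("sysop-supplied config carries a private key:",
          config_contains_private_key(SYSOP_SUPPLIED_CONFIG))
```

The ladder is the RFC 7748 reference algorithm written out directly, so it can be checked against the RFC's section 6.1 test vectors; in production one would call `wg genkey | tee privatekey | wg pubkey` or a vetted library rather than hand-rolled curve code, but the workflow is the same: the private key is created where it will be used, and only the public key travels to the gateway operator.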
Mark Phillips via 44net 44net@mailman.ampr.org wrote:
You vant to use my system? You use the keys I provide!
Wireguard was designed to provide remarkably foolproof privacy and security, but apparently fools are getting more ingenious these days.
The majority of our VPN clients (we are approaching 50) could not find their arse with both hands and so ...
... so they don't know to avoid a VPN provider who insists on having a database containing all the private keys that protect all the clients' identities and traffic.
Yeah, I know, this ham radio networking stuff is a toy. It just causes trouble to teach naive users, they're better left in the dark. The net is mostly only used for ragchewing anyway, except when a regional disaster or an armed attack occurs. <irony> Nobody would ever want to interfere with government responses to emergencies, nor spy on how effective an armed attack was. </irony>
John
PS: When I worked at Data General in the 1970s, it was the software department policy that everyone must give their login password to the department secretary. Working late one night, we examined her desk, and found the sheets of paper where all the passwords were written down. Then we could impersonate anyone in the whole department. <irony>Luckily, we were just writing DG's operating system software! What national intelligence agencies would want to throw any untraceable back doors into that??? DG machines were often used for process control, like in dams and chemical plants and nuclear installations.
Since it is an amateur radio endeavor, we treat it like it is on the open airwaves. You know, unencrypted and able to be listened to. All that is being done with the VPN is to provide access to the 44net to those who are having networking issues. Did you ever watch the screen while people were connecting to the local packet bbs? Besides, the only person with the "keys" is the issuer/sysop. Look, it works, it's relatively easy to set up and it provides a needed service within Part 97 for others.
On 2/24/2023 4:42 AM, John Gilmore via 44net wrote:
... so they don't know to avoid a VPN provider who insists on having a database containing all the private keys that protect all the clients' identities and traffic.
-- Charles J. Hargrove - N2NOV NYC-ARECS/RACES Citywide Radio Officer/Skywarn Coord.
44net Coordinator - Northeast USA
"Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders." - Ronald Reagan
"The more corrupt the state, the more it legislates." - Tacitus
"Molann an obair an fear" - Irish Saying (The work praises the man.)
"No matter how big and powerful government gets, and the many services it provides, it can never take the place of volunteers." - Ronald Reagan
Correct. For our use in the IRLP network, we are not trying to provide any security enhancements at all. We are simply trying to make a link work, over an otherwise incompatible infrastructure. Encryption is simply a side effect of OpenVPN. If we could turn encryption off, we would. In fact we point this out in our FAQ that is sent to all of our users.
Is my VPN traffic secure and anonymous? Absolutely not. In fact quite the opposite. Most commercial VPN products are designed to hide or obfuscate customer traffic. IRLP VPN actually does the opposite of that. IRLP VPN brings a public Internet address directly to your node. All traffic is monitored, tracked and measured as it crosses the VPN hub. Your address is registered in global DNS as soon as your connection comes up, and tied directly to your node number. Confidentiality and privacy are absolutely NOT features of IRLP VPN. In other words, we know who you are, where you live and with whom you communicate.
IRLP does use PGP (PKI) to authenticate all connections inside the IRLP network, but there is no encryption natively in IRLP itself. IRLP does not keep a database of each user's private keys. Private keys only ever exist on each IRLP node. Public keys for all nodes are widely circulated. But this has nothing to do with the use of IRLP VPN, when needed.
[FWIW, we chose OpenVPN over Wireguard because OpenVPN supports TCP based tunnels. WireGuard is UDP only. We found, quite by accident, that some ISPs, mostly Cable operators, are not particularly good at delivering packets in order. Using TCP ensures packet ordering and retransmits any dropped packets. There is a performance penalty. But we only need roughly 80 kbps unidirectionally per connection, when it is actually talking. It also plays better over some folks' really crappy routers that seem to have trouble with maintaining a connection over UDP.]
— Dave K9DC, K9IP
On Feb 24, 2023, at 07:04, Charles Hargrove via 44net 44net@mailman.ampr.org wrote:
Since it is an amateur radio endeavor, we treat it like it is on the open airwaves. You know, unencrypted and able to be listened to. All that is being done with the VPN is to provide access to the 44net to those who are having networking issues. Did you ever watch the screen while people were connecting to the local packet bbs? Besides, the only person with the "keys" is the issuer/sysop. Look, it works, it's relatively easy to set up and it provides a needed service within Part 97 for others.
On 2/24/2023 4:42 AM, John Gilmore via 44net wrote:
... so they don't know to avoid a VPN provider who insists on having a database containing all the private keys that protect all the clients' identities and traffic.
-- Charles J. Hargrove - N2NOV NYC-ARECS/RACES Citywide Radio Officer/Skywarn Coord. 44net Coordinator - Northeast USA
Many of our users cannot spell TCP/IP! I'm sure you have them too.
On Fri, Feb 24, 2023 at 4:42 AM John Gilmore gnu@toad.com wrote:
Mark Phillips via 44net 44net@mailman.ampr.org wrote:
You vant to use my system? You use the keys I provide!
Wireguard was designed to provide remarkably foolproof privacy and security, but apparently fools are getting more ingenious these days.
The majority of our VPN clients (we are approaching 50) could not find their arse with both hands and so ...
... so they don't know to avoid a VPN provider who insists on having a database containing all the private keys that protect all the clients' identities and traffic.
Yeah, I know, this ham radio networking stuff is a toy. It just causes trouble to teach naive users, they're better left in the dark. The net is mostly only used for ragchewing anyway, except when a regional disaster or an armed attack occurs. <irony> Nobody would ever want to interfere with government responses to emergencies, nor spy on how effective an armed attack was. </irony>
John
PS: When I worked at Data General in the 1970s, it was the software department policy that everyone must give their login password to the department secretary. Working late one night, we examined her desk, and found the sheets of paper where all the passwords were written down. Then we could impersonate anyone in the whole department. <irony>Luckily, we were just writing DG's operating system software! What national intelligence agencies would want to throw any untraceable back doors into that??? DG machines were often used for process control, like in dams and chemical plants and nuclear installations.
You are maybe right if you are doing a large corporation networking vpn system.
But we are only linking ham radio devices to a network of ip addresses that are routable to the internet.
It is a convenience service not a security service. We don't want to hide from the government or the film industry to share illegal video or software.
It would be nice to put things in perspective.
Pierre VE2PF
From: Nicholas Justin via 44net 44net@mailman.ampr.org Sent: Thursday, February 23, 2023 8:06:00 AM To: KUN LIN dnwk@linkun.info Cc: Joshua McDonald josh@2cold.net; Mark Phillips enicomms@gmail.com; Kris Kirby kris@catonic.us; ken boyle ken@kc2idb.net; David Harris KE6GAE@hotmail.com; 44net@mailman.AMPR.org 44net@mailman.ampr.org Subject: [44net] Re: IPIP Tunnel
That guide has a fundamental security flaw. The private key should only be known by the end-user. It is randomly generated locally. The end-user then tells the "sysop" what their public key is.
This is nothing specific to Wireguard, hamnet, etc. It's basic public-private key cryptography.
Quote from guide: "Delete the contents of the “Private Key” field and paste the private key from the config file supplied by your local sysop". (WRONG!)
On Wed, Feb 22, 2023, 6:42 PM KUN LIN via 44net <44net@mailman.ampr.org> wrote:
How did you get the Wireguard VPN account assigned to you?
Kun
From: Mark Phillips via 44net <44net@mailman.ampr.org> Sent: Monday, February 13, 2023 13:18 To: Joshua McDonald <josh@2cold.net> Cc: Kris Kirby <kris@catonic.us>; ken boyle <ken@kc2idb.net>; David Harris <KE6GAE@hotmail.com>; 44net@mailman.AMPR.org <44net@mailman.ampr.org> Subject: [44net] Re: IPIP Tunnel
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20f...
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net <44net@mailman.ampr.org> wrote:
On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
On Feb 13, 2023, at 12:21 PM, Kris Kirby via 44net <44net@mailman.ampr.org> wrote:
I don't think this is possible with a hotspot from a cellular connection.
You are behind a nat on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a vps, and setup a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
_______________________________________________
44net mailing list -- 44net@mailman.ampr.org To unsubscribe send an email to 44net-leave@mailman.ampr.org
I use a Mikrotik LTE router with an IOT SIM on Wireguard to connect a D-STAR repeater over 44Net