Ciao Hessu,
just to share our experience in using the OpenVPN solution to access CisarNet
(http://wifi.cisar.it for the map, http://www.cisarnet.it for other services, ...).
Before setting up the solution (about three years ago), inside our working group we
discussed using named certificates, a Certification Authority, a user registration
process, crypto and so on...
In the end, we decided to share just one common signed key, and also to permit free
guest access without user identification (just as the equivalent of the radio Push-To-Talk
button), and no crypto (for regulatory compliance in several countries for ham radio
communication, Italy included). Storing logs permits us to be compliant with the law about
keeping the timestamp, the source IP of the VPN client peer and the destination public IP address.
Also, in this way we are extending the usage of amprnet in Italy, by managing directly the
CIDR 44.208/16 subnet as public Internet IP addresses.
I hope this helps you to know our point of view, a little different from yours, but also
useful for sharing several experiences (thanks to your well done guide on the ampr wikis).
We'd also like to know your (and others') opinion about the Italian Cisar association's
approach to OpenVPN access.
Ciao from Italy.
IW0SAB Renzo.
----Original message----
From: hessu(a)hes.iki.fi
Date: 08/05/2013 0.42
To: "AMPRNet working group"<44net(a)hamradio.ucsd.edu>
Subject: [44net] VPN access to AMPRNet using amateur X.509 certificates
(Please trim inclusions from previous messages)
_______________________________________________
Hi,
The AMPRNet might be more useful if it had:
(1) more services which would be interesting to hams
(2) more access to the AMPRNet
Tonight I tried to attack (2) a bit. Access to the AMPRNet over the
Internet could maybe be made easier to hams by allowing them to connect
over VPNs instead of setting up their own IPIP tunnels at home, or trying
to find a working radio gateway. After getting a VPN running it might be
easier for them to set up a radio gateway, or some services. As discussed
on the other mailing list, VPNs are easier to get up on NATed residential
networks than IPIP tunnels.
Setting up VPN user accounts and maintaining them can be a pain. It
doesn't take a lot of weekly or monthly maintenance work to run a VPN
service, but it can be a major pain to manage a user account database for
thousands of hams and check if your users around the Internet are, in
fact, licensed.
It turns out that ARRL's Logbook of the World has already given out
cryptographic X.509 certificates to 57334 amateur users, after verifying
their license status against the FCC database (they send a postcard with a
random token code to the FCC-listed snail-mail address to make sure they
give the certificate to the right guy) or after looking at a paper
photocopy of a license + a photo ID. I had to physically mail in a photo
of my ham license and my driver's license and wait a couple weeks to get
the cert. If they can get 50k contesters and DXers to work with
certificates, maybe certs can work for the AMPRnet, too.
Technically, we can validate if a VPN user is in possession of one of
those certificates and the respective private key. Politically, K4JH asked
the ARRL guys, and they said that they don't mind if we use them for other
ham authentication needs. We can start accepting other CAs too once they
come around. I plan to help SRAL, the Finnish amateur radio union, to set
up a CA within their web site (they already have user accounts for
members). I know ARRL isn't for everyone, but smaller clubs could set up
CAs too, or even commercial entities - as long as we trust them to do the
license validation in a proper manner.
Tonight I hacked up an OpenVPN setup which authenticates users with LoTW
certs, and wrote a little documentation:
http://wiki.ampr.org/index.php/AMPRNet_VPN
What do you think? Technically, it seems to work - try it out if you like.
It's not very straightforward to set up, but the license validation is
pretty strong, and running the service shouldn't be a lot of work. There
can be many VPN servers around the world, serving the whole customer base
(VPN servers do not need access to any central user database, they just
need the certificates of the trusted CAs). With a little Dynamic DNS
magic, you could get an oh7lzb.vpn.ampr.org hostname on DNS within a few
seconds after connecting (I've got code for that in another project).
(Yes, eventually certificates need to be revoked after they accidentally
get into wrong hands, or ham licenses are revoked. Technically that can be
done using CRLs and/or OCSP, but ARRL apparently does not do those yet.
Maybe they will, if the need arises. We can also set up a blocked
certificates list of our own.)
- Hessu, OH7LZB
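As an added example, not code from either message or from the AMPRNet_VPN wiki page: a POSIX sh script usable as an OpenVPN `tls-verify` hook that implements the "blocked certificates list of our own" Hessu mentions as a stop-gap while the CA offers no CRL or OCSP, and that writes the kind of audit line (timestamp, peer IP, identity) Renzo's message describes keeping for compliance. It relies on OpenVPN's documented hook convention (certificate depth and the one-line X.509 subject as arguments, the unauthenticated peer address exported as `untrusted_ip`); the list-file format of one subject string per line, the default file paths and the sample subjects are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the AMPRNet VPN wiki.
# OpenVPN --tls-verify hook: reject leaf certificates whose subject is on a
# locally maintained blocked list, and write one audit line per decision.
#
# OpenVPN invokes the hook as:  <script> <depth> <X509 subject, one line>
# and accepts the certificate level only when the script exits 0.
# Assumed (not from the thread): the list file holds one subject string per
# line exactly as OpenVPN renders it; lines starting with '#' are comments.

BLOCKLIST="${BLOCKLIST:-/etc/openvpn/blocked-subjects.txt}"   # assumed path
LOGFILE="${LOGFILE:-/dev/stderr}"                              # assumed default

# Returns 0 when the subject is not on the blocked list, 1 when it is.
subject_allowed() {
    subject="$1"
    [ -r "$BLOCKLIST" ] || return 0          # no list present: nothing is blocked
    # Drop comment lines, then match the whole line as a fixed string.
    if grep -v '^#' "$BLOCKLIST" | grep -Fxq -- "$subject"; then
        return 1
    fi
    return 0
}

# One audit line per decision: UTC timestamp, peer IP (OpenVPN exports the
# not-yet-authenticated peer address as $untrusted_ip), verdict, subject.
log_decision() {
    printf '%s peer=%s verdict=%s subject=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${untrusted_ip:-unknown}" "$1" "$2" >>"$LOGFILE"
}

# Entry point with OpenVPN's argument convention; returns 0 = accept, 1 = reject.
tls_verify_hook() {
    depth="$1"
    subject="$2"
    # Only the leaf certificate (depth 0) names the user; the CA chain is
    # pinned through the server's --ca option, so intermediate levels pass.
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    if subject_allowed "$subject"; then
        log_decision accept "$subject"
        return 0
    fi
    log_decision reject "$subject"
    return 1
}

# Stand-alone demonstration with a constructed list; OpenVPN never reaches
# this branch because it always passes two arguments.
demo() {
    tmp=$(mktemp)
    printf '# constructed sample list\nC=US, O=Example Club, CN=Revoked Ham\n' >"$tmp"
    BLOCKLIST="$tmp"
    LOGFILE=/dev/stdout
    tls_verify_hook 0 "C=US, O=Example Club, CN=Good Ham"                # accept
    tls_verify_hook 0 "C=US, O=Example Club, CN=Revoked Ham" || true     # reject
    tls_verify_hook 1 "C=US, O=Example Club, CN=Revoked Ham"             # CA level passes
    rm -f "$tmp"
}

if [ "$#" -ge 2 ]; then
    tls_verify_hook "$1" "$2"
    exit $?
fi
demo
```

The server would reference it from its configuration with `script-security 2` and `tls-verify /path/to/this/script` (path assumed) next to the `ca` file holding the trusted CA chain; OpenVPN still verifies the chain against `ca` itself, so the hook only adds the local deny list on top. Because the match is on the whole subject string, a list entry has to be copied exactly as OpenVPN logs it, which makes the list easy to audit but means a reissued certificate with a changed subject would need a new entry.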
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
http://www.ampr.org/donate.html