Hi everyone!
I am trying to use the access to the AMPRNet by VPN via amprnet-vpn1.aprs.fi
I already got hold of a lotw certificate but cannot get access. Is this the place to hope for further help?
73 de oe1rsa
Hello Roland.
I use OH7LZB's AMPRNet VPN occasionally. A while ago I checked from my Sony Xperia Z1, and I confirm that it works perfectly as of now.
Best regards. --- Tom - SP2L
On 13 Oct 2015, at 21:44, Roland Schwarz roland.schwarz@blackspace.at wrote:
I am trying to use the access to the AMPRNet by VPN via amprnet-vpn1.aprs.fi
I already got hold of a lotw certificate but cannot get access. Is this the place to hope for further help?
I’ve got that experimentally set up:
$ sudo openvpn2 --config client.conf --verb 6
And my client.conf:
client
dev tun0
proto udp
remote amprnet-vpn1.aprs.fi 1773
resolv-retry infinite
persist-key
persist-tun
ca amprnet-vpn-ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
IIRC the amprnet-vpn-ca.crt, client.crt and client.key were generated as: http://wiki.ampr.org/index.php/AMPRNet_VPN
This could be set up more automatically, but ok so far. Bill (M1BKF)
I tried to proceed as close as possible.
1) Obtained my LoTW cert.
2) Extracted it: cat ~/.tqsl/certs/user ~/.tqsl/certs/authorities > client.crt
3) Filled in gateway address and port, set LZO compression.
To make sure my NAT router does not get in between, I exposed my computer directly to the internet.
Please see the attached log for the results. (No connection was made.)
Ah before I forget to tell, I am running on ubuntu 15.04 x86_64
Thank you for taking care, oe1rsa
A non-text attachment was scrubbed...
Hmm is UTF-8 considered non-text? Trying again...
Ok, the list obviously scrubs any attachments. So sorry for the ugly formatting:
Oct 16 17:34:32 gauss NetworkManager[912]: <info> Starting VPN service 'openvpn'...
Oct 16 17:34:32 gauss NetworkManager[912]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 3254
Oct 16 17:34:32 gauss NetworkManager[912]: <info> VPN service 'openvpn' appeared; activating connections
Oct 16 17:34:32 gauss NetworkManager[912]: <info> VPN plugin state changed: starting (3)
Oct 16 17:34:32 gauss NetworkManager[912]: nm-openvpn-Message: openvpn started with pid 3260
Oct 16 17:34:32 gauss NetworkManager[912]: <info> VPN connection 'AMPRNet' (ConnectInteractive) reply received.
Oct 16 17:34:32 gauss nm-openvpn[3260]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Apr 13 2015
Oct 16 17:34:32 gauss nm-openvpn[3260]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 16 17:34:32 gauss nm-openvpn[3260]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 16 17:34:32 gauss nm-openvpn[3260]: UDPv4 link local: [undef]
Oct 16 17:34:32 gauss nm-openvpn[3260]: UDPv4 link remote: [AF_INET]85.188.1.118:1773
Oct 16 17:35:11 gauss NetworkManager[912]: <warn> VPN connection 'AMPRNet' connect timeout exceeded.
Oct 16 17:35:11 gauss NetworkManager[912]: nm-openvpn-Message: Terminated openvpn daemon with PID 3260.
Oct 16 17:35:11 gauss nm-openvpn[3260]: SIGTERM[hard,] received, process exiting
Seems to me the remote site isn't responding to your VPN request.
Oct 16 17:34:32 gauss nm-openvpn[3260]: UDPv4 link remote: [AF_INET]85.188.1.118:1773
Oct 16 17:35:11 gauss NetworkManager[912]: <warn> VPN connection 'AMPRNet' connect timeout exceeded.
I'm not currently using this VPN service but can you reach / ping 85.188.1.118 ? It pings for me but a telnet (TCP) connection attempt to port 1773 is refused from my IP.
--David KI6ZHD
Am 16.10.2015 um 18:35 schrieb David Ranch:
I'm not currently using this VPN service but can you reach / ping 85.188.1.118 ?
$ ping 85.188.1.118
PING 85.188.1.118 (85.188.1.118) 56(84) bytes of data.
64 bytes from 85.188.1.118: icmp_seq=1 ttl=49 time=53.0 ms
64 bytes from 85.188.1.118: icmp_seq=2 ttl=49 time=52.7 ms
$ nmap 85.188.1.118 -p 1773
Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-16 18:52 CEST
Nmap scan report for amprgw.rats.fi (85.188.1.118)
Host is up (0.051s latency).
PORT     STATE  SERVICE
1773/tcp closed unknown
Hmm, strange. William claimed he was able to connect...
73 oe1rsa
On 16/10/15 18:21, Roland Schwarz wrote:
Oct 16 17:34:32 gauss nm-openvpn[3260]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Hello Roland.
The above WARNING message pinpoints the cause...
Best regards.
Am 27.10.2015 um 15:43 schrieb Tom SP2L:
The above WARNING message pinpoints the cause...
Unfortunately no. As the message says, it is just a warning that I have not installed a means to verify the server (note: that has nothing to do with the server trusting me, which is mandatory and would be an error). I think this is what the amprnet-vpn-ca.cert is for. However, I do not know then how I should plug in the root certificate from lotw (there is no place within the gui) and, most important: I do not know which of the three, and seemingly no one else has this problem :-(
It would be helpful if someone could show me which root certs they are using. You can send me your client.crt, which should contain only public information anyways.
Regards, Roland
On 27/10/15 16:05, Roland Schwarz wrote:
However I do not know then how I should plug the root certificate from lotw
Roland.
The ONLY CA certificate you need is:
amprnet-vpn-ca.cert
Best regards.
Hello Roland.
Correct file name is:
amprnet-vpn-ca.crt
Best regards.
Am 27.10.2015 um 16:40 schrieb Tom SP2L:
The ONLY CA certificate you need is:
amprnet-vpn-ca.cert
Sorry Tom, now I am completely lost!
My lotw cert is _not_ signed by this CA. This is the CA from AMPRnet and not the lotw one.
I would be glad if you could explain to me why you think I need this and how I should put this to work. The closest I can think of is the --extra-certs parameter from openvpn, quoted:
--extra-certs file
Specify a file containing one or more PEM certs (concatenated together) that complete the local certificate chain.
This option is useful for "split" CAs, where the CA for server certs is different than the CA for client certs. Putting certs in this file allows them to be used to complete the local certificate chain without trusting them to verify the peer-submitted certificate, as would be the case if the certs were placed in the ca file.
BUT: I have no idea how I could plug this into my gui :-(
Also the recipe on the wiki does not mention it. So it must work somehow without, just how?
Roland
On 27/10/15 20:19, Roland Schwarz wrote:
My lotw cert is_not_ signed by this CA
Hello Roland.
Also my LoTW callsign certificate
___IS NOT signed___ by amprnet-vpn-ca.crt
Yes, you're right: amprnet-vpn-ca.crt is NOT LoTW certificate!
I have used AMPRNet VPN for quite a while, almost two years, on various operating systems: Windows XP, Windows 7/32b, Windows 8/64b, Debian 7.7, Debian 8 and also Android 5.1.1.
NEVER needed any of the root CA certificates from LoTW.
Everything was prepared according to the nice manual by Hessu OH7LZB on the [44] AMPRNet VPN wiki page.
Personally I do not use any Network Manager to maintain AMPRNet VPN connections, (in fact, ANY connections at all), Hi! Instead, I start client VPN by means of few shortcuts prepared by myself and placed on the Desktop.
If you'll be interested I may send small archive containing files I am talking about.
Best regards.
When using openvpn, you should be establishing trust in both directions. The server needs to know you are who you say you are. You also need to know that the openvpn server is who it says it is and not an impostor. In the first direction, trust is established using your end-user LotW cert and verified by the server using the LotW root CA cert. In the other direction, you need a way to verify the server's certificate should be trusted. However, LotW doesn't sign server certs, so he had to create a server cert himself. He's giving you the CA cert file that was used to sign his server cert.
Not too confusing, right? ;)
On Tue, Oct 27, 2015 at 12:54 PM, Tom SP2L SP2L@wp.pl wrote:
Hello Cory et al.
Simple and PERFECT explanation!
Best regards.
Am 27.10.2015 um 21:20 schrieb Tom SP2L:
Simple and PERFECT explanation!
I agree. Exactly what I always understood.
Why do we have/need three (unrelated) lotw root CA's then? Where do they fit into this picture?
Regards, Roland
Roland,
The oldest of the three LotW root CAs hasn't been in use for several years and can be discarded. I think I heard that they lost the private key for it, or something silly like that.
The second one is their SHA1 root CA cert that they've been using up until this year, but should be kept around for a while because some people still have call sign certs in that chain. Since call sign certs are only signed for two years, you can discard that root CA too once the existing call sign certs expire.
The latest LotW root CA was created this year using modern crypto tech. It was necessary because it's expected that SHA1 will be broken within a few years, so everyone's in a hurry to move away from it.
-Cory NQ1E
On Tue, Oct 27, 2015 at 1:28 PM, Roland Schwarz roland.schwarz@blackspace.at wrote:
Hi Cory,
thank you for this info. It makes perfect sense.
Am 27.10.2015 um 21:37 schrieb Cory (NQ1E):
The oldest of the three LotW root CAs hasn't been in use for several years and can be discarded. I think I heard that they lost the private key for it, or something silly like that.
Bad things happen ...
The second one is their SHA1 root CA cert that they've been using up until this year, but should be kept around for a while because some people still have call sign certs in that chain. Since call sign certs are only signed for two years, you can discard that root CA too once the existing call sign certs expire.
I guess this is the cert with serial 0xe7b27ba978517c65 as Heikki has shown. So it looks like it still also is the current active cert that the OpenVPN is tested against.
The latest LotW root CA was created this year using modern crypto tech. It was necessary because it's expected that SHA1 will be broken within a few years, so everyone's in a hurry to move away from it.
Ok, and this is the cert of the CA that was used to sign my certificate.
I guess this is my problem, no?
Roland
Hi there,
Where can I find the AMPR hosts file that used to be on UCSD.EDU?
Thanks Forward
Ronen - 4Z4ZQ
http://www.ronen.org
On Sun, 15 Nov 2015 21:56:44 +0200, Drorap drorap@netvision.net.il wrote:
I think you might find what you need here: ftp://hamradio.ucsd.edu/pub/
Strange.. those files say they are a year old!
Index of ftp://hamradio.ucsd.edu/pub/
Name         Size     Last Modified
44.rev       1339 KB  11/16/2014 02:01:00 AM
ampr.org     1168 KB  11/16/2014 02:01:00 AM
ampr.tar.gz   536 KB  11/16/2014 02:01:00 AM
amprhosts    1542 KB  11/16/2014 02:01:00 AM
--David KI6ZHD
When I look at them, they are dated 20151116 02:01
Not sure why yours show 2014 and mine 2015. Odd.
Bill KG6BAJ
At 08:14 PM 11/15/2015, you wrote:
David et al;
On Sun, 2015-11-15 at 20:14 -0800, David Ranch wrote:
Strange.. those files say they are a year old!
Index of ftp://hamradio.ucsd.edu/pub/
Name         Size     Last Modified
44.rev       1339 KB  11/16/2014 02:01:00 AM
ampr.org     1168 KB  11/16/2014 02:01:00 AM
ampr.tar.gz   536 KB  11/16/2014 02:01:00 AM
amprhosts    1542 KB  11/16/2014 02:01:00 AM
I'm showing the dates spot on:
Index of ftp://hamradio.ucsd.edu/pub/
Name         Size     Last Modified
44.rev       1339 KB  11/16/2015 11:01:00 AM
ampr.org     1168 KB  11/16/2015 11:01:00 AM
ampr.tar.gz   536 KB  11/16/2015 11:01:00 AM
amprhosts    1542 KB  11/16/2015 11:01:00 AM
Since that's actually a URL, I'd suggest the ol' F5 refresh...
On Sun, 15 Nov 2015 20:14:03 -0800, David Ranch amprgw@trinnet.net wrote:
Stranger still... I see this:
11/16/2015 11:01AM  1,370,642  44.rev
11/16/2015 11:01AM  1,195,710  ampr.org
11/16/2015 11:01AM    548,667  ampr.tar.gz
11/16/2015 11:01AM  1,578,925  amprhosts
11:01AM PST for me would be 19:01UTC
A little bit off-topics...
Lately I come across weird issue... Could not compile tQSL-2.1.3 on Debian Wheezy. Few hours of digging Internet and looking for really working solution and finally GOT IT!
If subject is interesting I may post details.
Best regards. --- Tom - SP2L
If nothing else, us at the https://lists.debian.org/debian-hams/ mailing list will probably be interested :)
On 29 October 2015 12:09:52 GMT+00:00, SP2L - Tom SP2L@wp.pl wrote:
For anyone stumbling across this thread:
As Cory (NQ1E) has explained lotw is making a transition to a newer certificate authority which IS NOT signed by the older ca, i.e. it is unrelated.
With the help from Tom SP2L I have figured out that the current certificate of the openvpn access point is the older lotw cert.
If you got signed by the newer cert, you likely will not be able to access the openvpn, like me. (I cannot prove that, but since I cannot access it and I only have the newer cert, I have the strong suspicion that my claim is true.)
73 de Roland, oe1rsa
Am 27.10.2015 um 20:54 schrieb Tom SP2L:
Personally I do not use any Network Manager to maintain AMPRNet VPN connections, (in fact, ANY connections at all), Hi! Instead, I start client VPN by means of few shortcuts prepared by myself and placed on the Desktop.
Yes, of course. I could do this as well. I am just the one who likes to understand how things work, how they should work and if they don't, try to make them work. This is hard at times I know. But this is what freedom is all about isn't it?
If you'll be interested I may send small archive containing files I am talking about.
Yes, please. But please take care you do not inadvertently send me your private key. (I know I shouldn't need to say this because you know that already. I just want to be polite.)
If I find out what is going wrong eventually I will write a small summary for others.
vy 73 de Roland, oe1rsa
BTW.: I am writing to you off-list because the list doesn't like attachments, and I am not sure if you already have my off-list address.
Hmm, you do have --+ | v
Am 27.10.2015 um 21:17 schrieb Roland Schwarz:
BTW.: I am writing to you off-list because the list doesn't like attachments, and I am not sure if you already have my off-list address.
Obviously this wasn't off-list, hi.
I have an IPSEC + XAUTH VPN node in Tampa that's free to use. If you want access shoot me a unicast with a callsign and a password choice. I'll provision it and you can setup your end.
73's W9CR