Repeater linking: Difference between revisions

From Wildsong
Jump to navigationJump to search
← Older edit
VisualWikitext
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,470 edits
mNo edit summary
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,470 edits
 
(8 intermediate revisions by the same user not shown)
Line 15: Line 15:


Brian has this (on loan)
Brian has this (on loan)
* [https://wiki.tarra.link/index.php/Pi-Repeater-2X Pi Repeater 2X] from [https://ics-ctrl.com/pi-repeater/ ICS controllers] which uses [https://svxlink.org/ SvxLink]
* [https://wiki.tarra.link/index.php/Pi-Repeater-2X Pi Repeater 2X] from [https://ics-ctrl.com/pi-repeater/ ICS controllers] which uses [[SVXLink]]
* 1 12V/2.1A wall wart with coax connector
* 1 12V/2.1A wall wart with coax connector
* Pi Zero W in transparent Vilros case, with several lids including one for a camera
* Pi Zero W in transparent Vilros case, with several lids including one for a camera
Line 49: Line 49:
== AllStarLink ==
== AllStarLink ==


Status: running ASL, Echolink, SIP phones are working. Looking at USB soundcard now.
We evaluated this and decided it's far too complex for this project. Still and all there is a page now [[All Star Link]]
 
AllStarLink (https://allstarlink.org) is a fork of [[Asterisk]] Henceforth "ASL".
 
The [https://github.com/allstarlink ASL github repo] says ASL-Asterisk is based on
Asterisk 1.4.23pre, making it [https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions ludicrously outdated],
EOL 2012, ten years ago.
 
For TARRA we will be running ASL at each repeater and linking them over Internet connections via cellular modems. Brian has to learn repeaters and Mick has to learn Asterisk.
 
I am setting up ASL here at my house with a Pi 3 ([[Violet]]) and a handheld.
 
I downloaded the complete Pi image v 1.0.1. I could not install it because the IMG file was the wrong size.
I downloaded beta 6 of version 2. It installed. It boots. I have it on Ethernet right now. HDMI does not work, so I unplugged the monitor and keyboard. Checked Wenda to see what the IP address it pulled is.
Log in as repeater/allstarlink and run asl-menu. ssh [/cdn-cgi/l/email-protection <nowiki>[email protected]</nowiki>] -- works -- fancy!
 
=== Network settings ===
 
Edited /etc/wpa_supplicant.conf file to enabled WiFi, just in case I need it later.
 
(From asl-menu) I set the machine to be violet.w6gkd.radio, and left it on DHCP (the address is fixed in the DHCP server on [[Wenda]]).
 
I set the timezone.
 
=== Echolink ===
 
On page 2, I need to set up echolink. According to the Echolink page,
you get a node number assigned automatically so I don't know why they have this?
 
For echolink I had to open firewall ports 5198-5199 on my EdgeRouter and set forwarding  to the Pi.
 
I had to validate the connection at https://echolink.org/validation
 
=== AllMon2 ===
 
AllMon2 is the web site, you have to set up a password to use it.
 
ssh violet
/var/www/html/allmon
sudo htpasswd -cB .htpasswd admin
 
=== USB sound ===
 
[https://www.newegg.com/startech-com-icusbaudio7/p/N82E16829128007?Item=9SIA2F89142628 Startech sound card] from Newegg. I paid $24, now they want $30, pretty sure I
already overpaid so I don't think I'd get another one of these.
 
I have it plugged in already and it shows up in lsusb as
 
Bus 001 Device 004: ID 0d8c:000c C-Media Electronics, Inc. Audio Adapter
 
==== Set card as default ====
 
Make sure your sound card shows up as "1" when you do
 
cat /proc/asound/cards
 
Turn off the internal sound system by editing /boot/config.txt. Look for dtparam=audio=on
 
Edit /usr/share/alsa/alsa.conf to change 0 to 1 in these lines.
 
defaults.ctl.card 1
defaults.pcm.card 1
 
After reboot, if you use alsamixer you should be able to see the USB card and adjust it.
 
Once I had changed the defaults, Asterisk grabbed my sound card as soon as I set it as default! I had to stop it so I could test the sound card. I guess this answers the question of whether I can use ASL to generate sounds?
 
sudo systemctl stop asterisk.service
 
You should be able to play a sound file, for example, these commands work.
 
play /usr/share/sounds/alsa/Front_Center.wav
speaker-test -c2 -t wav
 
==== Speech synthesis ====
 
I used to use Festival because it was the only option, now there is also espeak-ng.
I installed it, "sudo apt install espeak-ng", and then I can just send text to the sound board,
 
espeak-ng "Alexa,,,,, please tell me a joke."
 
There are better voices including female ones but the mbrola package is non-free so it is missing from Raspbian? I guess. Make one and install it then press on,
 
wget http://steinerdatenbank.de/software/mbrola3.0.1h_armhf.deb
sudo dpkg -i mbrola3.0.1h_armhf.deb
sudo apt install mbrola-us1 mbrola-us2 mbrola-us3
 
espeak-ng -v mb-us1 "Hello. This is a test of the MBROLA voice." -p 60
 
The mbrola-us1 (female) voice is probably the most intelligible.
 
Espeak is only integrated with Asterisk 1.16+ and ASL is based on 1.14, so it won't
work directly. This means I can either go back to using Festival or I can hack around
it? Can I send text to an external service and get a WAV file back? Do I even care?
Do I just like hearing robots talk? Testing with festival, so I can compare,
 
sudo apt install festival festvox-us1
 
Test it
 
  festival
  (SayText "Hello, Brian!")
  (voice_us1_mbrola)
  (SayText "Hello, Brian!")
 
I want it to run as a service, for now I am just going to issue the command.
 
  festival --server &
 
Edit /usr/share/festival/festival.scm and add this at the end, above the last line.
 
(define (tts_textasterisk string mode)
(let ((wholeutt (utt.synth (eval (list 'Utterance 'Text string)))))
(utt.wave.resample wholeutt 8000)
(utt.wave.rescale wholeutt 5)
(utt.send.wave.client wholeutt)))
 
Then I can tell Asterisk that Festival is available. I create a festival.conf file
and load the module in modules.conf. For me I just needed all the defaults in festival.conf, something like this works,
 
[general]
host=localhost
port=1314
 
I can tell Asterisk to say something by creating an extension in custom/extensions.conf.
This actually does not use the festival or server module at all.
 
exten => 110,1,Answer()
exten => 110,n,System(echo "We are now doing Festival Test" | /usr/bin/text2wave -scale 1.5 -F 8000 -o /tmp/test.wav)
exten => 110,n,Playback(/tmp/test)
exten => 110,n,System(rm -f /tmp/test.wav)
exten => 110,n,Hangup()
 
Then I can restart Asterisk and try it.
 
  sudo systemctl start asterisk.service
 
Or I can use espeak and a shell command, since I can use a System command,
 
<pre>
exten => 111,1,Answer()
exten => 111,n,System(echo "We are now doing Festival Test with espeak." | /usr/bin/espeak-ng -v mb-us1 -p 60 -w /tmp/test.wav)
exten => 111,n,Playback(/tmp/test)
exten => 111,n,System(rm -f /tmp/test.wav)
exten => 111,n,Hangup()
 
exten => 112,1,Answer()
exten => 112,n,System(echo "We are now doing Festival Test with espeak." | /usr/bin/espeak-ng -v mb-us3 -p 60 -w /tmp/test.wav)
exten => 112,n,Playback(/tmp/test)
exten => 112,n,System(rm -f /tmp/test.wav)
exten => 112,n,Hangup()
</pre>
 
There is also Flite and Asterisk-Flite but I am done testing all this for now,
I think Festival is good enough for now.
 
=== SIP phones ===
 
First I need to make sure SIP is enabled in Asterisk.
 
sudo asterisk -r
module show
 
and... it's not.
 
module load chan_sip
 
I can set it to load it at start up by editing
/etc/asterisk/modules.conf. I enabled chan_sip. chan_sip is deprecated
but this is ASL not a PBX. chan_sip was very easy to set up
compared to chan_pjsip.
 
I don't have any SIP phones right now but I have several Android smartphones.
Supposedly the Android phone app can do SIP, but not on ''my'' phones. See https://wiki.ezuce.com/display/sipXcom/Android+Integrated+SIP+Calling
 
I installed the Grandstream app, "GS Wave".
 
I set up two phones, two extensions in Asterisk, and I can dial from one to the other over Wifi.


== Network routing and Wireguard ==
== Network routing and Wireguard ==
Line 372: Line 195:


== Monitoring Wireguard ==
== Monitoring Wireguard ==
I tried building prometheus-wireguard-exporter for arm64 and gave up, then I found there is a pre-built version on the Docker Hub.


Build the prometheus-exporter, on Pi I had to clone the source.
docker pull mindflavor/prometheus-wireguard-exporter:latest
 
git clone https://github.com/MindFlavor/prometheus_wireguard_exporter.git
 
and then I edited the Dockerfile to change the amd64 reference to arm64 and then I used this build command,


docker build -t mindflavor/prometheus_wireguard_exporter --platform=arm64 .
This works to start it up, and to test it,


The build process would have taken a few hours on the Pi 3 so I set up the Pi 4 [Tenrec] with its SSD.
docker run -d --net=host --cap-add=NET_ADMIN --name wgexporter mindflavor/prometheus-wireguard-exporter -a true
curl -s http://localhost:9586/metrics


[[Category: Radio]]
[[Category: Radio]]
[[Category: Network]]
[[Category: Network]]
[[Category: System Administration]]
[[Category: System Administration]]

Latest revision as of 03:57, 11 July 2024

I am testing configurations for TARRA, the Teton Amateur Radio Repeater Association in Wyoming.

IRLP and Pi Repeater stuff from W7BU

Mike has this stuff right now. 2022-11-18

  • IRLP kit
  • Raspberry Pi 3B in a transparent case + Elecrow 5" touch screen plugs in directly to a Pi 3.
  • A bunch of 5V wall warts with USB micro connectors
  • Mini USB Keyboard
  • 3x USB Mouse
  • a pre-programmed 32GB SD card from Canakit
  • 7" Composite LCD
  • 2 or so random 12V wall warts with coax connectors
  • 10BT patch cable

Brian has this (on loan)

  • Pi Repeater 2X from ICS controllers which uses SVXLink
  • 1 12V/2.1A wall wart with coax connector
  • Pi Zero W in transparent Vilros case, with several lids including one for a camera
  • A weird bracket thing that might hold a LCD screen

The PI-REPEATER-2X is in the factory sheet metal box containing a PI-REPEATER-2X controller and a RPI 3B with the cabling done to bring out DB connectors. It has a 12->5V DC regulator too. 2022-11 At some point the cheesy little voltage regulator failed and now I have an external 5V/5A Meanwell supply on it.

The puny failed supply was tiny. Not sure what to do to about that, since the replacement is not.

I also have a Meanwell PSD-30A-5 which needs JST connectors, pins are JST SVH 21T-P1.1 and the housings are VHR-3N and VHR-4N

Two radios

I have two Kenwood TM-271A radios and I am looking at what I can do with them.

NiceRF radios

SHARI -- Kits based on a VHF|UHF radio, set up for ASL, basically a hotspot. Based on the NiceRF SA818S.

The Pi 3 version ($65) connects via 2 USB connectors, so it's entirely driven off a serial port via USB. There is also Pi 4 compatible version of this product.

The separate Pi Hat 4 ($80) version plugs into the GPIO connectors I think. It also requires soldering wires to the Pi 4. Ick.

Another SA818S - based thingie https://wb6amt.com/sa-818-carrier-board/ more generic than the SHARI but cheaper

Maker: https://kitsforhams.com/

Review, including a Youtube!! https://qrznow.com/shari-pi-hat-allstar-sa818-radio-module-for-raspberry-pi/


AllStarLink

We evaluated this and decided it's far too complex for this project. Still and all there is a page now All Star Link

Network routing and Wireguard

Goal here is to route our 44 subnet to the repeaters. The repeaters can be on any service provider so we need to accommodate that.

I spent too much time researching ipip and gre tunnels and gave up and came back to Wireguard. There might or might not be firewalls and NAT on some nodes, and certainly that is the case here at home.

Regarding IPIP and GRE though the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel I got a tunnel running between two VPSs, tarra and w6gkd but I don't need a setup like that.

So Wireguard it is.

Instructions for setting up a Raspberry Pi as a client Wireguard client set up

Install it, 

sudo apt-get install wireguard -y

Instructions and download are available from https://upcloud.com/community/tutorials/get-started-wireguard-vpn/

For the ERX router, https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway

Test setup

I am using a Pi3 and a VPS for testing right now, using the official image based on Debian.

Violet is the pi3, on my Spectrum broadband behind a Ubiquiti router.

TARRA is the VPS, at VULTR.

/etc/wireguard/wg0.conf is the config at each end

Bring up connection 

wg-quick up wg0

Test connection

Shut down connection 

wg-quick down wg0

Subnets https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=28&cip=44.127.9.0&ctype=ipv4&printit=0&x=66&y=16

Show me the INPUT rules, verbosely 

iptables -L INPUT -v

"ACCEPT" in this case says, "nothing interesting here", don't log.

On violet, you can log traffic to monitor it, or just use tcpdump 

iptables -F INPUT
iptables -A INPUT -i wg0 -j LOG
iptables -F OUTPUT
iptables -A OUTPUT -i wg0 -j LOG
tail -f /var/log/messages

or 

tcpdump -i wg0 -n


On tarra 

tcpdump -i wg0 -n

# Make packets coming in from the Internet get written to the right subnet
iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2

I think wireguard does this automatically 

ip route add 44.127.9.0/28 via 44.127.9.1

Firewall settings

apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx git

I had fail2ban installed already on both machines, which means that iptables was also installed already and could be the whole problem. My iptables skills are rusty.

"iptables -L" shows me that about 100 sites have been ssh banned. It also told me that FORWARD was DROP on w6gkd hmmm. 

iptables -A INPUT -p 4 -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
iptables -P FORWARD ACCEPT

# Drop various services we don't want running over the tunnel, mostly Microsoft stuff
iptables -A OUTPUT -o tun0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 5678 -j DROP 
# Drops destination unreachable replies to various probe responses saving bandwidth
iptables -A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP

# This prevents nested ipencap see https://ohiopacket.org/xrpi/docs/ipencap.htm
iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP
# This prevents a general loop
iptables -I FORWARD -i tun0 -o tun0 -j DROP
# Drops outbound unassigned IPs from looping though tunl0 via ipencap
# You must add accept rules under this line to make exceptions
# Drop traffic that does not have one of our 44 addresses on it.
iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP

# I don't think this will hurt anything but might no longer matter with current amprd 3.0
iptables -A OUTPUT -o ens3 -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP

Tarra server

Scripts are in /etc/wireguard/ to bring up connections including wg-all.sh

Each remote node has its own set of keys in /etc/wireguard/KEYS and its own script, for example, 

cd /etc/wireguard
./wg-rendezvous.sh down
./wg-rendezvous.sh up

Restoring connections after rebooting is handled via systemd.

Run "systemctl start wg-all.service" to bring everything up and "systemctl stop wg-all.service" to stop everything. Check /var/log/daemon.log for messages.

To implement this I created two files, 

cd /lib/systemd/system
cat wg-all.target
[Unit]
Description=WireGuard Tunnels for Tarra

and 

cat wg-all.service 
[Unit]
Description=WireGuard via wg-all for TARRA
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-all.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/wireguard/wg-all.sh up
ExecStop=/etc/wireguard/wg-all.sh down

[Install]
WantedBy=multi-user.target

Monitoring Wireguard

I tried building prometheus-wireguard-exporter for arm64 and gave up, then I found there is a pre-built version on the Docker Hub. 

docker pull mindflavor/prometheus-wireguard-exporter:latest

This works to start it up, and to test it, 

docker run -d --net=host --cap-add=NET_ADMIN --name wgexporter mindflavor/prometheus-wireguard-exporter -a true
curl -s http://localhost:9586/metrics
Retrieved from "https://wiki.wildsong.biz//index.php?title=Repeater_linking&oldid=14316"