Repeater linking: Difference between revisions

From Wildsong
Jump to navigationJump to search
← Older editNewer edit →
VisualWikitext
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,540 edits
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,540 edits
Line 78: Line 78:


  apt install festival
  apt install festival
apt install festlex-cmu


== Network routing and Wireguard ==
== Network routing and Wireguard ==

Revision as of 03:06, 30 May 2022

I am testing configurations for TARRA, the Teton Amateur Radio Repeater Association in Wyoming.

AllStarLink

Status: running ASL, Echolink, SIP phones are working. Looking at USB soundcard now.

AllStarLink (https://allstarlink.org) is a fork of Asterisk Henceforth "ASL". Follow the link, I won't copy content here.

For TARRA we will be running ASL at each repeater and linking them over Internet connections via cellular modems. That's the idea anyway. Not even a "plan" at this point. Brian has to learn repeaters and Mick has to learn Asterisk.

Maybe I can set up ASL here at my house with a Pi 4 and a handheld and Echolink? Worth a try as a starting point.

I will try the SD card with a Pi 3 Violet.

I downloaded their complete Pi image v 1.0.1. I could not install it because the IMG file was the wrong size. I downloaded beta 6 of version 2. It installed. It boots. I have it on Ethernet right now. HDMI does not work, so I unplugged the monitor and keyboard. Checking Wenda to see what the IP address it pulled is. Log in as repeater/allstarlink and run asl-menu. ssh repeater@violet -- works -- fancy!

Network settings

Edited /etc/wpa_supplicant.conf file to enabled WiFi, just in case I need it later.

(From asl-menu) I set the machine to be violet.w6gkd.radio, and left it on DHCP (the address is fixed in the DHCP server on Wenda).

I set the timezone.

Echolink

On page 2, I need to set up echolink. According to the Echolink page, you get a node number assigned automatically so I don't know why they have this?

For echolink I had to open firewall ports 5198-5199 on my EdgeRouter and set forwarding to the Pi.

I had to validate the connection at https://echolink.org/validation

AllMon2

AllMon2 is the web site, you have to set up a password to use it. 

ssh violet
/var/www/html/allmon
sudo htpasswd -cB .htpasswd admin

USB sound

Startech sound card from Newegg. I paid $24, now they want $30, pretty sure I already overpaid so I don't think I'd get another one of these.

I have it plugged in already and it shows up in lsusb as 

Bus 001 Device 004: ID 0d8c:000c C-Media Electronics, Inc. Audio Adapter

SIP phones

First I need to make sure SIP is enabled in Asterisk. 

sudo asterisk -r
module show

and... it's not. 

module load chan_sip

I can set it to load it at start up by editing /etc/asterisk/modules.conf. I enabled chan_sip. chan_sip is deprecated but this is ASL not a PBX. chan_sip was very easy to set up compared to chan_pjsip.

I don't have any SIP phones right now but I have several Android smartphones. Supposedly the Android phone app can do SIP, but not on my phones. See https://wiki.ezuce.com/display/sipXcom/Android+Integrated+SIP+Calling

I installed the Grandstream app, "GS Wave".

I set up two phones, two extensions in Asterisk, and I can dial from one to the other over Wifi.

Festival TTS

apt install festival
apt install festlex-cmu

Network routing and Wireguard

Goal here is to route our 44 subnet to the repeaters. The repeaters can be on any service provider so we need to accommodate that.

I spent too much time researching ipip and gre tunnels and gave up and came back to Wireguard. There might or might not be firewalls and NAT on some nodes, and certainly that is the case here at home.

Regarding IPIP and GRE though the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel I got a tunnel running between two VPSs, tarra and w6gkd but I don't need a setup like that.

So Wireguard it is.

Instructions for setting up a Raspberry Pi as a client Wireguard client set up

Install it, 

sudo apt-get install wireguard -y

Instructions and download are available from https://upcloud.com/community/tutorials/get-started-wireguard-vpn/

For the ERX router, https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway

Test setup

I am using a Pi3 and a VPS for testing right now, using the official image based on Debian.

Violet is the pi3, on my Spectrum broadband behind a Ubiquiti router.

TARRA is the VPS, at VULTR.

/etc/wireguard/wg0.conf is the config at each end

Bring up connection 

wg-quick up wg0

Test connection

Shut down connection 

wg-quick down wg0

Subnets https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=28&cip=44.127.9.0&ctype=ipv4&printit=0&x=66&y=16

Show me the INPUT rules, verbosely 

iptables -L INPUT -v

"ACCEPT" in this case says, "nothing interesting here", don't log.

On violet, you can log traffic to monitor it, or just use tcpdump 

iptables -F INPUT
iptables -A INPUT -i wg0 -j LOG
iptables -F OUTPUT
iptables -A OUTPUT -i wg0 -j LOG
tail -f /var/log/messages

or 

tcpdump -i wg0 -n


On tarra 

tcpdump -i wg0 -n

# Make packets coming in from the Internet get written to the right subnet
iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2

I think wireguard does this automatically 

ip route add 44.127.9.0/28 via 44.127.9.1

Firewall settings

apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx git

I had fail2ban installed already on both machines, which means that iptables was also installed already and could be the whole problem. My iptables skills are rusty.

"iptables -L" shows me that about 100 sites have been ssh banned. It also told me that FORWARD was DROP on w6gkd hmmm. 

iptables -A INPUT -p 4 -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
iptables -P FORWARD ACCEPT

# Drop various services we don't want running over the tunnel, mostly Microsoft stuff
iptables -A OUTPUT -o tun0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 5678 -j DROP 
# Drops destination unreachable replies to various probe responses saving bandwidth
iptables -A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP

# This prevents nested ipencap see https://ohiopacket.org/xrpi/docs/ipencap.htm
iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP
# This prevents a general loop
iptables -I FORWARD -i tun0 -o tun0 -j DROP
# Drops outbound unassigned IPs from looping though tunl0 via ipencap
# You must add accept rules under this line to make exceptions
# Drop traffic that does not have one of our 44 addresses on it.
iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP

# I don't think this will hurt anything but might no longer matter with current amprd 3.0
iptables -A OUTPUT -o ens3 -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP

Tarra server

Scripts are in /etc/wireguard/ to bring up connections including wg-all.sh

Restoring connections after rebooting is handled via systemd.

Run "systemctl start wg-all.service" to bring everything up and "systemctl stop wg-all.service" to stop everything. Check /var/log/daemon.log for messages.

To implement this I created two files, 

cd /lib/systemd/system
cat wg-all.target
[Unit]
Description=WireGuard Tunnels for Tarra

and 

cat wg-all.service 
[Unit]
Description=WireGuard via wg-all for TARRA
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-all.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/wireguard/wg-all.sh up
ExecStop=/etc/wireguard/wg-all.sh down

[Install]
WantedBy=multi-user.target
Retrieved from "https://wiki.wildsong.biz//index.php?title=Repeater_linking&oldid=13349"