Repeater linking: Difference between revisions

From Wildsong
Jump to navigationJump to search
← Older editNewer edit →
VisualWikitext
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,540 edits
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,540 edits
Line 23: Line 23:
For echolink I had to open ports 5198-5199 on my EdgeRouter and forward traffic to the Pi.
For echolink I had to open ports 5198-5199 on my EdgeRouter and forward traffic to the Pi.
To get Echolink going, go to https://echolink.org/validation
To get Echolink going, go to https://echolink.org/validation
=== AllMon2 ===
AllMon2 is the web site, you have to set up a password to use it.
ssh violet
/var/www/html/allmon
sudo htpasswd -cB .htpasswd admin


=== SIP phones ===
=== SIP phones ===

Revision as of 16:55, 29 May 2022

I am testing configurations for TARRA, the Teton Amateur Radio Repeater Association in Wyoming.

AllStarLink

AllStarLink (https://allstarlink.org) is a fork of Asterisk Henceforth "ASL". Follow the link, I won't copy content here.

For TARRA we will be running ASL at each repeater and linking them over Internet connections via cellular modems. That's the idea anyway. Not even a "plan" at this point. Brian has to learn repeaters and Mick has to learn Asterisk.

Maybe I can set up ASL here at my house with a Pi 4 and a handheld and Echolink? Worth a try as a starting point.

I will try the SD card with a Pi 3 Violet.

I downloaded their complete Pi image v 1.0.1. I could not install it because the IMG file was the wrong size. I downloaded beta 6 of version 2. It installed. It boots. I have it on Ethernet right now. HDMI does not work, so I unplugged the monitor and keyboard. I wonder what DHCP address it found? Checking Wenda; got it. Log in as repeater/allstarlink and run asl-menu. ssh repeater@violet -- works -- fancy! I set up a wpa_supplicant.conf file to enabled WiFi.

I am in asl-menu now. I set the machine to be violet.w6gkd.radio, and left it on DHCP. I set the timezone. On page 2, I need echolink settings. According to the Echolink page, you get a node number assigned automatically so I don't know why they have this?

For echolink I had to open ports 5198-5199 on my EdgeRouter and forward traffic to the Pi. To get Echolink going, go to https://echolink.org/validation

AllMon2

AllMon2 is the web site, you have to set up a password to use it. 

ssh violet
/var/www/html/allmon
sudo htpasswd -cB .htpasswd admin

SIP phones

I don't own any SIP phones right now and I just want to start testing ASL.

First I need to make sure it's enabled in asterisk. 

sudo asterisk -r
module show

and... it's not. :-( 

module load chan_sip

works, that's hopeful. I should be able to load it at start by editing /etc/asterisk/modules.conf. I enabled chan_sip. chan_sip is deprecated but so what this is ASL not a PBX. chan_sip was very easy to set up compared to chan_pjsip. I wonder if I have a sample file stashed? Na. Not a real sample, just the 1000 line ones that come with the source code. I think I need ATFOT ("Asterisk, The Future of Telephony") or that fun hacker book that O'Reilly did?

I have several Android smartphones though, and the standard phone app on those is capable of doing SIP. See https://wiki.ezuce.com/display/sipXcom/Android+Integrated+SIP+Calling

Network routing and Wireguard

Goal here is to route our 44 subnet to the repeaters. The repeaters can be on any service provider so we need to accommodate that.

I spent too much time researching ipip and gre tunnels and gave up and came back to Wireguard. There might or might not be firewalls and NAT on some nodes, and certainly that is the case here at home.

Regarding IPIP and GRE though the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel I got a tunnel running between two VPSs, tarra and w6gkd but I don't need a setup like that.

So Wireguard it is.

Instructions for setting up a Raspberry Pi as a client Wireguard client set up

Install it, 

sudo apt-get install wireguard -y

Instructions and download are available from https://upcloud.com/community/tutorials/get-started-wireguard-vpn/

For the ERX router, https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway

Test setup

I am using a Pi3 and a VPS for testing right now, using the official image based on Debian.

Violet is the pi3, on my Spectrum broadband behind a Ubiquiti router.

TARRA is the VPS, at VULTR.

/etc/wireguard/wg0.conf is the config at each end

Bring up connection 

wg-quick up wg0

Test connection

Shut down connection 

wg-quick down wg0

Subnets https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=28&cip=44.127.9.0&ctype=ipv4&printit=0&x=66&y=16

Show me the INPUT rules, verbosely 

iptables -L INPUT -v

"ACCEPT" in this case says, "nothing interesting here", don't log.

On violet, you can log traffic to monitor it, or just use tcpdump 

iptables -F INPUT
iptables -A INPUT -i wg0 -j LOG
iptables -F OUTPUT
iptables -A OUTPUT -i wg0 -j LOG
tail -f /var/log/messages

or 

tcpdump -i wg0 -n


On tarra 

tcpdump -i wg0 -n

# Make packets coming in from the Internet get written to the right subnet
iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2

I think wireguard does this automatically 

ip route add 44.127.9.0/28 via 44.127.9.1

Firewall settings

apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx git

I had fail2ban installed already on both machines, which means that iptables was also installed already and could be the whole problem. My iptables skills are rusty.

"iptables -L" shows me that about 100 sites have been ssh banned. It also told me that FORWARD was DROP on w6gkd hmmm. 

iptables -A INPUT -p 4 -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
iptables -P FORWARD ACCEPT

# Drop various services we don't want running over the tunnel, mostly Microsoft stuff
iptables -A OUTPUT -o tun0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 5678 -j DROP 
# Drops destination unreachable replies to various probe responses saving bandwidth
iptables -A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP

# This prevents nested ipencap see https://ohiopacket.org/xrpi/docs/ipencap.htm
iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP
# This prevents a general loop
iptables -I FORWARD -i tun0 -o tun0 -j DROP
# Drops outbound unassigned IPs from looping though tunl0 via ipencap
# You must add accept rules under this line to make exceptions
# Drop traffic that does not have one of our 44 addresses on it.
iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP

# I don't think this will hurt anything but might no longer matter with current amprd 3.0
iptables -A OUTPUT -o ens3 -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP

Tarra server

Scripts are in /etc/wireguard/ to bring up connections including wg-all.sh

Restoring connections after rebooting is handled via systemd.

Run "systemctl start wg-all.service" to bring everything up and "systemctl stop wg-all.service" to stop everything. Check /var/log/daemon.log for messages.

To implement this I created two files, 

cd /lib/systemd/system
cat wg-all.target
[Unit]
Description=WireGuard Tunnels for Tarra

and 

cat wg-all.service 
[Unit]
Description=WireGuard via wg-all for TARRA
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-all.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/wireguard/wg-all.sh up
ExecStop=/etc/wireguard/wg-all.sh down

[Install]
WantedBy=multi-user.target
Retrieved from "https://wiki.wildsong.biz//index.php?title=Repeater_linking&oldid=13343"