Repeater linking
I am testing configurations for TARRA, the Teton Amateur Radio Repeater Association in Wyoming.
AllStarLink
Status: running ASL, Echolink, SIP phones are working. Looking at USB soundcard now.
AllStarLink (https://allstarlink.org) is a fork of Asterisk Henceforth "ASL". Follow the link, I won't copy content here.
For TARRA we will be running ASL at each repeater and linking them over Internet connections via cellular modems. That's the idea anyway. Not even a "plan" at this point. Brian has to learn repeaters and Mick has to learn Asterisk.
Maybe I can set up ASL here at my house with a Pi 4 and a handheld and Echolink? Worth a try as a starting point.
I will try the SD card with a Pi 3 Violet.
I downloaded their complete Pi image v 1.0.1. I could not install it because the IMG file was the wrong size. I downloaded beta 6 of version 2. It installed. It boots. I have it on Ethernet right now. HDMI does not work, so I unplugged the monitor and keyboard. Checking Wenda to see what the IP address it pulled is. Log in as repeater/allstarlink and run asl-menu. ssh repeater@violet -- works -- fancy!
Network settings
Edited /etc/wpa_supplicant.conf file to enabled WiFi, just in case I need it later.
(From asl-menu) I set the machine to be violet.w6gkd.radio, and left it on DHCP (the address is fixed in the DHCP server on Wenda).
I set the timezone.
Echolink
On page 2, I need to set up echolink. According to the Echolink page, you get a node number assigned automatically so I don't know why they have this?
For echolink I had to open firewall ports 5198-5199 on my EdgeRouter and set forwarding to the Pi.
I had to validate the connection at https://echolink.org/validation
AllMon2
AllMon2 is the web site, you have to set up a password to use it.
ssh violet /var/www/html/allmon sudo htpasswd -cB .htpasswd admin
USB sound
Startech sound card from Newegg. I paid $24, now they want $30, pretty sure I already overpaid so I don't think I'd get another one of these.
I have it plugged in already and it shows up in lsusb as
Bus 001 Device 004: ID 0d8c:000c C-Media Electronics, Inc. Audio Adapter
SIP phones
First I need to make sure SIP is enabled in Asterisk.
sudo asterisk -r module show
and... it's not.
module load chan_sip
I can set it to load it at start up by editing /etc/asterisk/modules.conf. I enabled chan_sip. chan_sip is deprecated but this is ASL not a PBX. chan_sip was very easy to set up compared to chan_pjsip.
I don't have any SIP phones right now but I have several Android smartphones. Supposedly the Android phone app can do SIP, but not on my phones. See https://wiki.ezuce.com/display/sipXcom/Android+Integrated+SIP+Calling
I installed the Grandstream app, "GS Wave".
I set up two phones, two extensions in Asterisk, and I can dial from one to the other over Wifi.
Network routing and Wireguard
Goal here is to route our 44 subnet to the repeaters. The repeaters can be on any service provider so we need to accommodate that.
I spent too much time researching ipip and gre tunnels and gave up and came back to Wireguard. There might or might not be firewalls and NAT on some nodes, and certainly that is the case here at home.
Regarding IPIP and GRE though the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel I got a tunnel running between two VPSs, tarra and w6gkd but I don't need a setup like that.
So Wireguard it is.
Instructions for setting up a Raspberry Pi as a client Wireguard client set up
Install it,
sudo apt-get install wireguard -y
Instructions and download are available from https://upcloud.com/community/tutorials/get-started-wireguard-vpn/
For the ERX router, https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway
Test setup
I am using a Pi3 and a VPS for testing right now, using the official image based on Debian.
Violet is the pi3, on my Spectrum broadband behind a Ubiquiti router.
TARRA is the VPS, at VULTR.
/etc/wireguard/wg0.conf is the config at each end
Bring up connection
wg-quick up wg0
Test connection
Shut down connection
wg-quick down wg0
Show me the INPUT rules, verbosely
iptables -L INPUT -v
"ACCEPT" in this case says, "nothing interesting here", don't log.
On violet, you can log traffic to monitor it, or just use tcpdump
iptables -F INPUT iptables -A INPUT -i wg0 -j LOG iptables -F OUTPUT iptables -A OUTPUT -i wg0 -j LOG tail -f /var/log/messages
or
tcpdump -i wg0 -n
On tarra
tcpdump -i wg0 -n
# Make packets coming in from the Internet get written to the right subnet iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2
I think wireguard does this automatically
ip route add 44.127.9.0/28 via 44.127.9.1
Firewall settings
apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx git
I had fail2ban installed already on both machines, which means that iptables was also installed already and could be the whole problem. My iptables skills are rusty.
"iptables -L" shows me that about 100 sites have been ssh banned. It also told me that FORWARD was DROP on w6gkd hmmm.
iptables -A INPUT -p 4 -j ACCEPT iptables -A INPUT -p udp --dport 520 -j ACCEPT iptables -P FORWARD ACCEPT # Drop various services we don't want running over the tunnel, mostly Microsoft stuff iptables -A OUTPUT -o tun0 -p udp --dport 10001 -j DROP iptables -A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP iptables -A OUTPUT -o tun0 -p udp --dport 5678 -j DROP # Drops destination unreachable replies to various probe responses saving bandwidth iptables -A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP # This prevents nested ipencap see https://ohiopacket.org/xrpi/docs/ipencap.htm iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP # This prevents a general loop iptables -I FORWARD -i tun0 -o tun0 -j DROP # Drops outbound unassigned IPs from looping though tunl0 via ipencap # You must add accept rules under this line to make exceptions # Drop traffic that does not have one of our 44 addresses on it. iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP
# I don't think this will hurt anything but might no longer matter with current amprd 3.0 iptables -A OUTPUT -o ens3 -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
Tarra server
Scripts are in /etc/wireguard/ to bring up connections including wg-all.sh
Restoring connections after rebooting is handled via systemd.
Run "systemctl start wg-all.service" to bring everything up and "systemctl stop wg-all.service" to stop everything. Check /var/log/daemon.log for messages.
To implement this I created two files,
cd /lib/systemd/system cat wg-all.target [Unit] Description=WireGuard Tunnels for Tarra
and
cat wg-all.service [Unit] Description=WireGuard via wg-all for TARRA After=network-online.target nss-lookup.target Wants=network-online.target nss-lookup.target PartOf=wg-all.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/etc/wireguard/wg-all.sh up ExecStop=/etc/wireguard/wg-all.sh down [Install] WantedBy=multi-user.target