Repeater linking
I am testing configurations for TARRA, the Teton Amateur Radio Repeater Association in Wyoming.
AllStarLink
AllStarLink (https://allstarlink.org) is a fork of Asterisk Henceforth "ASL". Follow the link, I won't copy content here.
For TARRA we will be running ASL at each repeater and linking them over Internet connections via cellular modems. That's the idea anyway. Not even a "plan" at this point. Brian has to learn repeaters and Mick has to learn Asterisk.
Maybe I can set up ASL here at my house with a Pi 4 and a handheld and Echolink? Worth a try as a starting point.
I will try the SD card with a Pi 3 Violet.
I downloaded their complete Pi image v 1.0.1. I could not install it because the IMG file was the wrong size. I downloaded beta 6 of version 2. It installed. It boots. I have it on Ethernet right now. HDMI does not work, so I unplugged the monitor and keyboard. I wonder what DHCP address it found? Checking Wenda; got it. Log in as repeater/allstarlink and run asl-menu. ssh repeater@violet -- works -- fancy! I set up a wpa_supplicant.conf file to enabled WiFi.
I am in asl-menu now. I set the machine to be violet.w6gkd.radio, and left it on DHCP. I set the timezone. On page 2, I need echolink settings. According to the Echolink page, you get a node number assigned automatically so I don't know why they have this?
For echolink I had to open ports 5198-5199 on my EdgeRouter and forward traffic to the Pi. To get Echolink going, go to https://echolink.org/validation
AllMon2
AllMon2 is the web site, you have to set up a password to use it.
ssh violet /var/www/html/allmon sudo htpasswd -cB .htpasswd admin
SIP phones
I don't own any SIP phones right now and I just want to start testing ASL.
First I need to make sure it's enabled in asterisk.
sudo asterisk -r module show
and... it's not. :-(
module load chan_sip
works, that's hopeful. I should be able to load it at start by editing /etc/asterisk/modules.conf. I enabled chan_sip. chan_sip is deprecated but so what this is ASL not a PBX. chan_sip was very easy to set up compared to chan_pjsip. I wonder if I have a sample file stashed? Na. Not a real sample, just the 1000 line ones that come with the source code. I think I need ATFOT ("Asterisk, The Future of Telephony") or that fun hacker book that O'Reilly did?
I have several Android smartphones though, and the standard phone app on those is capable of doing SIP. See https://wiki.ezuce.com/display/sipXcom/Android+Integrated+SIP+Calling
Network routing and Wireguard
Goal here is to route our 44 subnet to the repeaters. The repeaters can be on any service provider so we need to accommodate that.
I spent too much time researching ipip and gre tunnels and gave up and came back to Wireguard. There might or might not be firewalls and NAT on some nodes, and certainly that is the case here at home.
Regarding IPIP and GRE though the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel I got a tunnel running between two VPSs, tarra and w6gkd but I don't need a setup like that.
So Wireguard it is.
Instructions for setting up a Raspberry Pi as a client Wireguard client set up
Install it,
sudo apt-get install wireguard -y
Instructions and download are available from https://upcloud.com/community/tutorials/get-started-wireguard-vpn/
For the ERX router, https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway
Test setup
I am using a Pi3 and a VPS for testing right now, using the official image based on Debian.
Violet is the pi3, on my Spectrum broadband behind a Ubiquiti router.
TARRA is the VPS, at VULTR.
/etc/wireguard/wg0.conf is the config at each end
Bring up connection
wg-quick up wg0
Test connection
Shut down connection
wg-quick down wg0
Show me the INPUT rules, verbosely
iptables -L INPUT -v
"ACCEPT" in this case says, "nothing interesting here", don't log.
On violet, you can log traffic to monitor it, or just use tcpdump
iptables -F INPUT iptables -A INPUT -i wg0 -j LOG iptables -F OUTPUT iptables -A OUTPUT -i wg0 -j LOG tail -f /var/log/messages
or
tcpdump -i wg0 -n
On tarra
tcpdump -i wg0 -n
# Make packets coming in from the Internet get written to the right subnet iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2
I think wireguard does this automatically
ip route add 44.127.9.0/28 via 44.127.9.1
Firewall settings
apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx git
I had fail2ban installed already on both machines, which means that iptables was also installed already and could be the whole problem. My iptables skills are rusty.
"iptables -L" shows me that about 100 sites have been ssh banned. It also told me that FORWARD was DROP on w6gkd hmmm.
iptables -A INPUT -p 4 -j ACCEPT iptables -A INPUT -p udp --dport 520 -j ACCEPT iptables -P FORWARD ACCEPT # Drop various services we don't want running over the tunnel, mostly Microsoft stuff iptables -A OUTPUT -o tun0 -p udp --dport 10001 -j DROP iptables -A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP iptables -A OUTPUT -o tun0 -p udp --dport 5678 -j DROP # Drops destination unreachable replies to various probe responses saving bandwidth iptables -A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP # This prevents nested ipencap see https://ohiopacket.org/xrpi/docs/ipencap.htm iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP # This prevents a general loop iptables -I FORWARD -i tun0 -o tun0 -j DROP # Drops outbound unassigned IPs from looping though tunl0 via ipencap # You must add accept rules under this line to make exceptions # Drop traffic that does not have one of our 44 addresses on it. iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP
# I don't think this will hurt anything but might no longer matter with current amprd 3.0 iptables -A OUTPUT -o ens3 -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
Tarra server
Scripts are in /etc/wireguard/ to bring up connections including wg-all.sh
Restoring connections after rebooting is handled via systemd.
Run "systemctl start wg-all.service" to bring everything up and "systemctl stop wg-all.service" to stop everything. Check /var/log/daemon.log for messages.
To implement this I created two files,
cd /lib/systemd/system cat wg-all.target [Unit] Description=WireGuard Tunnels for Tarra
and
cat wg-all.service [Unit] Description=WireGuard via wg-all for TARRA After=network-online.target nss-lookup.target Wants=network-online.target nss-lookup.target PartOf=wg-all.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/etc/wireguard/wg-all.sh up ExecStop=/etc/wireguard/wg-all.sh down [Install] WantedBy=multi-user.target