OH7LZB AMPRNet OpenVPN Server
OH7LZB has set up an OpenVPN server in a well-connected and reliable Finnish data center that uses the 44net (AMPRNet) public IP address space. It provides a publicly routed 44net IP address over OpenVPN to licensed amateurs.
Authentication of licensed radio amateurs is automated using ARRL Logbook of The World (LoTW) digital certificates. If you are looking to learn how to set up your own server in a similar fashion, I have documented the process.
This service may be useful to hams who need another public (static) IP, or who are behind a connection where they cannot forward ports. It's pretty common for mobile internet providers (cellular/3G/4G) to provide neither a public IP nor any way to forward ports. This could be useful for IRLP, EchoLink, AllStar, and other ham radio server operators.
To get started, follow the client information here: http://wiki.ampr.org/index.php/AMPRNet_VPN
[root@kb9mwr openvpn]# openvpn client.conf
Fri Oct 16 12:18:07 2015 OpenVPN 2.2.2 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012
Fri Oct 16 12:18:07 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 16 12:18:07 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Oct 16 12:18:07 2015 WARNING: file 'client.key' is group or others accessible
Fri Oct 16 12:18:07 2015 LZO compression initialized
Fri Oct 16 12:18:07 2015 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Oct 16 12:18:07 2015 Socket Buffers: R=[110592->131072] S=[110592->131072]
Fri Oct 16 12:18:07 2015 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 16 12:18:07 2015 Local Options hash (VER=V4): '41690919'
Fri Oct 16 12:18:07 2015 Expected Remote Options hash (VER=V4): '530fdded'
Fri Oct 16 12:18:07 2015 UDPv4 link local (bound): [undef]:1194
Fri Oct 16 12:18:07 2015 UDPv4 link remote: 85.188.1.118:1773
Fri Oct 16 12:18:07 2015 TLS: Initial packet from 85.188.1.118:1773, sid=af8cd2e6 8b7e00df
Fri Oct 16 12:18:08 2015 VERIFY OK: depth=1, /O=AMPRnet/CN=OH7LZB_VPN_service_CA
Fri Oct 16 12:18:08 2015 VERIFY OK: depth=0, /CN=ampr-gw.he.fi
Fri Oct 16 12:18:10 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Oct 16 12:18:10 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:18:10 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Oct 16 12:18:10 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:18:10 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Oct 16 12:18:10 2015 [ampr-gw.he.fi] Peer Connection Initiated with 85.188.1.118:1773
Fri Oct 16 12:18:12 2015 SENT CONTROL [ampr-gw.he.fi]: 'PUSH_REQUEST' (status=1)
Fri Oct 16 12:18:12 2015 PUSH: Received control message: 'PUSH_REPLY,route 44.0.0.0 255.0.0.0,route 44.139.11.0 255.255.255.192,topology net30,ping 24,ping-restart 120,ifconfig 44.139.11.58 44.139.11.57'
Fri Oct 16 12:18:12 2015 OPTIONS IMPORT: timers and/or timeouts modified
Fri Oct 16 12:18:12 2015 OPTIONS IMPORT: --ifconfig/up options modified
Fri Oct 16 12:18:12 2015 OPTIONS IMPORT: route options modified
Fri Oct 16 12:18:12 2015 ROUTE default_gateway=192.168.1.1
Fri Oct 16 12:18:12 2015 TUN/TAP device tun0 opened
Fri Oct 16 12:18:12 2015 TUN/TAP TX queue length set to 100
Fri Oct 16 12:18:12 2015 /sbin/ip link set dev tun0 up mtu 1500
Fri Oct 16 12:18:12 2015 /sbin/ip addr add dev tun0 local 44.139.11.58 peer 44.139.11.57
Fri Oct 16 12:18:12 2015 /sbin/ip route add 44.0.0.0/8 via 44.139.11.57
Fri Oct 16 12:18:12 2015 /sbin/ip route add 44.139.11.0/26 via 44.139.11.57
Fri Oct 16 12:18:12 2015 Initialization Sequence Completed
[root@kb9mwr openvpn]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:44.139.11.58  P-t-P:44.139.11.57  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:48 (48.0 b)  TX bytes:0 (0.0 b)
Three lines in that log deserve attention before relying on the tunnel. The WARNING about no server certificate verification means client.conf has neither "remote-cert-tls server" nor the older "ns-cert-type server": the client only checks that the server's certificate chains to OH7LZB_VPN_service_CA, so any other certificate issued by that CA would be accepted as the server, which is the man-in-the-middle case the linked howto describes. Add "remote-cert-tls server" to client.conf. The WARNING that client.key is group or others accessible is fixed with chmod 600 client.key. Finally, the data channel came up as BF-CBC with SHA1 HMAC, the OpenVPN 2.2 default when no "cipher" line is set; Blowfish is a 64-bit block cipher (the SWEET32 birthday attack applies to it), and the fix is an AES cipher such as "cipher AES-256-CBC", which on this OpenVPN version must be configured identically on both ends and so needs the server operator's cooperation.
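As an added check written for this page (it is not part of OH7LZB's service or the wiki instructions), the following POSIX shell script audits a client.conf for the three conditions the log above warns about: missing server certificate verification, a 64-bit block cipher (or no cipher line, which on 2.2 means BF-CBC), and a private key readable by group or others. The sample configurations it creates are constructed for the example; the only address reused is the server endpoint from the log.

```shell
#!/bin/sh
# Added example (not from the original page or OH7LZB's service): audit an
# OpenVPN client.conf for the three problems the client log above warns
# about. Option names are standard OpenVPN ones; the sample configs created
# by setup_samples are constructed for this example (the remote is the
# address shown in the log).

# Print one finding per line; return 0 if clean, 1 if anything was found.
audit_openvpn_client_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    dir=$(dirname "$conf")
    n=0

    # 1. "No server certificate verification method has been enabled":
    #    without one, any certificate issued by the same CA is accepted
    #    as the server (the MITM case in the OpenVPN howto).
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|verify-x509-name|ns-cert-type[[:space:]]+server|tls-remote)' "$conf"; then
        echo "MISSING: no server certificate check (add 'remote-cert-tls server')"
        n=$((n + 1))
    fi

    # 2. Data-channel cipher. BF-CBC (the default when 'cipher' is absent in
    #    OpenVPN 2.2, as in the log) is a 64-bit block cipher; use AES.
    cipher=$(awk '$1 == "cipher" { print toupper($2) }' "$conf" | tail -n 1)
    case "${cipher:-BF-CBC}" in
        BF-*|DES-*|DESX-*|CAST5-*|RC2-*)
            echo "WEAK: 64-bit block cipher ${cipher:-BF-CBC (implicit default)} (set cipher AES-256-CBC, or AES-256-GCM on 2.4+)"
            n=$((n + 1)) ;;
    esac

    # 3. "file 'client.key' is group or others accessible": the private key
    #    must be mode 600. Group/other bits are columns 5-10 of ls -l output.
    key=$(awk '$1 == "key" { print $2 }' "$conf" | tail -n 1)
    if [ -n "$key" ]; then
        case "$key" in /*) ;; *) key=$dir/$key ;; esac
        if [ -e "$key" ]; then
            case "$(ls -ld "$key" | cut -c5-10)" in
                ------) ;;
                *) echo "PERMS: $key is group/other accessible (chmod 600 '$key')"
                   n=$((n + 1)) ;;
            esac
        fi
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample configs: one like the client in the log (no server
# check, no cipher line, world-readable key) and a hardened one.
# Prints the temporary directory that holds them.
setup_samples() {
    d=$(mktemp -d)
    mkdir "$d/weak" "$d/hardened"
    printf '%s\n' client 'dev tun' 'remote 85.188.1.118 1773' 'ca ca.crt' \
        'cert client.crt' 'key client.key' comp-lzo > "$d/weak/client.conf"
    printf '%s\n' client 'dev tun' 'remote 85.188.1.118 1773' 'ca ca.crt' \
        'cert client.crt' 'key client.key' 'remote-cert-tls server' \
        'cipher AES-256-CBC' 'auth SHA256' > "$d/hardened/client.conf"
    : > "$d/weak/client.key";     chmod 644 "$d/weak/client.key"
    : > "$d/hardened/client.key"; chmod 600 "$d/hardened/client.key"
    echo "$d"
}

# Usage: sh audit-client-conf.sh /etc/openvpn/client.conf
if [ -n "${1:-}" ]; then
    audit_openvpn_client_conf "$1"
fi
```

Run it against the real client.conf before the first connection; an empty result and a zero exit status mean none of the three warnings should appear in the log.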
You will note his OpenVPN server pushes a split tunnel configuration: only 44.0.0.0/8 and the client subnet 44.139.11.0/26 are routed via the tunnel (the two route lines in the PUSH_REPLY above), as the service is primarily for access to the 44net/AMPRNet. Everything else keeps going out through your provider's default gateway (192.168.1.1 in the log). That is a problem if you want the 44net address to be the source of all your outbound traffic. You can override it on the client with three routes: first a host route that keeps the VPN endpoint itself reachable via the LAN gateway (otherwise the encapsulated packets would be routed into the tunnel they carry), then the two halves of the IPv4 address space via the tunnel peer, which are more specific than the existing default route and so take precedence without it having to be deleted:
/sbin/ip route add 85.188.1.118/32 via 192.168.1.1
/sbin/ip route add 0.0.0.0/1 via 44.139.11.57
/sbin/ip route add 128.0.0.0/1 via 44.139.11.57
Both /1 routes are needed; 0.0.0.0/1 on its own only covers 0.0.0.0 through 127.255.255.255, and any destination above that would still bypass the tunnel. This is exactly what the client option "redirect-gateway def1" does, so it can go in client.conf instead of being typed by hand. Whether the gateway forwards (or NATs) traffic for destinations outside 44/8 is up to the server operator, so check with a traceroute to a non-44 address after adding the routes.
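An added example, not from the original page or OH7LZB's service, that builds the full set of routes for overriding the split tunnel and either applies them or, with DRYRUN=1, prints them so they can be checked without root or a live tun0. The addresses it uses by default are the ones from the log above (85.188.1.118 for the VPN endpoint, 192.168.1.1 for the LAN gateway, 44.139.11.57 for the tunnel peer); the environment variable names VPN_SERVER, TUN_PEER and DRYRUN are this script's own. The helper which_half shows why a single 0.0.0.0/1 route is not enough.

```shell
#!/bin/sh
# Added example (not from the original page or OH7LZB's service): full-tunnel
# override for the pushed split-tunnel config. Default addresses are taken
# from the client log above; VPN_SERVER, TUN_PEER and DRYRUN are names
# invented for this script.
#
# The "def1" trick: instead of replacing the provider's default route, add two
# /1 routes that together cover all of IPv4 and are more specific than 0/0.
# A /32 host route to the VPN endpoint via the LAN gateway must go in first,
# otherwise the encapsulated UDP packets would be routed into the tunnel.

# Run a command, or just print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Which of the two /1 halves an IPv4 address falls into. Shows why the
# single route 0.0.0.0/1 is not enough: every address with a first octet
# of 128 or above would still leave via the provider's gateway.
which_half() {
    first=${1%%.*}
    if [ "$first" -lt 128 ]; then
        echo 0.0.0.0/1
    else
        echo 128.0.0.0/1
    fi
}

# Args: vpn-server-ip lan-gateway tun-peer
full_tunnel_routes() {
    server=$1; gw=$2; peer=$3
    run ip route add "$server/32" via "$gw"     # keep the VPN endpoint on the LAN
    run ip route add 0.0.0.0/1 via "$peer"      # 0.0.0.0   - 127.255.255.255
    run ip route add 128.0.0.0/1 via "$peer"    # 128.0.0.0 - 255.255.255.255
}

# Reverse of the above, in reverse order, so the tunnel can be torn down cleanly.
full_tunnel_routes_undo() {
    server=$1; gw=$2; peer=$3
    run ip route del 128.0.0.0/1 via "$peer"
    run ip route del 0.0.0.0/1 via "$peer"
    run ip route del "$server/32" via "$gw"
}

# Stand-alone usage; the LAN gateway is read from the current default route
# rather than hard-coded, the tunnel peer defaults to the one from the log:
#   VPN_SERVER=85.188.1.118 DRYRUN=1 sh full-tunnel.sh        (print only)
#   VPN_SERVER=85.188.1.118 sudo -E sh full-tunnel.sh         (apply)
#   VPN_SERVER=85.188.1.118 sudo -E sh full-tunnel.sh undo    (remove)
if [ -n "${VPN_SERVER:-}" ]; then
    gw=$(ip route show default | awk '/default via/ { print $3; exit }')
    case "${1:-}" in
        undo) full_tunnel_routes_undo "$VPN_SERVER" "$gw" "${TUN_PEER:-44.139.11.57}" ;;
        *)    full_tunnel_routes      "$VPN_SERVER" "$gw" "${TUN_PEER:-44.139.11.57}" ;;
    esac
fi
```

Note that the VPN endpoint 85.188.1.118 itself sits in the lower half (0.0.0.0/1), which is why the host route has to be added before the /1 routes: without it the tunnel's own packets would be sent into the tunnel and the session would stall.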