Remote Operation of a Portable Station - Part 2: The Fixed Location

Configuring the Fixed Location


N.B. The current status of the project is that wfview does not provide a reliable link, because it is intolerant of delayed or out-of-sequence UDP packets. Although the remainder of the project is described using wfview, this may not be the ideal solution.

Part 2 follows on from Part 1, and describes the configuration of the Fixed Station, i.e. the "middle man" in the overall design:



Hardware

The hardware configuration couldn't be simpler:


Any configuration of Pi can be used. I am using the most basic model: a Pi Zero (not even a "W"). It is connected (actually via a USB ethernet dongle) to an ethernet port on my home router, which in turn is connected to the public internet.

Router Configuration

My home LAN operates in the 192.168.0.0/24 private address space. Yours may vary, of course! The router's address is 192.168.0.1.

I have assigned the Pi a fixed address of 192.168.0.2. This assignment is configured in the router. I won't describe how to do this in any detail, because all routers are different.

In order to establish an incoming connection from the internet, I have subscribed to a Dynamic DNS service. The one I use is here: https://www.noip.com/, and the basic service is free. This means I have a public domain name which I will refer to as mydomain.no-ip.biz - not my actual domain name!

My router has a Dynamic DNS client, which is configured to keep mydomain.no-ip.biz refreshed.

So the domain and IP addressing looks like this:


Port forwarding will be covered later.

Wireguard Configuration

I followed the very detailed instructions here, which I won't bother duplicating: https://sigmdel.ca/michel/ha/wireguard/wireguard_02_en.html

Here are some additional notes that I made along the way.
  • iptables was missing on my Pi, so it needs to be added: sudo apt install iptables
  • Of course, I adapted the IP addresses to my network: 192.168.0.x
  • For the VPN IP addresses, I used the same range as in the instructions: 192.168.99.x
  • The "_SERVER_LISTEN" address is, of course, mydomain.no-ip.biz
  • I noticed that the client.conf and client.all.conf files are identical. Perhaps I made a mistake somewhere. Anyway, it doesn't matter because either will work for our purposes.
  • At first my VPN clients were not finding a DNS, until I added the following line to the [Interface] section of client.conf:
    DNS = 8.8.8.8, 8.8.4.4
    (In retrospect, it would make sense to add this to the template: client.conf.tpl)
Following successful configuration of Wireguard, I now had a running VPN server, and a client.conf file that can be transferred to the portable station. I renamed this "G0XXX.conf" (not the actual callsign). The file contains the client's WireGuard private key, so move it with scp or a USB stick rather than by e-mail, and remove any spare copies from the Pi once the portable station has it.

When Wireguard is started with wg-quick, the PostUp line in /etc/wireguard/wg0.conf adds the following entries to iptables (and the matching PostDown line removes them again when the interface is brought down):

iptables -A FORWARD -i wg0 -j ACCEPT

iptables -A FORWARD -o wg0 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


iptables Configuration

The VPN link from the Portable Station arrives at the Pi at the Fixed location on 192.168.99.3. The Remote Station's incoming connection arrives at the Pi on 192.168.0.2. 




The challenge now is to connect together these two loose ends, so that UDP traffic on ports 50001, 50002 and 50003 can pass between them. This "glue" is provided by iptables entries, as follows:

iptables -t nat -A PREROUTING -p udp -i eth0 --dport 50001 -j DNAT --to-destination 192.168.99.3:50001
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 50002 -j DNAT --to-destination 192.168.99.3:50002
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 50003 -j DNAT --to-destination 192.168.99.3:50003
iptables -A FORWARD -p udp -d 192.168.99.3 --dport 50001 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.99.3 --dport 50002 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.99.3 --dport 50003 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

These commands need to be run as root, so either start with "sudo su -", or put "sudo" in front of every command.

Note that the last entry is identical to one already created by Wireguard, so it can be omitted (adding it again just leaves a duplicate in the nat table).

Two further points worth knowing. First, the three FORWARD rules are appended after Wireguard's blanket "-o wg0 -j ACCEPT" rule, which already accepts the DNATed packets, so they document the intent rather than restrict anything; with the FORWARD policy at ACCEPT nothing is being dropped either way. Second, the PREROUTING rules accept UDP from any address on the internet, because that is the only way to reach a remote operator whose address changes; if the operator does have a fixed public address, add "-s <that address>" to the DNAT rules so that nobody else can reach the wfview ports.
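The following script is an added example of my own, not the author's, and not part of the sigmdel instructions. It generates the DNAT/FORWARD "glue" above from a few variables, checks each rule with "iptables -C" before appending it (so it can be re-run safely), prints the matching delete commands, and can also emit the rules as PostUp/PostDown lines for the [Interface] section of /etc/wireguard/wg0.conf, as an alternative to iptables-persistent. Defaults match the page (eth0, wg0, 192.168.99.3, ports 50001-50003). Differences from the rules on the page, all of which are my choices: the FORWARD rule is tied to "-i eth0 -o wg0", "-m conntrack --ctstate" is used instead of the older "-m state --state" spelling, and the optional REMOTE_SRC variable (the remote operator's public address, not something the page uses) restricts the rules to one source when set.

```shell
#!/bin/sh
# Added example (not the blog author's script): generate, check and apply the
# iptables glue for the Fixed Station, and emit PostUp/PostDown lines for wg0.conf.
# Defaults match the page; REMOTE_SRC is an assumed optional extra.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # interface towards the home router
VPN_IF="${VPN_IF:-wg0}"                # WireGuard interface
VPN_PEER="${VPN_PEER:-192.168.99.3}"   # portable station's VPN address
PORTS="${PORTS:-50001 50002 50003}"    # wfview UDP ports
REMOTE_SRC="${REMOTE_SRC:-}"           # e.g. 203.0.113.5/32 (assumed); empty = any source

# Print one iptables command per line. $1 is -A (append), -D (delete) or -C (check).
glue_rules() {
    action="$1"
    src=""
    if [ -n "$REMOTE_SRC" ]; then
        src="-s $REMOTE_SRC "
    fi
    for p in $PORTS; do
        printf 'iptables -t nat %s PREROUTING -p udp -i %s %s--dport %s -j DNAT --to-destination %s:%s\n' \
            "$action" "$WAN_IF" "$src" "$p" "$VPN_PEER" "$p"
        printf 'iptables %s FORWARD -p udp -i %s -o %s %s-d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
            "$action" "$WAN_IF" "$VPN_IF" "$src" "$VPN_PEER" "$p"
    done
}

# Append each rule unless it is already present (iptables -C exits 0 when it is).
# Must be run as root.
apply_glue() {
    glue_rules -A | while read -r cmd; do
        check=$(printf '%s\n' "$cmd" | sed 's/ -A / -C /')
        if $check >/dev/null 2>&1; then
            echo "already present: $cmd"
        else
            $cmd
            echo "added: $cmd"
        fi
    done
}

# Delete the rules again; ignore ones that are not there.
remove_glue() {
    glue_rules -D | while read -r cmd; do
        $cmd >/dev/null 2>&1 || true
    done
}

# Emit the rules as PostUp/PostDown lines so they live and die with wg0
# (paste into the [Interface] section of /etc/wireguard/wg0.conf).
wg_conf_lines() {
    glue_rules -A | sed 's/^/PostUp = /'
    glue_rules -D | sed 's/^/PostDown = /'
}

case "${1:-show}" in
    show)   glue_rules -A ;;
    apply)  apply_glue ;;
    remove) remove_glue ;;
    wgconf) wg_conf_lines ;;
    *)      echo "usage: $0 {show|apply|remove|wgconf}" >&2 ;;
esac
```

Run "sh glue.sh show" to see what would be added, "sudo sh glue.sh apply" to add it, and "sh glue.sh wgconf" to get the PostUp/PostDown lines. If you use the wg0.conf route, do not also save the rules with iptables-persistent, or they will be present twice after a reboot. The FORWARD rules still end up after Wireguard's own blanket accept, exactly as on the page; they only become a real restriction if you change the FORWARD policy to DROP.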

iptables should now look like this (note that "-L" shows only the filter table; run "sudo iptables -t nat -L -v" to see the DNAT and MASQUERADE entries as well):

pi@raspberrypi:~ $ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  wg0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    wg0     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             192.168.99.3         udp dpt:50001 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  any    any     anywhere             192.168.99.3         udp dpt:50002 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  any    any     anywhere             192.168.99.3         udp dpt:50003 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Finally, these rules need to be made "persistent", so that they survive a reboot. There are several ways to do this, but I used the iptables-persistent package:

pi@raspberrypi:~ $ sudo apt-get install iptables-persistent


The installation script for this package offers to save the current iptables entries. So, assuming you have Wireguard running and the other iptables entries in place, say "Yes" to the prompt when it asks whether you wish to save the current IPv4 entries (I answered "No" for IPv6). The saved rules end up in /etc/iptables/rules.v4; if you change the rules later, save them again with "sudo netfilter-persistent save", otherwise the old set comes back at the next reboot.

Reboot, and run "sudo iptables -L -v" and "sudo iptables -t nat -L -v" again to confirm that the entries are still as shown above. Also run "sudo wg" to confirm that the VPN is running and that the portable station's peer shows a recent handshake once it has connected.

Router Configuration

The detailed instructions will depend on your router, but the following port forwarding entries are needed:
  • UDP port 51820 to 192.168.0.2 (needed for Wireguard. Can be changed if you chose a different port number)
  • UDP ports 50001-50003 to 192.168.0.2 (needed for wfview. If your router does not accept a range, create these as three separate entries)
The two forwards are not equally exposed: Wireguard silently ignores packets that do not carry a valid handshake from a configured peer, whereas anything sent to 50001-50003 is passed straight through to the portable station, so these are the ports to restrict by source address if your router (or the iptables rules above) allows it.

In Part 3 we will look at the configuration of the Remote Operator's station, and complete the project.
