
Internet Gateway

n5mdt
Internet Gateway

I know that if you tick the box for a node to act as an internet gateway then anyone that connects to any node on the mesh will then be given internet access through that node, or a best calculated route to the best gateway when more than one node is a gateway.

But... what I want to do is slightly different.

I want to set up a portable node at a remote site (irrelevant) with a laptop connected. Then, through some protocol, that one and only laptop gets internet access somehow.



Possibility? I have a node at home with the proper switch connected to the internet. A wireless router on the switch so that anyone that connects to that wireless router gets internet access over the vlan through the node, to the internet.

On one computer connected to the wireless router I have an inbound vpn connection.

Can I connect the laptop on the remote node, over the mesh, to the vpn and gain internet access?

I have not tested this yet but I see no reason why I would not be able to make the vpn connection as I have the proper port forwarding to the computer with the connection. The next question is what would be required on the vpn server computer to allow the internet access? Would it be as simple as bridging the two connections, the usual internet connection to the inbound vpn connection?


This might take some time. Has anyone attempted this configuration yet?


Mark
 

K5DLQ

Hi Mark,
Regarding a VPN over the mesh, you would be passing encrypted traffic, and thus, would be in violation of Part97.
The "Mesh Gateway" is a "global" advertisement and not restricted to a device.

Depending on what you mean by "internet access"... if browser/web access is needed, then you might be able to set up a web proxy off of a server that has direct internet access, and configure your remote PC's browser to use that as its proxy.

Just thinking aloud...
 

K7DXS
We're already illegally using SSH over mesh. I fail to see how this is different.
AE6XE

N5MDT,  

1) put the VPN server on the LAN of the (non-advertised) mesh gateway node
2) make a (non-encrypted over part97) vpn connection to this 10.x.x.x mesh vpn server from the laptop in the middle of the mesh, also a 10.x.x.x address.
3) over-ride the default routing on the laptop and send over the vpn link.
4) the vpn server on the LAN of the mesh gateway node has by default direct access to send traffic to the internet (through the mesh node and out its WAN interface). The vpn server would need to 'SNAT' this traffic going to the internet; the reply traffic has to come back to the vpn server's 10.x.x.x LAN address from the internet, then back through the vpn tunnel to the laptop.

This should all work without changing any default behavior of the AREDN mesh nodes, the complexity is on the vpn server and vpn client device to make this happen.  10.x.x.x on mesh, say 172.16.x.x on the vpn tunnel, 192.168.x.x on your home network.

Others may want to shoot holes in this if I've overlooked anything...

Joe AE6XE
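Added example of the routing and NAT parts of Joe's steps 3 and 4 (not from the post, and not AREDN code). Addresses and interface names are constructed to follow the three ranges he lists; the unencrypted tunnel software itself is left to the reader, and the script only prints the commands unless told to apply them.

```shell
#!/bin/sh
# Constructed addresses following the three ranges in the post above:
SERVER_LAN_IP="10.1.2.50"     # VPN server on the gateway node's LAN (mesh side)
SERVER_LAN_IF="eth0"          # server interface on that LAN
TUN_IF="tun0"                 # unencrypted tunnel interface on both ends
TUN_NET="172.16.0.0/24"       # tunnel addresses
TUN_SERVER="172.16.0.1"       # server end of the tunnel
CLIENT_MESH_IF="eth0"         # laptop interface on its own node's LAN
CLIENT_MESH_GW="10.9.8.1"     # laptop's mesh node (its normal default gateway)

# Server side (step 4): forward tunnel traffic toward the internet and
# SNAT it to the server's 10.x LAN address so replies come back here,
# then go back down the tunnel to the laptop.
server_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $TUN_IF -o $SERVER_LAN_IF -s $TUN_NET -j ACCEPT
iptables -A FORWARD -i $SERVER_LAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $TUN_NET -o $SERVER_LAN_IF -j SNAT --to-source $SERVER_LAN_IP
EOF
}

# Client side (step 3): pin a host route to the VPN server's mesh address via
# the laptop's own node first; otherwise the tunnel's outer packets would be
# sent into the tunnel themselves once the default route moves.
client_rules() {
  cat <<EOF
ip route add $SERVER_LAN_IP/32 via $CLIENT_MESH_GW dev $CLIENT_MESH_IF
ip route replace default via $TUN_SERVER dev $TUN_IF
EOF
}

case "${1:-show}" in
  show)         echo "# on the VPN server:"; server_rules; echo "# on the laptop:"; client_rules ;;
  apply-server) server_rules | sh ;;
  apply-client) client_rules | sh ;;
esac
```

Run with no argument to review the commands, `apply-server` on the VPN server and `apply-client` on the laptop (as root).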

K7DXS
SSH
Use an SSH Tunnel. If you're on Linux, just run ssh -D1080 [host] where host is the remote node or server. 
On Windows, follow this tutorial.
If you use a Mac, follow the same instructions as Linux.

Easier to set up than a VPN, and we already use SSH even though it's encrypted. 
KG6JEI
Depends where you are at.

I prohibit encryption across my nodes and do not use SSH.

From a group standpoint we do NOT recommend using any encrypted protocol across the mesh; if you choose to do so it's at your own risk, and with the block encryption package one has no guarantee common encrypted ports will make it through the mesh.
K7DXS
So you've NEVER accessed a node's command line?
K6AH
Conrad has stated our policy...
If you want to use it for encrypted traffic, that's your choice.  It's not a topic any of us are qualified to talk about.  You can get advice from your attorney if you want. 

Andre
KG6JEI
All nodes have a telnet server running on port 23 on the MESH and LAN ports (it's blocked on the WAN port) that can be used for remote access without encryption. This is where I recommend users connect when they need to connect over the MESH.

Yes I also use SSH but only for local (I'm directly attached to the node in question) and from the wan port which is attached to my home network LAN.

K7DXS
I didn't realize that. The only access I knew of was the SSH server. You may want to update the documentation, which only mentions the existence of an SSH server not a telnet server. Also the documentation seems to condone the use of SSH over mesh. You may want to update the documentation to reflect a. the existence of a Telnet server and b. your policy.
KG6H
SSH does not equal encryption

Let me restate that again: SSH does not equal encryption.  SSH does have encryption as an option, but doesn't have to require it.  You could implement SSH with a pre-shared private/public key (as AREDN does) or one-time-password-pad or time-based passwords, set the cipher to "none", and still have crypto algorithms used to sign the traffic, keeping out a MiTM attack.

The same is true for HTTPS or VPN.  You could have either implemented with plaintext encryption, but still use certificates to authenticate all traffic and signing algorithms to validate all traffic was not tampered with.

https://rietta.com/blog/2009/08/17/authentication-without-encryption-for/
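Added illustration of the point above (not from the post, and not dropbear or AREDN code): a frame format in which the payload travels in the clear but carries an HMAC and a sequence number, so modification and replay are detected without any encryption. The key and the command text are constructed for the demo.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                        # HMAC-SHA256 tag length
DEMO_KEY = b"constructed-demo-key"  # shared secret for the demo only, not a real key


def make_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """4-byte sequence number + payload + HMAC over both.
    The payload is not encrypted: anyone on the RF link can read it,
    but nobody without the key can alter or replay it unnoticed."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_frame(key: bytes, expected_seq: int, frame: bytes) -> bytes:
    """Return the payload if tag and sequence number check out; raise otherwise."""
    if len(frame) < 4 + TAG_LEN:
        raise ValueError("frame too short")
    header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad MAC: frame modified in transit")
    (seq,) = struct.unpack(">I", header)
    if seq != expected_seq:
        raise ValueError(f"sequence mismatch: got {seq}, expected {expected_seq}")
    return payload


def is_valid(key: bytes, expected_seq: int, frame: bytes) -> bool:
    """True only for an untampered frame with the sequence number we expect."""
    try:
        verify_frame(key, expected_seq, frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = make_frame(DEMO_KEY, 7, b"show interfaces")   # constructed command
    print("on the wire:", frame)                           # payload readable in clear
    print("genuine frame accepted:", is_valid(DEMO_KEY, 7, frame))
    tampered = bytearray(frame)
    tampered[6] ^= 0x01                                    # flip one payload bit
    print("tampered frame accepted:", is_valid(DEMO_KEY, 7, bytes(tampered)))
    print("replayed frame accepted:", is_valid(DEMO_KEY, 8, frame))
```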

K7DXS
Alright, I see. So then an SSH tunnel shouldn't be a problem?
KG6H
SSH tunnel

Alright, I see. So then an SSH tunnel shouldn't be a problem?


Correct, an SSH tunnel with cipher set to "none" would be valid for any otherwise Part 97-allowed use.

K7DXS
Actually, looking into it, OpenSSH does not support the none cipher. If I'm correct, OpenSSH is what's installed on the nodes. So the only way to do unencrypted command line stuff is Telnet.
AE6XE
We're actually using the "dropbear" ssh implementation. Just checking the build environment, it looks like we can compile this to have the default NOT encrypt the message:

/* You can compile with no encryption if you want. In some circumstances
 * this could be safe security-wise, though make sure you know what
 * you're doing. Anyone can see everything that goes over the wire, so
 * the only safe auth method is public key. */
/* #define DROPBEAR_NONE_CIPHER */

 
w6bi
SSH over RF and the FCC
I had the opportunity to chat with Marty Noll, N6VI, the ARRL Southwestern Division Vice Director tonight at the local ham club meeting. He reiterated what he had told me several months ago when I gave a mesh presentation at the ARES group he represents: the League has had informal discussions about this topic with the FCC and the FCC has told them informally that encrypted ssh for secure command and control of amateur radio equipment is not an issue.
Marty said at some time in the future they'd probably hold formal discussions on the topic, but for now it sounds like we're in the clear.
I for one am not going to worry about it.

Orv
W6BI
KG6H
Another ham project with SSH cipher "none" enabled

The problem is that many distributions don't compile SSH with the "none" cipher being allowed. However, it can be compiled this way, and my suggestion is that AREDN do so until the FCC clearly changes Part 97 to state that encryption is allowed for control of amateur radio equipment (such as how amateur radio has for remote controlled aircraft). Just because "none" is enabled doesn't mean it has to be used. The dropbear process that is compiled with "none" cipher support can still allow encrypted connections (say from a non-RF connection on the LAN); it will be up to the client to specify which, or it'll depend on the preferred order list when compiled.

If nothing else, for tasks that are not control of amateur radio equipment, be aware that SSH/HTTPS/VPN can be done with a "none" or "null" encryption cipher, and you can be perfectly Part 97 compliant.

Hamwan project with SSH cipher "none" enabled:
Source: http://www.hamwan.org/t/SSH+Without+Encryption

Hamwan has a wiki page explaining the pros and cons of these options: http://www.hamwan.org/t/Authentication?structure=HamWAN

Hamwan also has a great wiki page explaining how to use SSL without encryption for authentication, and even walks you through how to use your LotW certificate to do so: http://www.hamwan.org/t/SSL+without+Encryption?structure=HamWAN

AE6XE
Ticket added to track
