Accessing AREDNMesh with OpenVPN

I wanted the ability to access the Amateur Radio Emergency Data Network Mesh (AREDNMesh) from any of my devices but not necessarily every device on my local network (i.e. kids) and quickly gave up on the idea of doing VLANs for the entire network for various reasons. I have used OpenVPN for years to get into my network from the internet, so I figured why can’t I use it to tunnel into the Mesh as well.

So I setup a RaspberryPi on the Mesh to allow me to accomplish this task, and today I will walk you through the setup so you can do the same. As an added bonus, with a slight tweak to the configuration you can access the AREDNMesh from the internet as well.

Things you will need:

  • A working AREDNMesh node, with internet or at a minimum Home LAN access. I had some much appreciated help from the local club to get mine going, I suggest you do the same.
  • Some kind of network switch for the node, separate from your regular switch or router. I found an EdgeRouter X for a good deal and set it up in Switch mode.
  • A RaspberryPi of some flavor, and SD card for it, and a power supply. I used a 3B+ I had because I wanted the hard wired network connection.
  • A temporary monitor, keyboard and mouse for the setup
  • Pen and Paper to write down a few key settings.

A couple definitions as used in this write-up

  • Mesh Node or localnode- The device that is connecting you to AREDNMesh, i.e. NanoStation
  • the Mesh – This is the “internet” side of the Mesh and what you are trying to access
  • Mesh LAN – This is the network of devices that are connected directly to your Mesh Node
  • Mesh WAN – Although WAN is typically referred to as an internet connection, this will connect to your Home LAN to establish internet access and allow your clients to connect into the Mesh.
  • Home LAN – This is your home network and what you were using before exploring this crazy thing called AREDNMesh.
  • Client – Any device that will be accessing the Mesh, i.e. your computer or mobile phone, a VoIP phone, other “servers” that will be hosting things on the mesh.

Setting up the RaspberryPi

I started off with a fresh install, but I see no reason why it wouldn’t work with an existing RaspberryPi, for example running MeshChat (although untested at time of writing). There are plenty of guides on the internet for setting up a RaspberryPi if you have never done it before, but I used NOOBS and install regular Raspbian. The desktop environment is not required, and ultimately I turn it off but I found it useful for accessing the Mesh node page, as you will see later.

Once you have landed on the desktop in Raspbian follow through the prompts to run updates and change your password.

Configuring your localnode

Now that your RaspberryPi is running and connected to the Mesh node, we need to tweak some settings in the node. This can be done by accessing http://localnode.local.mesh from the Chromium browser on the RaspberryPi

We will start with setting a Static DHCP address by accessing the localnodePort Forwarding, DHCP and Services tab on your node then look for Current DHCP Leases. Here you should see an entry that says “raspberrypi 10.x.x.x b8:27:eb:xx:xx:xx” or something similar. Click on the Add button next to it, this should add the entry under DHCP Address Reservations. Under the Hostname option here, best practice is to prepend your call sign. I named mine KD8PNV-rpi. This name will be seen by all on the Mesh and must be unique. If 5 people all try to use raspberrypi.local.mesh it’s going to cause some problems. Make sure to click Save Changes.

Now we need to forward outside connections to our RaspberryPi for OpenVPN. This is forwarding from the WAN port of the Mesh Node to the RaspberryPi on the Mesh LAN. This is what allows us to connect to Mesh LAN devices from your Home LAN. Here you will make your first choice, the standard port is 1194 and what I use, but you can change this to anything that is not used elsewhere, but should be between 1025 and 65534. Make sure to write this down as OpenVPN Port

Under the Port Forwarding section select WAN as the Interface, UDP as the Type, 1194 (or your choice) as the Outside Port, Name of your RaspberryPI (KD8PNV-rpi) as LAN IP and the same port as before for LAN Port. Make sure to Click Add next to the line, and Save Changes at the top

We have one more decision to make in regards to number of clients on your Mesh LAN. Each client will have it’s own IP address on the Mesh so you should plan for a little bit of expandability and what you intend on using the mesh for. Think about how many devices you will have, a managed switch in my case (EdgerouterX) is one, your RaspberryPi is a second, if you decide to do a VoIP phone is a third.

On the localnode Basic Setup tab in the center of the screen is a box that says LAN. Here you will select your LAN mode, if you have a working mesh setup already you probably have done this before. Setting to 5 host Direct allows 5 devices on the Mesh, 13 allows 13, etc.. The key part of this screen is the IP Address listed under the selection box and how many hosts you will have. Write the IP down as Gateway/DNS and the Number of Hosts. Don’t forget to Save Changes and Reboot if you changed anything.

Setting up PiVPN

Start with opening up terminal on the Raspbian desktop and running these commands:

cd ~
wget -O
sed -i -e 's/'
chmod +x

A quick guide to each command for those unfamiliar with Linux, cd ~ moves you to your home directory, wget is for downloading the install file, and the -O (capital letter O) specifies where to save it, sed is used as a search and replace to change the default IP of OpenVPN, more on this in a second, chmod sets the file as executable and finally ./ runs the installer.

The reason we change the IP range for OpenVPN is because AREDNMesh uses as their IP range, while OpenVPN defaults to thereby causing a conflict. When I didn’t change this, I couldn’t access any of the Mesh nodes at all. I chose because it is in the private IP range and I believe should not interfere with any Mesh functions. The possible exception to this is when using NAT mode for the local network, which for me defaulted to a range of, which would not interfere but I’m noting it just as a warning.

So once the installer is running, you will get a blue screen similar to this

PiVPN Installer

After hitting Enter, you will receive a notice for Static IP Needed, this is a critical step to having a functioning VPN connection and as much as I hate to admit, took me several hours to figure out where this went wrong for me.

After hitting Enter it will show you your current IP address, that if the RaspberryPi is connected to the localnode, and if the localnode is set in Host Direct mode, will be a 10.x.x.x address. This should be the reserved IP address that you set and wrote down earlier from your localnode Port Forwarding, DHCP and Services screen. The gateway should match what you wrote down earlier from the localnode Basic Setup tab. If neither of these are as described here, there is something not configured properly. If you get an address not in the 10.x.x.x or 172.27.0.x range, you are probably connected to your home network which is not what the goal is here. I would verify the RaspberryPi can actually connect to the Mesh if you are having this problem before proceeding.

On this screen you want to press the right arrow key and highlight NO and hit Enter. On the next screen it will pre-fill your desired IP address to which we need to add a subnet. What you type here depends on how you have your node configured, you will append the subnet mask to the existing IP. For Example

1 Host Direct – /30
RaspberryPi is the only thing connected to the Mesh node, only useful if you are going to connect EVERYTHING through the VPN

5 Host Direct – /29
This is the mode I used, it allowed me to have my switch as a client and it be accessible and was the mode recommended to me to use. It also, along with the rest of the modes, allows a wifi access point to be plugged into the node for direct access without the VPN.

13 Host Direct – /28
Allows up to 13 clients connected to the mesh. Use only if you are running out of IP’s.

29 Host Direct – /27
Allows up to 29 clients connected directly to the mesh. It is my thoughts, this would only be used in a large scale local deployment, with lots of clients connected to the mesh. I.e. a radio club, EOC, disaster shelter, and even in those cases I think NAT mode would be preferred.

NAT – /24
Both a Pro and Con of NAT mode is your clients are not connected directly to the mesh, and are inaccessible from outside your LAN, but they can get out to the mesh, similar to your home router and the internet. It would take some additional tweaking to host any services behind a NAT that are outside the scope of this write-up.

After setting the IP and subnet, Next it will ask about your gateway, this is the LAN IP for your Mesh node, and should match what you wrote down earlier as Gateway/DNS, if so just hit Enter. Then you will be asked to confirm your settings.

Next you will be asked to choose a user to store your configuration files, if this is a fresh install, you will only have the choice of pi, which is the recommended option in this case.

Then you will receive a prompt for Unattended Upgrades, It is highly recommended you select Yes here.

Next is a prompt for Protocol, as the installer says, unless you know why to select TCP, leave it set to UDP. On the next screen it will ask you for the port number. Enter the port you decided earlier when setting up the Mesh node.

If you have any old OpenVPN clients that do not support OpenVPN 2.4 you will need to select No on the next screen, I recommend selecting Yes and updating any clients software. Any relatively modern Desktop or Mobile applications will support 2.4. Again, that is something a little outside the scope of this write-up

Next up is your encryption strength. This is completely up to you, the encryption does not travel over the mesh and only over your local LAN or Internet if setup to do so. I choose the recommended level.

On the Public IP or DNS screen is where you set how to find your RaspberryPi/Mesh node. The IP option is going to show your Public internet IP. This is the IP from your Internet Provider, I do not recommend using this option regardless of setup. So press the down arrow, then the space bar, so the * moves to the DNS entry block, then press Enter.

This is going to ask you for your public DNS name. If you are doing internet accessible, I recommend a dynamic DNS service, and entering that address here. If you are going to do LAN accessible only, type in the IP address of your Mesh node, as it appears on your Home LAN.

I recommend your Mesh Node have a static IP on your Home LAN so it doesn’t move on you unexpectedly. This can be done either in the localnode Basic Setup under WAN, or by doing a DHCP Reservation in your router.

Next up is going to be DNS provider, this is a critical setting to be able to access Mesh nodes. You should scroll all the way to the bottom of the list, and press space on Custom to move the * then hit Enter. Here you will be asked for a DNS address, and you will enter your Gateway address you wrote down earlier.

You will get a prompt if this is correct, showing two lines, the second should be blank. Select Yes.

Now the installation is almost complete, and you will get a prompt for how to add users, but first we have one more step. After this prompt is a prompt to reboot, right arrow to No and hit Enter, we will reboot in a minute.

Before we are fully functional we need to modify one more file from the default then reboot by running

sudo sed -i -e 's/' /etc/openvpn/server.conf
sudo reboot

Once your RaspberryPi boots back up, and you can get back to a terminal you will create your users. You can see the options available by typing “pivpn” to get these results.

pi@raspberrypi:~ $ pivpn
::: Control all PiVPN specific functions!
::: Usage: pivpn <command> [option]
::: Commands:
:::  -a, add [nopass]     Create a client ovpn profile, optional nopass
:::  -c, clients          List any connected clients to the server
:::  -d, debug            Start a debugging session if having trouble
:::  -l, list             List all valid and revoked certificates
:::  -r, revoke           Revoke a client ovpn profile
:::  -h, help             Show this help dialog
:::  -u, uninstall        Uninstall PiVPN from your system!
pi@raspberrypi:~ $ 

So to add a user will type “pivpn -a” which will give you some prompts to fill out, select a unique name for each client, Desktop, Mobile, etc… then a password and confirm it. This will tell you your CLIENTNAME.ovpn file has been saved to /home/pi/ovpns. At this point you need to get that file off of your RaspberryPi. There are several ways to accomplish this, the easiest probably would be to plug a flash drive into the RaspberryPi and copy the file there, but make sure the file is not publicly accessible anywhere if you use another method.

You can check if any clients are connected to the VPN by doing “pivpn -c”, and can even revoke a certificate by doing “pivpn -r” in case it gets compromised.

A word of warning about “pivpn -d”, if you run this it will break your setup because it checks for the address in the config files. I recommend you do not run this command, unless you want to figure out how to fix it.

From here it’s a matter of installing the OpenVPN client and importing your ovpn file.

Once you are connected to the VPN you should have AREDNMesh access as well as internet access, and any devices connected via VPN are not accessible(fire-walled) from the rest of the Mesh.

Accessing from the Internet

A few notes on accessing from the Internet. Firstly if you use a dynamic dns domain from internally, your internet router should support Hairpin NAT or something similar. Second, you will need to forward the same port 1194 in my case, to the Mesh Node WAN address. If both of these circumstances are true, then you should be able to use the same ovpn file to access from both internal and external to your Home LAN. If your router does not support Hairpin NAT then it will be accessible from the outside using the dynamic dns name and the Mesh Node WAN IP from internally. You can edit the ovpn file in notepad to make the changes if you need to go that route.

I welcome any comments or questions via QRZ

Alexa, turn on the fireplace.

Warning: Try this at your own risk.

I had a need to be able to use home automation to turn on the gas fireplace and since Alexa was used quite a bit already in the home I wanted to figure out how, and I succeeded.

I started out by taking a look at how the fireplace was wired up to discover the light switch to turn it on wasn’t actually switching 110v, but was using 18 gauge wire running directly to the fireplace. I figured a relay to close that circuit would be sufficient to turn it on, and I figured correctly in this particular case.

So I went to amazon to find an ESP8266 controlled relay, and was ecstatic to find multiple different ones. The one I went with was the IZOKEE ESP8266 Relay with ESP8266 ESP-01S. I paid a whopping $6.99 for the relay and the ESP01.

The hardest part was getting the code right. The first result for ESP8266 Alexa was to an adafruit post, that was rather dated. Unfortunately following their guide didn’t work well for me because of changes to the libraries.

First problem was an error with the command fauxmo.onMessage(callback); which lead down the rabbit hole of people having issues with FauxMoESP. After messing with that for a bit and getting past that and to the point of searching for it in the Alexa app, it just wasn’t able to be found by Alexa.

Then I saw a reference somewhere to a site called so I decided to check that out and have to say it worked with great success.

So on the ESP01 with the board I bought, Pin 0 is my relay, also the code example I found was setting the pin to HIGH when turned on which didn’t work for me because I wanted it to fail off and used the NO (Normally Open) terminal on the relay for the simple reason, I didn’t want a power failure to turn the fireplace on. So I changed the turnOn command to LOW and turnOff to HIGH.

So gives some example code on their Github for switches, and I used the switch_example.ino with the tweaks for LOW and HIGH I mentioned above.

Once you register in the website, you generate an API key which you past into the sketch, as well as your wifi name and password, and a device id by adding a smart home device.  The name of the device is what Alexa will recognize, so I named mine Fireplace to be able to tell Alexa to turn on the fireplace.

I will post the code at the bottom here, with my changes from the original marked in bold.

#include <Arduino.h>
#include <ESP8266WiFi.h>
#include <ESP8266WiFiMulti.h>
#include <WebSocketsClient.h> //
#include <ArduinoJson.h> //
#include <StreamString.h>

ESP8266WiFiMulti WiFiMulti;
WebSocketsClient webSocket;
WiFiClient client;

#define MyApiKey "" // TODO: Change to your sinric API Key. Your API Key is displayed on dashboard
#define MySSID "" // TODO: Change to your Wifi network SSID
#define MyWifiPassword "" // TODO: Change to your Wifi network password

#define HEARTBEAT_INTERVAL 300000 // 5 Minutes 

const int relayPin1 = 0; // TODO: Change according to your board
const int relayPin2 = 3; // TODO: Change according to your board

uint64_t heartbeatTimestamp = 0;
bool isConnected = false;
#define DEVICE1 "xxxxx"  //TODO: Device ID of first device
#define DEVICE2 "xxxxx"  //TODO: Device ID of second device

void setPowerStateOnServer(String deviceId, String value);

// deviceId is the ID assgined to your smart-home-device in dashboard. Copy it from dashboard and paste it here

void turnOn(String deviceId) {
  if (deviceId == DEVICE1)
    Serial.print("Turn on device id: ");
     digitalWrite(relayPin1, LOW); // turn on relay with voltage HIGH
  else  if (deviceId == DEVICE2)
    Serial.print("Turn on device id: ");
     digitalWrite(relayPin2, LOW); // turn on relay with voltage HIGH
  else {
    Serial.print("Turn on for unknown device id: ");

void turnOff(String deviceId) {
   if (deviceId == DEVICE1)
     Serial.print("Turn off Device ID: ");
     digitalWrite(relayPin1, HIGH);  // turn off relay with voltage LOW
   else if (deviceId == DEVICE2)
     Serial.print("Turn off Device ID: ");
     digitalWrite(relayPin1, HIGH);  // turn off relay with voltage LOW
   else {
     Serial.print("Turn off for unknown device id: ");

void webSocketEvent(WStype_t type, uint8_t * payload, size_t length) {
  switch(type) {
    case WStype_DISCONNECTED:
      isConnected = false;    
      Serial.printf("[WSc] Webservice disconnected from!\n");
    case WStype_CONNECTED: {
      isConnected = true;
      Serial.printf("[WSc] Service connected to at url: %s\n", payload);
      Serial.printf("Waiting for commands from ...\n");        
    case WStype_TEXT: {
        Serial.printf("[WSc] get text: %s\n", payload);
        // Example payloads

        // For Switch or Light device types
        // {"deviceId": xxxx, "action": "setPowerState", value: "ON"} //

        // For Light device type
        // Look at the light example in github
        DynamicJsonBuffer jsonBuffer;
        JsonObject& json = jsonBuffer.parseObject((char*)payload); 
        String deviceId = json ["deviceId"];     
        String action = json ["action"];
        if(action == "setPowerState") { // Switch or Light
            String value = json ["value"];
            if(value == "ON") {
            } else {
        else if (action == "test") {
            Serial.println("[WSc] received test command from");
    case WStype_BIN:
      Serial.printf("[WSc] get binary length: %u\n", length);

void setup() {
  pinMode(relayPin1, OUTPUT);
  pinMode(relayPin2, OUTPUT);
  WiFiMulti.addAP(MySSID, MyWifiPassword);
  Serial.print("Connecting to Wifi: ");

  // Waiting for Wifi connect
  while( != WL_CONNECTED) {
  if( == WL_CONNECTED) {
    Serial.print("WiFi connected. ");
    Serial.print("IP address: ");

  // server address, port and URL
  webSocket.begin("", 80, "/");

  // event handler
  webSocket.setAuthorization("apikey", MyApiKey);
  // try again every 5000ms if connection has failed
  webSocket.setReconnectInterval(5000);   // If you see 'class WebSocketsClient' has no member named 'setReconnectInterval' error update arduinoWebSockets

void loop() {
  if(isConnected) {
      uint64_t now = millis();
      // Send heartbeat in order to avoid disconnections during ISP resetting IPs over night. Thanks @MacSass
      if((now - heartbeatTimestamp) > HEARTBEAT_INTERVAL) {
          heartbeatTimestamp = now;

// If you are going to use a push button to on/off the switch manually, use this function to update the status on the server
// so it will reflect on Alexa app.
// eg: setPowerStateOnServer("deviceid", "ON")

// Call ONLY If status changed. DO NOT CALL THIS IN loop() and overload the server. 
void setPowerStateOnServer(String deviceId, String value) {
  DynamicJsonBuffer jsonBuffer;
  JsonObject& root = jsonBuffer.createObject();
  root["deviceId"] = deviceId;
  root["action"] = "setPowerState";
  root["value"] = value;
  StreamString databuf;

Open Stub J-Pole

I bought a FT-991A last October to use on the HF bands, and while it worked great for that I never really bothered with a VHF/UHF antenna. That is until recently when I decided I wanted to be able to hear the repeaters on something other than an HT while sitting in the shack.

So after hearing about J-Pole antennas I did some research and came across the Open Stub J-Pole and this posting by NT1K. I decided this is what I would build as it would allow me to mount it to a railing on the deck in my back yard.

I had a friend, W8IGI, call with an invitation to Thanksgiving Dinner about 2 weeks before and got to thinking, after dinner while the ladies were gabbing, we could go play in the garage and build some antennas. So I set about to buying the materials needed.

For the rods, I found Grainger had the best price and easiest to get, though I had to wait a few days to pick it up, that was no big deal as we weren’t going to build until Thanksgiving day.

We used some scrap angle that W8IGI had in his garage for the base, and since we get tons of points from a local truck stop, used those to purchase the stud mounts. So all in all, we were out about $12 in required materials. I did purchase some vinyl caps to go over the end from amazon, but they didn’t fit very well.

The build went off fairly uneventful, but I will suggest making sure you have some sharp tap and dies, as it definitely helped when we changed to a different set.

So all in all, the antennas were made, mine is up and works great, though the SWR is just a tad high on 146.52 but I will troubleshoot that at a later date when I get an antenna analyzer.

This is my first foray into antenna building, but hopefully not my last. I had a good time, even though it was just following instructions.

First Post

I am creating this site in the hopes of helping myself document some of my activities from Amateur Radio to my Freenas server to Camping and anything in between.

In the mean time you can find my current radio logs here