I wanted the ability to access the Amateur Radio Emergency Data Network Mesh (AREDNMesh) from any of my devices but not necessarily every device on my local network (i.e. kids) and quickly gave up on the idea of doing VLANs for the entire network for various reasons. I have used OpenVPN for years to get into my network from the internet, so I figured why can’t I use it to tunnel into the Mesh as well.
So I setup a RaspberryPi on the Mesh to allow me to accomplish this task, and today I will walk you through the setup so you can do the same. As an added bonus, with a slight tweak to the configuration you can access the AREDNMesh from the internet as well.
Things you will need:
- A working AREDNMesh node, with internet or at a minimum Home LAN access. I had some much appreciated help from the local club to get mine going, I suggest you do the same.
- Some kind of network switch for the node, separate from your regular switch or router. I found an EdgeRouter X for a good deal and set it up in Switch mode.
- A RaspberryPi of some flavor, and SD card for it, and a power supply. I used a 3B+ I had because I wanted the hard wired network connection.
- A temporary monitor, keyboard and mouse for the setup
- Pen and Paper to write down a few key settings.
A couple definitions as used in this write-up
- Mesh Node or localnode- The device that is connecting you to AREDNMesh, i.e. NanoStation
- the Mesh – This is the “internet” side of the Mesh and what you are trying to access
- Mesh LAN – This is the network of devices that are connected directly to your Mesh Node
- Mesh WAN – Although WAN is typically referred to as an internet connection, this will connect to your Home LAN to establish internet access and allow your clients to connect into the Mesh.
- Home LAN – This is your home network and what you were using before exploring this crazy thing called AREDNMesh.
- Client – Any device that will be accessing the Mesh, i.e. your computer or mobile phone, a VoIP phone, other “servers” that will be hosting things on the mesh.
Setting up the RaspberryPi
I started off with a fresh install, but I see no reason why it wouldn’t work with an existing RaspberryPi, for example running MeshChat (although untested at time of writing). There are plenty of guides on the internet for setting up a RaspberryPi if you have never done it before, but I used NOOBS and install regular Raspbian. The desktop environment is not required, and ultimately I turn it off but I found it useful for accessing the Mesh node page, as you will see later.
Once you have landed on the desktop in Raspbian follow through the prompts to run updates and change your password.
Configuring your localnode
Now that your RaspberryPi is running and connected to the Mesh node, we need to tweak some settings in the node. This can be done by accessing http://localnode.local.mesh from the Chromium browser on the RaspberryPi
We will start with setting a Static DHCP address by accessing the localnodePort Forwarding, DHCP and Services tab on your node then look for Current DHCP Leases. Here you should see an entry that says “raspberrypi 10.x.x.x b8:27:eb:xx:xx:xx” or something similar. Click on the Add button next to it, this should add the entry under DHCP Address Reservations. Under the Hostname option here, best practice is to prepend your call sign. I named mine KD8PNV-rpi. This name will be seen by all on the Mesh and must be unique. If 5 people all try to use raspberrypi.local.mesh it’s going to cause some problems. Make sure to click Save Changes.
Now we need to forward outside connections to our RaspberryPi for OpenVPN. This is forwarding from the WAN port of the Mesh Node to the RaspberryPi on the Mesh LAN. This is what allows us to connect to Mesh LAN devices from your Home LAN. Here you will make your first choice, the standard port is 1194 and what I use, but you can change this to anything that is not used elsewhere, but should be between 1025 and 65534. Make sure to write this down as OpenVPN Port
Under the Port Forwarding section select WAN as the Interface, UDP as the Type, 1194 (or your choice) as the Outside Port, Name of your RaspberryPI (KD8PNV-rpi) as LAN IP and the same port as before for LAN Port. Make sure to Click Add next to the line, and Save Changes at the top
We have one more decision to make in regards to number of clients on your Mesh LAN. Each client will have it’s own IP address on the Mesh so you should plan for a little bit of expandability and what you intend on using the mesh for. Think about how many devices you will have, a managed switch in my case (EdgerouterX) is one, your RaspberryPi is a second, if you decide to do a VoIP phone is a third.
On the localnode Basic Setup tab in the center of the screen is a box that says LAN. Here you will select your LAN mode, if you have a working mesh setup already you probably have done this before. Setting to 5 host Direct allows 5 devices on the Mesh, 13 allows 13, etc.. The key part of this screen is the IP Address listed under the selection box and how many hosts you will have. Write the IP down as Gateway/DNS and the Number of Hosts. Don’t forget to Save Changes and Reboot if you changed anything.
Setting up PiVPN
Start with opening up terminal on the Raspbian desktop and running these commands:
cd ~ wget -O pivpn.sh https://install.pivpn.io sed -i -e 's/10.8.0.0/172.27.32.0/g' pivpn.sh chmod +x pivpn.sh ./pivpn.sh
A quick guide to each command for those unfamiliar with Linux, cd ~ moves you to your home directory, wget is for downloading the install file, and the -O (capital letter O) specifies where to save it, sed is used as a search and replace to change the default IP of OpenVPN, more on this in a second, chmod sets the file as executable and finally ./pivpn.sh runs the installer.
The reason we change the IP range for OpenVPN is because AREDNMesh uses 10.0.0.0/8 as their IP range, while OpenVPN defaults to 10.8.0.0/24 thereby causing a conflict. When I didn’t change this, I couldn’t access any of the Mesh nodes at all. I chose 172.27.32.0/24 because it is in the private IP range and I believe should not interfere with any Mesh functions. The possible exception to this is when using NAT mode for the local network, which for me defaulted to a range of 172.27.0.0/24, which would not interfere but I’m noting it just as a warning.
So once the installer is running, you will get a blue screen similar to this
After hitting Enter, you will receive a notice for Static IP Needed, this is a critical step to having a functioning VPN connection and as much as I hate to admit, took me several hours to figure out where this went wrong for me.
After hitting Enter it will show you your current IP address, that if the RaspberryPi is connected to the localnode, and if the localnode is set in Host Direct mode, will be a 10.x.x.x address. This should be the reserved IP address that you set and wrote down earlier from your localnode Port Forwarding, DHCP and Services screen. The gateway should match what you wrote down earlier from the localnode Basic Setup tab. If neither of these are as described here, there is something not configured properly. If you get an address not in the 10.x.x.x or 172.27.0.x range, you are probably connected to your home network which is not what the goal is here. I would verify the RaspberryPi can actually connect to the Mesh if you are having this problem before proceeding.
On this screen you want to press the right arrow key and highlight NO and hit Enter. On the next screen it will pre-fill your desired IP address to which we need to add a subnet. What you type here depends on how you have your node configured, you will append the subnet mask to the existing IP. For Example 10.10.200.3/29
1 Host Direct – /30
RaspberryPi is the only thing connected to the Mesh node, only useful if you are going to connect EVERYTHING through the VPN
5 Host Direct – /29
This is the mode I used, it allowed me to have my switch as a client and it be accessible and was the mode recommended to me to use. It also, along with the rest of the modes, allows a wifi access point to be plugged into the node for direct access without the VPN.
13 Host Direct – /28
Allows up to 13 clients connected to the mesh. Use only if you are running out of IP’s.
29 Host Direct – /27
Allows up to 29 clients connected directly to the mesh. It is my thoughts, this would only be used in a large scale local deployment, with lots of clients connected to the mesh. I.e. a radio club, EOC, disaster shelter, and even in those cases I think NAT mode would be preferred.
NAT – /24
Both a Pro and Con of NAT mode is your clients are not connected directly to the mesh, and are inaccessible from outside your LAN, but they can get out to the mesh, similar to your home router and the internet. It would take some additional tweaking to host any services behind a NAT that are outside the scope of this write-up.
After setting the IP and subnet, Next it will ask about your gateway, this is the LAN IP for your Mesh node, and should match what you wrote down earlier as Gateway/DNS, if so just hit Enter. Then you will be asked to confirm your settings.
Next you will be asked to choose a user to store your configuration files, if this is a fresh install, you will only have the choice of pi, which is the recommended option in this case.
Then you will receive a prompt for Unattended Upgrades, It is highly recommended you select Yes here.
Next is a prompt for Protocol, as the installer says, unless you know why to select TCP, leave it set to UDP. On the next screen it will ask you for the port number. Enter the port you decided earlier when setting up the Mesh node.
If you have any old OpenVPN clients that do not support OpenVPN 2.4 you will need to select No on the next screen, I recommend selecting Yes and updating any clients software. Any relatively modern Desktop or Mobile applications will support 2.4. Again, that is something a little outside the scope of this write-up
Next up is your encryption strength. This is completely up to you, the encryption does not travel over the mesh and only over your local LAN or Internet if setup to do so. I choose the recommended level.
On the Public IP or DNS screen is where you set how to find your RaspberryPi/Mesh node. The IP option is going to show your Public internet IP. This is the IP from your Internet Provider, I do not recommend using this option regardless of setup. So press the down arrow, then the space bar, so the * moves to the DNS entry block, then press Enter.
This is going to ask you for your public DNS name. If you are doing internet accessible, I recommend a dynamic DNS service, and entering that address here. If you are going to do LAN accessible only, type in the IP address of your Mesh node, as it appears on your Home LAN.
I recommend your Mesh Node have a static IP on your Home LAN so it doesn’t move on you unexpectedly. This can be done either in the localnode Basic Setup under WAN, or by doing a DHCP Reservation in your router.
Next up is going to be DNS provider, this is a critical setting to be able to access Mesh nodes. You should scroll all the way to the bottom of the list, and press space on Custom to move the * then hit Enter. Here you will be asked for a DNS address, and you will enter your Gateway address you wrote down earlier.
You will get a prompt if this is correct, showing two lines, the second should be blank. Select Yes.
Now the installation is almost complete, and you will get a prompt for how to add users, but first we have one more step. After this prompt is a prompt to reboot, right arrow to No and hit Enter, we will reboot in a minute.
Before we are fully functional we need to modify one more file from the default then reboot by running
sudo sed -i -e 's/10.8.0.0/172.27.32.0/g' /etc/openvpn/server.conf sudo reboot
Once your RaspberryPi boots back up, and you can get back to a terminal you will create your users. You can see the options available by typing “pivpn” to get these results.
pi@raspberrypi:~ $ pivpn ::: Control all PiVPN specific functions! ::: ::: Usage: pivpn <command> [option] ::: ::: Commands: ::: -a, add [nopass] Create a client ovpn profile, optional nopass ::: -c, clients List any connected clients to the server ::: -d, debug Start a debugging session if having trouble ::: -l, list List all valid and revoked certificates ::: -r, revoke Revoke a client ovpn profile ::: -h, help Show this help dialog ::: -u, uninstall Uninstall PiVPN from your system! pi@raspberrypi:~ $
So to add a user will type “pivpn -a” which will give you some prompts to fill out, select a unique name for each client, Desktop, Mobile, etc… then a password and confirm it. This will tell you your CLIENTNAME.ovpn file has been saved to /home/pi/ovpns. At this point you need to get that file off of your RaspberryPi. There are several ways to accomplish this, the easiest probably would be to plug a flash drive into the RaspberryPi and copy the file there, but make sure the file is not publicly accessible anywhere if you use another method.
You can check if any clients are connected to the VPN by doing “pivpn -c”, and can even revoke a certificate by doing “pivpn -r” in case it gets compromised.
A word of warning about “pivpn -d”, if you run this it will break your setup because it checks for the 10.8.0.0 address in the config files. I recommend you do not run this command, unless you want to figure out how to fix it.
From here it’s a matter of installing the OpenVPN client and importing your ovpn file.
Once you are connected to the VPN you should have AREDNMesh access as well as internet access, and any devices connected via VPN are not accessible(fire-walled) from the rest of the Mesh.
Accessing from the Internet
A few notes on accessing from the Internet. Firstly if you use a dynamic dns domain from internally, your internet router should support Hairpin NAT or something similar. Second, you will need to forward the same port 1194 in my case, to the Mesh Node WAN address. If both of these circumstances are true, then you should be able to use the same ovpn file to access from both internal and external to your Home LAN. If your router does not support Hairpin NAT then it will be accessible from the outside using the dynamic dns name and the Mesh Node WAN IP from internally. You can edit the ovpn file in notepad to make the changes if you need to go that route.
I welcome any comments or questions via QRZ