Version : 1.0.6
Author : F4EYQ
Date : 25/04/2020
Update : 07/01/2023
This guide explains how to set up remote control of your ham radio station with a LINUX RASPBERRY PI.
History
1.0.0 : Historically, my remote station (in 2009) ran on Windows OS : I tested HRD server/SKYPE and VOX (VOX interface running on FT290, made by Jean F6HCC), I also checked MUMBLE/SKYPE (in 20210) and then migrated to an FT897 TRX.
1.0.1 : Remote station is now 100% LINUX (2019), first test with PI1 + FT897 and VOX, using PTT switching via CAT-SYSTEM protocol.
1.0.2 : Migrated PI1 to PI4 (August 2020), added systemd service for CAT system on the PI.
1.0.3 : Tested FLRIG on WINDOWS and OPEN-VPN, also added VFO button, sound part running with SEREN VOIP.
1.0.4 : Automated LINUX client/server setup (09/2020).
1.0.5 : Added UFW firewall ( replaces old SHOREWALL firewall ).
1.0.6 : Translated doc to English, added graphical interface, digital modes setup and replaced Seren by Mumble (for VOIP).
Summary
2. Raspberry PI OS setup
2.1 First configuration on RASPBERRY
2.2 Remote configuration via SSH
2.2.1 Network configuration
2.2.2 Sound Card configuration
2.2.3 Create user and remove default user
2.2.4 RAMDISK creation for the log files
3. Firewall setup and configuration
4. Remote screen configuration
5.1 MUMBLE Setup
5.1.1 Client SIDE
5.1.2 Server SIDE
6. TRX control setup
6.1 CRX-COM remote and client setup
6.2 FLRIG remote and client setup
7. HAM radio software setup
8. Configuring your VPN ( optional )
8.1 Server side
8.1.1 PKI Setup
8.1.2 OPEN-VPN service configuration
8.2 Client side setup
9. Your remote station security
1. Network matrix
Your remote station will expose network ports that must be controlled, so I created this table to help you implement the network flows (on your Internet router / on your local FIREWALL). Note : if you have a VPN system, you only have to implement this matrix on the remote station server FIREWALL.
Server ports | Internet visible ports | Name | Description |
22 / TCP | 7232 / TCP | Remote control console | Remote console via protocol SSH |
5900 / TCP | 5900 / TCP | Remote control screen | Remote screen via protocol VNC |
64538 / TCP | 64538 / TCP | Remote sound port (1) | For MUMBLE software, only if you run the sound server on the remote server; otherwise your remote server will use an Internet VOIP instance. Note that MUMBLE can be forced to TCP only. |
64538 / UDP | 64538 / UDP | Remote sound port (2) | MUMBLE software (UDP part). |
8110 / UDP | 8110 / UDP | Remote sound port (3) | SEREN |
5209 / TCP | 5209 / TCP | Remote TRX control port (1) | CRX-COM |
5210 / TCP | 5210 / TCP | Remote TRX control port (2) | FLRIG |
With this matrix, you now have to open the ports on the server firewall for your LAN, WAN REMOTE IP and/or VPN client IPs.
You will also have to open the Internet visible ports on your Internet router/box.
2. Raspberry PI OS setup
You need : Win32DiskImager and "Raspberry Pi OS with desktop" :
Available here : https://www.raspberrypi.org/software/operating-systems/
Simply download the ZIP file, unzip it, and burn it on the micro SD card of the PI (via the write button).
You can also back up your complete setup via the read button ( very useful also ).
2.1 First configuration on RASPBERRY
After booting the RASPBERRY, I connect a screen to it and simply :
- Check and write down its IP address.
- Enable SSH via the console on screen :
raspi-config
=> Select : 3 Interface Options
=> Select : P2 SSH Enable/disable remote command line access using SSH
I reboot the RASPBERRY and check that I can access it via SSH.
When it's OK, I remove the screen and access it with user "pi" and my favorite SSH client ( for example PUTTY on Windows ).
2.2 Remote configuration via SSH
2.2.1 Network configuration
I edit/create this file :
vim /etc/network/interfaces.d/eth0
You can adapt it to your network configuration; here I've set a second IP address on my PI for test purposes ( eth0:1 ) !
auto eth0
iface eth0 inet static
address 192.168.1.167
gateway 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
auto eth0:1
iface eth0:1 inet static
address 192.168.0.167
netmask 255.255.255.0
2.2.2 Sound Card configuration
Here I'm using a small USB sound card with a CM108 chipset ( less than 10 euros ), so we disable the PI sound card and configure this USB card.
Bus 001 Device 003: ID 0d8c:013c C-Media Electronics, Inc. CM108 Audio Controller
To see what sound card you have, simply run the lsusb command.
I create this file to disable the PI sound card :
vim /etc/modprobe.d/raspi-blacklist.conf
blacklist snd_bcm2835
After that I configure the ALSA sound part with these commands :
aplay -l
**** List of PLAYBACK Hardware Devices ****
card 1: Device [USB PnP Sound Device], device 0: USB Audio [USB Audio]
Subdevices: 1/1
Subdevice #0: subdevice #0
So I use this configuration :
vim /usr/share/alsa/alsa.conf
#edit these lines :
defaults.ctl.card 1
defaults.pcm.card 1
defaults.pcm.device 0
Reboot your PI and now you can launch the sound mixer :
alsamixer
Later, you will have to adjust the HP and MIC levels.
If you need to play a test sound, use these commands for example :
speaker-test -t sine -f 1750
aplay /usr/share/sounds/alsa/Front_Center.wav
2.2.3 Create user and remove default user
Now that we have remote access to the PI, we can secure it and install what we want.
We connect as the "pi" user and switch to the root user :
sudo su
We start by defining a new user, here "bastien", and a password ( by using https://passwords-generator.org/ )
or this command, for example, to generate a password :
openssl rand -base64 16
Edit : /etc/sudoers.d/010_pi-nopasswd
Replace pi with your user here :
bastien ALL=(ALL) NOPASSWD: ALL
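I create the new user, set its password and put the user in groups :
# useradd -p expects an already hashed password, so set [YOUR PASSWORD] with passwd instead
useradd -d /home/bastien/ -m bastien
passwd bastien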
usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi bastien
You can now test it via a new SSH connection ( don't touch the "pi" SSH window for the moment ).
If the connection is OK and you can do a "sudo su", we continue by removing the default "pi" account :
As root :
pkill -u pi
deluser --remove-home pi
I also configure my public SSH key for user "bastien" :
su bastien
mkdir /home/bastien/.ssh/
touch /home/bastien/.ssh/authorized_keys
chown bastien:bastien /home/bastien/.ssh/authorized_keys
chmod 600 /home/bastien/.ssh/authorized_keys
vim /home/bastien/.ssh/authorized_keys
I paste my key inside and that's all.
Now we enable auto-login for this new user :
vim /etc/lightdm/lightdm.conf
Replace pi with your user, here it's bastien :
autologin-user=bastien
2.2.4 RAMDISK creation for the log files
To extend the life of the micro SD storage, we put the logs into RAM via these commands ( as root ) :
sudo su
cd /opt/
git clone https://github.com/azlux/log2ram.git
cd log2ram/
./install.sh
reboot
3. Firewall setup and configuration
We start by installing UFW :
apt install ufw
We set default policy :
ufw default deny incoming
ufw default allow outgoing
Here is the configuration, simply replace the values with yours :
ufw allow in proto tcp from 192.168.0.0/24 to any port 22 comment 'Allow ssh'
We can now enable the FIREWALL :
ufw enable
( ! ) Command may disrupt existing ssh connections. Proceed with operation => Choose Y.
To display the policy :
sudo ufw status verbose
sudo ufw status numbered
To delete a rule, for example number 3 :
sudo ufw delete 3
Here is the configuration, simply replace the values with yours :
[LAN-RANGE-IP1] example : 192.168.0.0/24
[LAN-RANGE-IP2] example : 192.168.1.0/24
[NET-RMT-IP1] example : 82.99.99.99/32
[NET-RMT-IP2] example : 83.99.99.99/32
#ssh access tcp 22 :
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 22 comment 'Allow ssh'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 22 comment 'Allow ssh'
ufw allow in proto tcp from [NET-RMT-IP1] to any port 22 comment 'Allow ssh'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 22 comment 'Allow ssh'
#remote trx 1 tcp 5209 :
ufw allow in proto tcp from [NET-RMT-IP1] to any port 5209 comment 'Allow remote trx 1'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 5209 comment 'Allow remote trx 1'
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 5209 comment 'Allow remote trx 1'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 5209 comment 'Allow remote trx 1'
#remote trx 2 tcp 5210 :
ufw allow in proto tcp from [NET-RMT-IP1] to any port 5210 comment 'Allow remote trx 2'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 5210 comment 'Allow remote trx 2'
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 5210 comment 'Allow remote trx 2'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 5210 comment 'Allow remote trx 2'
#allow remote VNC :
ufw allow in proto tcp from [NET-RMT-IP1] to any port 5900 comment 'Allow remote vnc'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 5900 comment 'Allow remote vnc'
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 5900 comment 'Allow remote vnc'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 5900 comment 'Allow remote vnc'
#allow remote Sound ( 1 ) : ( murmur )
ufw allow in proto tcp from [NET-RMT-IP1] to any port 64538 comment 'Allow remote sound'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 64538 comment 'Allow remote sound'
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 64538 comment 'Allow remote sound'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 64538 comment 'Allow remote sound'
ufw allow in proto udp from [NET-RMT-IP1] to any port 64538 comment 'Allow remote sound'
ufw allow in proto udp from [NET-RMT-IP2] to any port 64538 comment 'Allow remote sound'
ufw allow in proto udp from [LAN-RANGE-IP1] to any port 64538 comment 'Allow remote sound'
ufw allow in proto udp from [LAN-RANGE-IP2] to any port 64538 comment 'Allow remote sound'
#allow remote Sound ( 2 ) : ( seren )
ufw allow in proto udp from [NET-RMT-IP1] to any port 8110 comment 'Allow remote sound'
ufw allow in proto udp from [NET-RMT-IP2] to any port 8110 comment 'Allow remote sound'
ufw allow in proto udp from [LAN-RANGE-IP1] to any port 8110 comment 'Allow remote sound'
ufw allow in proto udp from [LAN-RANGE-IP2] to any port 8110 comment 'Allow remote sound'
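The rule list above is the network matrix applied to each allowed source, so it can be generated instead of typed. The following is an added example, not part of the original guide: it only prints the commands and rejects malformed or catch-all sources; the function names and the MIN_PREFIX threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): dry-run generator for the
# section 3 rules. SOURCES reuses the guide's example ranges; MIN_PREFIX is
# an assumed policy value.
SOURCES="192.168.0.0/24 192.168.1.0/24 82.99.99.99/32 83.99.99.99/32"
MIN_PREFIX=8   # refuse anything wider than a /8, including 0.0.0.0/0

# proto:port:comment, one entry per row of the network matrix.
MATRIX="tcp:22:Allow ssh
tcp:5209:Allow remote trx 1
tcp:5210:Allow remote trx 2
tcp:5900:Allow remote vnc
tcp:64538:Allow remote sound
udp:64538:Allow remote sound
udp:8110:Allow remote sound"

# Return 0 only for a well-formed IPv4 CIDR that is narrow enough.
valid_source() {
    local cidr=$1 ip prefix octet
    [[ $cidr =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || return 1
    ip=${cidr%/*}
    prefix=${cidr#*/}
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    for octet in ${ip//./ }; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one ufw command per (source, matrix row). All sources are validated
# first, so a bad one produces no output at all.
gen_rules() {
    local src proto port comment
    for src in "$@"; do
        valid_source "$src" || { echo "rejected source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        while IFS=: read -r proto port comment; do
            printf "ufw allow in proto %s from %s to any port %s comment '%s'\n" \
                "$proto" "$src" "$port" "$comment"
        done <<< "$MATRIX"
    done
}

# Dry run: review the printed commands before running them as root.
gen_rules $SOURCES
```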
4. Remote screen configuration
Now that we have a running PI with a FIREWALL, a user and remote SSH access, we can configure the remote screen.
We use VNC server here, so let's configure it :
- Enable it via the console on screen :
raspi-config
=> Select : 3 Interface Options
=> Select : P3 VNC Enable/disable graphical remote access using RealVNC
Edit the file : /root/.vnc/config.d/vncserver-x11
Put this line :
Authentication=VncAuth
Now generate a password for remote access and run this command to set it :
vncpasswd -service
Edit this file : /root/.vnc/config.d/vncserver-x11
And put this ( replace bastien by your user ) :
Permissions=bastien:f
Edit the file : /boot/config.txt ( we improve the default VNC resolution here )
And edit these lines :
framebuffer_width=1900
framebuffer_height=1024
Comment these lines :
[pi4]
#dtoverlay=vc4-fkms-v3d
#max_framebuffers=2
[all]
#dtoverlay=vc4-fkms-v3d
Now save and reboot the PI. You can then check your PI "remote screen" via a VNC client; here I'm using the TIGHT-VNC client.
5. VOIP setup
Here I'm using SEREN and MUMBLE software; you can choose one and use it.
SEREN is a very light console VOIP client/server, MUMBLE is a GUI client and also has a server version.
MUMBLE offers more options for the SOUND.
5.1 MUMBLE Setup
5.1.1 Client SIDE
The setup is very simple, I'm using the SNAP command ( you can go here to discover SNAP https://snapcraft.io/ )
sudo apt update
sudo apt install snapd
sudo reboot
sudo snap install core
sudo snap install mumble
Now we configure the MUMBLE client to start at LXDE screen "boot" :
mkdir /home/bastien/.config/lxsession
mkdir /home/bastien/.config/lxsession/LXDE-pi
cp /etc/xdg/lxsession/LXDE-pi/autostart /home/bastien/.config/lxsession/LXDE-pi/
vim /home/bastien/.config/lxsession/LXDE-pi/autostart
@lxpanel --profile LXDE-pi
@pcmanfm --desktop --profile LXDE-pi
@xscreensaver -no-splash
@mumble mumble://[CALL-1]:[PASSWORD]@[IP]:[PORT]/[SERVER-NAME]/Y
You can replace :
[CALL-1] by : your radio callsign
[PASSWORD] by : a password you define !
[IP] by : 127.0.0.1
[PORT] by : 64538
[SERVER-NAME] by : 127.0.0.1
On the first launch of MUMBLE-CLIENT you will have to configure your soundcard levels.
Note that "transmit" must be set to "continuous", and the audio quality is set to "64Kb/s" :
5.1.2 Server SIDE
The MUMBLE server also runs here on the RASPBERRY in order to reduce sound latency.
We install MUMBLE SERVER :
sudo apt-get install mumble-server
We configure it via :
sudo vim /etc/mumble-server.ini
( ! ) The client will use TCP+UDP; if you want, you can force UDP on the client side.
Now edit these lines :
port=64538
serverpassword=[YOUR PASSWORD]
Now we can start MUMBLE SERVER :
systemctl enable mumble-server.service
systemctl stop mumble-server.service
systemctl start mumble-server.service
Et voilà !
5.2 SEREN Setup
I've created an install script for this part :
wget --output-document /tmp/setupcrx.bash https://git.crx.cloud/f4eyq/crx-com/raw/master/scripts/setup_server.bash;chmod +x /tmp/setupcrx.bash;/tmp/setupcrx.bash;
This folder contains the configuration :
/opt/crx/conf/remote :
-rw-r--r-- 1 root root 47 sept. 30 09:43 station.conf
lrwxrwxrwx 1 root root 36 nov. 21 05:36 voip.conf -> /opt/crx/conf/remote/voip_hight.conf
-rw-r--r-- 1 root root 33 sept. 30 09:49 voip_hight.conf
-rw-r--r-- 1 root root 31 sept. 30 09:49 voip_low.conf
-rw-r--r-- 1 root root 29 sept. 30 09:49 voip_mid.conf
To start SEREN automatically at boot :
Edit /etc/rc.local :
/opt/crx/seren/voip.bash --start
SEREN listens on port 8110 UDP.
We edit "station.conf" with these values :
REMOTE_MODE="y"
SOUND_CARD="plughw:0,0"
STATION_NAME="f4eyq-1"
For the client setup, simply use this configuration :
REMOTE_MODE="n"
STATION_REMOTE_PORT=8110
STATION_REMOTE_HOST=[MY REMOTE STATION IP ADDRESS]
SOUND_CARD="plughw:0,0"
STATION_NAME="f4eyq-remote"
More info here : https://git.crx.cloud/f4eyq/crx-com/-/blob/master/scripts/README.md
6. TRX control setup
In this part, I propose to use the CRX-COM and FLRIG software.
FLRIG can run with WSJTX and FLDIGI.
CRX-COM can be used with the Cloud instance of CRX ( https://ham.crx.cloud/ ).
I've created an installer script for this part ( same as the VOIP/SEREN part ), it contains the CRX-COM / FLRIG scripts :
wget --output-document /tmp/setupcrx.bash https://git.crx.cloud/f4eyq/crx-com/raw/master/scripts/setup_server.bash;chmod +x /tmp/setupcrx.bash;/tmp/setupcrx.bash;
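Both the SEREN setup (5.2) and this section download setup_server.bash and run it immediately as root. An added example, not part of the original guide or the CRX project: download the script to a private directory, read it, record its SHA-256 and only run a copy that still matches. The function names are hypothetical and the pinned digest is a placeholder you fill in after review.

```bash
#!/usr/bin/env bash
# Added example: run a downloaded installer only when it matches a digest
# recorded after reading the script. PINNED_SHA256 is a placeholder.
INSTALLER_URL="https://git.crx.cloud/f4eyq/crx-com/raw/master/scripts/setup_server.bash"
PINNED_SHA256="<sha256-recorded-after-you-reviewed-the-script>"

# Print the SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 when the file exists and matches the expected digest.
verify_pinned() {
    local file=$1 expected=$2 actual
    [ -f "$file" ] || return 1
    actual=$(file_sha256 "$file")
    [ "$actual" = "$expected" ]
}

# Download into a private temp directory instead of a fixed /tmp name,
# verify the digest, and run the script only on a match.
fetch_verify_run() {
    local url=$1 expected=$2 dir script
    dir=$(mktemp -d) || return 1
    script="$dir/setup_server.bash"
    wget --quiet --output-document "$script" "$url" || return 1
    if ! verify_pinned "$script" "$expected"; then
        echo "digest mismatch, not running. Got: $(file_sha256 "$script")" >&2
        echo "review $script and update the pin if the change is expected" >&2
        return 1
    fi
    bash "$script"
}

# Run only when called with --run, after PINNED_SHA256 has been filled in.
if [ "${1:-}" = "--run" ]; then
    fetch_verify_run "$INSTALLER_URL" "$PINNED_SHA256"
fi
```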
6.1 CRX-COM remote and client setup
To enable CRX-COM, run these commands :
sudo systemctl stop crx_com_tcp.service
ln -s /opt/crx/crx-com/scripts/tcp_serial_catsystem.service /etc/systemd/system/tcp_serial_catsystem.service
sudo systemctl daemon-reload
sudo systemctl enable tcp_serial_catsystem.service
sudo systemctl start tcp_serial_catsystem.service
To modify the listening port you can edit this file ( here I'm using : LISTEN_PORT=5209 ) :
vim /opt/crx/crx-com/config.ini
For FLRIG configuration, I've created a SYSTEMD service for remote operation,
to start, edit this file :
vim /opt/crx/crx-com/scripts/tcp_serial_catsystem.service
You can change it to your TRX values, here I've configured it for my FT897 TRX.
Now you can declare the service and start it :
sudo systemctl stop crx_com_tcp.service
ln -s /opt/crx/crx-com/scripts/tcp_serial_catsystem.service /etc/systemd/system/tcp_serial_catsystem.service
sudo systemctl daemon-reload
sudo systemctl enable tcp_serial_catsystem.service
sudo systemctl start tcp_serial_catsystem.service
If you modify the configuration after this, don't forget to do a : systemctl daemon-reload + systemctl restart tcp_serial_catsystem.service.
On client side :
All configuration is done in your WEB-BROWSER ( that is the main difference with other software ),
=> Go to https://dxham.crx.cloud/ and enter your configuration via the CAT button (IP/PORT, select TRX and port speed).
=> Click the "Run-https" button to enable the WEBSOCKET connection with the server PI ( needed for SSL part ).
=> Simply click on the "Save, apply config connect" button when you have finished.
If you need more info/help : https://project.crx.cloud/crx-com
6.2 FLRIG remote and client setup
Client side :
On Linux install it via :
apt-get install flrig
If you need it, a Windows version also exists :)
The configuration follows the same logic as CRX-COM :
=> Go to menu : "Config" / "Setup" / "TCP-IP" :
=> Set the IP / PORT of your remote PI.
=> Go to menu : "Config" / "Setup" / "Transceiver" :
=> Choose your TRX and configure it.
Server "PI" side :
Here is my configuration, you can adapt it to yours.
Simply edit the "ExecStart" line ( here it's for my FT897 TRX with a simple YAESU USB interface ); note that my interface is on /dev/ttyUSB0, it can differ on your side :
vim /opt/crx/crx-com/scripts/tcp_serial_catsystem.service
ExecStart=/opt/crx/cat2tcp/tcp_serial_redirect.py -P 5210 --develop --bytesize=8 --parity=N --stopbits=2 /dev/ttyUSB0 4800
Now enter these commands to enable the TCP to serial remote service :
ln -s /opt/crx/crx-com/scripts/tcp_serial_catsystem.service /etc/systemd/system/tcp_serial_catsystem.service
sudo systemctl daemon-reload
sudo systemctl enable tcp_serial_catsystem.service
sudo systemctl start tcp_serial_catsystem.service
If you edit this conf again later, don't forget to run these commands ( SYSTEMD will not pick up the change without a daemon-reload ) :
sudo systemctl daemon-reload
sudo systemctl restart tcp_serial_catsystem.service
If you need the scripts, the GIT repository is here :
https://git.crx.cloud/f4eyq/crx-com/-/tree/master/scripts
7. HAM radio software setup
Here I've selected a few LINUX software packages for you :
FL Suite :
apt-get install fldigi
Logbook CQRLOG :
apt-get install cqrlog
Wsjt-x :
Here I'm not using the DEBIAN repository, I'm using the official WSJT repo in order to have the latest version.
First of all go to https://www.physics.princeton.edu/pulsar/k1jt/wsjtx.html
and retrieve the latest version ( here it's 2.4.0 )
Now we can install it :
wget https://www.physics.princeton.edu/pulsar/k1jt/wsjtx_2.4.0_armhf.deb
sudo dpkg -i wsjtx_2.4.0_armhf.deb
sudo apt --fix-broken install
Of course, you can install lots of other HAM software; a good guide to complete your setup can be found here :
https://dl1gkk.com/setup-raspberry-pi-for-ham-radio/
sudo systemctl stop crx_com_tcp.service
Or FLRIG remote service :
sudo systemctl stop tcp_serial_catsystem.service
Note : before launching WSJTX you must set "USB" mode on your remote station ( via CRX or FLRIG app ) :
8. Configuring your VPN ( optional )
8.1 Server side
8.1.1 PKI Setup
I start by installing EASY-RSA ( a set of scripts to manage a PKI ) :
cd /opt/
git clone https://github.com/OpenVPN/easy-rsa.git easyrsa
cd /opt/easyrsa/easyrsa3/
cp vars.example vars
In the vars file I modify these entries :
export KEY_COUNTRY="FR"
export KEY_PROVINCE="IDF"
export KEY_CITY="VilleDeMonServeur"
export KEY_ORG="monVpn"
export KEY_EMAIL="admin@mondomaine.fr"
export KEY_OU="myOu"
Next I set the certificate expiration :
set_var EASYRSA_CA_EXPIRE 1825
set_var EASYRSA_CERT_EXPIRE 365
Now I can initialise my PKI :
# ./easyrsa init-pki
And the CA :
# ./easyrsa build-ca nopass
Now I request and generate the certificate for the server :
# ./easyrsa gen-req monserveurvpn nopass
# ./easyrsa sign-req server monserveurvpn
The script creates these files :
=> /opt/easyrsa/easyrsa3/pki/issued/monserveurvpn.crt
=> /opt/easyrsa/easyrsa3/pki/private/monserveurvpn.key
I now generate the DH parameters and the secret key :
# ./easyrsa gen-dh
# openvpn --genkey --secret ta.key
It creates two files :
=> /opt/easyrsa/easyrsa3/ta.key
=> /opt/easyrsa/easyrsa3/pki/dh.pem
8.1.2 OPEN-VPN service configuration
I now deploy these files to the OPENVPN server folder :
cp /opt/easyrsa/easyrsa3/ta.key /etc/openvpn/server/ta.key
cp /opt/easyrsa/easyrsa3/pki/ca.crt /etc/openvpn/server/ca.crt
cp /opt/easyrsa/easyrsa3/pki/issued/monserveurvpn.crt /etc/openvpn/server/server.crt
cp /opt/easyrsa/easyrsa3/pki/private/monserveurvpn.key /etc/openvpn/server/server.key
cp /opt/easyrsa/easyrsa3/pki/dh.pem /etc/openvpn/server/dh2048.pem
Here is my server configuration :
port 8443
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh2048.pem
topology subnet
server 10.77.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
ccd-exclusive
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
auth SHA256
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 5
Here I am using one file per client in the "ccd" subfolder:
But this is optional if you define your client IP pool.
Example :
# cat /etc/openvpn/ccd/f4eyq-raspberrypi
ifconfig-push 10.77.0.25 255.255.255.0
If you need it, documentation is provided online on the OPEN-VPN site.
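An added example, not part of the original guide: a check of the server configuration and ccd file shown above. It reports that duplicate-cn is combined with ccd-exclusive and that the pushed netmask differs from the server netmask. Function names are hypothetical; the sample files reuse the directives from this page.

```bash
#!/usr/bin/env bash
# Added example: consistency checks between an OpenVPN server config and a
# ccd file. Sample files are rebuilt from the directives shown in the guide.

# Convert a dotted IPv4 address to an integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the arguments of the first uncommented directive $2 in file $1.
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Return 0 if directive $2 is present (uncommented) in file $1.
has_directive() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# Print one finding per line for server config $1 and ccd file $2.
check_vpn() {
    local conf=$1 ccd=$2 net mask ip pmask
    read -r net mask <<< "$(directive "$conf" server)"
    read -r ip pmask <<< "$(directive "$ccd" ifconfig-push)"
    if has_directive "$conf" duplicate-cn && has_directive "$conf" ccd-exclusive; then
        echo "duplicate-cn: concurrent sessions with one certificate name all read the same ccd file"
    fi
    [ -n "$net" ] || { echo "conf: no server directive"; return 0; }
    [ -n "$ip" ] || { echo "ccd: no ifconfig-push"; return 0; }
    if (( ($(ip_to_int "$ip") & $(ip_to_int "$mask")) != $(ip_to_int "$net") )); then
        echo "ccd: $ip is outside $net $mask"
    fi
    if [ "$pmask" != "$mask" ]; then
        echo "ccd: netmask $pmask differs from server netmask $mask"
    fi
}

# Sample input: the relevant directives from the guide, in a temp directory.
make_sample() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' 'topology subnet' 'server 10.77.0.0 255.255.0.0' \
        'client-config-dir /etc/openvpn/ccd' 'ccd-exclusive' \
        'duplicate-cn' > "$dir/server.conf"
    printf '%s\n' 'ifconfig-push 10.77.0.25 255.255.255.0' > "$dir/f4eyq-raspberrypi"
    echo "$dir"
}

SAMPLE=$(make_sample)
check_vpn "$SAMPLE/server.conf" "$SAMPLE/f4eyq-raspberrypi"
```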
8.2 Client side setup
The OPENVPN configuration is almost the same on WINDOWS and LINUX.
On Windows the file must have the extension ".ovpn"; simply load it into the "OpenVPN connect" application.
Here is my configuration :
client
dev tun
proto udp
remote monserveurvpn 8443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert f4eyq-laptop1.crt
key-direction 1
key f4eyq-laptop1.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
#comp-lzo
verb 0
These files come from my "PKI" ( on my server ) :
ca.crt
f4eyq-laptop1.crt
f4eyq-laptop1.key
ta.key
Here is the configuration on the RASPBERRY side :
client
dev tun
proto udp
remote monserveurvpn 8443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert f4eyq-raspberrypi.crt
key-direction 1
key f4eyq-raspberrypi.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 0
9. Your remote station security
Hardware side :
- Inverter / surge arrester ( if possible ).
- Be able to connect / disconnect the station remotely (via a relay / GPIO output of the RASPBERRY).
- Some have even thought of that for the antennas: https://vimeo.com/133917999
- Schedule a timeout on the program (in the event of a network cut), see the "anti bavard" ( time-out timer ) system on your TRX.
Software side :
At a minimum, do the following :
- ALWAYS use a FIREWALL on your server, see part 3 of this document.
- Put your passwords in a secure container (https://keepass.info/) or in an encrypted EXCEL/OOO for example.
- Create a user on the RASPBERRY and disable the pi user ( explained in this document, part 2.2.3 ).
- As much as possible, avoid doing everything as root.
- Back up your micro SD card ( see part 2 of the doc ).
- If you need to, you can use a VPN system (it will add latency to your system, but you will be able to close some open network ports on your Internet box).