Remote ham radio station - setup guide

Version : 1.0.6
Author : F4EYQ
Date : 25/04/2020
Update : 07/01/2023

This guide explains how to set up remote control of your ham radio station with a LINUX RASPBERRY PI.

History

1.0.0 : My first remote station (in 2009) ran on Windows: I tested HRD server/SKYPE and VOX (the VOX interface ran on an FT290 made by Jean F6HCC); I also tried MUMBLE/SKYPE (in 20210) and then migrated to an FT897 TRX.

1.0.1 : The remote station is now 100% LINUX (2019): first tests with a PI1 + FT897 and VOX, using PTT switching via the CAT-SYSTEM protocol.

1.0.2 : Migrated from PI1 to PI4 (August 2020), added a systemd service for the CAT system on the PI.

1.0.3 : Tested FLRIG on WINDOWS and OPEN-VPN, added the VFO button; the sound part runs with SEREN VOIP.

1.0.4 : Automated the LINUX client/server setup (09/2020).

1.0.5 : Added the UFW firewall (replaces the old SHOREWALL firewall).

1.0.6 : Translated the doc to English, added the graphical interface and the digital modes setup, replaced Seren by Mumble (for VOIP).


Summary

1. Network matrix

2. Raspberry PI OS setup
   2.1 First configuration on RASPBERRY
   2.2 Remote configuration via SSH
       2.2.1 Network configuration
       2.2.2 Sound Card configuration
       2.2.3 Create user and remove default user
       2.2.4 RAMDISK creation for the log files

3. Firewall setup and configuration

4. Remote screen configuration

5. VOIP setup
   5.1 MUMBLE Setup
       5.1.1 Client SIDE
       5.1.2 Server SIDE
   5.2 SEREN Setup

6. TRX control setup
   6.1 CRX-COM remote and client setup
   6.2 FLRIG remote and client setup

7. HAM radio software setup

8. Configuring your VPN (optional)
   8.1 Server side
       8.1.1 PKI Setup
       8.1.2 OPEN-VPN service configuration
   8.2 Client side setup

9. Your remote station security

 

1. Network matrix

 


Your remote station exposes network ports in order to be controlled, so I created this table to help you implement the network flows (on your Internet router and on your local FIREWALL). Note that if you have a VPN, you only have to implement this matrix on the FIREWALL of the remote station server.

Server port     Internet visible port   Name                          Description
22 / TCP        7232 / TCP              Remote control console        Remote console via the SSH protocol
5900 / TCP      5900 / TCP              Remote control screen         Remote screen via the VNC protocol
64538 / TCP     64538 / TCP             Remote sound port (1)         MUMBLE (TCP part), only if you run the sound server on the remote station; otherwise the remote station uses an Internet VOIP instance. Note that MUMBLE can be forced to TCP only.
64538 / UDP     64538 / UDP             Remote sound port (2)         MUMBLE (UDP part)
8110 / UDP      8110 / UDP              Remote sound port (3)         SEREN
5209 / TCP      5209 / TCP              Remote TRX control port (1)   CRX-COM
5210 / TCP      5210 / TCP              Remote TRX control port (2)   FLRIG

With this matrix you now have to open the server ports on the server firewall for your LAN, your remote WAN IP and/or your VPN client IPs.
You also have to forward the Internet visible ports on your Internet router/box to the server ports (for example Internet port 7232/TCP to server port 22/TCP).
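As an added example (my script, not part of the original guide), a small shell check that compares the sockets actually listening on the PI with the server ports of the matrix above: a socket reachable from the network that is not in the matrix needs a rule or should be stopped, and a matrix entry with no listener means a service is down. The ss output below is constructed; on the PI feed the functions with the real output of "ss -tulnH".

```sh
#!/bin/sh
# Server ports of the matrix above, as proto/port pairs.
MATRIX='tcp/22 tcp/5900 tcp/64538 udp/64538 udp/8110 tcp/5209 tcp/5210'

# Constructed sample in the format of "ss -tulnH" (not captured from a real PI):
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN  0  128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN  0  5    0.0.0.0:5900    0.0.0.0:*
tcp   LISTEN  0  10   0.0.0.0:64538   0.0.0.0:*
udp   UNCONN  0  0    0.0.0.0:64538   0.0.0.0:*
tcp   LISTEN  0  5    0.0.0.0:5209    0.0.0.0:*
tcp   LISTEN  0  5    [::]:5210       [::]:*
tcp   LISTEN  0  128  127.0.0.1:631   0.0.0.0:*
tcp   LISTEN  0  128  0.0.0.0:8080    0.0.0.0:*'

# _reachable: reads ss lines on stdin, prints "proto/port addr" for each socket
# bound to a non-loopback address. The last ':' separates address and port,
# which also handles IPv6 forms such as [::]:5210.
_reachable() {
    awk '{ p = $5; sub(/.*:/, "", p); a = $5; sub(/:[^:]*$/, "", a)
           if (a == "127.0.0.1" || a == "[::1]") next
           print $1 "/" p, a }'
}

# unexpected_listeners: reachable sockets whose proto/port is not in MATRIX.
unexpected_listeners() {
    _reachable | awk -v m="$MATRIX" '
        BEGIN { n = split(m, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        !($1 in ok) { print $1 }'
}

# missing_listeners: MATRIX entries with no reachable socket at all.
missing_listeners() {
    _reachable | awk -v m="$MATRIX" '
        { seen[$1] = 1 }
        END { n = split(m, k, " "); for (i = 1; i <= n; i++) if (!(k[i] in seen)) print k[i] }'
}

# Demo on the constructed sample (tcp/8080 is unexpected, udp/8110 is missing).
printf 'Not in matrix (needs a rule or should be stopped):\n'
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
printf 'In matrix but not listening:\n'
printf '%s\n' "$SAMPLE_SS" | missing_listeners
```

On the PI itself: ss -tulnH | unexpected_listeners (and the same for missing_listeners).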
 

 

2. Raspberry PI OS setup

You need Win32DiskImager and "Raspberry Pi OS with desktop", available here: https://www.raspberrypi.org/software/operating-systems/

Simply download the ZIP file, unzip it, and burn it on the micro SD card of the PI (via the write button).
You can also back up your complete setup via the read button (very useful too).


 

2.1 First configuration on RASPBERRY


After booting the RASPBERRY, I connect a screen to it and simply:
- Check and write down its IP address.

- Enable SSH via the console on screen:

raspi-config


=>  Select :  3 Interface Options
=>  Select :  P2 SSH         Enable/disable remote command line access using SSH

I reboot the RASPBERRY and check that I can access it via SSH.
When it's OK I remove the screen and access it with the user "pi" and my favourite SSH client (for example PUTTY on Windows).

 

2.2 Remote configuration via SSH 

 

2.2.1 Network configuration 

I edit/create this file:

vim /etc/network/interfaces.d/eth0

Adapt it to your network configuration; here I've set a second IP address on my PI for test purposes (eth0:1):

auto eth0
iface eth0 inet static
    address 192.168.1.167
    gateway 192.168.1.1
    netmask 255.255.255.0
    broadcast 192.168.1.255

auto eth0:1
iface eth0:1 inet static
    address 192.168.0.167
    netmask 255.255.255.0
 

2.2.2 Sound Card configuration 

Here I'm using a small USB sound card with a CM108 chipset (less than 10 euros), so we disable the PI sound card and configure this USB card.

Bus 001 Device 003: ID 0d8c:013c C-Media Electronics, Inc. CM108 Audio Controller

To see which sound card you have, simply run the lsusb command.
I create this file to disable the PI sound card:

vim /etc/modprobe.d/raspi-blacklist.conf
blacklist snd_bcm2835

After that I check which card ALSA sees with this command:

 aplay -l
**** List of PLAYBACK Hardware Devices ****
card 1: Device [USB PnP Sound Device], device 0: USB Audio [USB Audio]
  Subdevices: 1/1
  Subdevice #0: subdevice #0

So I put this configuration (note that this file belongs to the ALSA library package and may be overwritten on upgrade; /etc/asound.conf is the usual place for a local override):

vim /usr/share/alsa/alsa.conf

#edit these lines :
defaults.ctl.card 1
defaults.pcm.card 1
defaults.pcm.device 0

Reboot your PI; you can now launch the sound mixer:

alsamixer

Later you will have to adjust the speaker and MIC levels.

If you need to play a test sound, use these commands for example:

speaker-test -t sine -f 1750
aplay /usr/share/sounds/alsa/Front_Center.wav
 

2.2.3 Create user and remove default user 

Now that we have remote access to the PI, we can secure it and install what we want.
We connect with the "pi" user and switch to root:

sudo su

We start by defining a new user, here "bastien", and a password (generated with https://passwords-generator.org/ )
or with this command for example:

openssl rand -base64 16

Edit : /etc/sudoers.d/010_pi-nopasswd

Replace pi by your user here:

bastien ALL=(ALL) NOPASSWD: ALL


I create the new user and put it in the groups:

# useradd -p expects an already hashed password, so hash it first (or run "passwd bastien" afterwards)
useradd -p "$(openssl passwd -6 '[YOUR PASSWORD]')" -d /home/bastien/ -m bastien
usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi bastien

You can now test it via a new SSH connection (don't touch the SSH window already open on the PI for the moment).
If the connection is OK and you can do a "sudo su", we continue by removing the default "pi" account.

As root:

pkill -u pi
deluser --remove-home pi

I also configure my public SSH key for the user "bastien":

su bastien
mkdir /home/bastien/.ssh/
chmod 700 /home/bastien/.ssh/
touch /home/bastien/.ssh/authorized_keys
chown bastien:bastien /home/bastien/.ssh/authorized_keys
chmod 600 /home/bastien/.ssh/authorized_keys
vim /home/bastien/.ssh/authorized_keys

I paste my key inside and that's all. Once the key works, you can set "PasswordAuthentication no" in /etc/ssh/sshd_config so that the SSH port exposed on the Internet (see part 1) only accepts keys.

Now we enable auto-login for this new user : 

vim /etc/lightdm/lightdm.conf

Change pi by the user you have, here it's bastien :

autologin-user=bastien

 

 

2.2.4 RAMDISK creation for the log files 

To extend the life of the micro SD storage, we put the logs into RAM with these commands (as root):

sudo su
cd /opt/
git clone https://github.com/azlux/log2ram.git
cd log2ram/
./install.sh
reboot
 

3. Firewall setup and configuration

We start by installing UFW : 

apt install ufw

We set default policy : 

ufw default deny incoming
ufw default allow outgoing

Here is an example rule, simply replace the values by yours:

ufw allow in proto tcp from 192.168.0.0/24 to any port 22 comment 'Allow ssh'

We can now enable the FIREWALL : 

ufw enable

(!) ufw warns "Command may disrupt existing ssh connections. Proceed with operation" => answer y (the ssh rule above keeps your session alive).

To display the policy : 

sudo ufw status verbose
sudo ufw status numbered

To delete a rule, for example number 3:

sudo ufw delete 3


Here is the full configuration, simply replace the placeholders by your values:

[LAN-RANGE-IP1]   example : 192.168.0.0/24
[LAN-RANGE-IP2]   example : 192.168.1.0/24

[NET-RMT-IP1]  example : 82.99.99.99/32   (public IP of your remote location, /32 = a single host)
[NET-RMT-IP2]  example : 83.99.99.99/32

#ssh access     tcp 22 : 
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 22 comment 'Allow ssh'     
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 22 comment 'Allow ssh'
ufw allow in proto tcp from [NET-RMT-IP1] to any port 22 comment 'Allow ssh'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 22 comment 'Allow ssh'

#remote trx 1    tcp 5209 : 
ufw allow in proto tcp from [NET-RMT-IP1] to any port 5209 comment 'Allow remote trx 1'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 5209 comment 'Allow remote trx 1'
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 5209 comment 'Allow remote trx 1'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 5209 comment 'Allow remote trx 1'
 
#remote trx 2    tcp 5210 : 
ufw allow in proto tcp from [NET-RMT-IP1] to any port 5210 comment 'Allow remote trx 2'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 5210 comment 'Allow remote trx 2'
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 5210 comment 'Allow remote trx 2'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 5210 comment 'Allow remote trx 2'

#allow remote VNC : 
ufw allow in proto tcp from [NET-RMT-IP1] to any port 5900 comment 'Allow remote vnc'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 5900 comment 'Allow remote vnc'
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 5900 comment 'Allow remote vnc'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 5900 comment 'Allow remote vnc'

#allow remote Sound ( 1 ) :  ( murmur, the MUMBLE server )
ufw allow in proto tcp from [NET-RMT-IP1] to any port 64538 comment 'Allow remote sound'
ufw allow in proto tcp from [NET-RMT-IP2] to any port 64538 comment 'Allow remote sound'
ufw allow in proto tcp from [LAN-RANGE-IP1] to any port 64538 comment 'Allow remote sound'
ufw allow in proto tcp from [LAN-RANGE-IP2] to any port 64538 comment 'Allow remote sound'

ufw allow in proto udp from [NET-RMT-IP1] to any port 64538 comment 'Allow remote sound'
ufw allow in proto udp from [NET-RMT-IP2] to any port 64538 comment 'Allow remote sound'
ufw allow in proto udp from [LAN-RANGE-IP1] to any port 64538 comment 'Allow remote sound'
ufw allow in proto udp from [LAN-RANGE-IP2] to any port 64538 comment 'Allow remote sound'

#allow remote Sound ( 2 ) :   ( seren ) 
ufw allow in proto udp from [NET-RMT-IP1] to any port 8110 comment 'Allow remote sound'
ufw allow in proto udp from [NET-RMT-IP2] to any port 8110 comment 'Allow remote sound'
ufw allow in proto udp from [LAN-RANGE-IP1] to any port 8110 comment 'Allow remote sound'
ufw allow in proto udp from [LAN-RANGE-IP2] to any port 8110 comment 'Allow remote sound'
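The rule list above is repetitive and easy to get wrong by hand, so here is an added shell script (my example, not from the original guide) that generates the same rule set from the matrix of part 1 and the list of allowed sources, and refuses a source that would open a port to the whole Internet. By default it only prints the ufw commands; set UFW="sudo ufw" to apply them. The source addresses are constructed placeholders.

```sh
#!/bin/sh
# Dry run by default: UFW="sudo ufw" ./ufw-rules.sh applies the rules for real.
UFW="${UFW:-echo ufw}"

# Allowed sources, one per line: LAN ranges and the public IPs of the remote
# locations (constructed values, replace them by yours; /32 = a single host).
SOURCES='192.168.0.0/24
192.168.1.0/24
82.99.99.99/32
83.99.99.99/32'

# Service matrix (part 1): proto port label
SERVICES='tcp 22 ssh
tcp 5209 remote_trx_1
tcp 5210 remote_trx_2
tcp 5900 remote_vnc
tcp 64538 remote_sound_mumble
udp 64538 remote_sound_mumble
udp 8110 remote_sound_seren'

# check_sources LIST: fail if any entry would let the whole Internet in,
# which would defeat the point of the matrix.
check_sources() {
    printf '%s\n' "$1" | grep -qxE '0\.0\.0\.0/0|::/0|any' && return 1
    return 0
}

# ufw_rules: one allow rule per (service, source) pair, same shape as above.
ufw_rules() {
    printf '%s\n' "$SERVICES" | while read -r proto port label; do
        [ -n "$proto" ] || continue
        printf '%s\n' "$SOURCES" | while read -r src; do
            [ -n "$src" ] || continue
            $UFW allow in proto "$proto" from "$src" to any port "$port" comment "Allow $label"
        done
    done
}

# apply_policy: default deny inbound (outbound stays open), then the allow rules.
apply_policy() {
    check_sources "$SOURCES" || { echo "refusing a world-wide source in SOURCES" >&2; return 1; }
    $UFW default deny incoming
    $UFW default allow outgoing
    ufw_rules
}

apply_policy
```

After applying for real, run "ufw enable" and "ufw status numbered" as described above to verify.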
 

4. Remote screen configuration



Now that we have a running PI with a FIREWALL, a user and remote SSH access, we can configure the remote screen.
We use the VNC server here, so let's configure it:

- Enable it via the console on screen :     

raspi-config

=>  Select :  3 Interface Options 
=>  Select :  P3 VNC         Enable/disable graphical remote access using RealVNC

Edit the file : /root/.vnc/config.d/vncserver-x11
Put this line:

Authentication=VncAuth


Now generate a password for remote access and run this command to set it:

vncpasswd -service


Edit the same file again: /root/.vnc/config.d/vncserver-x11
And put this (replace bastien by your user):

Permissions=bastien:f

Edit the file : /boot/config.txt     (we improve the default VNC resolution here)
And edit these lines:

framebuffer_width=1900
framebuffer_height=1024

Comment out these lines (shown here already commented):

[pi4]
#dtoverlay=vc4-fkms-v3d
#max_framebuffers=2

[all]
#dtoverlay=vc4-fkms-v3d


Now save and reboot the PI; you can then check your PI "remote screen" via a VNC client, here I'm using the TIGHT-VNC client.

 

5. VOIP setup 

Here I'm using the SEREN and MUMBLE software; choose one and use it.
SEREN is a very light console VOIP client/server; MUMBLE is a GUI client and also has a server version,
and MUMBLE offers more options for the SOUND.
 

 

5.1 MUMBLE Setup 

 

5.1.1 Client SIDE

The setup is very simple, I'm using the SNAP command (you can discover SNAP here: https://snapcraft.io/ ):

sudo apt update
sudo apt install snapd
sudo reboot
sudo snap install core
sudo snap install mumble

Now we configure the MUMBLE client to start at LXDE session "boot":

mkdir -p /home/bastien/.config/lxsession/LXDE-pi
cp /etc/xdg/lxsession/LXDE-pi/autostart /home/bastien/.config/lxsession/LXDE-pi/
vim /home/bastien/.config/lxsession/LXDE-pi/autostart

@lxpanel --profile LXDE-pi
@pcmanfm --desktop --profile LXDE-pi
@xscreensaver -no-splash
@mumble mumble://[CALL-1]:[PASSWORD]@[IP]:[PORT]/[SERVER-NAME]/Y

You can replace : 
[CALL-1] by : your radio callsign
[PASSWORD] by : a password you define !
[IP] by : 127.0.0.1 
[PORT] by : 64538
[SERVER-NAME] by : 127.0.0.1 

Since this autostart file contains the server password in clear text, keep it readable only by your user (chmod 600).
On the first launch of the MUMBLE client you will have to configure your sound card levels.
Note that "transmit" must be set to "continuous" and the audio quality to "64Kb/s":


You can now configure the server part, before connect the client instance. 
 

5.1.2 Server SIDE

The MUMBLE server is running here also on the RASPBERRY in order to reduce sound latency. 

We install MUMBLE SERVER : 

sudo apt-get install mumble-server

We configure it via : 

sudo vim /etc/mumble-server.ini

(!) The client uses TCP+UDP; if you want, you can force TCP only on the client side (see the matrix in part 1).

Now edit these lines (the port must be the same one you opened in the firewall in part 3 and put in the client URL):
port=64738
serverpassword=[YOUR PASSWORD]

Now we can start MUMBLE SERVER : 

sudo systemctl enable mumble-server.service
sudo systemctl stop mumble-server.service
sudo systemctl start mumble-server.service

And there you go!

5.2 SEREN Setup 

I've created an install script for this part (read it before running it, as with any script fetched from the network):

wget --output-document /tmp/setupcrx.bash https://git.crx.cloud/f4eyq/crx-com/raw/master/scripts/setup_server.bash; chmod +x /tmp/setupcrx.bash; /tmp/setupcrx.bash

This folder contains the configuration:

/opt/crx/conf/remote : 

-rw-r--r-- 1 root root 47 sept. 30 09:43 station.conf
lrwxrwxrwx 1 root root 36 nov.  21 05:36 voip.conf -> /opt/crx/conf/remote/voip_hight.conf
-rw-r--r-- 1 root root 33 sept. 30 09:49 voip_hight.conf
-rw-r--r-- 1 root root 31 sept. 30 09:49 voip_low.conf
-rw-r--r-- 1 root root 29 sept. 30 09:49 voip_mid.conf

To start SEREN automatically at boot, edit /etc/rc.local and add:

/opt/crx/seren/voip.bash --start

SEREN listens on port 8110 UDP.

We edit the "station.conf" with these values : 

REMOTE_MODE="y"
SOUND_CARD="plughw:0,0"
STATION_NAME="f4eyq-1"

For the client setup, simply use this configuration : 

REMOTE_MODE="n"
STATION_REMOTE_PORT=8110
STATION_REMOTE_HOST=[MY REMOTE STATION IP ADDRESS]
SOUND_CARD="plughw:0,0"
STATION_NAME="f4eyq-remote"

More info here : https://git.crx.cloud/f4eyq/crx-com/-/blob/master/scripts/README.md
 

 

6. TRX control setup

In this part I propose to use the CRX-COM and FLRIG software.
FLRIG can work with WSJTX and FLDIGI.
CRX-COM can be used with the Cloud instance of CRX ( https://ham.crx.cloud/ ).

I've created an installer script for this part (the same one as for the VOIP/SEREN part); it contains the CRX-COM / FLRIG scripts:

wget --output-document /tmp/setupcrx.bash https://git.crx.cloud/f4eyq/crx-com/raw/master/scripts/setup_server.bash; chmod +x /tmp/setupcrx.bash; /tmp/setupcrx.bash

 

 

6.1 CRX-COM remote and client setup

To enable CRX-COM run these commands : 

sudo systemctl stop crx_com_tcp.service
ln -s /opt/crx/crx-com/scripts/tcp_serial_catsystem.service /etc/systemd/system/tcp_serial_catsystem.service
sudo systemctl daemon-reload
sudo systemctl enable tcp_serial_catsystem.service
sudo systemctl start tcp_serial_catsystem.service

To modify the listening port you can edit this file (here I'm using LISTEN_PORT=5209):

vim /opt/crx/crx-com/config.ini


For the FLRIG configuration, I've created a SYSTEMD service for remote operation;
to start, edit this file:

vim /opt/crx/crx-com/scripts/tcp_serial_catsystem.service

You can change it with your TRX values; here it is configured for my FT897 TRX.

Now you can declare the service and start it:

sudo systemctl stop crx_com_tcp.service
ln -s /opt/crx/crx-com/scripts/tcp_serial_catsystem.service /etc/systemd/system/tcp_serial_catsystem.service
sudo systemctl daemon-reload
sudo systemctl enable tcp_serial_catsystem.service
sudo systemctl start tcp_serial_catsystem.service

If you modify the configuration after following this doc, don't forget to run: systemctl daemon-reload + systemctl restart tcp_serial_catsystem.service.


On the client side:
All configuration is done in your WEB BROWSER (that is the main difference with other software):
=> Go to https://dxham.crx.cloud/ and enter your configuration via the CAT button (IP/PORT, select TRX and port speed).
=> Click the "Run-https" button to enable the WEBSOCKET connection with the server PI (needed for the SSL part).
=> Simply click the "Save, apply config connect" button when you have finished.


If you need more info/help :  https://project.crx.cloud/crx-com

 

6.2 FLRIG remote and client setup 

Client side : 

On linux install it via : 

apt-get install flrig

A Windows version also exists :)

The configuration follows the same logic as CRX-COM:
=> Go to the menu "Config" / "Setup" / "TCP-IP":
=> Set the IP / PORT of your remote PI.

=> Go to the menu "Config" / "Setup" / "Transceiver":
=> Choose your TRX and configure it.

Server "PI" side : 

We configure it; here is my configuration, adapt it to yours.
Simply edit the "ExecStart" line (here it's for my FT897 TRX with a simple YAESU USB interface); note that my interface is on /dev/ttyUSB0, it can differ on your side. Keep in mind that the firewall rules of part 3 (or the VPN of part 8) are what restricts who can reach this port, and therefore who can control the transceiver:

vim /opt/crx/crx-com/scripts/tcp_serial_catsystem.service
ExecStart=/opt/crx/cat2tcp/tcp_serial_redirect.py -P 5210 --develop --bytesize=8 --parity=N --stopbits=2 /dev/ttyUSB0 4800

Now enter these commands to enable the TCP to serial remote service : 

ln -s /opt/crx/crx-com/scripts/tcp_serial_catsystem.service /etc/systemd/system/tcp_serial_catsystem.service
sudo systemctl daemon-reload
sudo systemctl enable tcp_serial_catsystem.service
sudo systemctl start tcp_serial_catsystem.service

If you edit this configuration again later, don't forget to run these commands (SYSTEMD will not pick up the change without a daemon-reload):

sudo systemctl daemon-reload
sudo systemctl restart tcp_serial_catsystem.service

If you need scripts GIT repository is here : 
https://git.crx.cloud/f4eyq/crx-com/-/tree/master/scripts

 

7. HAM radio software setup

Here I've selected a few LINUX programs for you:

FL Suite : 

apt-get install fldigi

Logbook  CQRLOG : 

apt-get install cqrlog

Wsjt-x :

Here I'm not using the DEBIAN repository but the official WSJT site, in order to have the latest version.
First of all go to https://www.physics.princeton.edu/pulsar/k1jt/wsjtx.html
and retrieve the latest version (here it's 2.4.0).

Now we can install it : 

wget https://www.physics.princeton.edu/pulsar/k1jt/wsjtx_2.4.0_armhf.deb
sudo dpkg -i wsjtx_2.4.0_armhf.deb
sudo apt --fix-broken install

Of course, you can install lots of other HAM programs; a good guide to complete your setup can be found here:
https://dl1gkk.com/setup-raspberry-pi-for-ham-radio/

When you are using WSJTX you must stop the MUMBLE CLIENT and also stop the CRX service (for transceiver CAT system operation):
sudo systemctl stop crx_com_tcp.service
Or the FLRIG remote service:
sudo systemctl stop tcp_serial_catsystem.service
Note: before launching WSJTX you must set "USB" mode on your remote station (via the CRX or FLRIG app).

 

8. Configuring your VPN (optional)

 

8.1 Server side  

 

8.1.1 PKI Setup 

I start by installing EASY-RSA (a set of scripts to manage a PKI); I clone it into /opt/easyrsa so that the paths match the rest of this part:

cd /opt/
git clone https://github.com/OpenVPN/easy-rsa.git /opt/easyrsa
cd /opt/easyrsa/easyrsa3/
cp vars.example vars

In the vars file I modify these entries (easy-rsa 3 uses the set_var syntax; the KEY_* exports of easy-rsa 2 are ignored, and the REQ fields are only used with the "org" DN mode):

set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "FR"
set_var EASYRSA_REQ_PROVINCE "IDF"
set_var EASYRSA_REQ_CITY "VilleDeMonServeur"
set_var EASYRSA_REQ_ORG "monVpn"
set_var EASYRSA_REQ_EMAIL "admin@mondomaine.fr"
set_var EASYRSA_REQ_OU "myOu"

Next I set the certificate expiration (in days):

set_var EASYRSA_CA_EXPIRE 1825
set_var EASYRSA_CERT_EXPIRE 365

Now I can initialise my PKI:

# ./easyrsa init-pki

And the CA:

# ./easyrsa build-ca nopass

With nopass the CA private key (pki/private/ca.key) is stored unencrypted; it is only needed to sign new certificates, so keep it out of /etc/openvpn and back it up somewhere safe.

Now I request and sign the certificate for the server:

# ./easyrsa gen-req monserveurvpn nopass
# ./easyrsa sign-req server monserveurvpn

The script creates these files:

=> /opt/easyrsa/easyrsa3/pki/issued/monserveurvpn.crt
=> /opt/easyrsa/easyrsa3/pki/private/monserveurvpn.key

I now generate the DH parameters and the TLS-auth secret key:

# ./easyrsa gen-dh
# openvpn --genkey --secret ta.key

This creates two files:

=> /opt/easyrsa/easyrsa3/ta.key
=> /opt/easyrsa/easyrsa3/pki/dh.pem

 

 

8.1.2 OPEN-VPN service configuration 

I deploy now these files to the OPENVPN server folder : 

cp /opt/easyrsa/easyrsa3/ta.key /etc/openvpn/server/ta.key
cp /opt/easyrsa/easyrsa3/pki/ca.crt /etc/openvpn/server/ca.crt
cp /opt/easyrsa/easyrsa3/pki/issued/monserveurvpn.crt /etc/openvpn/server/server.crt
cp /opt/easyrsa/easyrsa3/pki/private/monserveurvpn.key /etc/openvpn/server/server.key
cp /opt/easyrsa/easyrsa3/pki/dh.pem /etc/openvpn/server/dh2048.pem

Here is my server configuration : 

port 8443
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh2048.pem
topology subnet
server 10.77.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
ccd-exclusive
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
auth SHA256
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 5

Here I am using one file per client in the "ccd" subfolder,
but this is optional if you define your client IP pool (note that with "ccd-exclusive" in the server configuration above, a client without a ccd file is refused).

Example:

# cat /etc/openvpn/ccd/f4eyq-raspberrypi
ifconfig-push 10.77.0.25 255.255.255.0

And finally its target configuration; I will not go into technical details here,
if you need documentation it is provided online on the OPEN-VPN site.

 

8.2 Client side setup

The OPENVPN configuration is almost the same on WINDOWS and LINUX.

On Windows the file must have the extension ".ovpn"; simply load it into the "OpenVPN Connect" application.
Here is my configuration:

client
dev tun
proto udp
remote monserveurvpn 8443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert f4eyq-laptop1.crt
key-direction 1
key f4eyq-laptop1.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
#comp-lzo
verb 0

These files come from my PKI (on my server); the client certificate is generated like the server one, but signed as a client (./easyrsa gen-req f4eyq-laptop1 nopass, then ./easyrsa sign-req client f4eyq-laptop1):

ca.crt
f4eyq-laptop1.crt
f4eyq-laptop1.key
ta.key

Here is the configuration on the RASPBERRY side : 

client
dev tun
proto udp
remote monserveurvpn 8443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert f4eyq-raspberrypi.crt
key-direction 1
key f4eyq-raspberrypi.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 0
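As an added check (my script, not part of the original guide), a small shell script that verifies that a client configuration agrees with the server configuration of part 8.1.2: same port/proto/cipher/auth, opposite tls-auth key directions (0 on the server, 1 on the client), and the "remote-cert-tls server" line that stops a client certificate signed by the same CA from posing as the server. The sample files are constructed subsets of the configurations in this part.

```sh
#!/bin/sh
# cfg_get FILE KEY: value(s) following KEY on the first matching line, or nothing.
cfg_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# vpn_check SERVER_CONF CLIENT_CONF: print one line per mismatch, return 1 if any.
vpn_check() {
    s=$1; c=$2; rc=0
    sport=$(cfg_get "$s" port)
    cport=$(cfg_get "$c" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || { echo "port: server $sport, client remote $cport"; rc=1; }
    for k in proto cipher auth; do
        sv=$(cfg_get "$s" "$k"); cv=$(cfg_get "$c" "$k")
        [ "$sv" = "$cv" ] || { echo "$k: server '$sv', client '$cv'"; rc=1; }
    done
    # tls-auth: the shared ta.key must be used in opposite directions.
    sdir=$(cfg_get "$s" tls-auth | awk '{ print $2 }')
    cdir=$(cfg_get "$c" tls-auth | awk '{ print $2 }')
    [ "$sdir" = 0 ] && [ "$cdir" = 1 ] || { echo "tls-auth direction: server '$sdir', client '$cdir' (expected 0 / 1)"; rc=1; }
    kd=$(cfg_get "$c" key-direction)
    [ -z "$kd" ] || [ "$kd" = "$cdir" ] || { echo "key-direction $kd disagrees with tls-auth $cdir"; rc=1; }
    # Without this line any certificate signed by the CA (a client one) could pose as the server.
    [ "$(cfg_get "$c" remote-cert-tls)" = server ] || { echo "client lacks 'remote-cert-tls server'"; rc=1; }
    return $rc
}

# write_samples DIR: constructed subsets of the server config, the PI client config
# and a deliberately broken client config.
write_samples() {
    printf '%s\n' 'port 8443' 'proto udp' 'dev tun' 'tls-auth /etc/openvpn/server/ta.key 0' \
        'auth SHA256' 'cipher AES-256-CBC' > "$1/server.conf"
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote monserveurvpn 8443' 'remote-cert-tls server' \
        'key-direction 1' 'tls-auth ta.key 1' 'cipher AES-256-CBC' 'auth SHA256' > "$1/client.conf"
    # Broken on purpose: tcp instead of udp, wrong tls-auth direction, no remote-cert-tls.
    printf '%s\n' 'client' 'dev tun' 'proto tcp' 'remote monserveurvpn 8443' \
        'tls-auth ta.key 0' 'cipher AES-256-CBC' 'auth SHA256' > "$1/bad-client.conf"
}

# Demo on the constructed files.
D=$(mktemp -d)
write_samples "$D"
for cl in client.conf bad-client.conf; do
    if vpn_check "$D/server.conf" "$D/$cl"; then echo "$cl: OK"; else echo "$cl: problems listed above"; fi
done
rm -r "$D"
```

On a real setup call vpn_check with /etc/openvpn/server.conf and the .ovpn file you are about to hand to a client.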
 

9. Your remote station security


Hardware side:

- Inverter / surge arrester (if possible).
- Be able to connect / disconnect the station remotely (via a relay / GPIO output of the RASPBERRY).
- Some even thought of that for the antennas: https://vimeo.com/133917999
- Schedule a timeout on the program (in the event of a network cut); see the "anti bavard" (time-out timer) system on your TRX.

Software side:

To do here at least:
- ALWAYS use a FIREWALL on your server, see part 3 of this document.
- Put your passwords in a secure container (https://keepass.info/) or in an encrypted EXCEL/OOO file for example.
- Create a user on the RASPBERRY and disable the pi user (explained in this document, part 2.2.3).
- Try as much as possible not to do everything as root.
- Back up your micro SD card (see part 2 of the doc).
- If you need it you can use a VPN (it adds latency to your system, but you will be able to close some open network ports on your Internet box).