https://wiki.ampr.org/w/api.php?action=feedcontributions&user=OH1KK&feedformat=atom
44Net Wiki - User contributions [en]
2024-03-29T01:05:50Z
User contributions
MediaWiki 1.41.0

https://wiki.ampr.org/w/index.php?title=Services&diff=924
Services
2021-03-22T20:49:36Z
<p>OH1KK: removed sdr.vy.fi</p>
<hr />
<div>{| class="wikitable sortable"<br />
|-<br />
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information<br />
|-<br />
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE<br />
|-<br />
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE<br />
|-<br />
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE<br />
|-<br />
| AMPR ||[[44Net mailing list]] || https://mailman.ampr.org/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE<br />
|-<br />
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.34.84 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).<br />
|-<br />
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway<br />
|-<br />
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be parsed by a self-developed [[munge script]]<br />
|-<br />
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||<br />
(These hosts maintain a copy of AMPR.ORG and the 44.IN-ADDR.ARPA DNS Zones:)<br />
<br />ampr.org<br /><br />
ns2.threshinc.com<br /><br />
munnari.OZ.AU<br /><br />
a.coreservers.uk<br /><br />
ampr-dns.in-berlin.de<br /><br />
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:)<br /><br />
gw.ct.ampr.org (44.88.0.1)<br /><br />
dns-mdc.ampr.org (44.60.44.3)<br /><br />
n1uro.ampr.org (44.88.0.9)<br />
|| DNS || name resolution services|| zone files can be downloaded from ftp://gw.ampr.org/pub/<br />
|-<br />
| Various Operators||Network Tools||<br />
http://whatismyip.ampr.org<br /><br />
http://yo2tm.ampr.org/nettools.php<br /><br />
http://kb3vwg-010.ampr.org/tools<br /><br />
http://speedtest.ampr.org<br /><br />
http://n1uro.ampr.org/do.shtml<br /><br />
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE<br />
|-<br />
| Various Operators ||Network Time Protocol Server || gw.ampr.org (Stratum 1, US)<br />ntp.vk2hff.ampr.org (Stratum 1, AU)<br />ntp.g1fef.ampr.org (Stratum 1, UK)<br />kb3vwg-001.ampr.org (Stratum 2, US)<br />gw-44-137.pi9noz.ampr.org (Stratum 2)<br />server.yo2loj.ampr.org (Stratum 2)<br />f4gve.ampr.org (Stratum 3)<br />ntp1.on3rvh.ampr.org<br /> || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| AMPRNet hosts have OPEN ACCESS to these time servers <br />
|-<br />
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/wiki/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have an X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.<br />
|-<br />
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Software is here.<br />
|-<br />
| [http://allstarlink.org AllStar Link] || AllStar || http://allstarlink.org || Linking of repeaters || AllStar Link core network services are provided via redundant datacenters using 44net IP space. || [https://wiki.allstarlink.org/wiki/Main_Page ASL wiki]<br />
|}</div>
OH1KK

https://wiki.ampr.org/w/index.php?title=Services&diff=680
Services
2017-02-22T23:10:54Z
<p>OH1KK: Added KiwiSDR</p>
<hr />
<div>{| class="wikitable sortable"<br />
|-<br />
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information<br />
|-<br />
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || manage [[Gateway]], [[Encap.txt]] preferences and ampr.org domain entries (domain entry functionality still under development)|| NONE<br />
|-<br />
| AMPR ||Website || http://www.ampr.org || HTTP || AMPRNet Main Page|| NONE<br />
|-<br />
| AMPR ||Wiki || http://wiki.ampr.org || HTTP || This Wiki|| NONE<br />
|-<br />
| AMPR ||[[44Net mailing list]] || http://hamradio.ucsd.edu/mailman/listinfo/44net || HTTP || mailing list discussion|| NONE<br />
|-<br />
| AMPR ||AMPRNet [[Gateway]] (AMPRGW) || 169.228.66.251 || IP and IPENCAP [[Tunnel]]|| main AMPRNet Router|| Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]]).<br />
|-<br />
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway<br />
|-<br />
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be parsed by a self-developed [[munge script]]<br />
|-<br />
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||<br />
(These hosts maintain a copy of AMPR.ORG and/or the 44.in-addr.arpa DNS Zones:)<br />
ns0.comgw.net<br /><br />
ns1.defaultroute.net<br /><br />
ns2.threshinc.com<br /><br />
ampr.org<br /><br />
munnari.oz.au<br /><br />
ampr-dns.in-berlin.de<br /><br />
hamradio.ucsd.edu<br /><br />
(These hosts maintain a copy of AMPR.ORG and the 44.in-addr.arpa DNS Zones. 44/8 hosts may use as recursive/Client DNS servers:)<br /><br />
gw.ct.ampr.org<br /><br />
dns-mdc.ampr.org<br /><br />
n1uro.ampr.org<br />
|| DNS || name resolution services|| zone files can be downloaded from ftp://hamradio.ucsd.edu/pub/<br />
|-<br />
| Various Operators||Network Tools||<br />
http://whatismyip.ampr.org<br /><br />
http://yo2tm.ampr.org/nettools.php<br /><br />
http://kb3vwg-010.ampr.org/tools<br /><br />
http://speedtest.ampr.org<br /><br />
http://n1uro.ampr.org/do.shtml<br /><br />
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| NONE<br />
|-<br />
| Various Operators ||Network Time Protocol Server || kb3vwg-001.ampr.org (Stratum 2)<br />gw-44-137.pi9noz.ampr.org (Stratum 2)<br />f4gve.ampr.org (Stratum 3)<br /> || NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican Stratum 1 Servers|| AMPRNet hosts have OPEN ACCESS to these time servers <br />
|-<br />
| OH7LZB ||[[AMPRNet_VPN]] || http://wiki.ampr.org/index.php/AMPRNet_VPN || VPN|| [http://en.wikipedia.org/wiki/OpenVPN OpenVPN]-based || You must have an X.509 certificate issued by [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]. ARRL membership is not required.<br />
|-<br />
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Software is here.<br />
|-<br />
| OH1KK || KiwiSDR Kaustinen || http://44.139.48.2 || SDR-receiver || KiwiSDR receiver located at Kaustinen, Finland · 0-30 MHz · Antenna switch extension · Northern Europe || Experimental. Also available on non-amprnet at address http://sdr.vy.fi<br />
|-<br />
|}</div>
OH1KK

https://wiki.ampr.org/w/index.php?title=OH7LZB_VPN&diff=421
OH7LZB VPN
2015-08-10T13:33:27Z
<p>OH1KK: /* Linux: OpenVPN */</p>
<hr />
<div>AMPRNet VPN is an experimental method to access the AMPRNet using a VPN from anywhere on the Internet. The VPN is openly available to any amateur radio operator who has successfully applied for an X.509 certificate from one of the following Certificate Authorities:<br />
<br />
* [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]<br />
<br />
The Certificate Authority (CA) validates, using a relatively strong method, that the operator is actually licensed, and gives the operator a cryptographic certificate to prove that. Other services, such as the AMPRNet VPN, can then check that the operator possesses a valid amateur radio operator certificate (and the accompanying private key), without any manual work being performed by the operators of those services. The operator can use his private key to sign LoTW log files, or any other information he wishes to communicate, and other parties trusting the CA can use the certificate to check that these were transmitted by someone who has a private key and a certificate for a callsign from the CA.<br />
<br />
If and when other organisations start to give out X.509 certificates, after sufficient amateur radio license validation, the AMPRNet VPN will be configured to accept those in addition to the LoTW. If you're not willing to obtain a LoTW certificate, please set up a CA for your local club or association, document the method of license validation you're using, and I'll be happy to trust your certificates.<br />
<br />
The VPN operator (Hessu, OH7LZB) does not have time to run a CA and validate licenses manually, so please don't ask for a certificate from anywhere else than the CAs listed above. Thanks!<br />
<br />
The AMPRNet VPN is only used to access the AMPRNet. While you're connected to the AMPRNet VPN, the VPN client will only transmit packets from you to the AMPRNet via the VPN. Packets from you to the rest of the Internet will not go via the VPN - they'll flow out from your local network connection as before. This is called a [http://en.wikipedia.org/wiki/Split_tunneling split tunnel VPN configuration].<br />
<br />
The setup is still a bit complicated - it can be made easier and more automatic with a little additional software in a later phase.<br />
<br />
The AMPRNet VPN is an experimental service. It might be shut down for technical or political reasons - we'll see if it's a feasible idea or not.<br />
<br />
= Getting a certificate from LoTW =<br />
<br />
Go through [http://www.arrl.org/instructions these simple steps]. After step 4 you're ready to continue with the AMPRNet VPN.<br />
<br />
It's going to take some time to validate, and you'll have to do some manual work (especially if you're outside the USA), but that is intentional. It significantly reduces abuse of the system, and increases its security.<br />
<br />
= Extracting the certificate from LoTW =<br />
<br />
LoTW uses a custom file format (.TQ*) to exchange certificates, but after the LoTW certificate process is done and the TrustedQSL software has your certificates, they can be easily copied from TrustedQSL's directories. You'll need three files: your '''user certificate''', an '''intermediate certificate''' that was used to sign it, and your '''private key'''. The only secret piece of information is the private key - you should not reveal it to anyone at any point, as they could then use services on your behalf, using your callsign.<br />
<br />
== Windows ==<br />
<br />
* C:\Documents and Settings\your-username\Application Data\TrustedQSL contains two directories, '''certs''' and '''keys'''.<br />
* certs\user contains the '''user certificate'''<br />
* certs\authorities contains an '''intermediate certificate'''<br />
* keys\YOURCALL contains, within some XML, your '''private key'''<br />
<br />
Make copies of those files in another directory, and work on those copies in order to avoid breaking the originals.<br />
<br />
The user and intermediate certificates need to be concatenated to a single file named '''client.crt'''. The user certificate must be first, followed by the intermediate certificate. That can be done with a plain ASCII text editor such as Notepad (WordPad or Word is likely to mess it up in a big way).<br />
<br />
The private key needs to be extracted from the YOURCALL file. The file is a regular ASCII text file, and contains a block which looks something like this (just longer):<br />
<br />
-----BEGIN RSA PRIVATE KEY-----<br />
Proc-Type: 4,ENCRYPTED<br />
DEK-Info: DES-EDE3-CBC,0C7B5495F6A91F31<br />
<br />
0xmWfliK/v9U88MFyYtUbteRoAkfVMK6BllcdID3pZzmdykHaPLZUjXOCUh3vFUX<br />
1bjnYwXpLX/CxgZ6NIxQIk7jMjL3iaP5SkWzCswqi9mCO+zHxuS6PWq7YwbWNFgo<br />
7smNcko1yTp7f/VbS4CZ5kgIF9kCgNaiqdxq+v0IcphQHRR4xjfLpBQ4ckYOi4nC<br />
jqFR1BitwBL4K2JeE9PGUkkUBwvU4oOi9PGChuoxMXs8PwKi/dZTmSWM7kOfMiBw<br />
-----END RSA PRIVATE KEY-----<br />
<br />
Copy-paste that block to a separate file named '''client.key'''.<br />
<br />
== Linux and Mac ==<br />
<br />
* ~/.tqsl/certs/user contains the '''user certificate'''<br />
* ~/.tqsl/certs/authorities contains an '''intermediate certificate'''<br />
* ~/.tqsl/keys/YOURCALL contains, within some XML, your '''private key'''<br />
<br />
The user and intermediate certificates need to be concatenated to a single file named '''client.crt'''. The user certificate must be first, followed by the intermediate certificate. That can be done by a single command:<br />
<br />
cat ~/.tqsl/certs/user ~/.tqsl/certs/authorities > client.crt<br />
<br />
The private key needs to be extracted from the YOURCALL file. The file is a regular ASCII text file, and contains a block which looks something like this (just longer):<br />
<br />
-----BEGIN RSA PRIVATE KEY-----<br />
Proc-Type: 4,ENCRYPTED<br />
DEK-Info: DES-EDE3-CBC,0C7B5495F6A91F31<br />
<br />
0xmWfliK/v9U88MFyYtUbteRoAkfVMK6BllcdID3pZzmdykHaPLZUjXOCUh3vFUX<br />
1bjnYwXpLX/CxgZ6NIxQIk7jMjL3iaP5SkWzCswqi9mCO+zHxuS6PWq7YwbWNFgo<br />
7smNcko1yTp7f/VbS4CZ5kgIF9kCgNaiqdxq+v0IcphQHRR4xjfLpBQ4ckYOi4nC<br />
jqFR1BitwBL4K2JeE9PGUkkUBwvU4oOi9PGChuoxMXs8PwKi/dZTmSWM7kOfMiBw<br />
-----END RSA PRIVATE KEY-----<br />
<br />
Copy-paste that block to a separate file named '''client.key'''. If you're going to open up the original private key file in a text editor, it's a good idea to make a backup copy of that file first in case of an accidental corruption of its contents.<br />
<br />
= Configuring AMPRNet VPN =<br />
<br />
== Windows: OpenVPN ==<br />
<br />
# [http://openvpn.net/index.php/download/community-downloads.html Download the Windows Installer], it's free and open source.<br />
# Run the installer to install it.<br />
# [http://he.fi/amprnet-vpn/amprnet-vpn-win.zip Download the AMPRNet VPN configuration files for Windows]<br />
# Open up the zip file, it contains two files: amprnet-vpn.ovpn and amprnet-vpn-ca.crt.<br />
# In Start menu, under OpenVPN => Shortcuts you'll find an entry named '''OpenVPN configuration file directory'''. Open it, and move the two files from the zip to the configuration file directory. <br />
# Place client.crt and client.key, which were created previously, in the configuration file directory.<br />
# Run the '''OpenVPN GUI''' from the desktop icon or start menu. A new icon will appear in the lower right corner (two computers with red screens + a globe on the side).<br />
# Right-click the OpenVPN toolbar icon and select '''Connect'''.<br />
<br />
If you chose to encrypt your private key with a password (or passphrase) when initially applying for a LoTW certificate and generating the Certificate Request, OpenVPN will ask you for that password when connecting.<br />
<br />
To rephrase: When OpenVPN says "Enter Password", the password being asked is the one you picked when you first applied for a LoTW certificate. It's not something the VPN operator knows (or should know). It's not the one you got on a postcard. Only you have ever been aware of that password (hopefully).<br />
<br />
== Linux: OpenVPN ==<br />
<br />
=== Ubuntu 15.10 ===<br />
<br />
Here are the steps to install the AMPRNet VPN on an Ubuntu 15.10 desktop. First install the OpenVPN plugin for NetworkManager.<br />
Open a terminal and type:<br />
<br />
 sudo apt-get install network-manager-openvpn-gnome<br />
<br />
Then add the VPN connection information to NetworkManager:<br />
<br />
# Click network manager icon on taskbar<br />
# Edit connections<br />
# Add<br />
# OpenVPN<br />
# Create<br />
#* Connection name: AMPRNet<br />
#* Gateway: amprnet-vpn1.aprs.fi<br />
#* Select the proper files for User Certificate, CA certificate and Private key<br />
#* Optionally enter the private key password if you have set one<br />
# Click Advanced<br />
#* [x] Use custom gateway port: 1773<br />
#* [x] Use LZO data compression<br />
# Click OK<br />
# Click Save<br />
# Click Close<br />
<br />
Now you can connect to the VPN:<br />
<br />
# Click network manager icon on taskbar<br />
# VPN connections -> AMPRNet<br />
# Connection should be established<br />
<br />
== Linux (Raspberry PI): OpenVPN ==<br />
<br />
Log in to the Raspberry Pi console and install the OpenVPN software:<br />
<br />
sudo apt-get install openvpn<br />
<br />
Create the OpenVPN client configuration file /etc/openvpn/client.conf with your favourite editor:<br />
<br />
<pre><br />
client<br />
dev tun<br />
proto udp<br />
remote amprnet-vpn1.aprs.fi 1773<br />
resolv-retry infinite<br />
persist-key<br />
persist-tun<br />
ca amprnet-vpn-ca.crt<br />
cert client.crt<br />
key client.key<br />
comp-lzo<br />
verb 3<br />
</pre><br />
<br />
Extract your client certificate and key as explained in the section Extracting the certificate from LoTW above. Copy your certificate files client.crt and client.key to /etc/openvpn/. You also need amprnet-vpn-ca.crt, which can be found inside this archive:<br />
http://he.fi/amprnet-vpn/amprnet-vpn-win.zip<br />
Extract it and copy it to /etc/openvpn/ as well.<br />
<br />
Restart openvpn<br />
<br />
 sudo service openvpn restart<br />
<br />
All done.<br />
<br />
== Mac OS X: Tunnelblick ==<br />
<br />
# [http://code.google.com/p/tunnelblick/ Download Tunnelblick], it's free and open source, and works like a charm. It's based on OpenVPN.<br />
# [http://he.fi/amprnet-vpn/amprnet-vpn-tblk.zip Download the AMPRNet VPN configuration for Tunnelblick], it's a zip file containing a directory with a couple files<br />
# Double-click the downloaded zip file to extract it, you'll get a directory named '''amprnet-vpn.tblk'''<br />
# Move the '''private key''' (in a file which was named '''client.key''' in the previous step) to that directory<br />
# Move the certificates (in a file which was named '''client.crt''' in the previous step) to that directory<br />
# Double-click the '''amprnet-vpn.tblk''' directory - this will launch Tunnelblick and install the VPN configuration<br />
<br />
You should now see a "tunnel" icon in the top right corner of the screen. Click it to see a few menu items allowing you to connect and disconnect the VPN.<br />
<br />
If you chose to encrypt your private key with a password (or passphrase) when initially applying for a LoTW certificate and generating the Certificate Request, Tunnelblick will ask you for that passphrase when connecting.<br />
<br />
To rephrase: When Tunnelblick says "A passphrase is required to connect to amprnet-vpn", the passphrase being asked is the one you picked when you first applied for a LoTW certificate. It's not something the VPN operator knows (or should know). Only you have ever been aware of that passphrase (hopefully).</div>
OH1KK

https://wiki.ampr.org/w/index.php?title=OH7LZB_VPN&diff=65
OH7LZB VPN
2013-12-26T12:47:51Z
<p>OH1KK: /* Linux: OpenVPN */</p>
<hr />
<div>AMPRNet VPN is an experimental method to access the AMPRNet using a VPN from anywhere on the Internet. The VPN is openly available to any amateur radio operator who has successfully applied for an X.509 certificate from one of the following Certificate Authorities:<br />
<br />
* [http://www.arrl.org/logbook-of-the-world ARRL Logbook of the World (LoTW)]<br />
<br />
The Certificate Authority (CA) validates, using a relatively strong method, that the operator is actually licensed, and gives the operator a cryptographic certificate to prove that. Other services, such as the AMPRNet VPN, can then check that the operator possesses a valid amateur radio operator certificate (and the accompanying private key), without any manual work being performed by the operators of those services. The operator can use his private key to sign LoTW log files, or any other information he wishes to communicate, and other parties trusting the CA can use the certificate to check that these were transmitted by someone who has a private key and a certificate for a callsign from the CA.<br />
<br />
If and when other organisations start to give out X.509 certificates, after sufficient amateur radio license validation, the AMPRNet VPN will be configured to accept those in addition to the LoTW. If you're not willing to obtain a LoTW certificate, please set up a CA for your local club or association, document the method of license validation you're using, and I'll be happy to trust your certificates.<br />
<br />
The VPN operator (Hessu, OH7LZB) does not have time to run a CA and validate licenses manually, so please don't ask for a certificate from anywhere else than the CAs listed above. Thanks!<br />
<br />
The AMPRNet VPN is only used to access the AMPRNet. While you're connected to the AMPRNet VPN, the VPN client will only transmit packets from you to the AMPRNet via the VPN. Packets from you to the rest of the Internet will not go via the VPN - they'll flow out from your local network connection as before. This is called a [http://en.wikipedia.org/wiki/Split_tunneling split tunnel VPN configuration].<br />
<br />
The setup is still a bit complicated - it can be made easier and more automatic with a little additional software in a later phase.<br />
<br />
The AMPRNet VPN is an experimental service. It might be shut down for technical or political reasons - we'll see if it's a feasible idea or not.<br />
<br />
= Getting a certificate from LoTW =<br />
<br />
Go through [http://www.arrl.org/instructions these simple steps]. After step 4 you're ready to continue with the AMPRNet VPN.<br />
<br />
It's going to take some time to validate, and you'll have to do some manual work (especially if you're outside the USA), but that is intentional. It significantly reduces abuse of the system, and increases its security.<br />
<br />
= Extracting the certificate from LoTW =<br />
<br />
LoTW uses a custom file format (.TQ*) to exchange certificates, but after the LoTW certificate process is done and the TrustedQSL software has your certificates, they can be easily copied from TrustedQSL's directories. You'll need three files: your '''user certificate''', an '''intermediate certificate''' that was used to sign it, and your '''private key'''. The only secret piece of information is the private key - you should not reveal it to anyone at any point, as they could then use services on your behalf, using your callsign.<br />
<br />
== Windows ==<br />
<br />
* C:\Documents and Settings\your-username\Application Data\TrustedQSL contains two directories, '''certs''' and '''keys'''.<br />
* certs\user contains the '''user certificate'''<br />
* certs\authorities contains an '''intermediate certificate'''<br />
* keys\YOURCALL contains, within some XML, your '''private key'''<br />
<br />
Make copies of those files in another directory, and work on those copies in order to avoid breaking the originals.<br />
<br />
The user and intermediate certificates need to be concatenated to a single file named '''client.crt'''. The user certificate must be first, followed by the intermediate certificate. That can be done with a plain ASCII text editor such as Notepad (WordPad or Word is likely to mess it up in a big way).<br />
<br />
The private key needs to be extracted from the YOURCALL file. The file is a regular ASCII text file, and contains a block which looks something like this (just longer):<br />
<br />
-----BEGIN RSA PRIVATE KEY-----<br />
Proc-Type: 4,ENCRYPTED<br />
DEK-Info: DES-EDE3-CBC,0C7B5495F6A91F31<br />
<br />
0xmWfliK/v9U88MFyYtUbteRoAkfVMK6BllcdID3pZzmdykHaPLZUjXOCUh3vFUX<br />
1bjnYwXpLX/CxgZ6NIxQIk7jMjL3iaP5SkWzCswqi9mCO+zHxuS6PWq7YwbWNFgo<br />
7smNcko1yTp7f/VbS4CZ5kgIF9kCgNaiqdxq+v0IcphQHRR4xjfLpBQ4ckYOi4nC<br />
jqFR1BitwBL4K2JeE9PGUkkUBwvU4oOi9PGChuoxMXs8PwKi/dZTmSWM7kOfMiBw<br />
-----END RSA PRIVATE KEY-----<br />
<br />
Copy-paste that block to a separate file named '''client.key'''.<br />
<br />
== Linux and Mac ==<br />
<br />
* ~/.tqsl/certs/user contains the '''user certificate'''<br />
* ~/.tqsl/certs/authorities contains an '''intermediate certificate'''<br />
* ~/.tqsl/keys/YOURCALL contains, within some XML, your '''private key'''<br />
<br />
The user and intermediate certificates need to be concatenated to a single file named '''client.crt'''. The user certificate must be first, followed by the intermediate certificate. That can be done by a single command:<br />
<br />
cat ~/.tqsl/certs/user ~/.tqsl/certs/authorities > client.crt<br />
<br />
The private key needs to be extracted from the YOURCALL file. The file is a regular ASCII text file, and contains a block which looks something like this (just longer):<br />
<br />
-----BEGIN RSA PRIVATE KEY-----<br />
Proc-Type: 4,ENCRYPTED<br />
DEK-Info: DES-EDE3-CBC,0C7B5495F6A91F31<br />
<br />
0xmWfliK/v9U88MFyYtUbteRoAkfVMK6BllcdID3pZzmdykHaPLZUjXOCUh3vFUX<br />
1bjnYwXpLX/CxgZ6NIxQIk7jMjL3iaP5SkWzCswqi9mCO+zHxuS6PWq7YwbWNFgo<br />
7smNcko1yTp7f/VbS4CZ5kgIF9kCgNaiqdxq+v0IcphQHRR4xjfLpBQ4ckYOi4nC<br />
jqFR1BitwBL4K2JeE9PGUkkUBwvU4oOi9PGChuoxMXs8PwKi/dZTmSWM7kOfMiBw<br />
-----END RSA PRIVATE KEY-----<br />
<br />
Copy-paste that block to a separate file named '''client.key'''. If you're going to open up the original private key file in a text editor, it's a good idea to make a backup copy of that file first in case of an accidental corruption of its contents.<br />
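
The Linux and Mac extraction steps above (the same steps appear in both revisions of this page), written as a script. This is an added example, not part of the original page or the VPN operator's tooling: it builds client.crt in the required order, pulls the PEM block out of the key file, and keeps client.key readable only by its owner. The function names, the N0CALL callsign and the XML element names in the sample input are assumptions made for the example; the real TrustedQSL key file layout is not shown on the page.

```shell
# Added example: build client.crt and client.key from TrustedQSL files.
# Usage: sh tqsl2ovpn.sh YOURCALL [TQSL_DIR] [OUT_DIR]

# Print the first PEM private-key block embedded in a TrustedQSL key file,
# dropping the surrounding XML, indentation and any CR line endings.
extract_key() {
    awk '
        /-----BEGIN [A-Z ]*PRIVATE KEY-----/ && !inkey && !done {
            inkey = 1; sub(/^.*-----BEGIN/, "-----BEGIN")
        }
        inkey {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            if ($0 ~ /-----END [A-Z ]*PRIVATE KEY-----/) {
                sub(/KEY-----.*$/, "KEY-----"); inkey = 0; done = 1
            }
            print
        }
    ' "$1"
}

# True if the key is passphrase-protected (legacy PEM or PKCS#8 form).
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Permission string of client.key in directory $1, e.g. "-rw-------".
key_mode() { ls -l "$1/client.key" | cut -c1-10; }

# Verify what OpenVPN will be given: two certificates, exactly one complete
# key block, no leftover XML, and a key file only its owner can read.
check_client_files() {
    ncert=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1/client.crt" || true)
    nbegin=$(grep -c -e '^-----BEGIN [A-Z ]*PRIVATE KEY-----$' "$1/client.key" || true)
    nend=$(grep -c -e '^-----END [A-Z ]*PRIVATE KEY-----$' "$1/client.key" || true)
    [ "$ncert" -ge 2 ] || { echo "client.crt: found $ncert certificate(s), need 2" >&2; return 1; }
    [ "$nbegin" -eq 1 ] && [ "$nend" -eq 1 ] || { echo "client.key: no complete key block" >&2; return 1; }
    ! grep -q '[<>]' "$1/client.key" || { echo "client.key: XML left in file" >&2; return 1; }
    case "$(key_mode "$1")" in
        -rw-------|-r--------) ;;
        *) echo "client.key: readable by other users" >&2; return 1 ;;
    esac
}

# $1 = callsign, $2 = TrustedQSL directory, $3 = output directory
build_client_files() {
    call=$1 tqsl=$2 out=$3
    for f in "$tqsl/certs/user" "$tqsl/certs/authorities" "$tqsl/keys/$call"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    mkdir -p "$out" || return 1
    # Order matters: user certificate first, then the intermediate.
    cat "$tqsl/certs/user" "$tqsl/certs/authorities" > "$out/client.crt" || return 1
    # umask keeps the key private from the moment the file is created.
    ( umask 077; extract_key "$tqsl/keys/$call" > "$out/client.key" ) || return 1
    chmod 600 "$out/client.key" || return 1
    check_client_files "$out" || return 1
    key_is_encrypted "$out/client.key" ||
        echo "note: key has no passphrase; file permissions are its only protection" >&2
}

# Constructed sample input. The XML element names are hypothetical, not the
# real TrustedQSL schema, and the base64 text is filler, not key material.
make_sample_tqsl() {
    mkdir -p "$1/certs" "$1/keys" || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'VVNFUg==' \
        '-----END CERTIFICATE-----' > "$1/certs/user"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVI=' \
        '-----END CERTIFICATE-----' > "$1/certs/authorities"
    cat > "$1/keys/N0CALL" <<'EOF'
<SampleKeyFile>
  <Callsign>N0CALL</Callsign>
  <PrivateKey>-----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,0000000000000000

  Q09OU1RSVUNURUQ=
  -----END RSA PRIVATE KEY-----</PrivateKey>
</SampleKeyFile>
EOF
}

# With a callsign: convert real files. With no arguments: run on the sample.
if [ "$#" -ge 1 ]; then
    build_client_files "$1" "${2:-$HOME/.tqsl}" "${3:-.}"
else
    demo=$(mktemp -d) && make_sample_tqsl "$demo/tqsl" &&
        build_client_files N0CALL "$demo/tqsl" "$demo/out" &&
        echo "sample converted, client.key mode $(key_mode "$demo/out")"
    [ -z "$demo" ] || rm -rf "$demo"
fi
```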
<br />
= Configuring AMPRNet VPN =<br />
<br />
== Windows: OpenVPN ==<br />
<br />
# [http://openvpn.net/index.php/download/community-downloads.html Download the Windows Installer], it's free and open source.<br />
# Run the installer to install it.<br />
# [http://he.fi/amprnet-vpn/amprnet-vpn-win.zip Download the AMPRNet VPN configuration files for Windows]<br />
# Open up the zip file, it contains two files: amprnet-vpn.ovpn and amprnet-vpn-ca.crt.<br />
# In Start menu, under OpenVPN => Shortcuts you'll find an entry named '''OpenVPN configuration file directory'''. Open it, and move the two files from the zip to the configuration file directory. <br />
# Place client.crt and client.key, which were created previously, in the configuration file directory.<br />
# Run the '''OpenVPN GUI''' from the desktop icon or start menu. A new icon will appear in the lower right corner (two computers with red screens + a globe on the side).<br />
# Right-click the OpenVPN toolbar icon and select '''Connect'''.<br />
<br />
If you chose to encrypt your private key with a password (or passphrase) when initially applying for a LoTW certificate and generating the Certificate Request, OpenVPN will ask you for that password when connecting.<br />
<br />
To rephrase: When OpenVPN says "Enter Password", the password being asked is the one you picked when you first applied for a LoTW certificate. It's not something the VPN operator knows (or should know). It's not the one you got on a postcard. Only you have ever been aware of that password (hopefully).<br />
<br />
== Linux: OpenVPN ==<br />
<br />
... To be written ...<br />
<br />
== Linux (Raspberry PI): OpenVPN ==<br />
<br />
Log in to the Raspberry Pi console and install the OpenVPN software:<br />
<br />
sudo apt-get install openvpn<br />
<br />
Create the OpenVPN client configuration file /etc/openvpn/client.conf with your favourite editor:<br />
<br />
<pre><br />
client<br />
dev tun<br />
proto udp<br />
remote amprnet-vpn1.aprs.fi 1773<br />
resolv-retry infinite<br />
persist-key<br />
persist-tun<br />
ca amprnet-vpn-ca.crt<br />
cert client.crt<br />
key client.key<br />
comp-lzo<br />
verb 3<br />
</pre><br />
<br />
Extract your client certificate and key as explained in the section Extracting the certificate from LoTW above. Copy your certificate files client.crt and client.key to /etc/openvpn/. You also need amprnet-vpn-ca.crt, which can be found inside this archive:<br />
http://he.fi/amprnet-vpn/amprnet-vpn-win.zip<br />
Extract it and copy it to /etc/openvpn/ as well.<br />
<br />
Restart openvpn<br />
<br />
 sudo service openvpn restart<br />
<br />
All done.<br />
<br />
== Mac OS X: Tunnelblick ==<br />
<br />
# [http://code.google.com/p/tunnelblick/ Download Tunnelblick], it's free and open source, and works like a charm. It's based on OpenVPN.<br />
# [http://he.fi/amprnet-vpn/amprnet-vpn-tblk.zip Download the AMPRNet VPN configuration for Tunnelblick], it's a zip file containing a directory with a couple files<br />
# Double-click the downloaded zip file to extract it, you'll get a directory named '''amprnet-vpn.tblk'''<br />
# Move the '''private key''' (in a file which was named '''client.key''' in the previous step) to that directory<br />
# Move the certificates (in a file which was named '''client.crt''' in the previous step) to that directory<br />
# Double-click the '''amprnet-vpn.tblk''' directory - this will launch Tunnelblick and install the VPN configuration<br />
<br />
You should now see a "tunnel" icon in the top right corner of the screen. Click it to see a few menu items allowing you to connect and disconnect the VPN.<br />
<br />
If you chose to encrypt your private key with a password (or passphrase) when initially applying for a LoTW certificate and generating the Certificate Request, Tunnelblick will ask you for that passphrase when connecting.<br />
<br />
To rephrase: When Tunnelblick says "A passphrase is required to connect to amprnet-vpn", the passphrase being asked is the one you picked when you first applied for a LoTW certificate. It's not something the VPN operator knows (or should know). Only you have ever been aware of that passphrase (hopefully).</div>
OH1KK