OH7LZB VPN

From 44Net Wiki
Jump to navigation Jump to search

AMPRNet VPN is an experimental method to access the AMPRNet using a VPN from anywhere on the Internet. The VPN is openly available to any amateur radio operators who have successfully applied for an X.509 certificate from one of the following Certificate Authorities:

  • ARRL Logbook of the World (LoTW)

The CA validates using a relatively strong method that the operator is actually licensed, and gives the operator a certificate to prove that. Other services, such as the AMPRNet VPN can then check that the operator possesses a valid amateur radio operator certificate (and the accompanying private key), without any manual work being performed by the operators of those services.

If and when other organisations start to give out X.509 certificates, after sufficient amateur radio license validation, the AMPRNet VPN can be configured to accept those in addition to the LoTW. If you're not willing to obtain a LoTW certificate, please set up a CA for your local club or association, document the method of license validation you're using, and I'll be happy to trust your certificates.

The VPN operator does not have time to run a CA and validate licenses manually, so please don't ask for a certificate from anywhere else than the CAs listed above. Thanks!

The AMPRNet VPN is only used to access the AMPRNet. While you're connected to the AMPRNet VPN, the VPN client will only transmit packets from you to the AMPRNet via the VPN. Packets from you to the rest of the Internet will not go via the VPN - they'll flow out from your local network connection as before. This is called a split tunnel VPN configuration.

The setup is still a bit complicated - it can be made easier and more automatic with a little additional software in a later phase.

Extracting the certificate from LoTW

LoTW uses a custom file format (.TQ*) to exchange certificates, but after the LoTW certificate process is done and the TrustedQSL software has your certificates, they can be easily copied from TrustedQSL's directories. You'll need three files: your user certificate, an intermediate certificate that was used to sign it, and your private key. The only secret piece of information is the private key - you should not reveal it to anyone at any point, as they could then use services on your behalf, using your callsign.

Windows

  • C:\Documents and Settings\hessu\Application Data\TrustedQSL contains two directories, certs and keys.
  • certs/user contains the user certificate
  • certs/authorities contains an intermediate certificate
  • keys/YOURCALL contains, within some XML, your private key

Make copies of those files in another directory, and work on those copies in order to avoid breaking the originals.

The user and intermediate certificates need to be concatenated to a single file named client.crt. The user certificate must be first, followed by the intermediate certificate. That can be done by an ascii editor such as Notepad (Wordpad or Word is likely to mess it up in a big way).

The private key needs to be extracted from the YOURCALL file. The file is a regular ASCII text file, and contains a block which looks something like this (just longer):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0C7B5495F6A91F31

0xmWfliK/v9U88MFyYtUbteRoAkfVMK6BllcdID3pZzmdykHaPLZUjXOCUh3vFUX
1bjnYwXpLX/CxgZ6NIxQIk7jMjL3iaP5SkWzCswqi9mCO+zHxuS6PWq7YwbWNFgo
7smNcko1yTp7f/VbS4CZ5kgIF9kCgNaiqdxq+v0IcphQHRR4xjfLpBQ4ckYOi4nC
jqFR1BitwBL4K2JeE9PGUkkUBwvU4oOi9PGChuoxMXs8PwKi/dZTmSWM7kOfMiBw
-----END RSA PRIVATE KEY-----

Copy-paste that block to a separate file named client.key.

Linux and Mac

  • ~/.tqsl/certs/user contains the user certificate
  • ~/.tqsl/certs/authorities contains an intermediate certificate
  • ~/.tqsl/keys/YOURCALL contains, within some XML, your private key

The user and intermediate certificates need to be concatenated to a single file named client.crt. The user certificate must be first, followed by the intermediate certificate. That can be done by a single command:

cat ~/.tqsl/certs/user ~/.tqsl/certs/authorities > client.crt

The private key needs to be extracted from the YOURCALL file. The file is a regular ASCII text file, and contains a block which looks something like this (just longer):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0C7B5495F6A91F31

0xmWfliK/v9U88MFyYtUbteRoAkfVMK6BllcdID3pZzmdykHaPLZUjXOCUh3vFUX
1bjnYwXpLX/CxgZ6NIxQIk7jMjL3iaP5SkWzCswqi9mCO+zHxuS6PWq7YwbWNFgo
7smNcko1yTp7f/VbS4CZ5kgIF9kCgNaiqdxq+v0IcphQHRR4xjfLpBQ4ckYOi4nC
jqFR1BitwBL4K2JeE9PGUkkUBwvU4oOi9PGChuoxMXs8PwKi/dZTmSWM7kOfMiBw
-----END RSA PRIVATE KEY-----

Copy-paste that block to a separate file named client.key. If you're going to open up the original private key file in a text editor, it's a good idea to make a backup copy of that file first in case of an accidental corruption of its contents.

Configuring AMPRNet VPN

Windows: OpenVPN

  1. Download the Windows Installer, it's free and open source.

Linux: OpenVPN

Mac OS X: Tunnelblick

  1. Download Tunnelblick, it's free and open source, and works like a charm. It's based on OpenVPN.
  2. Download the AMPRNet VPN configuration for Tunnelblick, it's a zip file containing a directory with a couple files
  3. Double-click the downloaded zip file to extract it, you'll get a directory named amprnet-vpn.tblk
  4. Move the private key (in a file which was named client.key in the previous step) to that directory
  5. Move the certificates (in a file which was named client.crt in the previous step) to that directory
  6. Double-click the amprnet-vpn.tblk directory - this will launch Tunnelblick and install the VPN configuration

You should now see a "tunnel" icon in the top right corner of the screen. Click it to see a few menu items allowing you to connect and disconnect the VPN.

If you chose to encrypt your private key with a password (or passphrase) when initially applying for a LoTW certificate and generating the Certificate Request, Tunnelblick will ask you for that passphrase when connecting.

To rephrase: When Tunnelblick says "A passphrase is required to connect to amprnet-vpn", the passphrase being asked is the one you picked when you first applied for a LoTW certificate. It's not something the VPN operator knows (or should know). Only you have ever been aware of that passphrase (hopefully).