Remote Access to Anan

[gi4fue]

This is a feature that I would love to see in Thetis for Anan. In MI0BOT's Hermes lite version, I can successfully remote into my home station using my no-ip address and a specific port. I believe the issue with the Anan is due to it being Protocol 2 and its handling of ports. Would it not be possible to put the Anan's IP into a DMZ so that it could decide if it wants to open a specific port for traffic? My Networking skills are rudimentary, but I believe that this is what Reid has done with the HL2 fork. Also, instead of having spinner boxes for the 4 IP addresses could it be a single line to either type in a local IP or a remote IP address. This would open up the Anan to remote access, and make a fantastic piece of software untouchable. It would also mean that I could share my Anan on the net with others. I for one would certainly help in beta testing any such step forward

73, Charlie GI4FUE

[w-u-2-o]

No changes to Thetis are needed for remote operation. However, some increase in your networking knowledge base might be

All that is necessary is to set up an appropriate VPN server on your network and matching VPN client software on your remote PC running Thetis. There are uncountable Youtube instructional videos on how to set up a proper VPN. Correctly configured, your PC will think it is on your home network and will be able to access everything in your home, albeit at some speed deficit.

Be careful to not be confused about the type of VPN connection. While the VPN connection itself generally uses either TCP or UDP, the encrypted channel it creates (aka "tunnel") will carry all the TCP and UDP traffic on all ports between your remote PC running Thetis and the ANAN hardware and everything else on your home network. A properly configured VPN is seamless in this respect.

You can also obtain routers with built-in VPN server functionality. This will perform much better than putting a Pi or extra PC on your network to run the VPN portal and is a conceptually cleaner solution. For example, the ASUS RT-AX1800S includes VPN support and is not at all expensive.

However...VPN not withstanding, remember that you need a very good internet connection to run Thetis on a remote PC over a VPN. If you don't have at least a 10 MBit/s connection with low latency and low packet loss your results may be poor. If you are successfully using HL2 version this is probably not a problem for you.

[gi4fue]

Hi Scott

Many thanks for your comments, and yes, I will need to increase my networking knowledge base. My current router is provided by my ISP, and does not have VPN capability, I will look at the Asus router you mentioned. As far as network speed is concerned, I have a 1gb fibre connection, the biggest issue I have is that my ISP will not give me a fixed IP although I do have a NO-IP account. I will seek some help on setting up the VPN - I understand the basics of it but will probably need help in setting it up properly. I presume that if I use the Asus router, I will not need any additional software like Tailscale or similar, or a commercial product like NordVPN

Many thanks for your input
73, Charlie GI4FUE

[Michael]

Is there information which ports need to be opened on the router in order to access ANAN G2 Ultra via WLAN?

I can access the RaspPi by it's IP address through a VPN but when starting ANAN through Thetis a network error pops up.

Best regards,

Michael

[w-u-2-o]

Can't recommend simply opening ports. Set up a VPN portal, either on your router, on another machine on the LAN side, or possibly even on the G2 Pi itself. It's a lot easier and a lot more secure.

If your intention is to run Thetis on a remote machine please note that this requires a very, very good WLAN connection. Did you read my earlier post in this topic?

[ea3aqr]

Is there information which ports need to be opened on the router in order to access ANAN G2 Ultra via WLAN?

I can access the RaspPi by it's IP address through a VPN but when starting ANAN through Thetis a network error pops up.

Best regards,

Michael

Are you using OpenVPN?

[Michael]

no - I am using WireGuard with a defined ddns and security key . It works with all other apps.

73, Michael

[w-u-2-o]

no - I am using WireGuard with a defined ddns and security key . It works with all other apps.

73, Michael

So you are already using a VPN? If so, then opening ports in the router will not fix any problems you are having.

Where is the Wireguard server running? If it's on a PC or Pi, etc., then it's possible that there is a firewall issue on that machine that is preventing Wireguard from passing the necessary TCP and UDP traffic to the ANAN.

Tomorrow I'm going to move this topic to the networking sub-forum. You should still see it in "Active Topics" regardless.

[ea3aqr]

no - I am using WireGuard with a defined ddns and security key . It works with all other apps.

73, Michael

Michael, I don't know anything about Wireguard, but Thetis needs to send a "special" (broadcast?) packet to start up the radio.

To check if this is you problem with your WireGuard config, install sdrConsole (https://www.sdr-radio.com/download#Release). If you can connect/use your radio thru the VPN, you are experiencing the same issue I had with latest versions of TAP-Windows adapter in my OpenVPN setup.

I don't know why, but TAP versions newer than tap-windows-9.23.3-I601-Win10 are unable to send this special packet to the radio and it never starts up. The latest working driver for me is quite old, dated on 2019, april 23.

[Michael]

Thanks for the replies - I will check with sdr-radio and report back.

Regards,

Michael

[Michael]

I tried now also with SDR-Console - same issue. I also played with some FireWall settings and also temporally witched it off but without any success. Thus, it likely is related to what you indicated. Have you found a solution to this?

73, Michael, DF2RQ

[ea3aqr]

Yes, my solution is to use the latest working diver for Windows TAP (dated in 2019). My VPN setup works fantastic for remoting my radio.

If SDRConsole also failed, it is not the same problem as with my VPN and the initialization packet.

I have assumed that your vpn is configured in bridged mode, isn't it?, otherwise it will never work with the radio.

[w-u-2-o]

AFAIK Wireguard does not support Layer 2 bridging, which is what is required to support discovery packets for both Apache and Flex hardware. OpenVPN does.

[Michael]

ah - this explains it all. I will look for an alternativ VPN supporting bridging protocol 2.

Thanks for the support,

Michael

[ea3aqr]

ah - this explains it all. I will look for an alternativ VPN supporting bridging protocol 2.

Thanks for the support,

Michael

OpenVPN works for me...

[Michael]

I am back home now and I did some further investigation / checking my home network setting.

The router is a Speedport Smart 3 which supports the Wireguard VPN. It allows a range of settings from port forwarding to even dynamic ports which could be opened on demand, triggered by a to be defined port. I may be wrong but it appears that the Wireguard VPN is capable of providing a suitable VPN environment for Thetis (maybe I am wrong).

The other solution would be to establish an OpenVPN VPN but this would require an additional server. I doubt it can be established on the RaspPi of the G2 as the Pi is not accessible when p2app runs. I can ping it (within and outside the home network via the Wireguard VPN) but I cannot login via ssh (neither inside nor outside the home network) as long as p2app runs. I can start the G2 using Thetis as long as I am within the home network but not from outside using VPN. Thus, I wonder which kind of service is provided by OpenVPN which allows this and which is not available by Wireguard?

Maybe it is just an issue with the name server which appears not to be resolved when using a VPN connection? Has anybody experienced a similar issue?

73, Michael

[w-u-2-o]

I am back home now and I did some further investigation / checking my home network setting.

The router is a Speedport Smart 3 which supports the Wireguard VPN. It allows a range of settings from port forwarding to even dynamic ports which could be opened on demand, triggered by a to be defined port. I may be wrong but it appears that the Wireguard VPN is capable of providing a suitable VPN environment for Thetis (maybe I am wrong).

We already posted above that this is wrong.

Again, the Thetis discovery packet is a raw, Layer 2 packet, not a UDP or TCP packet. IMHO this is not a good design, but it is the way it is. And because it is that way then any VPN that is to support Thetis/ANAN discovery must therefore be a Layer 2 bridging VPN.

Layer 2 vs Layer 3 VPN is explained here: https://www.thenetworkdna.com/2024/02/u ... l3vpn.html

The other solution would be to establish an OpenVPN VPN but this would require an additional server.

Not at all. It would be better to obtain a better, more capable router.

Further research shows that WireGuard can be made to work as a Level 2 bridge, however it is not trivial and probably cannot be done on a "consumer level" router like the one you have.

Example here: https://systemadminspro.com/migrating-f ... to-one-l2/

WireGuard has better performance than OpenVPN, but OpenVPN often makes things much simpler at both the consumer and professional levels.

I doubt it can be established on the RaspPi of the G2 as the Pi is not accessible when p2app runs. I can ping it (within and outside the home network via the Wireguard VPN) but I cannot login via ssh (neither inside nor outside the home network) as long as p2app runs.

Something is wrong with the configuration of the Pi in the G2. You should be able to do all these things while p2app runs. Not owning a G2 I can't tell you what the mis-configuration is but perhaps someone else can.

I can start the G2 using Thetis as long as I am within the home network but not from outside using VPN. Thus, I wonder which kind of service is provided by OpenVPN which allows this and which is not available by Wireguard?

Answered above. It's the use of a raw, Layer 2 discovery packet instead of a UDP or TCP broadcast packet. And, as already discussed, it's not necessarily unsupported by WireGuard, but it certainly is not supported in the web interface configuration options of many (all?) consumer level routers.

Maybe it is just an issue with the name server which appears not to be resolved when using a VPN connection? Has anybody experienced a similar issue?

No.

[Michael]

Thanks again for the detailed response, Scott. As always very much appreciated.

I am not sure why I cannot access the Pi over the network. I have not changed anything besides installing the Virtual Here server. I will further check and also look for a router supporting OpenCPN.
Any advice for a particular model?

73, Michael

[ea3aqr]

Michael, my first OpenVPN server ran for years on a dedicated RPi4.

Later I moved to a low power (8-10w) Windows Mini PC (Intel N100 and 16 gigs of ram) and it was night and day.
Now my VPN connections are more reliable and faster.

I don't know if the home routers are powerful enough, but the mini PC certainly is.

[w-u-2-o]

Any advice for a particular model?

Yes, but it's probably bad advice

I say that because I'm only familiar with the higher end routers, where "higher end" means "way more complicated"!

However, FWIW, I'm a big fan of Ubiquiti products, specifically their lesser known UISP line of products (not to be confused with their premier line called "Unifi"). Their EdgeRouter X is very competitively priced at around $100.

I also like MikroTik but it is not as well supported as Ubiquiti.

If you really want to go all in, buy a small form factor (SFF) PC with two GigE ports (there are a million of them) and install pfSense on it. pfSense can literally do almost anything and has a very active support community. If you go this way you will become very knowledgeable about networking

Any of these approaches have more than enough juice to support VPN speeds well in excess of anything you might need.

[Michael]

I had some time to further follow-up my 'Remote Operation Project' today.

I installed OpenVPN in Bridge Mode on the G2 RPi. There is some good instructions on the internet how to do this (see e.g. https://technologydragonslayer.com/2022 ... ing-pivpn/). The server runs without an issue.
As the latest windows OpenVPN client does not support bridge mode any longer, I installed an older version (2.4.6) but still have the same problem that Thetis cannot find the radio when connected via the VPN (openvpn connects to the RPi without an error and assigns a local ip to the remote computer). It looks like all settings are OK.

I also tried an older windows tap driver as advised but the problem remains.

Any idea what could be wrong or settings I missed?

Regards,
Michael

[w-u-2-o]

Try setting it up as a site-to-site VPN, rather than client and server.

[ea3aqr]

You can use any new client version, but you must delete the TAP interface and install an old one.

Go to https://build.openvpn.net/downloads/releases/

And download this version:
tap-windows-9.23.3-I601-Win10.exe

This is the latest TAP version that worked fine for me.

[Michael]

Good Morning! ...and thanks for the responses.

Concerning the windows driver, I am currently using 9.23.2.9/23 but also have tried older versions without any success.

Scott,
I am not sure what you mean by a 'site-by-site' setup but here some excerpts from the server.conf file on the RPi.

topology subnet
server-bridge 192.168.2.173 255.255.255.0 192.168.2.50 192.168.2.52

The first IP is the RPi and last two, the range of IPs assigned to computers logged in via the VPN.

push "dhcp-option DNS 192.168.2.1"


This is the IP of my router within my network. It looks like that through the VPN the routing to the name server is not resolved. As said, it works fien as long as I am within my network but can't find the ANAN when logged in via the VPN from external.

push "route 0.0.0.0 255.255.255.255 net_gateway"
Is this the culprit? Maybe this is wrong? The author of the VPN setup instructions mentioned:
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"

client-to-client
# client-config-dir /etc/openvpn/ccd

Not sure but I guess this is what you are referring to as a site-by-site setup? If yes, then it is in place.


It looks like it is related to the routing . I will try to use it with push "redirect-gateway def1".

Tried it - same issue.....

Cheers,

Michael

[ea3aqr]

This is my server profile.
Take a look and compare with yours...

EDIT:
Config file deleted...

[Michael]

Thanks, Jordi - I was trying to make some sense out of your server profile but I am really not sure. I use udp instead of tcp and of course a different port number but this all should not make a difference (I tried tcp but some problem). I assume the problem is rather related to the routing and finding the gateway and name server when logging in via the VPN.

Maybe something within the following statement needs to be changed

topology subnet
push "route 0.0.0.0 255.255.255.255 net_gateway"
push "dhcp-option DNS 192.168.2.1" (this is the ip of my router)

I am logging in from remote and get an IP assigned 192.168.2.100 but although the VPN connection is being established I cannot ping the ANAN (192.168.2.173).

Any ideas?

[ea3aqr]

Thanks, Jordi - I was trying to make some sense out of your server profile but I am really not sure. I use udp instead of tcp and of course a different port number but this all should not make a difference (I tried tcp but some problem). I assume the problem is rather related to the routing and finding the gateway and name server when logging in via the VPN.

Maybe something within the following statement needs to be changed

topology subnet
push "route 0.0.0.0 255.255.255.255 net_gateway"
push "dhcp-option DNS 192.168.2.1" (this is the ip of my router)

I am logging in from remote and get an IP assigned 192.168.2.100 but although the VPN connection is being established I cannot ping the ANAN (192.168.2.173).

Any ideas?

Are you using "dev tap"?


You must use TCP instead of UDP.
I don't use Push at all, look at the ";" at the beginning of my push commands, the ";" disables it.

Did you checked your server logs for a clue?

Please, post your complete server profile so I can compare to mine

[Michael]

Good News!

Today morning I decided to install all from scratch starting with the G2 image. Openvpn server was set up with tap and tcp protcol. Guess what - now it works.....

I have no clue what happened but I assume that it was related to a corrupted p2app. Apparently booting the RPi using a ssh window remotely within the same network will not boot the Saturn board and likely corrupted the p2app. Just an idea....

Thanks again for all your support!

Cheers,


Michael

[w-u-2-o]

I have no clue what happened but I assume that it was related to a corrupted p2app. Apparently booting the RPi using a ssh window remotely within the same network will not boot the Saturn board and likely corrupted the p2app.

It's very possible something in the file system was corrupt. However that would have nothing to do with the completely normal action of rebooting the system via SSH, something people do with Linux systems millions of times a day.

[Michael]

Sure, Scott but likely it would be better to stop the p2app software first. Anyway - it works now. In the meantime also my audio interface (Behringer UMC202HD) arrived but although cmASIO is lighting green, I do not get any audio. I think others have experienced simliar problems and will go through the threads.

Cheers,

Michael