"PTTLink Wiki" - User contributions [en]

Building Reliable Systems

2021-01-04T13:13:38Z

Bryan:

While everyone wants to get a cheap Raspberry Pi or old computer and install ASL on it to make a "junk box" linking repeater controller, others want something they can put at a site for years without needing to worry about it. These users are less concerned about price, as their sites may be inaccessible for good parts of the year. Or like myself, simply not have the time to go fix it when it breaks.

Reliability of the controller/install falls into two major segments, hardware and operations. Hardware is the choice of system parts and operations comes down to how you monitor and maintain it.

= Hardware =

ASL can install on intel/amd based servers or on arm (Raspberry PI 3/4), and each has it's use. RPi based servers typically are used for a single node, and work best at sites which are easy to access. RPi is cheap and if it fails, it can be replaced for under 100 USD. Intel based servers tend to be in a 19" rack mount form factor, give the ability to use real SAS or SATA SSD's and have out of band management options. These servers may optionally support the Quad Port pciradio interface card. This card is basically a 4 port simple usb interface, but designed to slot in a PCI bus.

Intel servers are a great choice when you need to support more than one node per server or will be doing lots of linking. The newer RPi4 has blured these lines a bit due to 4 or 8 GiByte ram options, and impressive SMP clock speeds.

== Intel ==

== RPi ==

== storage ==

= Operations =

== monitoring ==

== out of band access ==

Building Reliable Systems

2021-01-04T04:41:04Z

Bryan: Created page with "While everyone wants to get a cheap Raspberry Pi or old computer and install ASL on it to make a "junk box" linking repeater controller, others want something they can put at..."

DNS Servers

2020-12-13T02:50:53Z

Bryan: /* SRV record */

[[Category: Infrastructure]]

ASL utilizes DNS servers based on powerdns with a mysql backend.

These DNS servers support the following:
* AllStarlink.org DNS authoritative
* registration server redundancy
* DNS lookup for nodes information

= Authoritative DNS servers =

The authoritative DNS server runs on caustic-sea.allstarlink.org with the backend in the distributed database.

DNSSEC was enabled on all domains and trust is expanded to all sub servers. This is currently broken.

Secondary DNS is very important and is provided by several DNS servers. This is very important as if the database is hard down in SEA, the primary DNS will be offline. With the secondary servers online DNS will continue to work, and NMS requires DNS for the allstarlink.org zone.

= regsvcs.allstarlink.org =

This Zone is served by the registration servers, and is pulled directly from the database. There is no secondary on these zones, just the primary DNS servers on the registration servers.

The redundancy of registration is handled by a TTL of 120 seconds on all the records. We've added another field in the 'records' table 'UnixSeconds' which is NULL by default, but updated by the heartbeat health check scripts on the servers. If the heartbeat script detects the DB or connectivity down at a site, it will shut down that server and stop updating the DNS UnixSeconds.

On the DNS server we have modified the default query for a lookup to:

gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 AND (UnixSeconds is NULL OR UnixSeconds > (UNIX_TIMESTAMP() - 120)) and type=? and name=?

This will only return a record if UnixSeconds is Null or has been updated in the last 120 seconds.

If the node loses connectivity, it will be timed out of DNS due to this in 120 seconds. This is a "dead-man switch" function which will enable losing any one node in the cluster.

'''register.allstarlink.org''' is a CNAME to '''register.regscvs.allstarlink.org''' under this. The node list servers are under this as well as '''node[1-4].allstarllink.org''' CNAME '''nodes.regsvcs.allstarlink.org
'''

= DNS node lookup =

nodes.allstarlink.org is delegated to a DNS running on the db servers. The users_Nodes table has a trigger which is run and creates entries/edits them on the records table in the 'allstar' database. This populates a SRV, TXT and A record for every node in the system when it's updated. The trigger has been optimized and has little to no preformance impact on the registration process.

Note that servers not in nodes list can appear in DNS, there is no ageing out of entries in DNS. It's up to the server to know it's registered.

== SRV record ==
_iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows:

_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.nodes.allstarlink.org.

where 4569 is the IAX port and then it will do a A lookup on 50000.nodes.allstarlink.org. for the IP.

A remote base will be returned like:

_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org.

== A record ==

<nodenumber>.nodes.allstarlink.org. and <nodenumber>.remotebase.nodes.allstarlink.org. will return the IP address of the IAX server or the proxy IP if defined.

== TXT Record ==

The TXT record is used for debugging purposes with a query below:

TXT <nodenumber>.nodes.allstarlink.org.

This will return:
"NN=50000" "RT=2019-02-28 18:41:29" "RB=0" "IP=44.98.248.144" "PIP=" "PT=4569" "RH=register-fnt"
NN is node number
RT is the last update registration time
RB is 0 for node is not a remote base, RB is 1 if it is a remote base
IP is the IP address of the node
PIP is the proxy IP of the node if set
PT is the port
RH is the registration server the node last registered to.

== Miscellaneous ==

Until very recently some of the ASL powerdns servers were configured (as a joke) to return '''Microsoft DNS 6.1.7600 (1DB04228)''' for their version.

If you are a research organization, registrar, ISP, or other individual or entity looking for servers vulnerable to CVE-2020-1350 --

'''''please stop contacting us about how you think our DNS servers may be vulnerable to this CVE.''''' They are not.

User:Bryan

2020-11-15T21:31:57Z

Bryan:

I'm Bryan Fields, W9CR and have been an active ham since 1995.

I've been somewhat involved with Allstarlink since 2005 when I got some of the first PCI Radio cards from Jim Dixon and Steve Rodgers. Back then it was app_rpt and we started the first mailing list for it on our list server at Illiana.net.

I was involved with the infrastructure/IT needs to keep ASL online and working prior to the board going crazy.

If you want more information on how the Board of directors have fucked everything up, [https://wiki.w9cr.net/index.php/AllStarLink,_Inc. please check out my pages here].

I enjoy developing interface circuits for surplus base station equipment, and have made some extensive works around the Motorola Quantar and Spectra Engineering MX800.

I'm also the only non-callsign user. I really should change this, but this was the first test account I made.

I was sad to hear of Jim Dixon's passing in late 2016, but I do know he would be happy ASL is living on.

VPN

2020-11-15T21:28:11Z

Bryan: /* Other */

<div style="clear:both; position:relative; box-sizing:border-box; width:100%; margin:1.2em 0 6px; min-width:47em; border:2pm solid #ddd; background-color:#ebebeb; color:#000; white-space:nowrap; text-align:center; font-size:18px;">THIS ARTICLE IS A WORK IN PROGRESS AND IS STILL BEING EDITED BY THE AUTHOR</div>

= VPN =
The following contains information on how to setup a Virtual Private Network (VPN) connection using various popular packages.

== IPSEC ==
Information on how to setup IPSEC tunnels.

=== strongSwan to MikroTik ===
Use the following configurations to connect a system running stongSwan<ref>strongSwan Official Site [https://www.strongswan.org/]</ref> to a MikroTik<ref>MikroTik Official Site [https://mikrotik.com/]</ref> device using IPSEC.

==== strongSwan config ====
The following configuration will work on FreeBSD or Linux systems with strongSwan installed.

''Note: You can use this config to connect two non-MikroTik systems as well. Just replicate the config below for each system you wish to connect.''

=====ipsec.conf=====
/etc/ipsec.conf:

conn <name>
authby=secret
auto=route
keyexchange=ike
left=<your local IP>
right=<remote IP of Mikrotik system>
leftikeport=500
rightikeport=500
type=transport
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpddelay=5
dpdtimeout=20
dpdaction=clear

=====ipsec.secrets=====
/etc/ipsec.secrets:

<your local IP> <remote IP of Mikrotik system> : PSK "<Put your preshared key here>"

==== MikroTik Config ====

The following config is best done from the terminal on a MikroTik device.

''Note: You can use the following config to connect two MikroTik system. Just replicate the config below on each system you wish to connect.''

/ip ipsec policy
add src-address=0.0.0.0/0 dst-address=<remote IP of strongswan system> proposal=ike2 ipsec-protocols=esp

/ip ipsec proposal
add name="ike2" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=30m pfs-group=none

/ip ipsec peer
add name="<name of strongswan system>" address=<local IP> profile=ike2 exchange-mode=main send-initial-contact=yes

/ip ipsec identity
add peer=<remote IP of strongswan system> auth-method=pre-shared-key secret="<Put your preshared key here>" generate-policy=no

/ip ipsec profile
add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5

== OpenVPN ==
Information on OpenVPN is available from https://openvpn.net/<ref>OpenVPN Official Site [https://openvpn.net/]</ref>

== TINC ==
Tinc is an open-source, self-routing, mesh networking protocol, used for compressed, encrypted, virtual private networks.

Tinc is available for FreeBSD, OpenBSD, NetBSD, Dragonfly BSD, Mac OS X, Linux, Microsoft Windows, Solaris, IOS (jailbroken only), and Android with full support for IPv6.

You can download tinc for *nix and Windows systems from https://www.tinc-vpn.org/<ref>Tinc-vpn Official Site [https://www.tinc-vpn.org/]</ref>

The tinc website includes many examples on common setups. They can be found at https://www.tinc-vpn.org/examples/

=== Standard tinc setup ===
Tinc can be setup in a mesh network with multiple systems.

''Note: You can setup tinc with just two systems using these instructions and adjusting the steps accordingly.''

For this setup we will have three hosts called Server 1, Server 2, and Server 3. The following is a brief synopsis of the network config for each:

[[File:Tinc Mesh Network Diagram 1.png|left|thumb|427x427px|Tinc Mesh Network Example]]

<big>'''VPN NAME: NoMoreSecrets'''</big><br />'''SERVER 1:'''
public ip: 1.1.1.100
vpn ip: 10.0.0.1
connects to: server 2, server 3

'''SERVER 2:'''
public ip: 1.1.2.100
vpn ip: 10.0.0.2
connects to: server 1, server 3

'''SERVER 3:'''
public ip: 1.1.3.100
vpn ip: 10.0.0.3
connects to: server 1, server 2

The following directory tree will be present on all three hosts for this setup:
<pre>
/etc
└── tinc
└── NoMoreSecrets
├── hosts
│   ├── server1
│   ├── server2
│   └── server3
├── rsa_key.priv
├── tinc.conf
├── tinc-down
└── tinc-up
</pre>

====Individual node setup and configuration====
All servers used in this example will be running Ubuntu 18.04.

=====Server1=====
* Install tinc
apt install tinc -y

* Create directories
mkdir -p /etc/tinc/NoMoreSecrets/hosts/

Create the following files:
* /etc/tinc/NoMoreSecrets/hosts/server1:
Address = 1.1.1.100
Subnet = 10.0.0.1

* /etc/tinc/NoMoreSecrets/tinc.conf:
Name = server1
Interface = tun0
AddressFamily = ipv4
ConnectTo = server2
ConnectTo = server3

* /etc/tinc/NoMoreSecrets/tinc-up:
#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.1/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE

* /etc/tinc/NoMoreSecrets/tinc-down:
#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.1/32 dev $INTERFACE
ip link set $INTERFACE down

=====Server2=====
* Install tinc
apt install tinc -y

* Create directories
mkdir -p /etc/tinc/NoMoreSecrets/hosts/

Create the following files:
* /etc/tinc/NoMoreSecrets/hosts/server2:
Address = 1.1.2.100
Subnet = 10.0.0.2

* /etc/tinc/NoMoreSecrets/tinc.conf:
Name = server2
Interface = tun0
AddressFamily = ipv4
ConnectTo = server1
ConnectTo = server3

* /etc/tinc/NoMoreSecrets/tinc-up:
#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.2/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE

* /etc/tinc/NoMoreSecrets/tinc-down:
#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.2/32 dev $INTERFACE
ip link set $INTERFACE down

=====Server3=====
* Install tinc
apt install tinc -y

* Create directories
mkdir -p /etc/tinc/NoMoreSecrets/hosts/

Create the following files:
* /etc/tinc/NoMoreSecrets/hosts/server3:
Address = 1.1.3.100
Subnet = 10.0.0.3

* /etc/tinc/NoMoreSecrets/tinc.conf:
Name = server3
Interface = tun0
AddressFamily = ipv4
ConnectTo = server1
ConnectTo = server2

* /etc/tinc/NoMoreSecrets/tinc-up:
#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.3/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE

* /etc/tinc/NoMoreSecrets/tinc-down:
#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.3/32 dev $INTERFACE
ip link set $INTERFACE down

=====Create keypair=====
* On all servers create public/private keypair with:
tincd -n NoMoreSecrets -K4096

=====Synchronize host files=====
* Synchronize host files with public keys between all three servers with rsync:

* From Server1:
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server2:/etc/tinc/NoMoreSecrets/hosts/
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server3:/etc/tinc/NoMoreSecrets/hosts/

* From Server2:
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server1:/etc/tinc/NoMoreSecrets/hosts/
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server3:/etc/tinc/NoMoreSecrets/hosts/

* From Server3:
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server1:/etc/tinc/NoMoreSecrets/hosts/
rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server2:/etc/tinc/NoMoreSecrets/hosts/

* On all servers set the executable bit on the tinc-up and tinc-down scripts
chmod +x /etc/tinc/NoMoreSecrets/tinc-up
chmod +x /etc/tinc/NoMoreSecrets/tinc-down

=====Start tinc=====
* On all servers enable and start tinc
systemctl enable tinc@NoMoreSecrets
systemctl start tinc@NoMoreSecrets

Once tinc is up and running on all three servers you should be able to communicate over the 10.0.0.0/24 network.

Since this is a mesh network, if direct communication between two nodes drops, tinc will route all traffic through the remaining node until direct communication is restored.

==== Troubleshooting ====
# Check tinc logs to see what the error shown is. Refer to official documentation at https://www.tinc-vpn.org/docs/
# Check firewall on both hosts to make sure port 655 is being accepted.
# Check IP on Address line of hosts to ensure they are correct.
# Check IP on Subnet line of hosts files to ensure they are correct.

=== Simplified tinc 1.1 Windows setup ===
Examples on how to setup tinc 1.1 on Windows as either a server or client.

==== Server side config ====
# Download tinc
# Install tinc
# Open command prompt and type the following:
cd "C:\Program Files\tinc"
tinc -n vpn init master
tinc -n vpn add subnet 10.0.1.1
tinc -n vpn add address=public.domain-or-ip
cd tap-win64
addtap.bat
netsh interface ipv4 show interfaces (Note disconnected interface. May be called Ethernet 2)
netsh interface set interface name = "Ethernet 2" newname = "tinc"
netsh interface ip set address "tinc" static 10.0.1.1 255.255.255.0
netsh interface ipv4 show config (Should create a tinc interface with IP and subnet)
cd ..

To start tinc:
tincd -n vpn

To invite clients:
tinc -n vpn invite client1

==== Client side config ====
# Download tinc
# Install tinc
# Open command prompt and type the following:
cd "C:\Program Files\tinc"
tinc join <invite-url>
tinc -n vpn add subnet 10.0.1.2
cd tap-win64
addtap.bat
netsh interface ipv4 show interfaces (Note disconnected interface. May be called Ethernet 2)
netsh interface set interface name = "Ethernet 2" newname = "tinc"
netsh interface ip set address "tinc" static 10.0.1.2 255.255.255.0
cd ..

To test connection:
tincd -n vpn -D -d3

To run tinc as service:
tincd -n vpn

==== Notes ====

Tinc will automatically register itself as a service when started without -D or --no-detach option.

Calling tinc with -k or --kill option will cause it to automatically unregister itself.

== SoftEther ==
SoftEther VPN is an Open-Source Free Cross-platform Multi-protocol VPN Program, that is an academic project from the University of Tsukuba in Japan.

You can download SoftEther for FreeBSD, Linux, Mac, Solaris, and Windows from https://www.softether.org/<ref>SoftEther VPN Official Site [https://www.softether.org/]</ref>

=== Features ===
*SSL-VPN tunnelling on HTTPS to pass though NAT and firewalls
*Revolutionary VPN over ICMP and VPN over DNS featuers
*Ethernet-bridging (L2) and IP-routing (L3) over VPN.
*Embedded dynamic-DNS and NAT-traversal
*SSL-VPN (HTTPS) and support for 6 major VPN protocols: [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_OpenVPN_Protocol OpenVPN], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server IPSEC], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server L2TP], [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_Microsoft_SSTP_VPN_Protocol MS-SSTP], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/6.Cisco_IOS_L2TPv3%2F%2F%2F%2FIPsec_Edge-VPN_Router_Setup L2TPv3], and [http://www.softether.org/3-spec EtherIP])

====Cisco L2TPv3====
Use the setup of SoftEther [https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/6.Cisco_IOS_L2TPv3%2F%2F%2F%2FIPsec_Edge-VPN_Router_Setup here] as a guide for an L2TPv3 connection to a Cisco device.

=====SoftEther settings=====
Now make the following adjustments to the IPSEC/L2TPv3 settings shown there:

* Under IPSEC/L2TP setting select the checkbox for Enable EtherIP/L2TPv3 over IPsec Server Function
* Select EtherIP / L2TP Detail Settings
* ISAKMP Phase 1 ID: Specify local IP address of Cisco device here
* Fill in username/password settings

* Under Virtual Hub management
* Select Virtual NAT and virtual DHCP server function
* Secure NAT settings wtill be used to set Virtual DHCP server settings

{| class="wikitable" style="text-align: center; width: 85%"
|+ Ports used by Softether for this configuration
! Type
! Port #
|-
| UDP
| 500
|-
| UDP
| 4500
|-
| UDP
| 1701
|}

* Encryption: If you have an issue with using AES during your initial testing, try using DES or 3DES. Once you have the connection established try switching to a more secure algorithm.

=====Cisco config=====
And then use the following config below on your Cisco device instead of what is listed on the SoftEther site to get L2TPv3 working:

{| class="wikitable" style="text-align: center; width: 85%"
|+ Information used in this example
! Local IP addess
! Peer IP (SoftEther Public IP)
! Pre-shared key
|-
| 192.168.100.100 (ISAKMP Phase 1 ID)
| 1.1.1.100
| CHANGEME
|}

* Note: By default Cisco may have NAT-Traversal enabled. This settings is not required.

* Specify the L2TPv3 settings and interface (change FastEterhnet0/0 to match your device's interface).

<pre>
pseudowire-class L2TPv3
encapsulation l2tpv3
ip local interface FastEthernet0/0
</pre>

* Note: You can chance the pseudowire-class interface's name from L2TPv3 to something more descriptive if you want.

* ISAKMP settings:

<pre>
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key CHANGEME address 1.1.1.100
crypto isakmp keepalive 10 periodic
</pre>

Note: You can use AES 256 encryption here. DH group uses type 2 1024 bit encryption.

* IPSEC settings:

<pre>
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
mode transport
crypto ipsec fragmentation after-encryption
</pre>

Note: 3des is being used here in this example. If you put this tunnel into production make sure you change the cipher used to AES!!!

* Cryptographic map:

<pre>
crypto map MAP 1 ipsec-isakmp
set peer 1.1.1.100
set transform-set IPSEC
match address IPSEC_MATCH_RULE
</pre>

* Interface configuration

<pre>
interface FastEthernet0/0
ip address 192.168.100.100 255.255.255.0
no ip proxy-arp
duplex auto
speed auto
crypto map MAP
</pre>

Note: FastEthernet0/0 uses the local IP address specified above and has the crypto map applied.

* Use FastEthernet0/1 as the interface for the tunnel

<pre>
interface FastEthernet0/1
no ip address
duplex auto
speed auto
no cdp enable
xconnect 1.1.1.100 1 encapsulation l2tpv3 pw-class L2TPv3
bridge-group 1
</pre>

* Access list:

<pre>
ip access-list extended IPSEC_MATCH_RULE
permit 115 any any
</pre>

* Now connect a device to FastEthernet0/1. It should get a DHCP lease from SoftEther and be on the network.

=====Troubelshooting=====
To troubleshoot the tunnel use the following commands:

<pre>
debug crypt isakmp
debug crypt ipsec
debug l2tp all
</pre>

* Show ISAKMP SA status:

<pre>
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.100 192.168.100.100 QM_IDLE 1011 ACTIVE

IPv6 Crypto ISAKMP SA

・IPSec
#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: MAP, local addr 192.168.100.100

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
current_peer 1.1.1.100 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 54342, #pkts encrypt: 54342, #pkts digest: 54342
#pkts decaps: 179917, #pkts decrypt: 179917, #pkts verify: 179917
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 23, #recv errors 0

local crypto endpt.: 192.168.100.100, remote crypto endpt.: 1.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x48E82D7A(1223175546)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x1B68FD22(459865378)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2107, flow_id: NETGX:107, sibling_flags 80000046, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4386973/1557)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x48E82D7A(1223175546)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2108, flow_id: NETGX:108, sibling_flags 80000046, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4386975/1557)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
</pre>

* Check L2TP session:

<pre>
#show l2tp session
L2TP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
23239**** 1900**** 2306***** 1, Fa0/1 est 01:32:52 1
</pre>

* Check L2TP tunnel:

<pre>
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
230**** 1 ******* est 1.1.1.100 1 l2tp_default_cl
</pre>

Note: If you use AES for IPSEC it will become TunID 0.

== WireGuard ==
WireGuard can be downloaded from https://www.wireguard.com/<ref>WireGuard Offical Site [https://www.wireguard.com/]</ref>

== VPNC ==

vpnc is an open-source VPN client that is compatible with Cisco VPN setups. VPNC is much easier to configure than the Cisco client and works on almost every flavor of UNIX systems including Linux, Macs and BSD, as well as Ubuntu.

This is handy if you have a VPN server or IOS router setup and wish to use it. w9cr.net runs this as a means to get public IP's directly on nodes, bypassing NAT444 and man-in-the-middle IAX level filtering.

=== install ===
* sudo apt-get install vpnc

=== config ===

Create a configuration file for the RPI Wireless and/or RPI External profile. Usually these files would be stored in /etc/vpnc/profile_name.conf. The default /etc/vpnc/default.conf.

An example config for the W9CR.net vpn server:

'''w9cr example config'''
IPSec gateway cisco.keekles.org
IPSec id AMPRNET
IPSec secret EzAsARDC
Xauth username YOUR-CALLSIGN
Xauth password _YOUR_PASSWORD_HERE_

=== running it ===

To connect to the VPN you would run one of the following commands as root or using sudo:

* sudo vpnc -- This command would run VPNC using /etc/vpnc/default.conf, if it exists. If it does not, it would prompt for the connection information
* sudo vpnc external -- This would run VPNC using /etc/vpnc/external.conf, if it exists.

==== Starting it at boot ====

IF you're behind NAT, you want to start this at boot.

The simplest way is to call it from /etc/rc.local, but that's a bit in-elegant.

make the following file at /usr/lib/systemd/system/vpnc@.service

[Unit]
Description=VPNC connection to %i
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=forking
ExecStart=/usr/bin/vpnc --pid-file=/run/vpnc@%i.pid /etc/vpnc/%i.conf
PIDFile=/run/vpnc@%i.pid

[Install]
WantedBy=multi-user.target

So, in order to have your VPN autostart from the configuration file /etc/vpnc/w9cr.conf, you'd do:

systemctl enable vpnc@w9cr
systemctl start vpnc@w9cr

=== More info ===
If you want a vpn connection via w9cr.net using 44net public IP space, please contact bryan@bryanfields.net. Include your callsign and details.

== Other ==
Any other information that doesn't fit elsewhere.

= Firewall =
Information regarding firewall setup as related to the VPN configs above.

== Linux ==
The following script can be used to setup a basic firewall on a Linux based system using iptables.

Supports IPv4 and IPv6. Comment out the parts that are not need with a # or optionally delete them.

#!/bin/bash

#Modify to match your network interface
INET_IF=eth0

#Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to
#"Management only" services. Add or remove as needed. Make sure to update the ManagementFilterV4 with
#the changes
System1="XX.XX.XX.XX/YY"
System2="XX.XX.XX.XX/YY"

ManagementFilterV4=$System1,$System2

#Flush and zero all tables
modprobe ip_tables
modprobe ipt_limit
modprobe iptable_mangle
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_filter
modprobe ipv6

iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING

ip6tables -F INPUT
ip6tables -F FORWARD

#init the log-and-drop chain
iptables -F log-and-drop
iptables -X log-and-drop
iptables -N log-and-drop

ip6tables -F log-and-drop
ip6tables -X log-and-drop
ip6tables -N log-and-drop

iptables -F log-and-reject
iptables -X log-and-reject
iptables -N log-and-reject

ip6tables -F log-and-reject
ip6tables -X log-and-reject
ip6tables -N log-and-reject

#Now add in rules to affect DOCKER containers - uncomment if using Docker
#See https://unrouted.io/2017/08/15/docker-firewall/
#iptables -F DOCKER-USER
#iptables -X DOCKER-USER
#iptables -N DOCKER-USER

#ip6tables -F DOCKER-USER
#ip6tables -X DOCKER-USER
#ip6tables -N DOCKER-USER

#iptables -F FILTERS
#iptables -X FILTERS
#iptables -N FILTERS

#ip6tables -F FILTERS
#ip6tables -X FILTERS
#ip6tables -N FILTERS

echo "all tables flushed and dropped"
# Specific chain used for logging packets before blocking them
iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
iptables -A log-and-drop -j DROP

ip6tables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
ip6tables -A log-and-drop -j DROP

# Specific chain used for logging packets before blocking them
iptables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
iptables -A log-and-reject -j REJECT

ip6tables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
ip6tables -A log-and-reject -j REJECT

echo "logging chains setup"

# The packets having the TCP flags activated are dropped
# and so for the ones with no flag at all (often used with Nmap scans)
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop

ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop

#setup DOCKER-USER related rules - uncomment if using Docker
#iptables -A DOCKER-USER -i $INET_IF -j FILTERS

#Now add any rules you want Docker to abide by for containers to -A FILTERS

#limit traffic to 80 an 443
#DCQ="2" #max requests in 1 second
#DCH="25" #max requests over 7 seconds

#iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80QF --rsource
#iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P80QF --rsource -j log-and-drop
#iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80HF --rsource
#iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P80HF --rsource -j log-and-drop

#iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443QF --rsource
#iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --second 1 --hitcount ${DCQ} --name P443QF --rsource -j log-and-drop
#iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443HF --rsource
#iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --second 7 --hitcount ${DCH} --name P443HF --rsource -j log-and-drop

#default return chain
#iptables -A FILTERS -j RETURN

#Global blocks
#iptables -t filter -A INPUT -j DROP -s 12.34.56.78/32

#Limit DNS requests to prevent flood attacks - use if you are running a DNS server on the system this is installed on.
# Requests per second
#RQS="15"
# Requests per 7 seconds
#RQH="35"

#iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
#iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${RQS} --name DNSQF --rsource -j DROP
#iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSHF --rsource
#iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 7 --hitcount ${RQH} --name DNSHF --rsource -j DROP

#Uncomment the next sections if using IPSEC
#Clamp MSS on IPSEC tunnels
#iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
#iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# allow IPSEC from other boxes
#IPSECsrc='XX.XX.XX.XX/YY' # Put in the form of XX.XX.XX.XX = IP address you want to allow IPSEC in from and YY is the netmask.

#Technically the next two are not needed as we have the policy
#iptables -A INPUT -i $INET_IF -p 50 -j ACCEPT --src "$IPSECsrc"
#iptables -A INPUT -i $INET_IF -p 51 -j ACCEPT --src "$IPSECsrc"
#iptables -A INPUT -i $INET_IF -p udp --dport 500 -j ACCEPT --src "$IPSECsrc"
#iptables -A INPUT -i $INET_IF -p udp --dport 4500 -j ACCEPT --src "$IPSECsrc"
# this is needed to allow all ipsec packets when it's host to host
#iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc"

#allow DNS in
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53

#ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
#ip6tables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53

#allow port 80 in
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
#ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80

#allow port 443 in
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
#ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443

# allow all ssh in - uncomment ManagemetnFilterV4 and comment out the two lines below to restrict SSH access on port 22
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV4
iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22
ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22

echo "end of services"
# allow ping at 2 per sec
iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF --protocol icmp --icmp-type echo-request

ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

# allow responces to local initated connections
#iptables -A INPUT -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
#iptables -A FORWARD -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
iptables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
ip6tables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED

# Set rp_filter to 2
for i in `find /proc/sys/net/ipv*/conf -name rp_filter`
do
echo "2" >$i
done
# setup a default deny rule for outside traffic
iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop

#uncomment if you are using Docker
#echo "Restarting Docker"
#systemctl restart docker

#uncomment the next two lines if fail2ban is installed
#echo "Restarting fail2ban"
#systemctl restart fail2ban

==External Links==
<references />

Main Page

2020-06-29T17:38:36Z

Bryan: /* Related Links */

<div style="clear:both; position:relative; box-sizing:border-box; width:100%; margin:1.2em 0 6px; min-width:47em; border:3px solid #ddd;background-color:#ffffff; color:#000; white-space:nowrap;text-align:center;font-size: 24px; color: #ff6600;">'''Welcome to the AllStarLink Wiki'''</div>
<div style="clear:both; position:relative; box-sizing:border-box; width:100%; margin:1.2em 0 6px; min-width:47em; border:1px solid #ddd; background-color:#ccddff; color:#000; white-space:nowrap;text-align:center;">AllStarLink is a world wide network of [https://en.wikipedia.org/wiki/Amateur_radio Amateur Radio] repeaters, remote base stations and hot spots accessible to each other via the Internet and/or private IP networks.

AllStarLink runs on a dedicated Linux computer (including the Raspberry Pi) that you host at your home, radio site, clubhouse, school, university, workplace, or computer center.

It is based on the open source Asterisk PBX and is released under the GNU GPL -- it is free for anyone to use.

The core of AllStar and AllStarLink is the powerful app_rpt application and associated modules that load into the Asterisk PBX system.
</div>

<div style="float:right">__TOC__</div>
==Organization==
*[[The Organization - AllStarLink Inc. ]] - What is AllStarLink?
*[[The Beginning - AllStarLink Inc]] - How AllStarLink came to be.

== How To ==

*[[Beginners Guide]] - Step by step instructions to create your account and AllStarLink node.
*[[Allmon2 Install]] - Allmon2 step by step instructions for install and setup Allmon2.
*[[ASL website password reset]] - allstarlink website instructions for password reset.
*[[Change call sign]] - Step by step call sign change on site and node.
*[[Find my node number]] - How can you find your node number(s) on your ASL account.
*[[Change node password]] - Step by step call sign change passwords.

== Como Hacer ==

*[[Guia para principaintes]] - Configuración paso a paso de AllStarLink para principiantes.
*[[Instalación de Allmon2]] - Instalación y configuración de Allmon2 para principiantes.
*[[Resetear contraseña ASL]] - Como resetear la contraseña de su cuenta en el sitio allstarlink.
*[[Cambiar el indicativo]] - Guía paso a paso para cambiar indicativo en el sitio y el nodo.
*[[Ver mi número de nodo]] - Como ver tu número de nodo(s) en tu cuenta de ASL.
*[[Cambiar la contraseña de un nodo]] - Guia paso a paso para cambiar la contraseña en un nodo.

== AllStarLink Menu ==
*[[Features]] - List of the many AllStarLink Features
*[[ASL FAQ]] - Questions and answers about the AllStarLink software distribution.
*[[:Category:How to|How To's]] - A collection of AllStarLink how to's.
*[[:Category:Node Configuration|Node Configuration]] - Detailed configuration settings.
*[[:Category:Development|Development]] - Information regarding development of the AllStarLink software (i.e., contributing, etc).
*[[Radio Connections]] - Instructions to Connect Radios, Repeaters and Other Devices to AllStar.
*[[Troubleshooting]] - Troubleshooting common problems, things to try, and hints to solve the problem.

== Downloads ==
* [https://github.com/AllStarLink/Asterisk/releases/tag/ASL-1.01 ASL AMD] Latest AllStarLink installer for x86/AMD (main site)
* [http://dvswitch.org/files/ASL_Images/Intel-AMD/Stretch/ ASL AMD] Latest AllStarLink installer for x86/AMD (alternative site)
* [http://dvswitch.org/files/ASL_Images/Raspberry_Pi/Stretch/ Pi] Latest AllStarLink image for the Raspberry Pi
* [http://dvswitch.org/files/ASL_Images/ ASL Repo] AllStarLink Image Repository
* [[ASL FAQ]] - Install ASL on your existing Debian box or VM

Note: The ASL 1.01 installer is a Network installer and still uses the dvswitch.org site to download the .deb install files.

== Descargas ==
* [https://github.com/AllStarLink/Asterisk/releases/tag/ASL-1.01 ASL AMD] Última versión del instalador de AllStarLink para x86/AMD (sitio principal).
* [http://dvswitch.org/files/ASL_Images/Intel-AMD/Stretch/ ASL AMD] Última versión del instalador de AllStarLink para x86/AMD (sitio alterno).
* [http://dvswitch.org/files/ASL_Images/Raspberry_Pi/Stretch/ Pi] Última versión de la imágen de AllStarLink para Raspberry Pi.

== Development/Building ==
* [[Compiling]] - Building ASL from source
*[[Dahdi_dummy|DAHDI Dummy]] - How to fix audio stutter on ASL based Raspberry PI images

== Related Links ==
* [https://allstarlink.org/ AllStarLink Portal] - If you are looking to set up your own AllStarLink node.
* [https://www.allstarlink.org/ AllStarLink Portal] - Our portal site. Check out the searchable and sortable [https://www.allstarlink.org/nodelist/ Node List].
* [http://stats.allstarlink.org/ AllStarLink Stats] - shows all the existing public nodes.
* [https://community.allstarlink.org/ AllStarLink Community Site] - Web based user support form (replaced app_rpt mailing list) This is the only forum the board monitors, but there is no technical knowledge.
* [http://lists.keekles.org/cgi-bin/mailman/listinfo/app_rpt-users AllStarLink users mailing list]- This is the app_rpt mailing list for discussion, help and helping others. '''This is the only group that developers monitor and respond on.'''
* [https://groups.io/g/AllStarLink AllStarLink Groups.io mailing group]. This is the app_rpt discussion group on Groups.io - this is for people who don't know what they are doing helping other people who don't know what they are doing.
* [https://github.com/AllStarLink/ Source Code] - All of the source code for the AllStarLink Asterisk and app_rpt is available on GitHub.

== History ==
* [[History]] from the Duuude, Jim Dixon WB6NIL SK 12/16/2016.
* [[Thru-hole_Voter_Board|Thru-hole Voter Board]] from Jim Dixon

== References ==
* [http://rogerdudler.github.io/git-guide/ Git - The Simple Guide] - A handy reference for getting started with Git.
* [https://ryanstutorials.net/linuxtutorial/cheatsheet.php Ryans Tutorials - Linux Tutorial - Cheat Sheet] Handy Cheat Sheet of Linux commands.
* [https://training.linuxfoundation.org/resources/free-courses/introduction-to-linux/ The Linux Training Foundation - Introduction to Linux] A free eight week course with optional certificate that teaches how to use Linux.

Custom Node Announcements

2020-06-04T20:08:25Z

Bryan: /* Important changes */

AllStar supports custom node announcements or node names. These will be played in place of the node number.

The distribution of these is optional and each node will use rsync to download new ones about 2-3 times per day. This is done via the rc.updatenodelist script in ASL 1.01 and before, or NodeNameUpdate.sh via cron in newer releases. It requires '''rsync''' to be installed.

== Important changes ==

As of June 4, 2019 rsync://allstarlink.org no longer works. This has moved to rsync.allstarlink.org.

It is suggested you change the rc.updatenodelist file to use rsync.allstarlink.org.

The following sed command can make the change automatically for you.

sed -i 's/rsync:\/\/allstarlink.org\/connect-messages/rsync:\/\/rsync.allstarlink.org\/connect-messages/g' /usr/local/bin/rc.updatenodelist

Be sure you reboot or kill the rc.updatenodelist process to have it respawn from init.

== Making custom announcements ==

Steve Rodgers has a PDF document on producing a file in the format required for any custom announcement in AllStar.

[https://www.audacityteam.org/ Audacity] can be used to convert almost any sound file into the proper format.

[[File:RecordingSoundFiles.pdf]]

If you intend to make the announcement avialble network wide, please see the requirements for node names below

== Adding new announcements ==

AllStar requires the following for node announcements:

* ulaw 8 bit wave
* under 10 seconds
* under 100k in size

The file should be named ''$nodeNumber.ulaw'' and placed in /var/lib/asterisk/sounds/rpt/nodenames

This will add it to that local node. Should you want it to be used across all nodes, see the next section.

== Network Announcements ==

To enable the node announcements to propagate to the rest of the nodes, AllStarLink can add them to the main repository. Eventually this will be in the web portal, but for now must be done via a email.

The following applies to network announcements:
<blockquote>A networks announcement may consist of a reading of the node number, callsign, location or other short identification of the node. This should be inoffensive benign language; suitable for any audience. The ASL admin team will remove and ban users caught abusing this service.</blockquote>Once you have the announcement working locally, please email it to [http://mailto:helpdesk@allstarlink.org helpdesk@allstarlink.org].

Our admin team will test it and then add it to the repository. Nodes will begin updating it, but it can take up to 24 hours for some nodes to update.

[[Category:Node Configuration]]

Custom Node Announcements

2020-06-04T20:04:43Z

Bryan: /* Important changes */

AllStar supports custom node announcements or node names. These will be played in place of the node number.

The distribution of these is optional and each node will use rsync to download new ones about 2-3 times per day. This is done via the rc.updatenodelist script in ASL 1.01 and before, or NodeNameUpdate.sh via cron in newer releases. It requires '''rsync''' to be installed.

== Important changes ==

As of June 4, 2019 rsync://allstarlink.org no longer works. This has moved to rsync.allstarlink.org.

It is suggested you change the rc.updatenodelist file to use rsync.allstarlink.org.

The following sed command can make the change automatically for you.

sed -i 's/rsync:\/\/allstarlink.org\/connect-messages/rsync:\/\/rsync.allstarlink.org\/connect-messages/g' /usr/local/bin/rc.updatenodelist

== Making custom announcements ==

Steve Rodgers has a PDF document on producing a file in the format required for any custom announcement in AllStar.

[https://www.audacityteam.org/ Audacity] can be used to convert almost any sound file into the proper format.

[[File:RecordingSoundFiles.pdf]]

If you intend to make the announcement avialble network wide, please see the requirements for node names below

== Adding new announcements ==

AllStar requires the following for node announcements:

* ulaw 8 bit wave
* under 10 seconds
* under 100k in size

The file should be named ''$nodeNumber.ulaw'' and placed in /var/lib/asterisk/sounds/rpt/nodenames

This will add it to that local node. Should you want it to be used across all nodes, see the next section.

== Network Announcements ==

To enable the node announcements to propagate to the rest of the nodes, AllStarLink can add them to the main repository. Eventually this will be in the web portal, but for now must be done via a email.

The following applies to network announcements:
<blockquote>A networks announcement may consist of a reading of the node number, callsign, location or other short identification of the node. This should be inoffensive benign language; suitable for any audience. The ASL admin team will remove and ban users caught abusing this service.</blockquote>Once you have the announcement working locally, please email it to [http://mailto:helpdesk@allstarlink.org helpdesk@allstarlink.org].

Our admin team will test it and then add it to the repository. Nodes will begin updating it, but it can take up to 24 hours for some nodes to update.

[[Category:Node Configuration]]

Custom Node Announcements

2020-06-04T20:03:31Z

Bryan:

AllStar supports custom node announcements or node names. These will be played in place of the node number.

The distribution of these is optional and each node will use rsync to download new ones about 2-3 times per day. This is done via the rc.updatenodelist script in ASL 1.01 and before, or NodeNameUpdate.sh via cron in newer releases. It requires '''rsync''' to be installed.

== Important changes ==

As of June 4, 2019 rsync://allstarlink.org no longer works.

It is suggested you change the re.updatenodelist file to use rsync.allstarlink.org.

The following sed command can make the change automatically for you.

sed -i 's/rsync:\/\/allstarlink.org\/connect-messages/rsync:\/\/rsync.allstarlink.org\/connect-messages/g' /usr/local/bin/rc.updatenodelist

== Making custom announcements ==

Steve Rodgers has a PDF document on producing a file in the format required for any custom announcement in AllStar.

[https://www.audacityteam.org/ Audacity] can be used to convert almost any sound file into the proper format.

[[File:RecordingSoundFiles.pdf]]

If you intend to make the announcement avialble network wide, please see the requirements for node names below

== Adding new announcements ==

AllStar requires the following for node announcements:

* ulaw 8 bit wave
* under 10 seconds
* under 100k in size

The file should be named ''$nodeNumber.ulaw'' and placed in /var/lib/asterisk/sounds/rpt/nodenames

This will add it to that local node. Should you want it to be used across all nodes, see the next section.

== Network Announcements ==

To enable the node announcements to propagate to the rest of the nodes, AllStarLink can add them to the main repository. Eventually this will be in the web portal, but for now must be done via a email.

The following applies to network announcements:
<blockquote>A networks announcement may consist of a reading of the node number, callsign, location or other short identification of the node. This should be inoffensive benign language; suitable for any audience. The ASL admin team will remove and ban users caught abusing this service.</blockquote>Once you have the announcement working locally, please email it to [http://mailto:helpdesk@allstarlink.org helpdesk@allstarlink.org].

Our admin team will test it and then add it to the repository. Nodes will begin updating it, but it can take up to 24 hours for some nodes to update.

[[Category:Node Configuration]]

Backups

2020-04-23T04:46:56Z

Bryan: /* Initialize the repo */

=Server Backups=

AllStarLink, Inc uses a per server backup method based on borg.

= Installing Borg on Ubuntu 16 =

the default package that ships with ubuntu 16.04 LTS is borg 1.0 based and we use the latest 1.1 version as it has several security fixes.

== Install nessary packages==

apt-get install libacl1-dev python3-dev libssl-dev gcc g++ python3-llfuse

== install pip ==

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python3 get-pip.py

== Install Borg ==
pip3 install borgbackup

== Test for proper version ==
root:~# borg -V
borg 1.1.7

which borg
/usr/local/bin/borg

== Install the scripts ==
This will install a new ssh key for root that matches the Rsync.net account and place the borg.inc program in the /root/ directory.

cd /
tar -xvf /root/borg-root-config.tar

= Edit the borg script=

On the Db servers we add a command to dump the database to /var/mysql-backup-current.sql.bz2

= Initialize the repo=

Copy the export lines to your shell and run then do

echo $BORG_REPO
ASLUSER@host.rsync.net:borg/ASL/$HOST

The borg/ASL/db-ord needs to be created on the server
ssh -t ASLUSER@host.rsync.net mkdir -p borg/ASL/$HOST

now we need to init the repo at that location
borg init -e keyfile-blake2 -p -v

= export the key =

borg key export --paper

Email this output GPG encrypted to the admin team members.

'''If we lose this key, there is no way to restore the backup.''' This means if the server dies, we need the paper key record and the passphrase.

= Do the first backup =

/root/borg.inc

Check that it's succeed

= move borg.inc to cron =

mv /root/borg.inc /srv/borg.sh

= edit crontab =

edit /etc/crontab to run daily at 8am UTC

#borg backup
30 8 * * * root /srv/borg.sh

Reload the crontab file

service cron reload

= Mounting and restoring =
Borg makes it easy to mount a backup on the server using "borgfs".

If this is done on a different server or during a restore operation on new servers, the key files need to be imported from the paper key. Selected admin users have the paper keys backed up in encrypted email.

For example on a our db-fnt server:

Take the first 5 lines from the /srv/borg.sh file and export them on the cli:

export BORG_REMOTE_PATH=/usr/local/bin/borg1/borg1
export HOST=
export BORG_REPO=
export BORG_PASSPHRASE=
export BORG=/usr/local/bin/borg

Note if doing this on a different server, BORG_REPO= must be the server you intend to restore from.

#import the paper key
borg key import --paper $BORG_REPO

#make a directory to mount the backups on:
mkdir /mnt/backups

#now mount the borg repo
borgfs $BORG_REPO /mnt/backups/

The files will now be in /mnt/backups:

ls /mnt/backups/
db-fnt.allstarlink.org-2018-10-31_08:30 db-fnt.allstarlink.org-2019-02-28_08:30
db-fnt.allstarlink.org-2018-11-30_08:30 db-fnt.allstarlink.org-2019-03-02_08:30
db-fnt.allstarlink.org-2018-12-31_08:30 db-fnt.allstarlink.org-2019-03-03_08:30
db-fnt.allstarlink.org-2019-01-31_08:30 db-fnt.allstarlink.org-2019-03-04_08:30
db-fnt.allstarlink.org-2019-02-03_08:30 db-fnt.allstarlink.org-2019-03-05_08:30
db-fnt.allstarlink.org-2019-02-10_08:30 db-fnt.allstarlink.org-2019-03-06_08:30
db-fnt.allstarlink.org-2019-02-17_08:30 db-fnt.allstarlink.org-2019-03-07_08:30
db-fnt.allstarlink.org-2019-02-24_08:30 db-fnt.allstarlink.org-2019-03-08_08:30

You can now go into any of these directories and restore files as of the date for the respective directory using normal UNIX utilities.

[[Category: Infrastructure]]

Category:Contenido en español

2020-04-09T20:23:42Z

Bryan: Created page with "Informativo de AllStarLink en español"

Informativo de AllStarLink en español

Guía para principaintes ASL-AsteriskNG

2020-04-09T20:21:37Z

Bryan: fixed links, added category

[[category:Contenido en español]]
Configuración de AllStarLink para principiantes.

== El primer paso es crear una cuenta. ==

Visita la pagina [https://web-tpa.allstarlink.org/ https://allstarlink.org/] y da click en '''<Login/Sign Up>'''
[[File:site_menu.png|frameless|border|533x533px]]

y luego click en '''<Sign Up>'''.

[[File:Asl sign up click here .png|none|thumb|800x800px]]Da click en '''<Begin registration>''' y llena el formulario.

== Descarga la imágen de ASL ==

Mientras esperas la confirmación de tu cuenta (suele demorar 24 horas) puedes descargar la imágen que utilizarás en tu nodo AllStarLink.

Visita [[Main_Page#Downloads|wiki.allstarlink.org]] y baja a la sección de descargas "'''Downloads'''" y selecciona la imágen apropiada para tu equipo.

[[File:ASL download.png|frameless|border|533x533px]]

Transfiere la imágen que descargaste a una memoria. Ya sea esta una memoria USB, un CD o DVD, o una tarjeta microSD (Raspberry Pi) dependiendo de tu equipo.

== Ingresa a tu cuenta ==

Necesitarás ingresar a tu cuenta [https://web-tpa.allstarlink.org/ https://allstarlink.org/]
[[File:Asl login.png|none|thumb|800x800px]]

Da click en '''Login/Sign Up''' como se muestra en la siguiente imágen.

== Crea un servidor ==

Necesitarás crear un servidor "server" : da click en '''Portal''' y luego en '''Server Settings'''.
[[File:Asl server1 .png|none|thumb|800x800px]]
Da click en <Add a new server>

Por favor lee las instrucciones en cada página.

Luego da click en <Proceed with Server Setup> si es necesario.

Llena todos los campos de información y da click en <submit> al fondo de la página.
[[File:Asl_server_settings_.png|none|thumb|800x800px]]Server Name = Nombre de tu servidor, p.e. MegaRaspberryPi.

Server Location = Ciudad donde estará ubicado el servidor, p.e. Ciudad de México

Site = Nombre del sitio donde estará el servidor p.e. Cerro del Chiquihuite.

Affiliation = Radioclub al que está afiliado el nodo (opcional).

Hostname = Nombre que darás a la computadora donde instalaras ASL (opcional).

IAX Port = 4569 (no modificar).

Proxy IP = IP del servidor Proxy (opcional).

Para la Latitud y Longitud, puedes usar el mapa o ingresar los valores.

== Solicita un número de nodo ==

Hasta arriba de la página, da click en <portal> y luego en <node settings>
[[File:Asl_node_.png|none|thumb|800x800px]]

Luego da click <Request a new node number>

[[File:Asl_request_node_.png|none|thumb|800x800px]]Selecciona en que servidor quieres que sea asignado el nuevo número de nodo

Si necesitas más de un número de nodo para el mismo servidor, repite este proceso.

Un comentario diciendo que requieres un nodo adicional para el mismo servidor es recomendable en dado caso, en Inglés se escribe asi: 'additional node on same server'.
[[File:Asl_request_node2_.png|none|thumb|800x800px]]

Una ves que hayas solicitado tu número de nodo y sea procesado, recibirás un email con la confirmación.

== Editar la configuración del nodo ==

Entra a tu cuenta en [https://web-tpa.allstarlink.org/ https://allstarlink.org/]

Da click en <portal> y luego en <node settings>

Los números de nodos AllStarLink que te han sido asignados estarán ahí desplegados.

Selecciona el número de nodo que deseas ver/editar.

Llena los campos con la información de tu nodo y da click en <submit>
[[File:Asl node settings .png|none|thumb|800x800px]]

Apunta en una hoja tu número de nodo, contraseña y el indicativo que le asignaste, ya que los necesitarás más adelante para configurartu sistema AllStarLink.

== Instala y configura AllStarLink en tu computadora ==

Consulta el manuala de tu computadora para instalar la imágen en ella. Si es una Raspberry Pi, te podemos recomendar la aplicación BalenaEtcher, la cual hace muy sencillo ese proceso.

Instala la imágen de AllStarLink en tu computadora. Coloca la memoria en tu sistema e inicia el sistema.

En el caso que estés utilizando una Raspberry Pi sin teclado y monitor, puedes conectarte por SSH usando una conexión de red alámbrica utilizanlo la IP que le asigno tu red/modem.

En la pantalla de acceso te solicitará ingresar un usuario, el cual es "repeater" y luego presiona <enter>

Ingresa el password de default que es "allstarlink".

Posteriormente te solicitará cambiar el password, solicitando primero en password anterior "allstarlink" y que ingreses dos veces el nuevo de tu elección. Toma nota del usuario y contraseña.

AL termino es posible que se cierre la ventana y tengas que volver a conectarte por SSH.

Para los usuarios familiarizados con Linux, pueden editar los archivos de forma manual.

Para los usuarios que no están familiarizados con Linux, ASL y Linux CLI (command line interface), pueden seguir paso a paso el procedimiento:

Escribe sudo asl-menu como se muestra en el siguiente ejemplo:

repeater@repeater:~$ sudo asl-menu

Esto cargará el menú de configuración de AllStarLink.
[[File:Asl menu main screen.png|none|thumb|640x640px]]

== Configuración del software AllStarLink en tu computadora ==

Selecciona la opción 1.
[[File:002_first_time.png|none|thumb|640x640px]]

Como es la primer ves que configuras tu nodo, responde Yes para configurar la contraseña para el usuario "root". No olvides tomar nota del usuario root y su contraseña.
[[File:003_password.png|none|thumb|640x640px]]

Ahora nos preguntará si deseamos cambiar la contraseña del usuario "repeater", la cual ya habíamos cambiado, así que responde No, salvo que nuevamnete la quieas cambiar. No olvides tomar nota.
[[File:004_repeater_password.png|none|thumb|640x640px]]

A continuación haremos el ajuste de la zona horaria.
[[File:005_timezone.png|none|thumb|640x640px]]

Selecciona el continente donde estará el nodo.
[[File:006_continent.png|none|thumb|640x640px]]

Selecciona la ciudad horaria donde estará el nodo.
[[File:007_city.png|none|thumb|640x640px]]

A continuación podremos cambiar el nombre de nuestro nodo, el cual por default se llama repeater.
[[File:008_message.png|none|thumb|640x640px]]

Responde Yes para poder hacer los cambios.
[[File:009_edit_hostname.png|none|thumb|640x640px]]

Ingresa el nombre que le quieres dar a tu equipo.
[[File:010_hostname.png|none|thumb|640x640px]]

Si deseas configurarlo en un dominio, ingresalo, de lo contrario solo da enter.
[[File:011_domain_name.png|none|thumb|640x640px]]

Da Ok en el mensaje donde se confirman los cambios que acabas de realizar.
[[File:012_message.png|none|thumb|640x640px]]

Ahora podremos hacer los cambios del DHCP, da Ok.
[[File:013_dhcp.png|none|thumb|640x640px]]

Nuevamente da Ok
[[File:014_network.png|none|thumb|640x640px]]

Para configurar la red como DHCP o IP Estática, selecciona Yes.
[[File:015_dhcp_static.png|none|thumb|640x640px]]

Selecciona si deseas DHCP con la D o IP estática con la S. En este ejemplo, seleccioné D, así que la IP será dinámica.
[[File:016_dhcp_static.png|none|thumb|640x640px]]

Da Ok al mensaje.
[[File:017_message.png|none|thumb|640x640px]]

Da Ok al mensaje.
[[File:018_message.png|none|thumb|640x640px]]

Da Ok al mensaje.
[[File:019_message.png|none|thumb|640x640px]]

A continuación ingresaremos el número de nodo. Selecciona la opción A1 en el menú.
[[File:020_a_menu_a1.png|none|thumb|640x640px]]

Selecciona la opción N1 en el menú.
[[File:021_n_menu_n1.png|none|thumb|640x640px]]

Ingresa el número de nodo que deseas configurar. Este es el que previamente se te asingnó en el sitio de AllStarLink.
[[File:022_node_number.png|none|thumb|640x640px]]

Selecciona la opción N2 en el menú.
[[File:023_n_menu_n2.png|none|thumb|640x640px]]

Ingresa la contraseña para el número de nodo que deseas configurar. Este es el que previamente ingresaste en el sitio de AllStarLink para tu número de nodo.
[[File:024_node_password.png|none|thumb|640x640px]]

Selecciona la opción N3 en el menú.
[[File:025_n_menu_n3.png|none|thumb|640x640px]]

Ingresa el indicativo que utilizará este nodo para identificarse, debe ser el mismo que configuraste en tu nodo en el sitio AllStarLink.
[[File:026_callsign.png|none|thumb|640x640px]]

Selecciona la opción N4 en el menú.
[[File:027_n_menu_n4.png|none|thumb|640x640px]]

Selecciona la opción I1 en el menú.
[[File:028_i_menu_i1.png|none|thumb|640x640px]]

Da ok.
[[File:029_message.png|none|thumb|640x640px]]

Selecciona la opción N5 en el menú.
[[File:030_n_menu_n5.png|none|thumb|640x640px]]

Si tu nodo operará en simplex como Hot spot o enlazado a un repetidor selecciona 1.
Si tu nodo será parte del control de un repetidor selecciona 2.
[[File:031_rptr_mode.png|none|thumb|640x640px]]

Selecciona la opción N6 en el menú.
[[File:032_n_menu_n6.png|none|thumb|640x640px]]

Ingresa un password que utilizarás para controlar tu nodo desde una página web.
[[File:033_password.png|none|thumb|640x640px]]

Da Ok.
[[File:034_message.png|none|thumb|640x640px]]

Da Ok.
[[File:036_message.png|none|thumb|640x640px]]

Selecciona la opción N9 en el menú.
[[File:037_n_menu_n9.png|none|thumb|640x640px]]

Da Ok.
[[File:038_message.png|none|thumb|640x640px]]

Da Ok.
[[File:039_message.png|none|thumb|640x640px]]

Da Ok.
[[File:040_message.png|none|thumb|640x640px]]

Da Ok.
[[File:041_message.png|none|thumb|640x640px]]

Da Ok.
[[File:042_message.png|none|thumb|640x640px]]

Da Ok.
[[File:043_message.png|none|thumb|640x640px]]

Da Ok.
[[File:044_message.png|none|thumb|640x640px]]

Selecciona la opción back en el menú.
[[File:045_n_menu_back.png|none|thumb|640x640px]]

Selecciona la opción AZ en el menú.
[[File:046_a_menu_az.png|none|thumb|640x640px]]

Corrobora que los datos que configuraste coinciden con tus notas y da Ok.
[[File:047_review.png|none|thumb|640x640px]]

Responde Yes para respaldar la configuración que acabamos de hacer.
[[File:048_backup.png|none|thumb|640x640px]]

Da Ok.
[[File:049_message.png|none|thumb|640x640px]]

Da Ok.
[[File:050_message.png|none|thumb|640x640px]]

Da Ok.
[[File:051_message.png|none|thumb|640x640px]]

Selecciona la opción Exit en el menú.
[[File:052_a-menu_exit.png|none|thumb|640x640px]]

Responde Yes, ya que previamente guardamos los cambios.
[[File:053_exit.png|none|thumb|640x640px]]

Si deseas que al iniciar tu raspberry entre a este menu responde Yes, de lo contrario responde No.
[[File:054_select_menu_sartup.png|none|thumb|640x640px]]

Si respondiste que No, recuerda que puedes volver a entrar, escribe sudo asl-menu como se muestra en el siguiente ejemplo:

repeater@repeater:~$ sudo asl-menu

[[File:055_message.png|none|thumb|640x640px]]

Ahora el sistema se reiniciará para aplicar los cambios en la configuración. Da Ok.
[[File:056_reboot.png|none|thumb|640x640px]]

== Ajustes de audio AllStarLink ==

Escribe sudo asl-menu como se muestra en el siguiente ejemplo:

repeater@repeater:~$ sudo asl-menu

Selecciona la opción 4.
[[File:101_asl_menu_4.png|none|thumb|640x640px]]

Con la opción F, podemos probar si el nodo activa correctamente el PTT de tu radio o repetidor.

Con la opción 2, podemos ajustar el volumen de audio que va del radio/repetidor hacia el nodo con la ayuda de un medidor gráfico.
Para ello, transmite con otro radioun tono o voz y ajusta los valores entre 0 y 999 y da Enter para que se apliquen. si no ingresas ningún valor y das Enter, saldrás de esta opción, dejando el último valor selecionado.

Con la opción T, podemos activar la transmisión de un tono para ajustar los niveles de transmisión del nodo al radio.

Con la opción 3, podemos ajustar el volumen de audio que va del nodo hacia el radio/repetidor.
Para ello, ajusta los valores entre 0 y 999 y da Enter para que se apliquen. habrá un tono de 5 segundos para que pruebes. Si no ingresas ningún valor y das Enter, saldrás de esta opción, dejando el último valor selecionado. al final desactiva la función de transmisión de tono con la T.

Una ves realizados los ajustes, guardalos con la opción W y Enter.

Para salir del menu selecciona la opción 0 (zero) y Enter.

== Ajustes de polaridad PTT y COS ==

Si tu radio/repetidor, requiere que se invierta la polaridad de los pines PTT, COS/CTCSS entra al menú principal de ASL, selecciona la opción 6.
[[File:103_asl_menu_6.png|none|thumb|640x640px]]

Selecciona la opción I.
[[File:104_config_menu_i.png|none|thumb|640x640px]]

Aparecerá un archivo de texto en el cual podremos hacer los cambios de la polaridad de la siguiente forma:

Para invertir PTT:
Busca una línea con la palabra invertptt = y cambia el valor.
0 = Transmite al poner el pin a tierra.
1 = Transmite al poner como circuito abierto.
[[File:105_invertptt.png|none|thumb|640x640px]]

Para invertir COS/CTCSS:
Busca una línea con la palabra carrierfrom = y cambia el valor.
Haz lo mismo con la línea con la palabra ctcssfrom = y cambia el valor.
no = No detecta carrier.
usb = Activo en alto.
usbinvert = activo en bajo.
[[File:106_invertcos.png|none|thumb|640x640px]]

Al terminar de hacer los cambios presiona CTRL + X y luego presiona Y y Enter. Regresarás al menú y selecciona back.
[[File:107_asl_menu_9.png|none|thumb|640x640px]]

Selecciona la opción G para que se reinicie el programa de AllStarLink y se apliquen los cambios. Posteriormente selecciona back.
[[File:107_asl_menu_9.png|none|thumb|640x640px]]

Con esto tu nodo deberá estar operando.

Proxy

2020-04-08T18:06:44Z

Bryan: /* Manual Configuration for Server Proxy Clients */

==Description/Explanation ==

Occasionally there is a need to have an Allstar Link Server in an 'itinerant' location (one that is non-permanent and possibly even moving). In such a situation it is certainly quite likely that the device's IP address may change quite often (perhaps even several times per hour or more). Also, the form of IP connectivity available to the device may not necessarily be suitable for normal Server operation (such as being behind NAT translation, firewalls, etc. that the Server owner has no control of). Normal operation requires farily stable IP addressing and full public access to at least UDP port 4569 (for IAX2 connectivity) to the Server. Typical examples of 'itinerant' environments include setting up a tiny portable node in a hotel room, utilizing the Internet connectivity provided by the hotel, or having a mobile node on a mobile data network that provides connectivity via some sort of NAT arrangement.

In a situation like this, it is possible to set up a Proxy relationship between such a Server and a Server located in a permanent position with a permanent IP address and good connectivity. For the purposes of explanation, the Server in the 'itinerant' location/situation will be referred to as the Server Proxy Client, and the Server that is in the Permanent/Stable location/situation will be referred to as the Server Proxy Server.

When such a relationship exists, all inbound traffic destined for Nodes on the Server Proxy Client is directed to the Server Proxy Server, which accepts and authenticates the traffic, then forwards it off to the Server Proxy Client via a direct (non-public) peering arrangement. Any traffic outbound from Nodes on the Server Proxy Client is directed to the Server Proxy Server, which forwards it to the appropriate location, thus requiring the Server Proxy Client only to be 'reachable' by the Server Proxy Server, and not all nodes on the entire Internet.

== Portal-Based Configuration for Server Proxy Clients ==

We don't support configuration of clients in the portal. The best way is to set it up manually, and then add the IP of the proxy server in the portal for the client.

If you don't want to do this (or if your proxy server is quasi-static), and you have control of the proxy server, have the proxy server use your node number and password and register it to register.allstarlink.org

In iax.conf on the proxy server:
<pre>
register=NODE#:PASSWORD@register.allstarlink.org:4569
Where node # is the number/pass of the proxied node.
</pre>

== Manual Configuration for Server Proxy Clients ==

First, you must configure a peering arrangement with the Proxy Server.

This is done by adding the following into the /etc/asterisk/iax.conf file:
<pre>
[radio-proxy]
type=user
deny=0.0.0.0/0.0.0.0
permit=<Server Proxy Server IP Address>/255.255.255.255
context=radio-secure-proxy
disallow=all
allow=g726aal2
transfer=no

[radio-proxy-out]
type=peer
host=<Server Proxy Server IP Address>
username=<First (or only) node number on this Server to be proxied>
secret=<Agreed-Upon Password for specified node (for Proxy peering)>
auth=md5
disallow=all
allow=g726aal2
transfer=no
</pre>

You must put in an appropriate register statement for all nodes on the
Server Proxy Client allowing registration with the Server Proxy Server
using Agreed-Upon Passwords.

If the Server Proxy Server is the Allstar Network Registration Server, then
the IP Address will be 67.215.233.178, the Username and Password will be node number
and node password of one of the nodes on the system that is registered with it, and
no additional registration line is necessary, since there already is one for that
node.

The following needs to be added to the /etc/asterisk/rpt.conf file:
<pre>
[nodes]
<Stuff that was already there, etc....>
_20XX = radio-proxy-out/0%s
_20XXX = radio-proxy-out/0%s
_21XX = radio-proxy-out/0%s
_21XXX = radio-proxy-out/0%s
_22XX = radio-proxy-out/0%s
_22XXX = radio-proxy-out/0%s
_23XX = radio-proxy-out/0%s
_23XXX = radio-proxy-out/0%s
_24XX = radio-proxy-out/0%s
_24XXX = radio-proxy-out/0%s
_25XX = radio-proxy-out/0%s
_25XXX = radio-proxy-out/0%s
_26XX = radio-proxy-out/0%s
_26XXX = radio-proxy-out/0%s
_27XXX = radio-proxy-out/0%s
_27XXXX = radio-proxy-out/0%s
_28XXX = radio-proxy-out/0%s
_28XXXX = radio-proxy-out/0%s
_29XXX = radio-proxy-out/0%s
_29XXXX = radio-proxy-out/0%s
_4XXXX = radio-proxy-out/0%s
_4XXXXX = radio-proxy-out/0%s
_5XXXX = radio-proxy-out/0%s
_5XXXXX = radio-proxy-out/0%s
; note the . wildcard doesn't work here in rpt.conf
;_2. = radio-proxy-out/0%s don't work like extensions
</pre>

The following needs to be added to the /etc/asterisk/extensions.conf file:

<pre>
[radio-secure-proxy]
exten => _0X.,1,Goto(allstar-sys|${EXTEN:1}|1)
</pre>
Plus, for each node on the system (also to be put in the radio-secure-proxy section):
<pre>
exten => <Node Number>,1,rpt,<Node Number>|X
</pre>

=Configuration for Server Proxy Servers=

First, you must configure a peering arrangement with the Server Proxy Client.
This is done by adding the following into the /etc/asterisk/iax.conf file for each node in the peering arrangement:

<pre>
[<Node Number>]
type=friend
host=dynamic
username=radio-proxy
secret=<Agreed-Upon Password for the Proxy peering>
auth=md5
context=radio-in
disallow=all
allow=g726aal2
transfer=no
</pre>

The following needs to be done to the /etc/asterisk/extensions.conf file:

The following section needs to be added:
<pre>
[radio-in]
exten => _0N.,1,Rpt(${EXTEN:1}|F)
exten => _0N.,n,Hangup
</pre>
The following section needs to replace the existing [radio-secure] section:
<pre>
[radio-secure]
exten=_20XX,1,Rpt,${EXTEN}
exten=_21XX,1,Rpt,${EXTEN}
exten=_22XX,1,Rpt,${EXTEN}
exten=_23XX,1,Rpt,${EXTEN}
exten=_24XX,1,Rpt,${EXTEN}
exten=_25XX,1,Rpt,${EXTEN}
exten=_26XX,1,Rpt,${EXTEN}
exten=_27XXX,1,Rpt,${EXTEN}
exten=_28XXX,1,Rpt,${EXTEN}
exten=_29XXX,1,Rpt,${EXTEN}
exten=_4XXXX,1,Rpt,${EXTEN}
exten=_5XXXX,1,Rpt,${EXTEN}
</pre>
The following needs to be added to the [allstar-sys] section:

<pre>
exten => _9.,1,Rpt(${EXTEN:2}|X|${EXTEN:1:1})
exten => _9.,n,Hangup
</pre>

The following needs to be added to the /etc/asterisk/rpt.conf file:

<pre>
[proxy]
ipaddr=<Public IP address of this Server Proxy Server>
</pre>

The Server Proxy Server will be able to determine (from the IP address as distributed in the /var/lib/asterisk/rpt_extnodes file), the nodes for which it needs to provide Proxy service.

[[Category:Node Configuration]]

Event Management

2020-02-21T07:30:45Z

Bryan:

[[Category:How to]]
As of app_rpt version 0.259, 10/9/2010, there exists a method by which a user can specify actions to be taken when certain events occur, such as transitions in receive and transmit keying, presence and modes of links, and external inputs, such as GPIO pins on the URI (or similar USB devices).

Bear in mind, this now also includes the ability to set the condition of external devices, such

as output pins on a URI (or similar USB devices), or a Parallel Printer Port.

'''[[Manipulating GPIO|Manipulating GPIO (and Parallel Printer Port) signals within chan_usbradio and chan_simpleusb.]]'''

The actions to be taken, and methods and steps required for doing so are specified in the rpt.conf
file under the [events] section (or other named section, settable with events=sectionname under the
node number section also in rpt.conf).

This subsystem utilizes Asterisk channel variables (or global variables if you dare) to indicate the

state of various signals and modes and are named as such:
RPT_RXKEYED -- Set to 1 when the node's main (RF) receiver is receiving a valid signal
RPT_TXKEYED -- Set to 1 when the node's main (RF) transmitter is transmitting
RPT_NUMLINKS -- Count of links currently connected to node
RPT_LINKS -- List of Node numbers currently linked to this node and their mode and receive keying
status, as follows:

<NUMLINKS>,<MODE><NODEMUM>[,<MODE><NODEMUM>...]

For example: 2,T2000,R2001 would indicate that there are 2 nodes linked currently,
first one is node 2000 in Transceive mode, and the second one is node 2001 in Receive-Only
(monitor) mode.

RPT_NUMALINKS -- Count of adjacent links currently connected to node
RPT_ALINKS -- List of Node numbers currently linked adjacent to this node and their mode and receive
keying status, as follows:

<NUMALINKS>,<NODEMUM><MODE><RXKEYED>[,<NODEMUM><MODE><RXKEYED>...]

For example: 2,2000TU,2001RK would indicate that there are 2 adjacent nodes linked currently,
first one is node 2000 in Transceive mode, and is not presently sending a keying
signal towards this node, and the second one is node 2001 in Receive-Only (monitor)
mode, and is presently sending a keying signal towards this node.

Adjacent nodes are ones that are directly connected to this node. This differs from the RPT_LINKS
in that the RPT_LINKS is a list of all nodes, whether connected directly, or connected through
a node that is connected directly. The keying information is not given with the RPT_LINKS because
in that context it is meaningless.
There may also be others included from external devices/sources, such as the URI (or similar USB

devices), or a Parallel Printer Port that will appear if so configured (within the configuration

for that particular device),

such as:
RPT_URI_GPIO1 -- This would be the GPIO 1 pin, if configured as an input.
RPT_URI_GPIO4 -- This would be the GPIO 4 pin, if configured as an input.
RPT_PP12 -- This would be the Parallel Printer Port, pin 12 (input)

These are set to "0" or "1" (the state of the input pin).
Each line of the [events] section is specified as follows:
<action-spec> = <action>|<type>|&ltvar-spec>

If action is 'V' (for "setting variable"), then action-spec is the variable being set.
If action is 'G' (for "setting global variable"), then action-spec is the global variable being set.
If action is 'F' (for "function"), then action-spec is a DTMF function to be executed (if result is 1).
If action is 'C' (for "rpt command"), then action-spec is a raw rpt command to be executed (if
result is 1).
If action is 'S' (for "shell command"), then action-spec is a shell command to be executed (if
result is 1).

If type is 'E' (for "evaluate statement" (or perhaps "equals") ) then the var-spec is a full statement
containing expressions, variables and operators per the expression evaluation built into Asterisk.
If type is 'T' (for "going True"), var-spec is a single (already-defined) variable name, and the result
will be 1 if the varible has just gone from 0 to 1.
If type is 'F' (for "going False"), var-spec is a single (already-defined) variable name, and the
result will be 1 if the varible has just gone from 1 to 0.
If type is 'N' (for "no change"), var-spec is a single (already-defined) variable name, and the result
will be 1 if the varible has not changed.
Examples:

Set the channel variable 'MYVAR' true if main receiver has valid signal and transmitter is

not transmitting. Presumable this variable will be used in a later statement for something.
MYVAR = v|e|${RPT_RXKEYED} & !${RPT_TXKEYED}
Have the system give the time of day after all links are disconnected. This performs the

specified rpt command when the 'RPT_NUMLINKS' variable goes from true to false, and therefore

happens when all links are disconnected (if and only if some were connected previously).
status,2 = c|f|RPT_NUMLINKS

Note: although 'RPT_NUMLINKS' ''is'' an Integer count of links, it can also be treated as a
boolean, since non-zero values evaluate to the same as '1'.
Execute the DTMF command '*1234' (whatever the heck that is) when node 2000 connects to this node.
TEMPVAR = v|e|${RPT_LINKS} =~ "\",2000.\""
*1234 = f|t|TEMPVAR

Note: We are interested in executing the function ONLY when the node connects. Therefore, you must
define a variable the meets the condition you are looking for in general (in this case, node 2000
being connected, then you have to execute the desired function when that variable goes from 1 to 0
(changes to false).

Any time you are using regex to look for a node number int the 'RPT_LINKS' variable, you must
put a comma in front of the qualifying string to make sure that it does not match some other
node number that has the desired information (in this case, the digits '2000') within a longer
node number.
Get a detailed directory listing of the '/tmp' directory, and put its output into the file

'/tmp/example.txt' every time node 2001 is connected to, and stops indicating keying towards our node

(not that anyone would ever really want to do that... its just an example).
TEMPVAR = v|e|${RPT_ALINKS} =~ "\",2001[TRC]K\""
ls -l /tmp > /tmp/example.txt = s|f|TEMPVAR
If you wish to set channel variable(s) for a node from the CLI, you may use the following command:
*CLI> rpt setvar <nodenum> <name=value> [<name=value>...]
For Example, this would set the "MYVAR" variable to "1" for node 2000:
*CLI> rpt setvar 2000 MYVAR=1
If you wish to display all the variables for a node, use the following command:
*CLI> rpt showvars <nodenum>
Also, a channel variable for a node may be set from the Asterisk Dialplan as follows:
rpt(<nodenum>,V,<name=value>)
For example, for extension 1234 priority 5, set variable 'MYVAR' to '0' for node 2000:
exten => 1234,5,rpt(2000,V,MYVAR=0)
Granted, there may very well be some things (such as interesting information that can be expressed
within this subsystem) that has been overlooked, and any suggestions and/or comments regarding this
whole thing would be much appreciated.

This also opens a completely new avenue of customization and individual creativity for each system
implementer. There are many innovative things that can be done with this. Also there are many just plain
silly ones, such as connecting your doorbell to one the input pins on the URI, and having the system
connect to your favorite Echolink node or something when someone rings the doorbell.

At some point there should be a contest to see who can come up with the most utterly ludicrous
appication of this subsystem. There are many possibilities to explore in this area. Hint: you will
get '''major''' extra bonus points if it involves the script re-writing itself (self-modifying
code, that exhibits at least plausibility of long-term stability (going to poo-poo in less then
1000 iterations is ''just'' not acceptible)).

In any case, please contribute whatever wonderful configurations you come up with so that all users
may have the benefits of all the wonderful ideas everyone comes up with.

Extentions.conf

2020-01-27T18:44:54Z

Bryan:

= extensions.conf =
The extensions.conf config file is used to route incoming connections from remote nodes or connections to the correct node number in app_rpt. It also is used to route outgoing autopatch connections to various channels and VOIP termination providers.

= Contexts used by app-rpt=

[radio-secure] -

[iax-client] - used by IAX users

[radio] - used for IAX connections between nodes

[check_route] - used to check the call routing for autopatch

[pstn-out]

[allstar-sys] - used by the phone portal

[allstar-public] - used by web transceiver

[radio-in]

Here is an example of how extensions.conf is used to handle incoming connections for a single node:
[radio-secure]
exten => 1234,1,rpt,1234
In the above case, two nodes are defined as asterisk extensions in a “context” called radio-secure defined by a stanza [radio-secure] . An incoming connection directed to extension 1234 will end up calling app_rpt (rpt) with a value of 1234 which should a node number defined in rpt.conf.
[[Category:Node Configuration]]
[[Category:Config Files]]

Blacklist or whitelist

2020-01-27T18:32:35Z

Bryan: /* Web Portal */

Occasionally it becomes necessary to limit connections to your node. With this configuration you can either blacklist (block) or whitelist (allow) inbound connections. Outbound connections are not blocked. Only one list can be used at a same time and it applies to all nodes on the server. If using the whitelist all nodes on the local server (127.0.0.1) are allowed. The lists are managed with these Asterisk CLI commands:

* Blacklist
** <code>*CLI> database put blacklist 1998 "any comment"</code>
** <code>*CLI> database del blacklist 1998</code>
** <code>*CLI> database show blacklist</code>
* Whitelist
** <code>*CLI> database put whitelist 1000 "any comment"</code>
** <code>*CLI> database del whitelist 1000</code>
** <code>*CLI> database show whitelist</code>
*Both
** <code>*CLI> database show</code>

''Note'': WA3DSP wrote a [https://hamvoip.org/downloads/node-ban-allow.sh menu script] for the above commands.

==Blacklist Configuration==
Add this to extensions.conf just below the [radio-secure] context.
<pre>
[radio-secure]
...

; To add a node to the blacklist:
; database put blacklist 1998 “any comment”
; to remove:
; database del blacklist 1998
; to list
; database show blacklist

[blacklist]
exten => _XXXX!,1,NoOp(${CALLERID(num)})
exten => _XXXX!,n,GotoIf($[${DB_EXISTS(blacklist/${CALLERID(num)})}]?blocked)
exten => _XXXX!,n,Goto(radio-secure,${EXTEN},1)
exten => _XXXX!,n(blocked),Hangup

[whitelist]
exten => _XXXX!,1,NoOp(${CALLERID(num)})
exten => _XXXX!,n,NoOp(${IAXPEER(CURRENTCHANNEL)})
exten => _XXXX!,n,GotoIf($["${IAXPEER(CURRENTCHANNEL)}" = "127.0.0.1"]?radio-secure,${EXTEN},1) ;permit local IPs
exten => _XXXX!,n,GotoIf($[${DB_EXISTS(whitelist/${CALLERID(num)})}]?radio-secure,${EXTEN},1)
exten => _XXXX!,n,Hangup
</pre>

In iax.conf modify the [radio] context by adding and/or commenting context = lines.
<pre>
[radio]
type = user
disallow = all
allow = ulaw
allow = adpcm
allow = gsm
codecpriority = host
;context = radio-secure
;context = whitelist
context = blacklist
transfer = no
</pre>

== Web Portal ==
If you want to have a blacklist for the web portal users you will need to modify the [allstar-public] context in extentions.conf

<pre>
[allstar-public]

exten => s,1,Ringing
exten => s,n,Set(RESP=${CURL(https://register.allstarlink.org/cgi-bin/authwebphone.pl?${CALLERID(name)})})
exten => s,n,Set(NODENUM=${CALLERID(number)})
exten => s,n,GotoIf($["${RESP:0:1}" = "?"]?hangit)
exten => s,n,GotoIf($["${RESP:0:1}" = ""]?hangit)
exten => s,n,GotoIf($["${RESP:0:5}" != "OHYES"]?hangit)
exten => s,n,Set(CALLSIGN=${RESP:5})
exten => s,n,Wait(3)
exten => s,n,Playback(rpt/node|noanswer)
exten => s,n,Saydigits(${NODENUM})
exten => s,n,Set(CALLERID(name)=${CALLSIGN})
exten => s,n,Set(CALLERID(num)=0)
exten => s,n,GotoIf($[${DB_EXISTS(blacklist/${CALLERID(name)})}]?blacklisted)
exten => s,n,Rpt(${NODENUM}|X)
exten => s,n,Hangup
exten => s,n(hangit),Answer
exten => s,n(hangit),Wait(1)
exten => s,n(hangit),Hangup
exten => s,n(blacklisted),Playback(privacy-you-are-blacklisted)
exten => s,n(blacklisted),Playback(goodbye)
exten => s,n(blacklisted),Wait(1)
exten => s,n(blacklisted),Hangup
</pre>
Whitelist is not implemented here, but it should be easy to do

To block a web-portal user you will need to add the callsign in capital letters to the blacklist.
* <code>*CLI> database put blacklist KM6RPT "no comment"</code>

[[Category:How to]]
[[Category:Node Configuration]]

Blacklist or whitelist

2020-01-27T18:31:52Z

Bryan: /* Web Portal */

Occasionally it becomes necessary to limit connections to your node. With this configuration you can either blacklist (block) or whitelist (allow) inbound connections. Outbound connections are not blocked. Only one list can be used at a same time and it applies to all nodes on the server. If using the whitelist all nodes on the local server (127.0.0.1) are allowed. The lists are managed with these Asterisk CLI commands:

* Blacklist
** <code>*CLI> database put blacklist 1998 "any comment"</code>
** <code>*CLI> database del blacklist 1998</code>
** <code>*CLI> database show blacklist</code>
* Whitelist
** <code>*CLI> database put whitelist 1000 "any comment"</code>
** <code>*CLI> database del whitelist 1000</code>
** <code>*CLI> database show whitelist</code>
*Both
** <code>*CLI> database show</code>

''Note'': WA3DSP wrote a [https://hamvoip.org/downloads/node-ban-allow.sh menu script] for the above commands.

==Blacklist Configuration==
Add this to extensions.conf just below the [radio-secure] context.
<pre>
[radio-secure]
...

; To add a node to the blacklist:
; database put blacklist 1998 “any comment”
; to remove:
; database del blacklist 1998
; to list
; database show blacklist

[blacklist]
exten => _XXXX!,1,NoOp(${CALLERID(num)})
exten => _XXXX!,n,GotoIf($[${DB_EXISTS(blacklist/${CALLERID(num)})}]?blocked)
exten => _XXXX!,n,Goto(radio-secure,${EXTEN},1)
exten => _XXXX!,n(blocked),Hangup

[whitelist]
exten => _XXXX!,1,NoOp(${CALLERID(num)})
exten => _XXXX!,n,NoOp(${IAXPEER(CURRENTCHANNEL)})
exten => _XXXX!,n,GotoIf($["${IAXPEER(CURRENTCHANNEL)}" = "127.0.0.1"]?radio-secure,${EXTEN},1) ;permit local IPs
exten => _XXXX!,n,GotoIf($[${DB_EXISTS(whitelist/${CALLERID(num)})}]?radio-secure,${EXTEN},1)
exten => _XXXX!,n,Hangup
</pre>

In iax.conf modify the [radio] context by adding and/or commenting context = lines.
<pre>
[radio]
type = user
disallow = all
allow = ulaw
allow = adpcm
allow = gsm
codecpriority = host
;context = radio-secure
;context = whitelist
context = blacklist
transfer = no
</pre>

== Web Portal ==
If you want to have a blacklist for the web portal users you will need to modify the [allstar-public] context in extentions.conf

<pre>
[allstar-public]

exten => s,1,Ringing
exten => s,n,Set(RESP=${CURL(https://register.allstarlink.org/cgi-bin/authwebphone.pl?${CALLERID(name)})})
exten => s,n,Set(NODENUM=${CALLERID(number)})
exten => s,n,GotoIf($["${RESP:0:1}" = "?"]?hangit)
exten => s,n,GotoIf($["${RESP:0:1}" = ""]?hangit)
exten => s,n,GotoIf($["${RESP:0:5}" != "OHYES"]?hangit)
exten => s,n,Set(CALLSIGN=${RESP:5})
exten => s,n,Wait(3)
exten => s,n,Playback(rpt/node|noanswer)
exten => s,n,Saydigits(${NODENUM})
exten => s,n,Set(CALLERID(name)=${CALLSIGN})
exten => s,n,Set(CALLERID(num)=0)
exten => s,n,GotoIf($[${DB_EXISTS(blacklist/${CALLERID(name)})}]?blacklisted)
exten => s,n,Rpt(${NODENUM}|X)
exten => s,n,Hangup
exten => s,n(hangit),Answer
exten => s,n(hangit),Wait(1)
exten => s,n(hangit),Hangup
exten => s,n(blacklisted),Playback(privacy-you-are-blacklisted)
exten => s,n(blacklisted),Playback(goodbye)
exten => s,n(blacklisted),Wait(1)
exten => s,n(blacklisted),Hangup
</pre>
Whitelist is not implemented here, but it should be easy to do

To block a web-portal user you will need to add the callsign in capital letters to the blacklist.
** <code>*CLI> database put blacklist KM6RPT "no comment"</code>

[[Category:How to]]
[[Category:Node Configuration]]

Blacklist or whitelist

2020-01-27T18:31:25Z

Bryan:

Occasionally it becomes necessary to limit connections to your node. With this configuration you can either blacklist (block) or whitelist (allow) inbound connections. Outbound connections are not blocked. Only one list can be used at a same time and it applies to all nodes on the server. If using the whitelist all nodes on the local server (127.0.0.1) are allowed. The lists are managed with these Asterisk CLI commands:

* Blacklist
** <code>*CLI> database put blacklist 1998 "any comment"</code>
** <code>*CLI> database del blacklist 1998</code>
** <code>*CLI> database show blacklist</code>
* Whitelist
** <code>*CLI> database put whitelist 1000 "any comment"</code>
** <code>*CLI> database del whitelist 1000</code>
** <code>*CLI> database show whitelist</code>
*Both
** <code>*CLI> database show</code>

''Note'': WA3DSP wrote a [https://hamvoip.org/downloads/node-ban-allow.sh menu script] for the above commands.

==Blacklist Configuration==
Add this to extensions.conf just below the [radio-secure] context.
<pre>
[radio-secure]
...

; To add a node to the blacklist:
; database put blacklist 1998 “any comment”
; to remove:
; database del blacklist 1998
; to list
; database show blacklist

[blacklist]
exten => _XXXX!,1,NoOp(${CALLERID(num)})
exten => _XXXX!,n,GotoIf($[${DB_EXISTS(blacklist/${CALLERID(num)})}]?blocked)
exten => _XXXX!,n,Goto(radio-secure,${EXTEN},1)
exten => _XXXX!,n(blocked),Hangup

[whitelist]
exten => _XXXX!,1,NoOp(${CALLERID(num)})
exten => _XXXX!,n,NoOp(${IAXPEER(CURRENTCHANNEL)})
exten => _XXXX!,n,GotoIf($["${IAXPEER(CURRENTCHANNEL)}" = "127.0.0.1"]?radio-secure,${EXTEN},1) ;permit local IPs
exten => _XXXX!,n,GotoIf($[${DB_EXISTS(whitelist/${CALLERID(num)})}]?radio-secure,${EXTEN},1)
exten => _XXXX!,n,Hangup
</pre>

In iax.conf modify the [radio] context by adding and/or commenting context = lines.
<pre>
[radio]
type = user
disallow = all
allow = ulaw
allow = adpcm
allow = gsm
codecpriority = host
;context = radio-secure
;context = whitelist
context = blacklist
transfer = no
</pre>

== Web Portal ==
If you want to have a blacklist for the web portal users you will need to modify the [allstar-public] context in extentions.conf

<pre>
[allstar-public]

exten => s,1,Ringing
exten => s,n,Set(RESP=${CURL(https://register.allstarlink.org/cgi-bin/authwebphone.pl?${CALLERID(name)})})
exten => s,n,Set(NODENUM=${CALLERID(number)})
exten => s,n,GotoIf($["${RESP:0:1}" = "?"]?hangit)
exten => s,n,GotoIf($["${RESP:0:1}" = ""]?hangit)
exten => s,n,GotoIf($["${RESP:0:5}" != "OHYES"]?hangit)
exten => s,n,Set(CALLSIGN=${RESP:5})
exten => s,n,Wait(3)
exten => s,n,Playback(rpt/node|noanswer)
exten => s,n,Saydigits(${NODENUM})
exten => s,n,Set(CALLERID(name)=${CALLSIGN})
exten => s,n,Set(CALLERID(num)=0)
exten => s,n,GotoIf($[${DB_EXISTS(blacklist/${CALLERID(name)})}]?blacklisted)
exten => s,n,Rpt(${NODENUM}|X)
exten => s,n,Hangup
exten => s,n(hangit),Answer
exten => s,n(hangit),Wait(1)
exten => s,n(hangit),Hangup
exten => s,n(blacklisted),Playback(privacy-you-are-blacklisted)
exten => s,n(blacklisted),Playback(goodbye)
exten => s,n(blacklisted),Wait(1)
exten => s,n(blacklisted),Hangup
<pre>
Whitelist is not implemented here, but it should be easy to do

To block a web-portal user you will need to add the callsign in capital letters to the blacklist.
** <code>*CLI> database put blacklist KM6RPT "no comment"</code>

[[Category:How to]]
[[Category:Node Configuration]]

Main Page

2019-12-28T05:44:57Z

Bryan: /* Related Links */

Welcome to the AllStarLink WiKi. AllStarLink is a world wide network of [https://en.wikipedia.org/wiki/Amateur_radio Amateur Radio] repeaters, remote base stations and hot spots accessible to each other via the Internet and/or private IP networks. AllStarLink runs on a dedicated Linux computer (including the Raspberry Pi) that you host at your home, radio site or computer center. It is based on the open source Asterisk PBX. The app_rpt module is a powerful radio/repeater controller. AllStarLink is open source GPL software free for anyone to use.

Recently we've moved some things off of this front page. If you don't see what you are looking for look at the [[:Category:How to|How To's]] or use the search located on the top of every page. We've imported all of the content from the docs site [http://docs.allstarlink.org docs.allstarlink.org] into this Wiki.

__NOTOC__
==Organization==
*[[The Organization - AllStarLink Inc. ]] - What is AllStarLink?
*[[The Beginning - AllStarLink Inc]] - How AllStarLink came to be.

==AllStarLink Menu==
*[[Features]] - List of the many AllStarLink Features
*[[Beginners Guide]] - Step by step instructions to create your account and AllStarLink node.
*[[ASL FAQ]] - Questions and answers about the AllStarLink software distribution.
*[[:Category:How to|How To's]] - A collection of AllStarLink how to's.
*[[:Category:Node Configuration|Node Configuration]] - Detailed configuration settings.
*[[:Category:Development|Development]] - Information regarding development of the AllStarLink software (i.e., contributing, etc).
*[[Radio Connections]] - Instructions to Connect Radios, Repeaters and Other Devices to AllStar.
*[[Troubleshooting]] - Troubleshooting common problems, things to try, and hints to solve the problem.

==Downloads==
* [https://github.com/AllStarLink/Asterisk/releases/tag/ASL-1.01 ASL AMD] Latest AllStarLink installer for x86/AMD (main site)
* [http://dvswitch.org/files/ASL_Images/Intel-AMD/Stretch/ ASL AMD] Latest AllStarLink installer for x86/AMD (alternative site)
* [http://dvswitch.org/files/ASL_Images/Raspberry_Pi/Stretch/ Pi] Latest AllStarLink image for the Raspberry Pi
* [http://dvswitch.org/files/ASL_Images/ ASL Repo] AllStarLink Image Repository
* [[ASL FAQ]] - Install ASL on your existing Debian box or VM

Note: The ASL 1.01 installer is a Network installer and still uses the dvswitch.org site to download the .deb install files.

==Related Links==
* [https://allstarlink.org/ AllStarLink Portal] - If you are looking to set up your own AllStarLink node.
* [https://www.allstarlink.org/ AllStarLink Portal] - Our portal site. Check out the searchable and sortable [https://www.allstarlink.org/nodelist/ Node List].
* [http://stats.allstarlink.org/ AllStarLink Stats] - shows all the existing public nodes.
* [https://community.allstarlink.org/ AllStarLink Community Site] - Web based user support form (replaced app_rpt mailing list)
* [http://lists.keekles.org/cgi-bin/mailman/listinfo/app_rpt-users AllStarLink users mailing list]- '''(archived)''' This is the app_rpt mailing list for discussion, help and helping others
* [https://groups.io/g/AllStarLink AllStarLink Groups.io mailing group]. This is the app_rpt discussion group on Groups.io
* [https://github.com/AllStarLink/ Source Code] - All of the source code for the AllStarLink Asterisk and app_rpt is available on GitHub.

==History==
* [[History]] from the Duuude, Jim Dixon WB6NIL SK 12/16/2016.
* [[Thru-hole_Voter_Board|Thru-hole Voter Board]] from Jim Dixon

==References==
* [http://rogerdudler.github.io/git-guide/ Git - The Simple Guide] - A handy reference for getting started with Git.
* [https://ryanstutorials.net/linuxtutorial/cheatsheet.php Ryans Tutorials - Linux Tutorial - Cheat Sheet] Handy Cheat Sheet of Linux commands.
* [https://training.linuxfoundation.org/resources/free-courses/introduction-to-linux/ The Linux Training Foundation - Introduction to Linux] A free eight week course with optional certificate that teaches how to use Linux.

Allmon

2019-10-19T21:25:08Z

Bryan: Redirected page to Allmon2

#REDIRECT [[Allmon2]]

Allmon2

2019-10-19T21:24:45Z

Bryan: Created page with "Docs are missing from the wiki on this. https://github.com/tsawyer/allmon2 Package pending for 1.10"

Docs are missing from the wiki on this.

https://github.com/tsawyer/allmon2

Package pending for 1.10

Backups

2019-10-17T20:35:25Z

Bryan: /* Install nessary packages */

=Server Backups=

AllStarLink, Inc uses a per server backup method based on borg.

= Installing Borg on Ubuntu 16 =

the default package that ships with ubuntu 16.04 LTS is borg 1.0 based and we use the latest 1.1 version as it has several security fixes.

== Install nessary packages==

apt-get install libacl1-dev python3-dev libssl-dev gcc g++ python3-llfuse

== install pip ==

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python3 get-pip.py

== Install Borg ==
pip3 install borgbackup

== Test for proper version ==
root:~# borg -V
borg 1.1.7

which borg
/usr/local/bin/borg

== Install the scripts ==
This will install a new ssh key for root that matches the Rsync.net account and place the borg.inc program in the /root/ directory.

cd /
tar -xvf /root/borg-root-config.tar

= Edit the borg script=

On the Db servers we add a command to dump the database to /var/mysql-backup-current.sql.bz2

= Initialize the repo=

Copy the export lines to your shell and run then do

echo $BORG_REPO
ASLUSER@host.rsync.net:borg/ASL/db-ord

The borg/ASL/db-ord needs to be created on the server
ssh -t ASLUSER@host.rsync.net mkdir -p borg/ASL/db-ord

now we need to init the repo at that location
borg init -e keyfile-blake2 -p -v

= export the key =

borg key export --paper

Email this output GPG encrypted to the admin team members.

'''If we lose this key, there is no way to restore the backup.''' This means if the server dies, we need the paper key record and the passphrase.

= Do the first backup =

/root/borg.inc

Check that it's succeed

= move borg.inc to cron =

mv /root/borg.inc /srv/borg.sh

= edit crontab =

edit /etc/crontab to run daily at 8am UTC

#borg backup
30 8 * * * root /srv/borg.sh

Reload the crontab file

service cron reload

= Mounting and restoring =
Borg makes it easy to mount a backup on the server using "borgfs".

If this is done on a different server or during a restore operation on new servers, the key files need to be imported from the paper key. Selected admin users have the paper keys backed up in encrypted email.

For example on a our db-fnt server:

Take the first 5 lines from the /srv/borg.sh file and export them on the cli:

export BORG_REMOTE_PATH=/usr/local/bin/borg1/borg1
export HOST=
export BORG_REPO=
export BORG_PASSPHRASE=
export BORG=/usr/local/bin/borg

Note if doing this on a different server, BORG_REPO= must be the server you intend to restore from.

#import the paper key
borg key import --paper $BORG_REPO

#make a directory to mount the backups on:
mkdir /mnt/backups

#now mount the borg repo
borgfs $BORG_REPO /mnt/backups/

The files will now be in /mnt/backups:

ls /mnt/backups/
db-fnt.allstarlink.org-2018-10-31_08:30 db-fnt.allstarlink.org-2019-02-28_08:30
db-fnt.allstarlink.org-2018-11-30_08:30 db-fnt.allstarlink.org-2019-03-02_08:30
db-fnt.allstarlink.org-2018-12-31_08:30 db-fnt.allstarlink.org-2019-03-03_08:30
db-fnt.allstarlink.org-2019-01-31_08:30 db-fnt.allstarlink.org-2019-03-04_08:30
db-fnt.allstarlink.org-2019-02-03_08:30 db-fnt.allstarlink.org-2019-03-05_08:30
db-fnt.allstarlink.org-2019-02-10_08:30 db-fnt.allstarlink.org-2019-03-06_08:30
db-fnt.allstarlink.org-2019-02-17_08:30 db-fnt.allstarlink.org-2019-03-07_08:30
db-fnt.allstarlink.org-2019-02-24_08:30 db-fnt.allstarlink.org-2019-03-08_08:30

You can now go into any of these directories and restore files as of the date for the respective directory using normal UNIX utilities.

[[Category: Infrastructure]]

DNS Servers

2019-10-16T17:02:22Z

Bryan: /* regsvcs.allstarlink.org */

[[Category: Infrastructure]]

ASL utilizes DNS servers based on powerdns with a mysql backend.

These DNS servers support the following:
* AllStarlink.org DNS authoritative
* registration server redundancy
* DNS lookup for nodes information

= Authoritative DNS servers =

The authoritative DNS servers run on karl-tpa.allstarlink.org and smithers-fnt.allstarlink.org with the backend in the distributed database. These servers may be administered via 'pdnsutil' on the cli or via the gui at http://karl-tpa.allstarlink.org:9191 or http://smithers-fnt.allstarlink.org:9191 over the VPN or via the bastion hosts.

DNSSEC is enabled on all domains and trust is expanded to all sub servers.

Secondary DNS is very important as provided by ns[1-4].keekles.org and ns6.gandi.net. This is very important as if the database is hard down in FNT and TPA, the primary DNS will be offline. With the secondary servers online DNS will continue to work, and NMS requires DNS for the allstarlink.org zone.

= regsvcs.allstarlink.org =

This Zone is served by the registration servers, and is pulled directly from the database. There is no secondary on these zones, just the three primary servers on the registration servers.

The redundancy of registration is handled by a TTL of 120 seconds on all the records. We've added another field in the 'records' table 'UnixSeconds' which is NULL by default, but updated by the heartbeat health check scripts on the servers. If the heartbeat script detects the DB or connectivity down at a site, it will shut down that server and stop updating the DNS UnixSeconds.

On the DNS server we have modified the default query for a lookup to:

gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 AND (UnixSeconds is NULL OR UnixSeconds > (UNIX_TIMESTAMP() - 120)) and type=? and name=?

This will only return a record if UnixSeconds is Null or has been updated in the last 120 seconds.

If the node loses connectivity, it will be timed out of DNS due to this in 120 seconds. This is a "dead-man switch" function which will enable losing any one node in the cluster.

'''register.allstarlink.org''' is a CNAME to '''register.regscvs.allstarlink.org''' under this. The node list servers are under this as well as '''node[1-4].allstarllink.org''' CNAME '''nodes.regsvcs.allstarlink.org
'''
== recovery of a down server ==

Need to fill this out, right now it's a manual verification, db edit and reset.

= DNS node lookup =

nodes.allstarlink.org is delegated to a DNS running on the db servers. The users_Nodes table has a trigger which is run and creates entries/edits them on the records table in the 'allstar' database. This populates a SRV, TXT and A record for every node in the system when it's updated. The trigger has been optimized and has little to no preformance impact on the registration process.

Note that servers not in nodes list can appear in DNS, there is no ageing out of entries in DNS. It's up to the server to know it's registered.

== SRV record ==
_iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows:

_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.nodes.allstarlink.org.

where 4569 is the IAX port and then it will do a A lookup on 50000.nodes.allstarlink.org. for the IP.

A remote base will be returned like:

_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org.

== A record ==

<nodenumber>.nodes.allstarlink.org. and <nodenumber>.remotebase.nodes.allstarlink.org. will return the IP address of the IAX server or the proxy IP if defined.

== TXT Record ==

The TXT record is used for debugging purposes with a query below:

TXT <nodenumber>.nodes.allstarlink.org.

This will return:
"NN=50000" "RT=2019-02-28 18:41:29" "RB=0" "IP=44.98.248.144" "PIP=" "PT=4569" "RH=register-fnt"
NN is node number
RT is the last update registration time
RB is 0 for node is not a remote base, RB is 1 if it is a remote base
IP is the IP address of the node
PIP is the proxy IP of the node if set
PT is the port
RH is the registration server the node last registered to.

DNS Servers

2019-10-16T17:00:55Z

Bryan: Created page with "Category: Infrastructure ASL utilizes DNS servers based on powerdns with a mysql backend. These DNS servers support the following: * AllStarlink.org DNS authoritative..."

[[Category: Infrastructure]]

ASL utilizes DNS servers based on powerdns with a mysql backend.

These DNS servers support the following:
* AllStarlink.org DNS authoritative
* registration server redundancy
* DNS lookup for nodes information

= Authoritative DNS servers =

The authoritative DNS servers run on karl-tpa.allstarlink.org and smithers-fnt.allstarlink.org with the backend in the distributed database. These servers may be administered via 'pdnsutil' on the cli or via the gui at http://karl-tpa.allstarlink.org:9191 or http://smithers-fnt.allstarlink.org:9191 over the VPN or via the bastion hosts.

DNSSEC is enabled on all domains and trust is expanded to all sub servers.

Secondary DNS is very important as provided by ns[1-4].keekles.org and ns6.gandi.net. This is very important as if the database is hard down in FNT and TPA, the primary DNS will be offline. With the secondary servers online DNS will continue to work, and NMS requires DNS for the allstarlink.org zone.

= regsvcs.allstarlink.org =

This Zone is served by the registration servers, and is pulled directly from the database. There is no secondary on these zones, just the three primary servers on the registration servers.

The redundancy of registration is handled by a TTL of 120 seconds on all the records. We've added another field in the 'records' table 'UnixSeconds' which is NULL by default, but updated by the heartbeat health check scripts on the servers. If the heartbeat script detects the DB or connectivity down at a site, it will shut down that server and stop updating the DNS UnixSeconds.

On the DNS server we have modified the default query for a lookup to:

gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 AND (UnixSeconds is NULL OR UnixSeconds > (UNIX_TIMESTAMP() - 120)) and type=? and name=?

This will only return a record if UnixSeconds is Null or has been updated in the last 120 seconds.

If the node loses connectivity, it will be timed out of DNS due to this in 120 seconds. This is a "dead-man switch" function which will enable losing any one node in the cluster.

register.allstarlink.org is a CNAME to register.regscvs.allstarlink.org under this. The node list servers are under this as well as node[1-4].allstarllink.org CNAME nodes.regsvcs.allstarlink.org

== recovery of a down server ==

Need to fill this out, right now it's a manual verification, db edit and reset.

= DNS node lookup =

nodes.allstarlink.org is delegated to a DNS running on the db servers. The users_Nodes table has a trigger which is run and creates entries/edits them on the records table in the 'allstar' database. This populates a SRV, TXT and A record for every node in the system when it's updated. The trigger has been optimized and has little to no preformance impact on the registration process.

Note that servers not in nodes list can appear in DNS, there is no ageing out of entries in DNS. It's up to the server to know it's registered.

== SRV record ==
_iax._srv.<nodenumber>.allstarlink.org. will return for a node as follows:

_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.nodes.allstarlink.org.

where 4569 is the IAX port and then it will do a A lookup on 50000.nodes.allstarlink.org. for the IP.

A remote base will be returned like:

_iax._udp.50000.nodes.allstarlink.org. 30 IN SRV 10 10 4569 50000.remotebase.nodes.allstarlink.org.

== A record ==

<nodenumber>.nodes.allstarlink.org. and <nodenumber>.remotebase.nodes.allstarlink.org. will return the IP address of the IAX server or the proxy IP if defined.

== TXT Record ==

The TXT record is used for debugging purposes with a query below:

TXT <nodenumber>.nodes.allstarlink.org.

This will return:
"NN=50000" "RT=2019-02-28 18:41:29" "RB=0" "IP=44.98.248.144" "PIP=" "PT=4569" "RH=register-fnt"
NN is node number
RT is the last update registration time
RB is 0 for node is not a remote base, RB is 1 if it is a remote base
IP is the IP address of the node
PIP is the proxy IP of the node if set
PT is the port
RH is the registration server the node last registered to.

AllStarLink Infrastructure

2019-10-16T08:55:57Z

Bryan:

This is a page concerning the various servers and hosts which comprise the ASL network services

= Overview =

The ASL architecture is designed to be scalable across donated/purchased virtual machines. Any bare metal servers will be setup with a VM technology, ASL is agnostic to the chosen hypervisor.

At the core of ASL service is a distributed database, which is active-active across all nodes. Registration servers talk to this database along with the nodes list and DNS servers. These services are the core of ASL services; IAX2 registration, nodes list and DNS. All other services are nice to have, but don't affect the availability of the network for end users.

The core servers are all interconnected using host to host IPSEC. This not tunnels, but rather host to host, where traffic is encrypted between hosts using pre-shared keys. These have proven to be reliable and work well even over the best effort of the internet. The DB servers require encrypted channels, as they don't support encryption at the application level. This also simplifies networking between ASL hosts.

DNS is serviced for primary DNS with short TTL's on register.allstarlink.org. Should any one server go offline, it's pulled from the DNS and turns down after 30 seconds. For the remainder of ASL hosts, several secondary servers exist.

= Servers =
All servers should have a local use in the format of jdoe for the user. Password auth should not be used, ssh should be setup. Sudo should be used for admin access.

when adding a user, use "Firstname Lastname, CALLSIGN" as the name, and the cellphone as the phone number.

Don't want to put your cellphone in? you don't get to admin the box.

== Tampa Hypervisor ==

All users should have access to this box via SSH keys. Please place your public key in your home directory and your user should be in the "sudo" group to enable sudo.

This box is DL360 with 12 cores and 128 GB of ram. There are 8 146.8 GB 15k SAS disks in a Raid 50 config.

It's primary IP is 44.98.254.129/27 which is a logical interface "44net" on the 44net bridge.

enp3s0f0 is 208.38.136.11 and is physically the left most port on the box. Our upstream router has a static route pointing 44.98.254.128/27 at this interface.

The VM's are given addresses out of 44.98.254.128/27

The ILO is at https://192.168.8.5/ This is behind the VPN and is a seperate network. You will need VPN credentials and a vpn config for this.

The ILO needs java installed to get at the console, but is licensed for full video access.

The ILO MAC is B4B5.2F5B.B90C

====== The ILO admin password is ======
<poem style="border: 2px solid #d6d2c5; background-color: #f9f4e6;padding: 1em; padding-top:0px; font-size:12px;">
<nowiki>
-----BEGIN PGP MESSAGE-----
hQEMA4nyEUPSzEPpAQgAuJvcngnoXbZq/audRVP09zPHKRZWoP6gZhrNpMVpu1fN
x0vGPbhWw94iloMjAWONeyLkNzOg2KGaSc1I7GY7dKQ8+0Snqez/lb0PAp5P1P+y
c2owsvqJ616G4mZTZ0ZAUXMfY4Rmoz0YDctJatbGxanT4jLpmQMua9jx6Ukjl+F+
BZHB+jZwzOeVx3lNOYuX7hrHu6NLjDkoFiBOHDQBY0d0CPamYhRm25d/eIcN2Zpf
pqXauSZJlFoKBhYRxpw3KzMMJhwR2F4Mda58fwJeuhTVf2HxijvqEOhv4NTgsSNJ
M7MLn13Yxyru8mEw+TM0JSw4Kd8/bSUE6E7iYYXl8NLAMgEhVuvJkiwUolYu+U3b
qVGOJD3+oAgdOqa9rZzecLGwCRUErXEWa3/1EvgWh+g31HG49ombZpC4AhHpWqXq
nPZ/7YJmg9SLmMB2FvGfsaxIXXj+5fSJHHCPfAXNwNb4GmsNIbPkqXjPBELVb3hd
woJxU0tc57MoJK8322WcoE4uKsV2r4oxZEK5g8/L3otN6Oz4VMgkQQyFUIBnGp7o
Mflja33bvBflp6rnDH+IlC7qdtOmNqMQ3bWuKUxIWr3P/+xEUBjSwIR8ohW7XaLV
BNQ5qnRi7iTF0o/JFBy6d6g7oQ1ZbqlDOoYmtwnz9dEkhU8X
=SIcB
-----END PGP MESSAGE-----
</nowiki></poem>

===== Syslog and fail2ban =====

The VM's are setup for remote syslog to 44.98.254.129.

Fail2ban is configured to nullroute IPs and email the admin contact after 2 bad logins. As it's done with a nullroute, fail2ban can run on the hypervisor and will catch login attempts on the VM's. This means if you get locked out via fail2ban, you're locked out of all VMs.

There is a firewall configured at /etc/network/firewall.sh. Note this protects the hypervisor (INPUT) and to the 44net subnet (FORWARD). By default everything is blocked to the external interface and new services must be added to allow them out.

The Hard Disks are arranged as follows:
{| class="wikitable"
|5
|6
|7
|8
|-
|1
|2
|3
|4
|}
The disks are 146.8 gb 15k SAS drives

Marked: HPDC firmware manufactured by segate for HP.

===== VM management =====
[https://github.com/kimchi-project Kimchi] is used for server management of the VM's and gives a nice easy way to setup a server. It's basically a frontend for virsh

The network config is based on this https://jamielinux.com/docs/libvirt-networking-handbook/custom-routed-network.html

To provision a server from a template:
# login to [https://208.38.136.11:8001 Kimchi]
# Click on Virtualization and then Add
# Give the server a logical name and choose a template
# Click Create
# The server will be instantiated, but not started, if you want to change things, nows the time.
# You'll need to provision the network
# To assign an IP that's static we use DHCP, but assign a static lease.
# do 'echo 52:54:00:73:XX:XX,44.98.254.x' >> /var/lib/dnsmasq/44net/hostsfile" from the CLI. This needs the MAC address of the server and the static IP it will be on.
# do 'service dnsmasq@44net reload' to reload the dnsmasq config
# Double check everything and you can boot the server.
It will now boot and install ubuntu and should have a public IP in the 44net range

You will want to ensure it's auto started and will need to do that from the CLI using the virsh "autostart" command. This ensures the server will boot when the box restarts.

<pre>
virsh # list
Id Name State
----------------------------------------------------
1 ASL-Stats running
7 TestVM running

virsh # dominfo TestVM
Id: 7
Name: TestVM
UUID: a4dbcba6-f493-4bdc-b5b0-40b714e9e9a4
OS Type: hvm
State: running
CPU(s): 1
CPU time: 130.6s
Max memory: 1048576 KiB
Used memory: 1048576 KiB
Persistent: yes
Autostart: disable
Managed save: no
Security model: apparmor
Security DOI: 0
Security label: libvirt-a4dbcba6-f493-4bdc-b5b0-40b714e9e9a4 (enforcing)

virsh # autostart TestVM
Domain TestVM marked as autostarted

virsh # dominfo TestVM
Id: 7
Name: TestVM
UUID: a4dbcba6-f493-4bdc-b5b0-40b714e9e9a4
OS Type: hvm
State: running
CPU(s): 1
CPU time: 137.6s
Max memory: 1048576 KiB
Used memory: 1048576 KiB
Persistent: yes
Autostart: enable
Managed save: no
Security model: apparmor
Security DOI: 0
Security label: libvirt-a4dbcba6-f493-4bdc-b5b0-40b714e9e9a4 (enforcing)

</pre>
[[Category: Infrastructure]]

User talk:K3JKH

2019-10-10T01:35:30Z

Bryan: Welcome!

[]

User:K3JKH

2019-10-10T01:35:30Z

Bryan: Creating user page for new user.

I have an IRLP node and am wanting to expand with an allstar node.

User talk:N7GHT

2019-10-10T01:35:13Z

Bryan: Welcome!

[]

User:N7GHT

2019-10-10T01:35:13Z

Bryan: Creating user page for new user.

N7GHT working on adding all-star links to several a mature repeaters

User talk:KG9NA

2019-10-10T01:34:37Z

Bryan: Welcome!

[]

User:KG9NA

2019-10-10T01:34:37Z

Bryan: Creating user page for new user.

I have been a licensed for more than 25 years and I am now trying to get back into ham radio. My call sign is KG9NA and I look forward to getting into AllStar digital radio.

User talk:K9BIF

2019-10-10T01:34:18Z

Bryan: Welcome!

[]

User:K9BIF

2019-10-10T01:34:18Z

Bryan: Creating user page for new user.

I Am the Owner of The M-CARS Repeater System
https://www.qsl.net/k9bif

User talk:N0MHO

2019-10-10T01:33:32Z

Bryan: Welcome!

[]

User:N0MHO

2019-10-10T01:33:32Z

Bryan: Creating user page for new user.

I have been interested in radio for about 45 years it started with CB like so many others and then changed into ham radio. I have ran my own two way radio repair shop and now work for a local telephone company. Our group has 4 repeaters that I take care of and I am interested in All Star Link for the main reason of being able to link our repeaters together.
....... ART ...........

User talk:N9TCQ

2019-10-10T01:33:07Z

Bryan: Welcome!

[]

User:N9TCQ

2019-10-10T01:33:07Z

Bryan: Creating user page for new user.

Ham radio to dmr link

Admin Committee

2019-09-17T14:23:47Z

Bryan:

'''The below is no longer valid'''

The Admin Committee/Team is the core server admins for AllStarLink.

Fundamentally it's a meritocracy, people who can get stuff done work with others to get stuff done. If you have the ability, time and want to help out, please reach out to an existing member or send an email to [mailto:helpdesk@allstarlink.org helpdesk@allstarlink.org].

= Responsibilities =
The below are general responsibilities of the Admin Committee. This is not a complete list and we don't expect every member to be able to do everything.

* Maintain all AllStarLink services for the community
* Develop new methods and procedures enabling the goal of always available services
* Work with and take direction from the AllStarLink Board of Directors
* Communicate with the community via app_rpt list
* Work tickets in the helpdesk

= Qualifications =

We encourage anyone interested to assist and reach out to [mailto:helpdesk@allstarlink.org helpdesk@allstarlink.org] or another admin team member if they want to help out. With many people working on the same problem we can make easy work.

* Express an interest in committing time to help
* Be well known to an existing member of the team
* Be present in the slack, email and possibly IRC channel
* Have time to devote to working tickets or working on the other parts of the project
* Protect the secure information of our members and do not disclose any sensitive information outside of the admin committee with out prior board approval.

= Needs =

The project has needs for anyone with any of the following skills:

* Front End HTML/PHP/SQL
* Linux sysadmin
* MariaDB
* Networking
* Perl (not for new use)
* Python
* Ansible/puppet
* Linux/KVM
* VMware
* more people to work tickets
* Technical Writers

User talk:ZS6MN

2019-07-02T06:03:18Z

Bryan: Welcome!

[]

User:ZS6MN

2019-07-02T06:03:18Z

Bryan: Creating user page for new user.

pensioener love to play radio

User talk:KJ3LR

2019-07-02T06:02:39Z

Bryan: Welcome!

[]

User:KJ3LR

2019-07-02T06:02:39Z

Bryan: Creating user page for new user.

I have been an Amateur radio op since 1991.

Server Provisioning

2019-07-02T01:16:33Z

Bryan: /* Mandatory Software */

This is intended to be a reference for setting up a VM or Server for AllStatLink.

= Server Overview =

== Basic Requirements ==
AllStarLink has standardized on Ubuntu 16.04 LTS for it's servers.

The minimum configuration of any server will be 2 cores of 2 GHz or faster, 4 GiB of ram and 40 GiB of Disk.

All new servers shall support IPv6, or have it available from the hosting provider.

Reverse IP's shall be delegated via a CNAME to $NAME.PTR.allstarlink.org, where $NAME is the name of the server.

All servers shall be partitioned to use / as the only partition unless a specific configuration is required.

== Install guide ==

When provisioning a new server

* check the VM is setup (cpu/mem/disk) as it should be, if not contact the provider

cat /proc/cpuinfo |grep processor
processor : 0
processor : 1
processor : 2
processor : 3

* on the server install python (apt-get install python). This is needed for the ansibile provisioning
* setup the server in the infrastructure configs and push the users and keys to it.

=== Mandatory Software ===

All servers require this software

apt-get install ntp ntpdate python vim screen ipsec-tools strongswan fail2ban snmp haveged libacl1-dev python3-dev libssl-dev gcc g++ fio pbzip2 ncdu

=== Mandatory Configs ===

==== Ubuntu 18 Config ====

Ubuntu 18 uses the net netplan config. It's gay as fuck.

First you need to disable the resolved service:

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved
rm /etc/resolv.conf
sudo touch /etc/cloud/cloud-init.disabled
sudo apt-get purge cloud-init
apt-get install ifupdown

Configure /etc/network/interfaces

systemctl unmask networking
systemctl enable networking
systemctl restart networking

systemctl stop systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
systemctl disable systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
systemctl mask systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
apt-get --assume-yes purge nplan netplan.io

==== Network Config ====
* The network should be configured to use /etc/network/interfaces, and add DNS and the firewall to it and search in the allstarlink.org domain

# The primary network interface
auto eth0
iface eth0 inet6 static
address 9805:0900:0340:1000::2600/64
autoconf 0
accept_ra 2
iface eth0 inet static
address 44.103.0.49
netmask 255.255.255.0
network 44.103.0.0
broadcast 44.103.0.255
gateway 44.103.0.1
dns-nameservers 44.103.0.4 1.1.1.1
dns-search allstarlink.org
up /etc/network/firewall.sh

* There is typically only one network interface, and it will be named dynamically. We must setup this using udev to be persistent

root@server# ifconfig |grep HWaddr
eth0 Link encap:Ethernet HWaddr 52:54:00:73:86:06

Now take this HWaddr and put it in the config file
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:73:86:06", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="eth0"' >/etc/udev/rules.d/70-persistent-net.rules

* configure screen to use the scroll back buffer
vim /etc/screenrc
uncomment "termcapinfo xterm|xterms|xs|rxvt ti@:te@"

* configure bash completion for interactive shells
vim /etc/bash.bashrc
uncomment the stuff below
# enable bash completion in interactive shells

* set the host name
echo "domain.allstarlink.org" >/etc/hostname

* set the default editor
update-alternatives --config editor
Then select #3 vim.basic

* setup a firewall as /etc/network/firewall.sh and chmod +x it. You'll need to edit this based on the machine. Note the stuff in tampa uses a firewall on the HV too.
#!/bin/bash

INET_IF=eth0

#Flush and zero all tables
modprobe ip_tables
modprobe ipt_limit
modprobe iptable_mangle
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_filter

iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING

#init the log-and-drop chain
iptables -F log-and-drop
iptables -X log-and-drop
iptables -N log-and-drop
#init log-and-reject
iptables -F log-and-reject
iptables -X log-and-reject
iptables -N log-and-reject

echo "all tables flushed and dropped"
# Specific chain used for logging packets before blocking them
iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
iptables -A log-and-drop -j DROP

# Specific chain used for logging packets before blocking them
iptables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
iptables -A log-and-reject -j REJECT
echo "logging chains setup"

# The packets having the TCP flags activated are dropped
# and so for the ones with no flag at all (often used with Nmap scans)
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop

#Global blocks
#iptables -t filter -A INPUT -j DROP -s 119.118.232.185/24

# allow IPSEC from other boxes
IPSECsrc='199.47.174.150,44.98.254.151,44.103.0.48,44.103.0.49,44.98.254.145,44.72.21.13,44.72.21.12'
#Technically the next two are not needed as we have the policy
iptables -A INPUT -i $INET_IF -p 50 -j ACCEPT --src "$IPSECsrc"
iptables -A INPUT -i $INET_IF -p 51 -j ACCEPT --src "$IPSECsrc"
iptables -A INPUT -i $INET_IF -p udp --dport 500 -j ACCEPT --src "$IPSECsrc"
# this is needed to allow all ipsec packets when it's host to host
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc"

# allow all ssh in
iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22

#allow http and https
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
# allow asterisk 4569
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 4569
# allow DNS
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53

echo "end of services"
# allow ping at 2 per sec
iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF --protocol icmp --icmp-type echo-request
# allow responces to local initated connections
#iptables -A INPUT -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
#iptables -A FORWARD -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
iptables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
# Set rp_filter to 2
for i in `find /proc/sys/net/ipv*/conf -name rp_filter`
do
echo "2" >$i
done
# setup a default deny rule for outside traffic
iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop

* setup fail2ban for ssh and have it null route offenders. edit ignoreip as needed
vi /etc/fail2ban/jail.conf
ignoreip = 127.0.0.1/8 199.47.172.0/22 44.98.254.0/24 44.72.21.0/24 44.103.0.0/24
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 3600
# "maxretry" is the number of failures before a host get banned.
maxretry = 2
banaction = route

* Set the TimeZone to UTC
sudo timedatectl set-timezone UTC
* Set the server up in forward and reverse DNS
** for reverse have the provider do a CNAME in their reverse file pointing to $DOMAIN.PTR.allstarlink.org. In the allstarlink.org DNS zone add an entry
example:
stats IN PTR stats.allstarlink.org.
This will do a lookup on 130.254.98.44.in-addr.arpa. and return a CNAME pointing to stats.PTR.allstarlink.org, which has a PTR record pointing to stats.allstarlink.org.

=== Configure IPSEC ===
AllStarLink servers use strong crypto using host to host IPSEC between them for protection of services. This is configured only between servers that need it, as we don't have dynamic tunneling enabled, and each server needs a config for each tunnel. This can quickly add up to lots of configrations.

This example will show two servers, 1 and 2 with IP 44.1.1.1 and 44.2.2.2 respectively.

==== Server 1 ====
We need to provision the ipsec tools to know about the connections and configure a pre shared key (PSK).
Note the left server is always the local server.

/etc/ipsec.conf
conn one-to-two
authby=secret
#auto=start enabled the tunnel to come up even if there is not traffic for it.
auto=start
keyexchange=ike
left=4.1.1.1
right=4.2.2.2
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=restart

vim /etc/ipsec.secrets
44.1.1.1 44.2.2.2 : PSK "This is the AllStarLink PSK"
Then do an 'ipsec restart' on the server.

==== Server 2 ====

/etc/ipsec.conf
conn two-to-one
authby=secret
#auto=start enabled the tunnel to come up even if there is not traffic for it.
auto=start
keyexchange=ike
left=4.2.2.2
right=4.1.1.1
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=restart

vim /etc/ipsec.secrets
44.2.2.2 44.1.1.1 : PSK "This is the AllStarLink PSK"
Then do an 'ipsec restart' on the server.

==== Verify IPsec ====

The 'ipsec' command is used to verify the tunnel is up between the servers

root@server# ipsec status
two-to-one[839]: ESTABLISHED 98 minutes ago, 44.1.1.1[44.1.1.1]...44.2.2.2[44.2.2.2]
two-to-one{13209}: INSTALLED, TRANSPORT, reqid 695, ESP SPIs: c824e4db_i c1e4bf5c_o
two-to-one{13209}: 44.1.1.1/32 === 44.2.2.2/32
If they are not up, check /var/log/syslog and restart ipsec on both servers. Some times a server can get in a bad status if there is a mis-config. Also it's worth noting that IPSEC is processed by iptables once it's decrypted, the <code>iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" </code> line in the firewall allows all IPsec packets once decrypted to bypass the firewall. This is able to prevent traffic between unencrypted services on the servers (e.g. mysql will not connect if the ipsec is down).

=== Configure Postfix ===

Postfix is installed to forward mail for root to a smtp host.

<code>apt-get install postfix mailutils</code>

This will run an installer with a curses interface and you must select '''Satallite System'''. Check the '''System mail''' name is the hostname of the server, and the '''SMTP relay host''' is ''morty.keekles.org''. '''Root and postmaster mail''' should be ''rootmail@allstarlink.org''.

Should you need to reconfigure this use:

<code> dpkg-reconfigure postfix </code>

other aliases are setup in /etc/aliases. You must run ''newaliases'' after this is updated for them to take effect.

= Verification =

It's important to verify the server provisiong before being put into production.

== Items to check ==
* reboot the server/vm, do all services start properly?
* Is the IP address configured on the server on eth0?
* Is the hostname set?
* Is it configured in DNS both forward and reverse?
* Is the firewall active (try netcat on a non-permitted port)
* IPSEC is active <code>ipsec status</code>?
* Does Screen work in an xterm with scroll back?
* Is the time set via ntp <code>ntptime</code> and is the timezone set to UTC?
* Is fail2ban working? Make a couple test connections and see if the IP is null routed <code>ip route show</code>

You may need to check your other services on this server now.

= Network Monitoring =
It's time to hand off the server to the NMS team. Please ensure SNMP is configured and an IPSEC tunnel is built to nms.allstarlink.org
Logging will be sucked up by graylog.

Please ensure it's being watched in librenms by asking on the admin list or in the slack.

[[Category: Infrastructure]]

Server Provisioning

2019-07-02T01:09:10Z

Bryan: /* Ubuntu 18 Config */

This is intended to be a reference for setting up a VM or Server for AllStatLink.

= Server Overview =

== Basic Requirements ==
AllStarLink has standardized on Ubuntu 16.04 LTS for it's servers.

The minimum configuration of any server will be 2 cores of 2 GHz or faster, 4 GiB of ram and 40 GiB of Disk.

All new servers shall support IPv6, or have it available from the hosting provider.

Reverse IP's shall be delegated via a CNAME to $NAME.PTR.allstarlink.org, where $NAME is the name of the server.

All servers shall be partitioned to use / as the only partition unless a specific configuration is required.

== Install guide ==

When provisioning a new server

* check the VM is setup (cpu/mem/disk) as it should be, if not contact the provider

cat /proc/cpuinfo |grep processor
processor : 0
processor : 1
processor : 2
processor : 3

* on the server install python (apt-get install python). This is needed for the ansibile provisioning
* setup the server in the infrastructure configs and push the users and keys to it.

=== Mandatory Software ===

All servers require this software

<code>apt-get install ntp ntpdate python vim screen ipsec-tools strongswan fail2ban snmp haveged libacl1-dev python3-dev libssl-dev gcc g++ fio pbzip2 ncdu</code>

=== Mandatory Configs ===

==== Ubuntu 18 Config ====

Ubuntu 18 uses the net netplan config. It's gay as fuck.

First you need to disable the resolved service:

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved
rm /etc/resolv.conf
sudo touch /etc/cloud/cloud-init.disabled
sudo apt-get purge cloud-init
apt-get install ifupdown

Configure /etc/network/interfaces

systemctl unmask networking
systemctl enable networking
systemctl restart networking

systemctl stop systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
systemctl disable systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
systemctl mask systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
apt-get --assume-yes purge nplan netplan.io

==== Network Config ====
* The network should be configured to use /etc/network/interfaces, and add DNS and the firewall to it and search in the allstarlink.org domain

# The primary network interface
auto eth0
iface eth0 inet6 static
address 9805:0900:0340:1000::2600/64
autoconf 0
accept_ra 2
iface eth0 inet static
address 44.103.0.49
netmask 255.255.255.0
network 44.103.0.0
broadcast 44.103.0.255
gateway 44.103.0.1
dns-nameservers 44.103.0.4 1.1.1.1
dns-search allstarlink.org
up /etc/network/firewall.sh

* There is typically only one network interface, and it will be named dynamically. We must setup this using udev to be persistent

root@server# ifconfig |grep HWaddr
eth0 Link encap:Ethernet HWaddr 52:54:00:73:86:06

Now take this HWaddr and put it in the config file
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:73:86:06", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="eth0"' >/etc/udev/rules.d/70-persistent-net.rules

* configure screen to use the scroll back buffer
vim /etc/screenrc
uncomment "termcapinfo xterm|xterms|xs|rxvt ti@:te@"

* configure bash completion for interactive shells
vim /etc/bash.bashrc
uncomment the stuff below
# enable bash completion in interactive shells

* set the host name
echo "domain.allstarlink.org" >/etc/hostname

* set the default editor
update-alternatives --config editor
Then select #3 vim.basic

* setup a firewall as /etc/network/firewall.sh and chmod +x it. You'll need to edit this based on the machine. Note the stuff in tampa uses a firewall on the HV too.
#!/bin/bash

INET_IF=eth0

#Flush and zero all tables
modprobe ip_tables
modprobe ipt_limit
modprobe iptable_mangle
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_filter

iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING

#init the log-and-drop chain
iptables -F log-and-drop
iptables -X log-and-drop
iptables -N log-and-drop
#init log-and-reject
iptables -F log-and-reject
iptables -X log-and-reject
iptables -N log-and-reject

echo "all tables flushed and dropped"
# Specific chain used for logging packets before blocking them
iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
iptables -A log-and-drop -j DROP

# Specific chain used for logging packets before blocking them
iptables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
iptables -A log-and-reject -j REJECT
echo "logging chains setup"

# The packets having the TCP flags activated are dropped
# and so for the ones with no flag at all (often used with Nmap scans)
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop

#Global blocks
#iptables -t filter -A INPUT -j DROP -s 119.118.232.185/24

# allow IPSEC from other boxes
IPSECsrc='199.47.174.150,44.98.254.151,44.103.0.48,44.103.0.49,44.98.254.145,44.72.21.13,44.72.21.12'
#Technically the next two are not needed as we have the policy
iptables -A INPUT -i $INET_IF -p 50 -j ACCEPT --src "$IPSECsrc"
iptables -A INPUT -i $INET_IF -p 51 -j ACCEPT --src "$IPSECsrc"
iptables -A INPUT -i $INET_IF -p udp --dport 500 -j ACCEPT --src "$IPSECsrc"
# this is needed to allow all ipsec packets when it's host to host
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc"

# allow all ssh in
iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22

#allow http and https
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
# allow asterisk 4569
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 4569
# allow DNS
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53

echo "end of services"
# allow ping at 2 per sec
iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF --protocol icmp --icmp-type echo-request
# allow responces to local initated connections
#iptables -A INPUT -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
#iptables -A FORWARD -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
iptables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
# Set rp_filter to 2
for i in `find /proc/sys/net/ipv*/conf -name rp_filter`
do
echo "2" >$i
done
# setup a default deny rule for outside traffic
iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop

* setup fail2ban for ssh and have it null route offenders. edit ignoreip as needed
vi /etc/fail2ban/jail.conf
ignoreip = 127.0.0.1/8 199.47.172.0/22 44.98.254.0/24 44.72.21.0/24 44.103.0.0/24
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 3600
# "maxretry" is the number of failures before a host get banned.
maxretry = 2
banaction = route

* Set the TimeZone to UTC
sudo timedatectl set-timezone UTC
* Set the server up in forward and reverse DNS
** for reverse have the provider do a CNAME in their reverse file pointing to $DOMAIN.PTR.allstarlink.org. In the allstarlink.org DNS zone add an entry
example:
stats IN PTR stats.allstarlink.org.
This will do a lookup on 130.254.98.44.in-addr.arpa. and return a CNAME pointing to stats.PTR.allstarlink.org, which has a PTR record pointing to stats.allstarlink.org.

=== Configure IPSEC ===
AllStarLink servers use strong crypto using host to host IPSEC between them for protection of services. This is configured only between servers that need it, as we don't have dynamic tunneling enabled, and each server needs a config for each tunnel. This can quickly add up to lots of configrations.

This example will show two servers, 1 and 2 with IP 44.1.1.1 and 44.2.2.2 respectively.

==== Server 1 ====
We need to provision the ipsec tools to know about the connections and configure a pre shared key (PSK).
Note the left server is always the local server.

/etc/ipsec.conf
conn one-to-two
authby=secret
#auto=start enabled the tunnel to come up even if there is not traffic for it.
auto=start
keyexchange=ike
left=4.1.1.1
right=4.2.2.2
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=restart

vim /etc/ipsec.secrets
44.1.1.1 44.2.2.2 : PSK "This is the AllStarLink PSK"
Then do an 'ipsec restart' on the server.

==== Server 2 ====

/etc/ipsec.conf
conn two-to-one
authby=secret
#auto=start enabled the tunnel to come up even if there is not traffic for it.
auto=start
keyexchange=ike
left=4.2.2.2
right=4.1.1.1
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=restart

vim /etc/ipsec.secrets
44.2.2.2 44.1.1.1 : PSK "This is the AllStarLink PSK"
Then do an 'ipsec restart' on the server.

==== Verify IPsec ====

The 'ipsec' command is used to verify the tunnel is up between the servers

root@server# ipsec status
two-to-one[839]: ESTABLISHED 98 minutes ago, 44.1.1.1[44.1.1.1]...44.2.2.2[44.2.2.2]
two-to-one{13209}: INSTALLED, TRANSPORT, reqid 695, ESP SPIs: c824e4db_i c1e4bf5c_o
two-to-one{13209}: 44.1.1.1/32 === 44.2.2.2/32
If they are not up, check /var/log/syslog and restart ipsec on both servers. Some times a server can get in a bad status if there is a mis-config. Also it's worth noting that IPSEC is processed by iptables once it's decrypted, the <code>iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" </code> line in the firewall allows all IPsec packets once decrypted to bypass the firewall. This is able to prevent traffic between unencrypted services on the servers (e.g. mysql will not connect if the ipsec is down).

=== Configure Postfix ===

Postfix is installed to forward mail for root to a smtp host.

<code>apt-get install postfix mailutils</code>

This will run an installer with a curses interface and you must select '''Satallite System'''. Check the '''System mail''' name is the hostname of the server, and the '''SMTP relay host''' is ''morty.keekles.org''. '''Root and postmaster mail''' should be ''rootmail@allstarlink.org''.

Should you need to reconfigure this use:

<code> dpkg-reconfigure postfix </code>

other aliases are setup in /etc/aliases. You must run ''newaliases'' after this is updated for them to take effect.

= Verification =

It's important to verify the server provisiong before being put into production.

== Items to check ==
* reboot the server/vm, do all services start properly?
* Is the IP address configured on the server on eth0?
* Is the hostname set?
* Is it configured in DNS both forward and reverse?
* Is the firewall active (try netcat on a non-permitted port)
* IPSEC is active <code>ipsec status</code>?
* Does Screen work in an xterm with scroll back?
* Is the time set via ntp <code>ntptime</code> and is the timezone set to UTC?
* Is fail2ban working? Make a couple test connections and see if the IP is null routed <code>ip route show</code>

You may need to check your other services on this server now.

= Network Monitoring =
It's time to hand off the server to the NMS team. Please ensure SNMP is configured and an IPSEC tunnel is built to nms.allstarlink.org
Logging will be sucked up by graylog.

Please ensure it's being watched in librenms by asking on the admin list or in the slack.

[[Category: Infrastructure]]

Server Provisioning

2019-07-02T01:01:38Z

Bryan: /* Mandatory Configs */

This is intended to be a reference for setting up a VM or Server for AllStatLink.

= Server Overview =

== Basic Requirements ==
AllStarLink has standardized on Ubuntu 16.04 LTS for it's servers.

The minimum configuration of any server will be 2 cores of 2 GHz or faster, 4 GiB of ram and 40 GiB of Disk.

All new servers shall support IPv6, or have it available from the hosting provider.

Reverse IP's shall be delegated via a CNAME to $NAME.PTR.allstarlink.org, where $NAME is the name of the server.

All servers shall be partitioned to use / as the only partition unless a specific configuration is required.

== Install guide ==

When provisioning a new server

* check the VM is setup (cpu/mem/disk) as it should be, if not contact the provider

cat /proc/cpuinfo |grep processor
processor : 0
processor : 1
processor : 2
processor : 3

* on the server install python (apt-get install python). This is needed for the ansibile provisioning
* setup the server in the infrastructure configs and push the users and keys to it.

=== Mandatory Software ===

All servers require this software

<code>apt-get install ntp ntpdate python vim screen ipsec-tools strongswan fail2ban snmp haveged libacl1-dev python3-dev libssl-dev gcc g++ fio pbzip2 ncdu</code>

=== Mandatory Configs ===

==== Ubuntu 18 Config ====

Ubuntu 18 uses the

==== Network Config ====
* The network should be configured to use /etc/network/interfaces, and add DNS and the firewall to it and search in the allstarlink.org domain

# The primary network interface
auto eth0
iface eth0 inet6 static
address 9805:0900:0340:1000::2600/64
autoconf 0
accept_ra 2
iface eth0 inet static
address 44.103.0.49
netmask 255.255.255.0
network 44.103.0.0
broadcast 44.103.0.255
gateway 44.103.0.1
dns-nameservers 44.103.0.4 1.1.1.1
dns-search allstarlink.org
up /etc/network/firewall.sh

* There is typically only one network interface, and it will be named dynamically. We must setup this using udev to be persistent

root@server# ifconfig |grep HWaddr
eth0 Link encap:Ethernet HWaddr 52:54:00:73:86:06

Now take this HWaddr and put it in the config file
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:73:86:06", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="eth0"' >/etc/udev/rules.d/70-persistent-net.rules

* configure screen to use the scroll back buffer
vim /etc/screenrc
uncomment "termcapinfo xterm|xterms|xs|rxvt ti@:te@"

* configure bash completion for interactive shells
vim /etc/bash.bashrc
uncomment the stuff below
# enable bash completion in interactive shells

* set the host name
echo "domain.allstarlink.org" >/etc/hostname

* set the default editor
update-alternatives --config editor
Then select #3 vim.basic

* setup a firewall as /etc/network/firewall.sh and chmod +x it. You'll need to edit this based on the machine. Note the stuff in tampa uses a firewall on the HV too.
#!/bin/bash

INET_IF=eth0

#Flush and zero all tables
modprobe ip_tables
modprobe ipt_limit
modprobe iptable_mangle
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_filter

iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING

#init the log-and-drop chain
iptables -F log-and-drop
iptables -X log-and-drop
iptables -N log-and-drop
#init log-and-reject
iptables -F log-and-reject
iptables -X log-and-reject
iptables -N log-and-reject

echo "all tables flushed and dropped"
# Specific chain used for logging packets before blocking them
iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
iptables -A log-and-drop -j DROP

# Specific chain used for logging packets before blocking them
iptables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
iptables -A log-and-reject -j REJECT
echo "logging chains setup"

# The packets having the TCP flags activated are dropped
# and so for the ones with no flag at all (often used with Nmap scans)
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop

#Global blocks
#iptables -t filter -A INPUT -j DROP -s 119.118.232.185/24

# allow IPSEC from other boxes
IPSECsrc='199.47.174.150,44.98.254.151,44.103.0.48,44.103.0.49,44.98.254.145,44.72.21.13,44.72.21.12'
#Technically the next two are not needed as we have the policy
iptables -A INPUT -i $INET_IF -p 50 -j ACCEPT --src "$IPSECsrc"
iptables -A INPUT -i $INET_IF -p 51 -j ACCEPT --src "$IPSECsrc"
iptables -A INPUT -i $INET_IF -p udp --dport 500 -j ACCEPT --src "$IPSECsrc"
# this is needed to allow all ipsec packets when it's host to host
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc"

# allow all ssh in
iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22

#allow http and https
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
# allow asterisk 4569
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 4569
# allow DNS
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53

echo "end of services"
# allow ping at 2 per sec
iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF --protocol icmp --icmp-type echo-request
# allow responces to local initated connections
#iptables -A INPUT -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
#iptables -A FORWARD -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
iptables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
# Set rp_filter to 2
for i in `find /proc/sys/net/ipv*/conf -name rp_filter`
do
echo "2" >$i
done
# setup a default deny rule for outside traffic
iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop

* setup fail2ban for ssh and have it null route offenders. edit ignoreip as needed
vi /etc/fail2ban/jail.conf
ignoreip = 127.0.0.1/8 199.47.172.0/22 44.98.254.0/24 44.72.21.0/24 44.103.0.0/24
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 3600
# "maxretry" is the number of failures before a host get banned.
maxretry = 2
banaction = route

* Set the TimeZone to UTC
sudo timedatectl set-timezone UTC
* Set the server up in forward and reverse DNS
** for reverse have the provider do a CNAME in their reverse file pointing to $DOMAIN.PTR.allstarlink.org. In the allstarlink.org DNS zone add an entry
example:
stats IN PTR stats.allstarlink.org.
This will do a lookup on 130.254.98.44.in-addr.arpa. and return a CNAME pointing to stats.PTR.allstarlink.org, which has a PTR record pointing to stats.allstarlink.org.

=== Configure IPSEC ===
AllStarLink servers use strong crypto using host to host IPSEC between them for protection of services. This is configured only between servers that need it, as we don't have dynamic tunneling enabled, and each server needs a config for each tunnel. This can quickly add up to lots of configrations.

This example will show two servers, 1 and 2 with IP 44.1.1.1 and 44.2.2.2 respectively.

==== Server 1 ====
We need to provision the ipsec tools to know about the connections and configure a pre shared key (PSK).
Note the left server is always the local server.

/etc/ipsec.conf
conn one-to-two
authby=secret
#auto=start enabled the tunnel to come up even if there is not traffic for it.
auto=start
keyexchange=ike
left=4.1.1.1
right=4.2.2.2
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=restart

vim /etc/ipsec.secrets
44.1.1.1 44.2.2.2 : PSK "This is the AllStarLink PSK"
Then do an 'ipsec restart' on the server.

==== Server 2 ====

/etc/ipsec.conf
conn two-to-one
authby=secret
#auto=start enabled the tunnel to come up even if there is not traffic for it.
auto=start
keyexchange=ike
left=4.2.2.2
right=4.1.1.1
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=restart

vim /etc/ipsec.secrets
44.2.2.2 44.1.1.1 : PSK "This is the AllStarLink PSK"
Then do an 'ipsec restart' on the server.

==== Verify IPsec ====

The 'ipsec' command is used to verify the tunnel is up between the servers

root@server# ipsec status
two-to-one[839]: ESTABLISHED 98 minutes ago, 44.1.1.1[44.1.1.1]...44.2.2.2[44.2.2.2]
two-to-one{13209}: INSTALLED, TRANSPORT, reqid 695, ESP SPIs: c824e4db_i c1e4bf5c_o
two-to-one{13209}: 44.1.1.1/32 === 44.2.2.2/32
If they are not up, check /var/log/syslog and restart ipsec on both servers. Some times a server can get in a bad status if there is a mis-config. Also it's worth noting that IPSEC is processed by iptables once it's decrypted, the <code>iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" </code> line in the firewall allows all IPsec packets once decrypted to bypass the firewall. This is able to prevent traffic between unencrypted services on the servers (e.g. mysql will not connect if the ipsec is down).

=== Configure Postfix ===

Postfix is installed to forward mail for root to a smtp host.

<code>apt-get install postfix mailutils</code>

This will run an installer with a curses interface and you must select '''Satallite System'''. Check the '''System mail''' name is the hostname of the server, and the '''SMTP relay host''' is ''morty.keekles.org''. '''Root and postmaster mail''' should be ''rootmail@allstarlink.org''.

Should you need to reconfigure this use:

<code> dpkg-reconfigure postfix </code>

other aliases are setup in /etc/aliases. You must run ''newaliases'' after this is updated for them to take effect.

= Verification =

It's important to verify the server provisiong before being put into production.

== Items to check ==
* reboot the server/vm, do all services start properly?
* Is the IP address configured on the server on eth0?
* Is the hostname set?
* Is it configured in DNS both forward and reverse?
* Is the firewall active (try netcat on a non-permitted port)
* IPSEC is active <code>ipsec status</code>?
* Does Screen work in an xterm with scroll back?
* Is the time set via ntp <code>ntptime</code> and is the timezone set to UTC?
* Is fail2ban working? Make a couple test connections and see if the IP is null routed <code>ip route show</code>

You may need to check your other services on this server now.

= Network Monitoring =
It's time to hand off the server to the NMS team. Please ensure SNMP is configured and an IPSEC tunnel is built to nms.allstarlink.org
Logging will be sucked up by graylog.

Please ensure it's being watched in librenms by asking on the admin list or in the slack.

[[Category: Infrastructure]]

Server Provisioning

2019-07-02T00:57:22Z

Bryan: Updated v6 config

This is intended to be a reference for setting up a VM or Server for AllStatLink.

= Server Overview =

== Basic Requirements ==
AllStarLink has standardized on Ubuntu 16.04 LTS for it's servers.

The minimum configuration of any server will be 2 cores of 2 GHz or faster, 4 GiB of ram and 40 GiB of Disk.

All new servers shall support IPv6, or have it available from the hosting provider.

Reverse IP's shall be delegated via a CNAME to $NAME.PTR.allstarlink.org, where $NAME is the name of the server.

All servers shall be partitioned to use / as the only partition unless a specific configuration is required.

== Install guide ==

When provisioning a new server

* check the VM is setup (cpu/mem/disk) as it should be, if not contact the provider

cat /proc/cpuinfo |grep processor
processor : 0
processor : 1
processor : 2
processor : 3

* on the server install python (apt-get install python). This is needed for the ansibile provisioning
* setup the server in the infrastructure configs and push the users and keys to it.

=== Mandatory Software ===

All servers require this software

<code>apt-get install ntp ntpdate python vim screen ipsec-tools strongswan fail2ban snmp haveged libacl1-dev python3-dev libssl-dev gcc g++ fio pbzip2 ncdu</code>

=== Mandatory Configs ===

* The network should be configured to use /etc/network/interfaces, and add DNS and the firewall to it and search in the allstarlink.org domain

# The primary network interface
auto eth0
iface eth0 inet6 static
address 9805:0900:0340:1000::2600/64
autoconf 0
accept_ra 2
iface eth0 inet static
address 44.103.0.49
netmask 255.255.255.0
network 44.103.0.0
broadcast 44.103.0.255
gateway 44.103.0.1
dns-nameservers 44.103.0.4 1.1.1.1
dns-search allstarlink.org
up /etc/network/firewall.sh

* There is typically only one network interface, and it will be named dynamically. We must setup this using udev to be persistent

root@server# ifconfig |grep HWaddr
eth0 Link encap:Ethernet HWaddr 52:54:00:73:86:06

Now take this HWaddr and put it in the config file
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:73:86:06", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="eth0"' >/etc/udev/rules.d/70-persistent-net.rules

* configure screen to use the scroll back buffer
vim /etc/screenrc
uncomment "termcapinfo xterm|xterms|xs|rxvt ti@:te@"

* configure bash completion for interactive shells
vim /etc/bash.bashrc
uncomment the stuff below
# enable bash completion in interactive shells

* set the host name
echo "domain.allstarlink.org" >/etc/hostname

* set the default editor
update-alternatives --config editor
Then select #3 vim.basic

* setup a firewall as /etc/network/firewall.sh and chmod +x it. You'll need to edit this based on the machine. Note the stuff in tampa uses a firewall on the HV too.
#!/bin/bash

INET_IF=eth0

#Flush and zero all tables
modprobe ip_tables
modprobe ipt_limit
modprobe iptable_mangle
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_filter

iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING

#init the log-and-drop chain
iptables -F log-and-drop
iptables -X log-and-drop
iptables -N log-and-drop
#init log-and-reject
iptables -F log-and-reject
iptables -X log-and-reject
iptables -N log-and-reject

echo "all tables flushed and dropped"
# Specific chain used for logging packets before blocking them
iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
iptables -A log-and-drop -j DROP

# Specific chain used for logging packets before blocking them
iptables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
iptables -A log-and-reject -j REJECT
echo "logging chains setup"

# The packets having the TCP flags activated are dropped
# and so for the ones with no flag at all (often used with Nmap scans)
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop

#Global blocks
#iptables -t filter -A INPUT -j DROP -s 119.118.232.185/24

# allow IPSEC from other boxes
IPSECsrc='199.47.174.150,44.98.254.151,44.103.0.48,44.103.0.49,44.98.254.145,44.72.21.13,44.72.21.12'
#Technically the next two are not needed as we have the policy
iptables -A INPUT -i $INET_IF -p 50 -j ACCEPT --src "$IPSECsrc"
iptables -A INPUT -i $INET_IF -p 51 -j ACCEPT --src "$IPSECsrc"
iptables -A INPUT -i $INET_IF -p udp --dport 500 -j ACCEPT --src "$IPSECsrc"
# this is needed to allow all ipsec packets when it's host to host
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc"

# allow all ssh in
iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22

#allow http and https
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
# allow asterisk 4569
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 4569
# allow DNS
#iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
#iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53

echo "end of services"
# allow ping at 2 per sec
iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF --protocol icmp --icmp-type echo-request
# allow responces to local initated connections
#iptables -A INPUT -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
#iptables -A FORWARD -i $INET_IF --match state --state NEW,INVALID -j log-and-drop
iptables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
# Set rp_filter to 2
for i in `find /proc/sys/net/ipv*/conf -name rp_filter`
do
echo "2" >$i
done
# setup a default deny rule for outside traffic
iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop

* setup fail2ban for ssh and have it null route offenders. edit ignoreip as needed
vi /etc/fail2ban/jail.conf
ignoreip = 127.0.0.1/8 199.47.172.0/22 44.98.254.0/24 44.72.21.0/24 44.103.0.0/24
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 3600
# "maxretry" is the number of failures before a host get banned.
maxretry = 2
banaction = route

* Set the TimeZone to UTC
sudo timedatectl set-timezone UTC
* Set the server up in forward and reverse DNS
** for reverse have the provider do a CNAME in their reverse file pointing to $DOMAIN.PTR.allstarlink.org. In the allstarlink.org DNS zone add an entry
example:
stats IN PTR stats.allstarlink.org.
This will do a lookup on 130.254.98.44.in-addr.arpa. and return a CNAME pointing to stats.PTR.allstarlink.org, which has a PTR record pointing to stats.allstarlink.org.

=== Configure IPSEC ===
AllStarLink servers use strong crypto using host to host IPSEC between them for protection of services. This is configured only between servers that need it, as we don't have dynamic tunneling enabled, and each server needs a config for each tunnel. This can quickly add up to lots of configrations.

This example will show two servers, 1 and 2 with IP 44.1.1.1 and 44.2.2.2 respectively.

==== Server 1 ====
We need to provision the ipsec tools to know about the connections and configure a pre shared key (PSK).
Note the left server is always the local server.

/etc/ipsec.conf
conn one-to-two
authby=secret
#auto=start enabled the tunnel to come up even if there is not traffic for it.
auto=start
keyexchange=ike
left=4.1.1.1
right=4.2.2.2
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=restart

vim /etc/ipsec.secrets
44.1.1.1 44.2.2.2 : PSK "This is the AllStarLink PSK"
Then do an 'ipsec restart' on the server.

==== Server 2 ====

/etc/ipsec.conf
conn two-to-one
authby=secret
#auto=start enabled the tunnel to come up even if there is not traffic for it.
auto=start
keyexchange=ike
left=4.2.2.2
right=4.1.1.1
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=restart

vim /etc/ipsec.secrets
44.2.2.2 44.1.1.1 : PSK "This is the AllStarLink PSK"
Then do an 'ipsec restart' on the server.

==== Verify IPsec ====

The 'ipsec' command is used to verify the tunnel is up between the servers

root@server# ipsec status
two-to-one[839]: ESTABLISHED 98 minutes ago, 44.1.1.1[44.1.1.1]...44.2.2.2[44.2.2.2]
two-to-one{13209}: INSTALLED, TRANSPORT, reqid 695, ESP SPIs: c824e4db_i c1e4bf5c_o
two-to-one{13209}: 44.1.1.1/32 === 44.2.2.2/32
If they are not up, check /var/log/syslog and restart ipsec on both servers. Some times a server can get in a bad status if there is a mis-config. Also it's worth noting that IPSEC is processed by iptables once it's decrypted, the <code>iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" </code> line in the firewall allows all IPsec packets once decrypted to bypass the firewall. This is able to prevent traffic between unencrypted services on the servers (e.g. mysql will not connect if the ipsec is down).

=== Configure Postfix ===

Postfix is installed to forward mail for root to a smtp host.

<code>apt-get install postfix mailutils</code>

This will run an installer with a curses interface and you must select '''Satallite System'''. Check the '''System mail''' name is the hostname of the server, and the '''SMTP relay host''' is ''morty.keekles.org''. '''Root and postmaster mail''' should be ''rootmail@allstarlink.org''.

Should you need to reconfigure this use:

<code> dpkg-reconfigure postfix </code>

other aliases are setup in /etc/aliases. You must run ''newaliases'' after this is updated for them to take effect.

= Verification =

It's important to verify the server provisiong before being put into production.

== Items to check ==
* reboot the server/vm, do all services start properly?
* Is the IP address configured on the server on eth0?
* Is the hostname set?
* Is it configured in DNS both forward and reverse?
* Is the firewall active (try netcat on a non-permitted port)
* IPSEC is active <code>ipsec status</code>?
* Does Screen work in an xterm with scroll back?
* Is the time set via ntp <code>ntptime</code> and is the timezone set to UTC?
* Is fail2ban working? Make a couple test connections and see if the IP is null routed <code>ip route show</code>

You may need to check your other services on this server now.

= Network Monitoring =
It's time to hand off the server to the NMS team. Please ensure SNMP is configured and an IPSEC tunnel is built to nms.allstarlink.org
Logging will be sucked up by graylog.

Please ensure it's being watched in librenms by asking on the admin list or in the slack.

[[Category: Infrastructure]]

User talk:KC6WJJ

2019-06-07T04:42:03Z

Bryan: Welcome!

[]

User:KC6WJJ

2019-06-07T04:42:03Z

Bryan: Creating user page for new user.

I am a disabled Viet Nam Vet, retired police officer and retired gunsmith. I have been a HAM sense 1991. I have climbed towers and setup field day trailers when I was with The Super System in the 90's. enjoy talking to other people and where else can you talk to people from all over.

I like to build things and like to learn new things. I am teaching some of my grand children to become Hams, as our future is in our young people.

I am helping to set up a Ham Radio station at the City of Orange, American Legion. Our hpoe is to get young vets to get into Ham
radio.

User talk:Ab8yk

2019-06-07T04:41:42Z

Bryan: Welcome!

[]

User:Ab8yk

2019-06-07T04:41:42Z

Bryan: Creating user page for new user.

long time echolink but trying out allstar