Projects

Setting Up a HamCloud WireGuard VPN Gateway on a VM

As a tech or cybersecurity enthusiast, you might be running a homelab to experiment with various technologies and enhance your skills. If you do, or if you are capable of maintaining a 24/7 VM (or even a physical server), this guide will help you set up a HamCloud WireGuard VPN gateway. This setup can even be done on a single-board computer (SBC) like a Raspberry Pi (though I haven’t tested this personally, it should theoretically work).

This gateway will allow you to access HamNet within your entire home network by configuring your home router to route traffic through the VPN tunnel. It’s a great alternative if your local repeaters are not yet part of HamNet, providing you with seamless connectivity to the network.

Prerequisites:

  • A VM running Ubuntu inside your home network (or a physical computer/Raspberry Pi).
  • A static IP configured for the above VM, so you can set up a static route.
  • Basic understanding of networking and VPNs.
  • Access to your home router for static route configuration.
  • You must be a licensed radio amateur, so you can obtain an ARRL LoTW certificate to log in to the HamCloud VPN.

Note: For security reasons, this setup should not be done on an internet-facing VM, such as a VM from a cloud provider. Always use a VM within your home network.

Step 1: Update and Install Required Packages

Start by updating your system and installing WireGuard. To do this, SSH into your VM and run:

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install wireguard -y

Step 2: Generate WireGuard Keys

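# Create the key files with owner-only permissions so other users on the VM cannot read the private key
(umask 077 && wg genkey | tee private.key | wg pubkey > public.key)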

Step 3: Add your WireGuard key to HamCloud

Now you need to add your public key to your HamCloud account. First, retrieve it:

cat public.key

Your key will print to your console. Copy it, then in your HamCloud Panel go to Wireguard > + (Add Button) > set public key.

Then paste the public key you copied into the appropriate field and press submit.

You will then go back to the previous page, but it will not show the public key you configured. Click on it to get back into the config view page and copy the whole config file, as you will need it later.

Step 4: Configure WireGuard

Create the WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Now paste the config you copied earlier, which should look something like this:

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 44.148.xxx.xxx/32

[Peer]
PublicKey = xxxxxxx
AllowedIPs = 44.128.0.0/10
Endpoint = vpn.hc.r1.ampr.org:50000
PersistentKeepalive = 25

Note the YOUR_PRIVATE_KEY placeholder? We need to replace it with our real key, so let’s print it and copy it:

cat private.key

Now edit the file again and replace the placeholder with the real key:

sudo nano /etc/wireguard/wg0.conf
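
A pre-flight check for the file edited in Step 4, as an added example that is not part of the original guide: it flags a wg0.conf that other users can read, that still carries the YOUR_PRIVATE_KEY placeholder, or that routes anything other than 44.128.0.0/10 into the tunnel. The function names and the sample configs (all-zero key, address 44.148.0.1) are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight audit of a WireGuard config before `wg-quick up`.
# Prints one finding per line and nothing when the file passes.

# conf_value KEY FILE -> value of the "KEY = value" line, whitespace trimmed
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//'
}

audit_wg_conf() {
    local conf=$1 mode key allowed
    [ -r "$conf" ] || { echo "cannot read $conf"; return 0; }

    # The file holds the private key: group and other must have no access.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        *00) ;;
        *) echo "mode is $mode, expected 600 (chmod 600 $conf)" ;;
    esac

    # A WireGuard key is 32 bytes in base64: 43 characters plus one '='.
    key=$(conf_value PrivateKey "$conf")
    printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
        echo "PrivateKey is missing or still a placeholder"

    # Only the AMPRNet range from the guide should be routed into the tunnel.
    allowed=$(conf_value AllowedIPs "$conf")
    [ "$allowed" = "44.128.0.0/10" ] ||
        echo "AllowedIPs is '$allowed', expected 44.128.0.0/10"
    return 0
}

# Constructed sample configs (all-zero key, made-up address), not real values.
demo_dir=$(mktemp -d)
demo_key=$(head -c 32 /dev/zero | base64)
printf '[Interface]\nPrivateKey = %s\nAddress = 44.148.0.1/32\n\n[Peer]\nAllowedIPs = %s\n' \
    "$demo_key" "44.128.0.0/10" > "$demo_dir/good.conf"
printf '[Interface]\nPrivateKey = %s\nAddress = 44.148.0.1/32\n\n[Peer]\nAllowedIPs = %s\n' \
    "YOUR_PRIVATE_KEY" "0.0.0.0/0" > "$demo_dir/bad.conf"
chmod 600 "$demo_dir/good.conf"
chmod 644 "$demo_dir/bad.conf"

echo "good.conf findings:"; audit_wg_conf "$demo_dir/good.conf"
echo "bad.conf findings:";  audit_wg_conf "$demo_dir/bad.conf"
```

On the gateway, call audit_wg_conf /etc/wireguard/wg0.conf from a root shell; no output means the file passed all three checks.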

Step 5: Start WireGuard

Bring up the WireGuard interface:

sudo wg-quick up wg0

Verify the interface is up:

ip a

Step 6: Enable IP Forwarding

Edit the sysctl configuration to enable IP forwarding:

sudo nano /etc/sysctl.conf

Uncomment or add the following line:

net.ipv4.ip_forward=1

Apply the changes:

sudo sysctl -p

Step 7: Configure NAT with iptables

Set up NAT to masquerade traffic going out of the WireGuard interface:

sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

Allow traffic forwarding from the LAN interface (eth0 in this example; use your VM’s actual interface name) to the tunnel:

sudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT

Step 8: Make iptables Rules Persistent

Install the iptables-persistent package to save the rules:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save

Step 9: Configure Static Route on Your Home Router

To direct AMPRNet traffic through the VM, add a static route on your home router. The exact steps depend on your router or firewall; searching for “Add Static Route” and your router model should do the trick. Configure the route as follows:

Destination Network: 44.128.0.0/10
Gateway: The IP address of your VM on your local network

You can test whether it’s working by pinging any HamNet IP from any other device on your network.

Personally, I’m running a Sophos (Home) Firewall; for me the setup looks like this:

Bonus: Set Up Port Forwarding (Optional – To host HamNet services)

If you want to forward specific ports (e.g., 80 and 443) to an internal IP to expose services on HamNet, use the following iptables rules:

sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 80 -j DNAT --to-destination 10.10.5.1:80
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 443 -j DNAT --to-destination 10.10.5.1:443
sudo iptables -A FORWARD -i wg0 -p tcp --dport 80 -d 10.10.5.1 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -p tcp --dport 443 -d 10.10.5.1 -j ACCEPT

You might want to set the forward target to your home firewall and manage the access rules and actual forwarding for internal services from there for easier management and better security.

By following these steps, you have set up a WireGuard VPN gateway on your VM, allowing you to route traffic through HamNet from any device on your home network.

73, CR8ACT

Navigating Firmware Updates on Legacy Dell PowerEdge R410 Servers: A Homelab Odyssey

In the realm of homelabbing, managing and maintaining legacy hardware can often turn into an adventurous challenge. Such was my recent experience with a Dell PowerEdge R410 server. The task at hand was updating its firmware, a task that became an odyssey, especially as Dell had discontinued support and removed update packages for the server. Here is a detailed account of the journey.

The Challenge: iDRAC, TLS Protocols, and Browser Compatibility

Our adventure begins with iDRAC (Integrated Dell Remote Access Controller), an integral tool for remote server management. The stumbling block: the iDRAC firmware on the R410 does not support modern Transport Layer Security (TLS) protocols. The workaround: using Mozilla Firefox with TLS1 enabled.

Despite modern browsers shunning TLS1 due to known security vulnerabilities, the legacy iDRAC firmware necessitated its usage.

The Roadblock: “Non-Dell Authorized” Updates

After navigating through the quagmire of outdated security protocols, I hit a roadblock during the firmware update installation. Each attempt was met with the message, “The updates you are trying to install are not Dell authorized,” due to expired Dell certificates. Dell’s decision not to renew these certificates for legacy systems meant the only path forward was patient experimentation, made arduous due to the server’s slow boot times.

The Silver Lining: Self-Updating iDRAC and Lifecycle Controller

As I ventured deeper into the server’s firmware labyrinth, a pivotal revelation surfaced: the iDRAC could update itself and the Lifecycle Controller. These self-updates included new certificates, indispensable for the proper functioning of the Unified Server Configurator (USC), thereby laying the groundwork for the remaining firmware updates.

Achieving this required a detailed sequence of steps:

  1. Download the iDRAC6 Image Executable: The first order of business was to download the iDRAC6 image executable. This executable, named “iDRAC6_1.92_A00_FW_IMG.exe”, is crucial for the update and could be downloaded from the official Dell support website.
  2. Extract the iDRAC6 Executable: After obtaining the executable, the next step was to extract its contents. Operating within a Linux environment, I used the ‘unzip’ command. This action produced a file named “firmimg.d6”. The extraction process may differ depending on your operating system.
  3. Log into the iDRAC Firmware Update Tool: Armed with the “firmimg.d6” file, I logged into the iDRAC Firmware Update tool. This web-based interface manages iDRAC settings and updates.
  4. Initiate the iDRAC Update: Inside the Firmware Update tool, I navigated to the update section and uploaded the “firmimg.d6” file. Confirming the update initiated the process. This stage required patience as the iDRAC system updated itself and rebooted.
  5. Download and Unpack the “BDF_1.5.5_BIN-12.usc” file: While the iDRAC was updating, I concurrently downloaded another key file, “BDF_1.5.5_BIN-12.usc”, from the Dell support website. After downloading, I unpacked this file in preparation for the subsequent update.
  6. Run the Firmware Update: Once the iDRAC update completed, I returned to the Firmware Update tool and input the unpacked .usc file. This action updated the Lifecycle Controller and installed the new certificates, rendering the USC functional once more.
  7. Reboot the Server: The final step was to reboot the Dell PowerEdge R410 server. This reboot enabled the server to integrate the updates properly, and subsequently, I gained access to a fully functional USC.

The realisation that iDRAC could self-update and update the Lifecycle Controller marked a vital breakthrough amidst the challenges. This experience reaffirmed that in the world of homelabbing, there’s always a way to overcome seemingly insurmountable obstacles.

The Home Stretch: Updating the Remaining Firmware

With the USC operational again, it was time to update the remaining firmware. Since Dell had removed the update packages from its repositories, I turned to ‘updateyodell.net’, a reliable third-party firmware repository for Dell’s legacy systems. Here’s the streamlined process:

  1. Boot the Dell PowerEdge R410 server and press F10 to access the Unified Server Configurator (USC).
  2. Within the USC, navigate to Platform Update.
  3. Choose ‘FTP Server’ as your repository location.
  4. When asked for the FTP Server details, enter the ones on ‘updateyodell.net’.
  5. Proceed with the connection. The USC will now connect to the third-party repository and identify all applicable updates for your Dell R410 server.
  6. Once the updates are listed, select all that apply, and initiate the download and installation process.
  7. Reboot the server after the updates have been installed.

Following these steps, your legacy Dell PowerEdge R410 server should be fully updated, humming along smoothly in your homelab setup.

While firmware updates on legacy systems can feel like a Homeric odyssey, perseverance, patience, and a bit of ingenuity can lead to success. As we navigate our individual tech journeys, let’s remember to share our experiences and learnings along the way.

Sources:

  1. “The updates you are trying to apply are not Dell-authorized updates.” Frednotes. https://frednotes.wordpress.com/2012/11/21/the-updates-you-are-trying-to-apply-are-not-dell-authorized-updates/
  2. “iDRAC6 1.92 A00 Firmware Image.” Dell. https://www.dell.com/support/home/pt-pt/drivers/driversdetails?driverid=kg43r
  3. “BDF 1.5.5 BIN-12 USC File.” Dell. https://www.dell.com/support/home/pt-pt/drivers/driversdetails?driverid=g3g5f
  4. “Dell R410 BIOS Update.” Reddit. https://www.reddit.com/r/homelab/comments/yh75bk/dell_r410_bios_update/
  5. “Dell Firmware and BIOS Update Repository.” UpdateYoDell. https://updateyodell.net/

Playing with SDR, ADS-B (Plane Tracking), and what is next

What even is SDR?

SDR stands for Software Defined Radio. In short, it is a piece of software that runs on your computer and enables you to use your computer’s sound card as a receiver.

If you’re unfamiliar with SDR, then you may not know that it has been around since the 1980s, and was originally known as direct conversion receivers (DCR). An example of what a modern SDR “kit” looks like is below:

SDRs are commonly used as a hobbyist application. Most people have at least heard of them, and know they do what their name suggests – define radios!

What can you do with an SDR?

You can do various things with an SDR, such as:

  • Receive broadcast radio
  • Amateur radio
  • Radio astronomy
  • Track ships via AIS transmissions
  • Track aircraft via Mode S transponder (And this will be today’s project)
  • Listen in on “walkie talkies”

Project 1: ADS-B – Tracking Planes

Back in January, I started to play around with SDR, mostly in order to be able to track aircraft using their Mode-S Transponder signals.

Hardware

My ADS-B station is currently running the following hardware:

SDR Dongle: AirNav RadarBox FlightStick

Antenna: AirNav ADS-B 1090MHz External Antenna

Board: Raspberry Pi 3 Model B+

Enclosure: Random box bought at the local supermarket, and some DIY hot-glue stuff

Network connection is currently done via Wi-Fi

Software

This station is currently running the PiAware image, including dump1090-fa (which feeds data to https://flightaware.com/ out of the box), with some additional software installed to feed into some other sites:

Some other websites/services work the other way around: they connect to my station (with the relevant firewall exceptions in place) to obtain the data. These services are:

And some other additional software for metrics purposes:

  • ADSB Stats Logger, to generate some metrics about the station performance (more on this shortly)
  • graphs1090, to generate signal and traffic metrics
  • timelapse1090, to generate air traffic timelapse

Results

I have been gathering aircraft tracking data since January 2022 with this setup, and these are some metrics from that data. Before sharing the numbers, here is my maximum theoretical range (according to heywhatsthat.com) at my antenna location, taking terrain into consideration for airborne targets (red represents the horizon visual range, orange is for targets at 10k feet, and the blue line is for targets at 30k feet):

Versus my actual range:

If you want to check the live feeds you can do so here:

ADSB Stats Logger:

Data range: 2022-03-08 13:14:53 - 2022-09-03 13:38:11
Unique Flights: 1600
Unique Operators: 522
Max Altitude: Flight SAT408 37.206644315757394 km at 2022-08-19 21:38:10
Max Speed: Flight MEDIC16 1836.0728000000001 kmh at 2022-05-29 22:10:01
Max Station Distance: Flight AFR457 664.5046626435085 km at 2022-07-21 03:33:57
Min Station Distance: Flight RYR2624 0.012642261112371317 km at 2022-05-15 19:38:21
Max Signal: Flight UAL216 -0.9 db at 2022-06-02 11:22:28
Min Signal: Flight AEA194 -28.6 db at 2022-08-04 07:52:23

graphs1090 (6 months period)

What’s next?

In the last few weeks I have been playing around with a couple of new SDR things to upgrade my SDR setup with a new project. These things are:

AIS Ship Tracking

Listening to Air Traffic Control

Santa Maria ATIS
Ponta Delgada ATIS

I’m currently waiting for Amazon to deliver some adaptors and connectors, so I can connect further gear to my external antenna to develop both of these projects, so stay tuned for future posts about them 🙂