
How you can access your Radio over the Internet (WAN) TODAY

Stu Phillips - K6TU
Stu Phillips - K6TU Member ✭✭
edited June 2020 in SmartSDR for Windows
Here is a simple and inexpensive solution to get WAN access over the Internet to your Flex-6000 series radio TODAY.

The following solution allows you secure (authenticated and encrypted) access to your Radio that is located behind your Internet access device (cable/DSL/fiber modem) and its firewall. No dedicated hardware is required, and the solution allows access from Mac, Linux, iOS and Windows - all at the same time if you must!

This solution is NEITHER supported nor endorsed by FlexRadio.  DO NOT CALL THEM FOR SUPPORT, INSTALLATION PROBLEMS or anything else.  You undertake the use of this solution at your own risk and accept that you are your own technical support for this form of operation.

The solution is to use the SoftEther VPN (virtual private network) from the University of Tokyo, Japan.  You can download this open source, excellent and free software from:

http://www.softether.org/

The simplest deployment of this solution is to run the VPN Server on a PC at your home.  Most PCs have more than enough horse power to run the VPN server and transport SmartSDR traffic without breaking into a sweat.  Although beyond the scope of this post, it's very easy to configure the server to run on a Raspberry Pi (version B or 2 preferred).

You do need to configure your Internet access device to allow transit through its firewall function - this is covered in detail (ports, protocols etc) on the SoftEther.org web site. If you are unfamiliar with configuring the firewall function, you will have to consult either your ISP or the documentation for specific information.

The SoftEther VPN server also interacts with a (free) dynamic DNS service that is built into the server and provides you with a named access to the VPN server which will track any IP address changes of your Internet access device.  The server has its own GUI interface when running on Windows and can be set up in a couple of minutes.  Again the SoftEther.org web site has extensive "how to" with screen shots to help you.

On the client side (your laptop running Windows and SmartSDR), install the SoftEther VPN client.  SoftEther.org provides a GUI based client that is very simple to install as well as a VPN server management GUI that lets you configure the VPN Server remotely.

When configuring a connection back to the server, specify connection to TCP port 5555 - this is the default SoftEther TCP port for its TCP/SSL VPN connection.  Using this particular protocol enables automatic compression and automatic (under the covers) recovery of lost or out of order packets from the Radio.

So how does it work?

The SoftEther VPN provides remote access to your home LAN that looks like a virtual Ethernet cable:

http://www.softether.org/4-docs/2-howto/1.VPN_for_On-premise/2.Remote_Access_VPN_to_LAN

This allows the broadcast traffic from your home network to travel over the Internet to the VPN connection on your laptop. This allows SmartSDR to "see" the radio and seamlessly connect to it for operation over the Internet.

Automatic compression and the TCP protocol help optimize the connection and reduce the bandwidth required between the radio and your laptop.

How much bandwidth is required over the Internet?

Running remote audio and a modest (1024x768) window for SmartSDR will consume approximately 1 Megabit per second when displaying 1 panafall display at 24 frames per second for the pan adaptor update and 12 waterfall lines a second.

A larger screen display will consume proportionally more bandwidth and scales with the width of the display - smaller means less bandwidth, bigger means more.

You can reduce the amount of bandwidth consumed by reducing the frame rate of the pan adaptor updates and reducing the number of lines per second on the waterfall.  The further left you drag the sliders on the display controls for SmartSDR, the less bandwidth will be consumed.

You will be surprised how few frames per second will still give you a usable display.

Running DAX is NOT RECOMMENDED and will likely saturate your available uplink bandwidth unless you have a very good Internet connection.  Each DAX channel consumes 1.5 Megabits/second so YOU HAVE BEEN WARNED!

Remember that if you are connected to the Internet via your cell phone, wireless hot spot, tablet etc, YOU ARE PAYING FOR BANDWIDTH CONSUMED and the traffic you receive counts towards the bandwidth cap on your account.  1 MBps is about 450 MBytes an hour.

How good an Internet link do I need at home?

To really use your radio effectively over the Internet, you will need an Internet link at home that provides at least 3 Megabits per second of UPLINK traffic with good reliability.  Reliability means that the 3 MBps is available at any time of the day/night and without significant packet loss.

The majority of Internet services today are heavily ASYMMETRIC - you get significantly more DOWNLINK bandwidth than UPLINK.  This is because most Internet customers consume more content (streaming videos, music, web browsing etc) than they generate.

You can measure your Internet access speed by using one of the speed tests.  This one:

http://www.speedtest.net/index.php

is heavily used by ISPs to show their customers how good (or not so good!) their connections may be and help set expectations about the quality of the experience you will get (or not!).

If your Internet UPLINK speed is less than 3 MBps, DON'T WASTE YOUR TIME USING THIS SOLUTION - YOU WILL BE VERY FRUSTRATED AND DISAPPOINTED.

How well does this work anyway?

With a good uplink available from the home network here in the San Francisco Bay Area, I have run SmartSDR remotely and made QSO's from all over the United States - even using LTE on my iPad hot spot from rural locations where there was no other Internet access available to me.

If the SpeedTest link above shows that I have reasonable latency (< 100 ms) and decent bandwidth (> 3 MBps) back to a test server in the Bay Area, my SmartSDR experience even at 24 fps is like sitting on the network at home.

Put bluntly, HOTEL networks on Wifi generally ****.  Even paying for "premium" WiFi access in most hotels is a waste of money and a bad joke.  Hotels are now stuck with their customers expecting FREE access and so provide as slow/bad service as they can get away with...

In general, if you are in a large metropolitan area and your home is similarly situated in another metropolitan area (and you pay for "above average" Internet connectivity from home), you will have a very positive experience.

From my work office which is in the same metro area, I get amazing connectivity and can make QSO's with ease (until the boss catches me... oh wait, the boss is ME ;-).

Internationally, your mileage WILL vary and will depend on the quality of the place you are staying and the Internet infrastructure between you and the home country.  You may have to resort to turning the frame rate on the pan adaptor to ZERO and operating with just remote audio (this and the meters will require about 100 KBps FWIW).

Is remote operation legal?

If you are in the United States and operate under an FCC license, remote operation is 100% legit BUT you must set the Flex-6000 Transmit timeout (on the Transmit tab of the SmartSDR setup) to comply with FCC Part 97 section 97.213 (b):
(b) Provisions are incorporated to limit transmission by the station to a period of no more than 3 minutes in the event of malfunction in the control link. 
If you are licensed by a regulatory authority other than the FCC, you must consult your own regulations to determine whether remote operation is permissible.

But SmartSDR release 2.0 will make this solution obsolete?


Most likely - yes!  But many of the same restrictions regarding UPLINK bandwidth and the quality of Internet connectivity will remain as constraints.

The compression in the SoftEther VPN client on Windows removes much of the redundant overhead present in the data streams from the radio today but a good quality panafall display is moving a LOT of data.

I don't speak for FlexRadio and I have high regard for the engineering team.  It's likely that when they begin work on release 2.0, they will come up with new and innovative ways of representing data and further reducing the amount of bandwidth required for remote operation.


In the meantime, for those itching to use SmartSDR over the WAN today, here's a viable solution assuming you have the uplink bandwidth.

73 and enjoy!
Stu K6TU

Comments

  •   VE6KWA
    VE6KWA Ken Member ✭✭
    edited May 2020
    Clear & concise.... Well done Stu !
  • Justin Smith
    Justin Smith Member
    edited June 2015
    Hi Stu:
    Thank you for providing such a practical and detailed guide to help free us to work our FlexRadio 6000 radios while away on business or vacation, provided we have adequate bandwidth and packet integrity. I will be setting up WAN access using your method this afternoon, thanks to the clarity of your directions.  (Even though, with far less effort, I could just use the Internet directly to do most of what I would be using WAN access to my 6500 to accomplish, and gain additional features not possible with amateur radio - but where is the novelty or sense of adventure with direct use of the Internet compared to WAN access to a 6000?  One has to be a ham to appreciate this challenge.)
  • DV
    DV Member ✭✭
    edited May 2020
    Stu, quite a tutorial.  Thanks for the information.  How do you handle the audio?
  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited May 2020

    I have a question regarding the client computer: Once the client is set up on a portable, can you access the VPN on the same LAN in order to check that everything is working before trying it over a WAN?

    Jim, K6QE

  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited May 2020

    Also regarding the firewall settings: Is it the "same old game" of setting port forwarding of the router to 5555 and assigning a static I/P address to the serving computer?


    Jim, K6QE

  • Stu Phillips - K6TU
    Stu Phillips - K6TU Member ✭✭
    edited August 2016
    Enable the remote audio on SmartSDR and use the audio devices on your computer (laptop) - speakers and mic.

    Stu K6TU
  • Stu Phillips - K6TU
    Stu Phillips - K6TU Member ✭✭
    edited August 2016
    Good question - I haven't tried that configuration as it wouldn't verify that the firewall configuration is correct.  I connected back into my VPN from my iPad - you can configure the iPad to use L2TP/IPSEC (which you will have to configure on the VPN server - see the SoftEther.org instructions) and then connect back to your VPN server over 4G.

    It's helpful to have a second network connection like this so you can check out that you have the firewall configuration set correctly.

    Stu K6TU
  • Stu Phillips - K6TU
    Stu Phillips - K6TU Member ✭✭
    edited August 2016
    Yes - it is usually easiest to assign a static IP address to the VPN server on the INSIDE network - that way you can set the firewall forwarding rules to point to that device and not worry about the address changing when the computer reboots.

    The DynDNS built into the VPN server will take care of the EXTERNAL (WAN) address changing.

    Stu K6TU
  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited June 2015

    Yes, the DNS server built into the server is a really nice touch. Thank you, Stu.


    Jim, K6QE

  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited June 2015

    I have DYNDNS and I frequently check my remoting capabilities by using the DNS name from my LAN. I assume I should be able to do the same thing with the VPN server. I'll give it a try and make a fool of myself. However, the more mistakes I make the more I learn.


    Jim, K6QE

  • Steve W6SDM
    Steve W6SDM Member ✭✭
    edited May 2020
    Stu,

    You made a complex subject seem relatively simple.  Thanks for that.
  • Javier, KC2QII
    Javier, KC2QII Member ✭✭
    edited June 2016
    Stu,

      Thanks for introducing us to SoftEther.  I got the server running on a Raspberry Pi 2 B+ in my home network, with the Office PC client working well, at least when receiving JT65A.  With the waterfall display at the lowest setting, the throughput is about 700 KBps.

    73, Javier
    KC2QII
  • Stu Phillips - K6TU
    Stu Phillips - K6TU Member ✭✭
    edited August 2016
    Javier,

    The waterfall rate AND the pan frame rate both affect the amount of data needed between the radio and the client.  If you slide them full left, it pretty much stops all updates.

    At that point you will have two sources of data - the remote audio (assuming it's enabled ;-) and the various metering updates.  The metering updates alone consume about 30 KBps - remote audio is set to require 70 Kbps - so you should be able to get down to a no-display diet of around 100 Kbps.

    Anything on top of this is additional LAN broadcast traffic that is traversing the link...

    I didn't mention this (to avoid additional complexity) in the original post.

    SoftEther also supports an amazing selection of filters/access lists - does my networking bones good - ahhhhhh...

    The simplest approach is to add MAC level filters that restrict traffic to and from the different devices.  An access list entry is required for each source & destination MAC address - for example:

    Accept: MAC address from radio
    Accept: MAC address to radio
    Accept: MAC address to VPN MAC address from client
    Accept: MAC address to VPN MAC to client
    Accept: MAC address to broadcast FROM client
    Drop: Everything else

    Some debugging may be necessary on this list - it's compiled from memory! :-)

    I'm not sure that the MAC filters are worth the effort.  I have a pretty large home network including some 30+ devices (a couple of file servers, a number of WiFi access points, PCs, MACs, home entertainment devices, VOIP devices, UPS, Ethernet Serial servers, LAN switches...) - despite all this, the residual background "crud" is about 10 Kbps - if the link is that thin to make this a relevant difference, it's likely not going to work anyway!

    Hope this helps!
    Stu K6TU
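Added example (not part of Stu's post, and not SoftEther configuration syntax): a small Python model of the ordered MAC access list sketched in the comment above, so the list can be checked against sample frames before it is entered on the server. First-match evaluation, the reading of each rule's direction, and every MAC address below are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def norm(mac: str) -> str:
    """Normalise 02-00-..., 02:00:... or 0200.0000... to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "drop"
    src: Optional[str] = None   # None matches any source MAC
    dst: Optional[str] = None   # None matches any destination MAC
    note: str = ""

    def matches(self, src: str, dst: str) -> bool:
        return ((self.src is None or norm(self.src) == src) and
                (self.dst is None or norm(self.dst) == dst))


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule (assumed ordering).

    A frame that matches nothing is reported as "unmatched": the model makes
    no claim about a product default, which is why the list below ends with
    an explicit drop entry.
    """
    src, dst = norm(src), norm(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action, rule.note
    return "unmatched", "no rule matched"


# Constructed sample addresses (locally administered range), not real devices.
RADIO, VPN_NIC, CLIENT = "02:00:00:00:00:10", "02:00:00:00:00:20", "02:00:00:00:00:30"
NAS, UNKNOWN = "02:00:00:00:00:40", "02-00-00-00-00-99"

# The list from the comment, in the order given (direction of rule 4 assumed).
ACL = [
    Rule("accept", src=RADIO, note="from radio"),
    Rule("accept", dst=RADIO, note="to radio"),
    Rule("accept", src=CLIENT, dst=VPN_NIC, note="client to VPN MAC"),
    Rule("accept", src=VPN_NIC, dst=CLIENT, note="VPN MAC to client"),
    Rule("accept", src=CLIENT, dst=BROADCAST, note="client broadcast"),
    Rule("drop", note="everything else"),
]


def audit(rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Run the frames that matter for remote radio use through the list."""
    frames = {
        "radio_discovery_broadcast": (RADIO, BROADCAST),
        "client_to_radio": (CLIENT, RADIO),
        "nas_broadcast_crud": (NAS, BROADCAST),
        "nas_to_client": (NAS, CLIENT),
        "unknown_host_to_radio": (UNKNOWN, RADIO),
    }
    return {name: evaluate(rules, s, d) for name, (s, d) in frames.items()}


if __name__ == "__main__":
    for name, (action, note) in audit(ACL).items():
        print(f"{name:28s} {action:9s} ({note})")
```

In this model the background broadcast from the file server is dropped, while a frame from an unlisted MAC addressed to the radio is accepted by the "to radio" entry, because that entry does not constrain the source.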
  • Javier, KC2QII
    Javier, KC2QII Member ✭✭
    edited June 2016
    Stu,

     My network is similar to yours, sans MAC, plus three Raspberry Pi GPS NTP servers.  I will have to look into a trade off of MAC access list versus load on the Raspberry Pi.  Not sure how much the load is at this time, but when the server is running, I get timeouts when attempting to telnet into the Pi.

    Javier
  • Stu Phillips - K6TU
    Stu Phillips - K6TU Member ✭✭
    edited August 2016
    Interesting - are you saturating your uplink?  Running on a Pi2B+ over clocked at 1 GHz, I can saturate my 10 MBps uplink - takes a number of pan adaptors, slices and DAX all running together to do this BTW.

    At that point, the load on the Pi is about 125% CPU - the SoftEther server is multi-threaded and so core friendly.  This is running compression and encryption BTW so the CPU load on the Pi is as bad as it gets - it's not just data movement.

    This is also using the same physical interface for input and output - SoftEther recommends using a separate physical interface for in from out.

    I haven't checked the SoftEther code but most Ethernet chips have a number of MAC address filters implemented on chip; most Linux drivers allow access to these so it's possible that SoftEther maps the access filters to the hardware.  In which case they are gratis.  I didn't notice any CPU load difference when I added the MAC level filters to my configuration.

    Even with the 10 MBps saturated, I was still able to SSH into the Pi...

    Stu K6TU
  • Javier, KC2QII
    Javier, KC2QII Member ✭✭
    edited June 2016
    Stu

      It is not an up link saturation issue, at least, that I can see by looking at my home network router WAN interface.  My service provided uplink has been a consistent 5 Mbps, and I barely peaked above 2 Mbps with a single slice, max refresh, DAX and remote audio running. I will have to check again, at home to make sure, but I read somewhere that the server runs with a higher than normal priority on the Pi.

    Javier
  • Stu Phillips - K6TU
    Stu Phillips - K6TU Member ✭✭
    edited August 2016
    Yes - the server runs at NICE+20 if I remember correctly.  Somewhere in its vpncmd command line utility, I think there is an override of this...

    Stu K6TU
  • spopiela
    spopiela Member
    edited May 2020
    This is a great tutorial thread. After reading it, I was emboldened. I was able to set up and run remote WAN operation with a 6300 this past weekend and enjoyed it immensely. My new NETGEAR router at home base is fairly new and has "Open VPN" built in. So I activated it and downloaded all the info for the laptop that I was to use remotely. It was very easy for me (a non IT person). The docs did say that the router would not do VPN with Apple devices which is a limitation but I can live with it. My home and remote location both have good internet speed up and download (40 MPPS down and 10 MMPs up) and the latest Intel and Windows software computers. Obviously the Internet speeds get better or worse over the course of the day at both locations. Having a router with VPN built in made it very easy. I can easily connect in and see my home network, network attached Storage and connect and use my Flex 6300. Flex has created a great product and I'm just excited about what's coming!!! Stan N1THL
  • Stu Phillips - K6TU
    Stu Phillips - K6TU Member ✭✭
    edited August 2016
    Stan,

    Congratulations!  I don't want to rain on the parade but one of the reasons why I spec'd the SoftEther VPN solution is that it's a very robust server from a security point of view due to its open source nature, wide spread use and the excellent support team at the University of Tokyo where it was written.

    Because of its open nature and widespread deployment, it's continually being reviewed for any security weaknesses.  That isn't to say it can't be hacked but I suspect the odds are way down relative to proprietary implementations even of OpenVPN.

    Moreover, the SoftEther VPN server works with iOS devices as well as Windows, OSX, Linux.  It's an all in one solution.

    When it comes to devices accessible from the Internet like a VPN Server, I am utterly paranoid and very skeptical of software packages that aren't open to review.

    Just 2 cents...
    Stu K6TU
  • Larry Benoit
    Larry Benoit Member ✭✭
    edited December 2016
    FYI, OpenVPN is actually cloned into SoftEther VPN.

    I've enabled OpenVPN on an Asus RT-AC86P router with Windows 7 clients. In initial testing it is stable and performs well for Remote WAN operation of a Flex 6500.  Others have reported good results with the Asus RT-N66U router. Based on my limited experience, a minimum of 5 mbps upload speed is necessary for satisfactory results.

    OpenVPN is open source and community supported. It has excellent security and  runs on Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows (2000/XP and later versions). 

    For details....
    https://openvpn.net/index.php/open-source/335-why-openvpn.html

    From Wikipedia...
    "OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities ......OpenVPN has been integrated into SoftEther VPN, an open-source multi-protocol VPN server, to allow users connect to the VPN server from existing OpenVPN clients."

    http://en.wikipedia.org/wiki/OpenVPN

    I've not compared SoftEther VPN with an OpenVPN solution (router implementation) and therefore have no opinion on the relative merits of the two applications. However, I would note that www.SoftEther.org has an extensive comparative analysis trashing the capabilities of OpenVPN :-)).  Regardless, both offer viable solutions for remote WAN operations. For me the OpenVPN solution was simple, as I already had an AC1900 router with OpenVPN software built-in.

    73,
    Larry KB1VFU



  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited June 2015

    Is OpenVPN compatible or useable with iOS devices such as the iPhone, etc.? Thank you for the valuable info.


    Jim, K6QE

  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited June 2015

    It would seem that having OpenVPN available on a router would solve all the problems of remoting the Flex 6000 radios. Since the software is available for LAN operation why go any further? I just tried OpenVPN and five minutes later I was connected directly to my LAN and using my 6500. Everything is just like I am sitting on my patio. I am using the Linksys WRT1900AC and it takes 30 seconds to have a server up and running. The obvious advantage is that you don't need a server computer as the router is your server.


    Jim, K6QE

  • spopiela
    spopiela Member
    edited June 2020
    My router is a Netgear R7000 (AC1900) which has the OpenVPN loaded in the router firmware. It was easy to set up and run my 6300 remotely. This version will not operate with iOS devices. Other versions might? Stan N1THL
  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited January 2017
    Apple has an app for OpenVPN for the iPad and iPhone. However, I have yet to try it with my Linksys WRT1900AC.
  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited June 2015
    I wonder if all equipment is turned off on a LAN except for the Flex radio, how anyone could hack the system using OpenVPN?
  • KY6LA_Howard
    KY6LA_Howard La Jolla, CA. Paris and Sablet FranceMember ✭✭✭
    edited January 2017
    OpenVPN usually does not work with iOS devices UNLESS your VPN device is one of the expensive CISCO routers. If you check the documentation on Netgear, Linksys and other inexpensive routers you will see fine print exclusions for iOS. Hence SoftEther is the preferred solution
  • KY6LA_Howard
    KY6LA_Howard La Jolla, CA. Paris and Sablet FranceMember ✭✭✭
    edited June 2015
    NO
  • KY6LA_Howard
    KY6LA_Howard La Jolla, CA. Paris and Sablet FranceMember ✭✭✭
    edited June 2015
    It only works with Cisco routers
  • KY6LA_Howard
    KY6LA_Howard La Jolla, CA. Paris and Sablet FranceMember ✭✭✭
    edited June 2015
    The radio is connected to a computer. Then it can be hacked
  • Walt - KZ1F
    Walt - KZ1F Member ✭✭
    edited November 2016
    The ability for someone outside your LAN to hack you is a function of what ports are open and where they terminate. There are (or were) many ports open on Windows due to how Windows works that have been historically exploited to hack into Windows. With other OSs, i.e. Linux, it is easier to completely close all exploitable ports, if there is no door or window, nobody can break in...so to speak. Further, there are route-able and non-route-able IP classes. The reason most internal corporate and certainly home networks are on the 192 class A address range is that is non-route-able. Standardly this equates to a non-routeable class C domain such as 192.168.0 or 192.168.1. Someone outside your LAN can not directly reach out and touch hardware with IP address in that range.  You can, however, do router magic to enable packets addressed to your router, having a routable address, i.e. 172.x.x.x, to port forward traffic to a device with an, otherwise, non-routeable IP address. So long as the radio is invisible and untouchable to anything outside of your LAN and you've stopped all daemon processes on your computer, no email, no browser, no autoupdating, no SSHD, no FTPD, etc. then there is no termination point for a hacker to exploit.

    There are people, white (and grey)  hat hackers, that make a living trying to find vectors into a network that others could exploit. Further, one of the more prominent use cases for virtual machines is to have them be the termination of any port forwarding such that even if the VM was hacked via an open vector, the hacker would be quarantined in the VM, unable to access any other resource. This is often done to segregate HTTPD daemons as well as mail servers.
