VPN discussion on which type

Mike-VA3MW

For my Network gurus (you know who you are).

Please answer some details on VPNs and the features they provide (or don't provide).

Here are the questions; feel free to answer them in a follow-up post. I will do my best to summarize in a spreadsheet.

Please only answer if you have experience with what works and what doesn't.

1. Name of VPN (SoftEther, WireGuard, OpenVPN, TailScale, ZeroTier, Ubiquity, etc)
2. Server (radio end) requirements (RPI, runs on a Router, etc)
3. Client requires (runs on PC, MAC or external hardware)
4. Solves CGNAT issues (yes/no) - look at this as accessing your FLEX-6000 radio installed on a CGNAT ISP such as StarLink, etc.
5. Low Latency (or long latency)
6. Eliminates SmartLink (or a SmartLink workaround)
7. What skills are required (Newbie can install, a typical geek can figure it out, or you need to have a CCNA certification). For reference, a Newbie may not even know how IP addresses are used or understand the numbering
8. Is your solution in use today and would you recommend it
9. Have you tested it using SmartSDR?

Many thanks in advance for this.

Mike-VA3MW

Let me answer the first one

1. SoftEther
2. It does not run in a router, but you can run it on a PI3 or a PC inside the network with 1 simple port forward (more if using iOS
3. Client run on just about all devices (PC, MAC, iPhone, etc)
4. No, not really, but you can have a setup with their Azure services that will solve CGNAT but with long latency
5. Low as long as you are not using an Azure server in the middle
6. Yes. CAT, DAX and IQ data will work - there will likely be data loss of UDP packets at times
7. Typical geek can figure it out as long as you have a little networking experience
8. I have used it for years

Mike

MarkS

Mike - An additional item that might be helpful in your survey. Have you tested the implementation on SmartSDR (Windows 10, Windows11)? Have you tested the implementation on SmartSDR (Mac/iOS/iPadOS)?

Mark wd9jen.

Ha Gei

I can second all of that..

Softethernet is more or less the the only VPN that can be used , as only a very few can transport frames on the so called ISO LAYER2 .

We have been playing with the azure broker based VPN for a setup in denmark.. no fun … works but barely

You need ONE side with a dynamic or fixed public IP adress.. it can be either IPV4 or IPV6 . It does not matter if the "server" is at home or at the radio site. Only the Server needs port forwarding.

Starlink and the like, i never tried, but i would have doubts on latency.

I use softethernet since over 10 years ( 5 for Flex , before we needed it for multi site contesting ) and have helped quite a few guys to bringt theirs alive.

One hurdle can be your antivirus or firewall , if it does not like some types of non IP based packets which smartsdr uses.

73

Harald DL9NDW

Alan

• 
  Name of VPN Pep VPN: https://www.peplinkworks.com/Tech-PepVPN.asp

• Server (radio end) requirements; runs on PepWave Router. PepWave has a large set of routers for all budgets, mobile and at-home options, all running the same firmware. https://www.peplink.com

• Client requires: Client and Server both run on PepWave Router.

• Solves CGNAT issues; yes.  Only one end of the VPN needs a public IP. The other end can be CGNAT. In fact, many of the PepWave routers have built-in cellular radios.

• Low Latency; I typically see 30ms radio round trip time.

• Eliminates SmartLink (or a SmartLink workaround; Yes. The PepWave VPN firmware allows for level two bridging.

• https://www.youtube.com/watch?v=YTA6FOCWlWE&t=234s

  See this video regarding setting up Level Two Bridge:

  https://www.youtube.com/watch?v=sI_Ucf74IQQ

• Is your solution in use today: Yes. PepVPN is In use for small and large businesses worldwide. It is not free. Entry level cost is around $1K, all in. You will have a commercial solution for remote access to a CGNAT based cellular or StarLink Flex Remote Location. No extra boxes; everything is built into the PepLink router hardware and firmware.

• Have you tested it using SmartSDR? yes.

• Alan. WA9WUD

K5CG

I posted my answer here prior to logging in and it asked me to "Comment as…" and I clicked that expecting to login and the response to be posted, but no. It did't do that and I had to start over. That didn't work as expected. Here it is again.

1. Name of VPN: ZeroTier
2. Server (radio end) requirements: runs on a router or RPI
3. Client requires: runs on Windows, MacOS, Linux (rpm/deb), FreeBSD, QNAP/Synology (via Docker).
4. Solves CGNAT issues (yes/no): Yes
5. Low Latency (or long latency): Not measured but usuable in my test
6. Eliminates SmartLink (or a SmartLink workaround): Yes
7. What skills are required: a typical geek can figure it out, see this doc I made.
8. Is your solution in use today and would you recommend it: Not in use as it was a PoC, would recommend it however.
9. Have you tested it using SmartSDR? Yes, on Windows 10.

Danny
K5CG

Alan

I watched the level two video, and it was probably not a good example of how easy the level two bridge setup is.

When you watch the video on setting up the level two bridge, you only need to set the VPN/LAN tie. All other settings he discusses are unique to his hardware and not necessary for a typical router to router PepVPN tunnel.

The takeaway is that after setting up the level Two PepVPN/LAN bridge, the router at your station, behind the CGNAT, will be the DHCP server. The station router will assign your remote router's DHCP. All devices connected to the remote router will be assigned an IP address from the station router, all on the same subnet, and all receiving the UDP frames from Flex connected to the station router.

Alan. WA9WUD

Ron Koenig

1. Name of VPN (SoftEther, WireGuard, OpenVPN, TailScale, ZeroTier, Ubiquity, etc)

ZeroTier

1. Server (radio end) requirements (RPI, runs on a Router, etc)

Runs on Most Routers or a Pi

1. Client requires (runs on PC, MAC or external hardware)

Most OS

1. Solves CGNAT issues (yes/no) - look at this as accessing your FLEX-6000 radio installed on a CGNAT ISP such as StarLink, etc.

YES, have tested with Tmob

1. Low Latency (or long latency)

Faster than Smartlink

1. Eliminates SmartLink (or a SmartLink workaround)

YES !

1. What
   skills are required (Newbie can install, a typical geek can figure it
   out, or you need to have a CCNA certification). For reference, a Newbie
   may not even know how IP addresses are used or understand the numbering

I have no skills and made it work in an hour or 2,

1. Is your solution in use today and would you recommend it

Yes, in use for Competitive Multi op 100% Remote Contesting

1. Have you tested it using SmartSDR?

Yes...

I do not understand why in 2024 we are even discussing this…

2023 Flex Banquet @ Dayton… I asked Steve why we do not have direct IP access to OUR Radios. He said there was no reason and he thought we already did…

Having to use VPN's and the extra issues / potential latency increases they add should NOT be a thing. We should have had direct access years ago and there is NO excuse not to. Flex Engineers need to get with the program. Not a week goes by that there is not a discussion about VPN's and many many users now rely on them. They add a complexity that should NOT be needed.

EVERY other device at my station has direct access. Flex is the Only device that you must jump through hoops and use 3rd party software to make work. How did Every other manufacturer realize this was important ?

KD0RC

Danny and Ron, your comments got quarantined by the spam filter. I released your comments when I discovered them in the spam queue this morning. Going forward, you should not have this issue.

Tim KE4UK

I'm sure not wanting to sound ignorant but at 76 years old my learning days are getting a bit harder. I have everything, I think, I need to work remotely, I think. I am using TMobile and got it thinking oh boy, much faster speed than Century Link which was under 6mpbs or lower. I could work remote but would drop out do to the low speed. I didn't realize that TMobile didn't have port forwarding so therein created my problem. I purchased NordVPN and my own dedicated ip. I have an Asus router and turned off the wifi things on the TMobile modem so it is used as a modem and not a router. Now… with all that… I have not been able to make things work. The verbiage dealing with it all doesn't register. It's like when I was in the military and was working on a carburetor and had this guy that knew all about the carburetor helping me. He tore the carb all the way down and left me. Kind of how I feel now. I think I have all the parts but don't know how to put them together. So all of the terminology and videos appear to be like separate pieces of a puzzle and for a complete newbie I just haven't been able to solve the puzzle. So a video, in lamen terms, from the very start to the very finish would be better suited, at least for this old man.

73's

Tim KE4UK

Mike-VA3MW

@KD0RC Thanks Len, I totally forgot to check the Spam Q.

Mike-VA3MW

From Dave WO2X

1. TailScale

2. Server in cloud (free)

3. Can be installed on many clients sucks as Windows, RPi, MAC, IOS, Linux

4. Yes, but not for Flex products. Used to access Node Red dashboard without opening port in firewall. 

5. Latency for use is acceptable. 

6. Not good to solve SmartLink CG-NAT

7. Novice who can follow well written directions can install it. Create account. Install clients on every device you want other devices to access and access from. Maybe a little of knowledge or ability to read. 

8. Yes. Used to access Node Red on Pi at two locations (home and Hawaii). 

9. No. Does not work to access Flex radio circumnavigating firewall or CG-NAT

Mike-VA3MW

Hi Mike,
>> Feel free to respond here or in the Community and I will work to summarize the answer and then share it with everyone.  

1. Name of VPN: OpenVPN
2. Server (radio end) requirements: Runs natively on MicroTik routers, no server/computer required radio-end. I didn't check with other routers brands and models.
3. Client requires: OS specific (Mac, Win, Linux) OpenVPN client running on station PC
4. Solves CGNAT issues: I haven't tested in a CGNAT environment, but there are workarounds if standard implementation doesn't work.
5. Low Latency: assuming the carrier has low latency on the specific route, the protocol itself doesn't add much latency.
6. Eliminates SmartLink
7. What skills are required: geek level should be enough if it works. CCNA is probably required for debugging issues.
8. Is your solution in use today and would you recommend it: I use SmartLINK for daily use and if available, but this is my preferred solution if I need to by-pass it.
9. Have you tested it using SmartSDR?: Yes, works like a charm.

73, Max N5NHJ

Mike-VA3MW

2023 Flex Banquet @ Dayton… I asked Steve why we do not have direct IP access to OUR Radios. He said there was no reason and he thought we already did…

Having to use VPN's and the extra issues / potential latency increases they add should NOT be a thing. We should have had direct access years ago and there is NO excuse not to. Flex Engineers need to get with the program. Not a week goes by that there is not a discussion about VPN's and many many users now rely on them. They add a complexity that should NOT be needed.

EVERY other device at my station has direct access. Flex is the Only device that you must jump through hoops and use 3rd party software to make work. How did Every other manufacturer realize this was important ?

Hi Ron (I am just the messenger)

I wanted to update you on the discussions about enabling direct IP addressing. Currently, there are no plans to implement this feature in the near term. This decision is primarily due to several higher-priority projects that are currently consuming our available resources. And, it is never 'that simple' and always breaks something else when you start these projects.

Additionally, there are significant concerns related to post-sales support costs and security risks. Enabling direct IP addressing could lead to increased customer support calls to help set up these connections, and it might expose users to security risks by requiring them to open unprotected ports on their firewalls.

FRS continues to recommend using SmartLink, as it provides a secure and reliable peer-to-peer connection that has served our users well. We acknowledge the interest in direct IP addressing and have scheduled a review of this matter for a future date when we can give it the appropriate focus it deserves.

Thank you for your understanding.

Gord-VA7GP

"there are significant concerns related to post-sales support costs and security risks. Enabling direct IP addressing could lead to increased customer support calls to help set up these connections, and it might expose users to security risks by requiring them to open unprotected ports on their firewalls."

I am with @Ron Koenig here: this lack of direct-IP should not even be a 2024 problem!!

John Warburton G4IRN

From John G4IRN:

Name of VPN - ZeroTier

Server (radio end) requirements - RPI running LAN <> ZeroTier bridge.

Client requires - ZT client software runs on PC. I also have ZT running on my home router (GL-iNet GL-MT6000) so the client install isn't strictly necessary for home use.

Solves CGNAT issues - yes - the radio end is on a 4G network with CGNAT.

Low Latency - I have a LAN to LAN VPN from the remote site to home as a comparison. ZT times are comparable/more or less the same.

Eliminates SmartLink - yes, I never use SmartLink.

What skills are required - some IT skills are required if using a RPi network bridge at the remote site - the RPi needs to be built from scratch, ZT installed and the bridge defined (all documented on the Net) . However if the remote site has a router with ZT capability then it gets much easier.

Is your solution in use today and would you recommend it - Yes and Yes.

Have you tested it using SmartSDR? Yes. In daily use.

Ron Koenig

Michael,

That story sounded cool for a few years but now we ALL know it's 100% Total BS, Steve confirmed it in front of a crowd…
There is No Security Risk,

FRS does not have to support it in ANY way.. Enable this at your own risk.

It's been that way for YEARS on the Mac Version. If one guy in his spare time can do it, what does that say for an entire Team of Engineers @ Flex ?? Pretty scary.

Yes, we know it's not in the works, NONE of the stuff we were promised is in the works. Never will be. We get it.

Yes, I know I am just wasting bandwidth… Same ol Same ol,

Mike-VA3MW

Thank you both (Ron and Gord) for sharing your thoughts. I'll make sure to pass them along. Feel free to forward your ideas directly since you have access to the same email contacts as I do.

Remember, I'm just the messenger here.

By the way, if anyone is interested in creating a simple Python script that makes it emulate a radio on a local network and then connects it to a remote radio, that would be great. It sounds like a straightforward task, and perhaps using ChatGPT could help simplify the process. That might even get resolved quicker than waiting for this topic to move up on the priority list.

Thanks for your understanding. See you in Dayton.

WX7Y

1. Name of VPN (SoftEther, WireGuard, OpenVPN, TailScale, ZeroTier, Ubiquity, etc): SoftEther
2. Server (radio end) requirements (RPI, runs on a Router, etc): PC and RaspPI
3. Client requires (runs on PC, MAC or external hardware): PC, IOS devices, and MAC. (wish it ran on the Maestro).
4. Solves CGNAT issues (yes/no) - look at this as accessing your FLEX-6000 radio installed on a CGNAT ISP such as StarLink, etc.: YES SoftEther worked great through T-Mobile's CGNAT
5. Low Latency (or long latency) at least as low as SmartLink if not faster using SoftEther and stays connected much better than SmartLink.
6. Eliminates SmartLink (or a SmartLink workaround) YES
7. What skills are required (Newbie can install, a typical geek can figure it out, or you need to have a CCNA certification). For reference, a Newbie may not even know how IP addresses are used or understand the numbering: It helps to watch a few videos, I figured it out after a fashion back when I got my first Flex Radio about 2013, The Pi configuration can also be imported to the Windows version with minimal modifications.
8. Is your solution in use today and would you recommend it: YES and YES
9. Have you tested it using SmartSDR? : YES every day on my IOS device

HB9HJQ

1. ZeroTier
2. Runs on a Mikrotik Router
3. ZeroTier Client required or a network setup with bridging over ZeroTier implemented
4. Solves CGNAT and even runs pure IPv6 connections
5. Low Latency, almost the same as in the local network
6. Eliminates SmartLink
7. A typical geek can figure it out or follow a tutorial
8. It is my favorite solution and I definitely would recommend it
9. Tested and in use with SmartSDR for MacOS/iOS and Windows

73 de Christian, HB9HJQ

Unbalanced

1. Name of VPN (SoftEther, WireGuard, OpenVPN, TailScale, ZeroTier, Ubiquity, etc)
ZeroTier
2. Server (radio end) requirements (RPI, runs on a Router, etc)
Raspberry Pi Bridge
3. Client requires (runs on PC, MAC or external hardware)
ZeroTier Client install when available
GL.iNet Router Bridged to ZeroTier when Client SW unavailable
This solution works with Maestro
4. Solves CGNAT issues (yes/no) - look at this as accessing your FLEX-6000 radio installed on a CGNAT ISP such as StarLink, etc.
Yes
5. Low Latency (or long latency)
Avg 80-100ms - This is on a std resi Starlink CGNAT Network - Packet loss less than 0.4%
6. Eliminates SmartLink (or a SmartLink workaround)
Yes - operates as if you're local to the radio
7. What skills are required (Newbie can install, a typical geek can figure it out, or you need to have a CCNA certification). For reference, a Newbie may not even know how IP addresses are used or understand the numbering
Typical geek level
8. Is your solution in use today and would you recommend it
Yes, and Yes
9. Have you tested it using SmartSDR?
Yes, radio comes up in chooser menu

My primary goal was to operate a rig behind CGNAT remote CW using a Maestro. This solves the remote sidetone issue.