Mike's Python script for non-SmartLink and simple VPN

Gord-VA7GP

OK -

I was intrigued by Mike's Python script, which holds hope for simple VPN (common Layer 3) and working without the need for (or availability of) SmartLink. Mike announced this script in this Zerotier thread:

https://community.flexradio.com/discussion/8029743/using-zerotier-one

https://community.flexradio.com/discussion/comment/20610964#Comment_20610964

To repeat Mike's warning: It comes with zero support

The config.ini requires adjusting to suit your environment; here is mine:

[DEFAULT]
IP_Address = 192.168.0.222 ← your radio's IP-address
Callsign = VA7GP
Nickname = Flex6400
Version = 3.7.4.29165 ← your SmartSDR version number
Serial = 1320-5691-6400-6874 ← your radio's serial number
Model = FLEX-6400
Radio_License = 00:1c:2d:05:16:e2 ← your radio's MAC addrss

Since I am using a Flex 6400 with a single SCU and two slices, I also adjusted his code slightly (it seemed a reasonble thing to do, but didn't change result, below):

From:

message_text = f'discovery_protocol_version=3.0.0.2 model={model} serial={serial} version={version} nickname={nickname} callsign={callsign} ip={ip_address} port=4992 status=Available inuse_ip= inuse_host= max_licensed_version=v3 radio_license_id={radio_license} requires_additional_license=0 fpc_mac= wan_connected=1 licensed_clients=2 available_clients=2 max_panadapters=4 available_panadapters=4 max_slices=4 available_slices=4 gui_client_ips= gui_client_hosts= gui_client_programs= gui_client_stations= gui_client_handles= \x00\x00\x00'

To:

message_text = f'discovery_protocol_version=3.0.0.2 model={model} serial={serial} version={version} nickname={nickname} callsign={callsign} ip={ip_address} port=4992 status=Available inuse_ip= inuse_host= max_licensed_version=v3 radio_license_id={radio_license} requires_additional_license=0 fpc_mac= wan_connected=1 licensed_clients=2 available_clients=2 max_panadapters=2 available_panadapters=2 max_slices=2 available_slices=2 gui_client_ips= gui_client_hosts= gui_client_programs= gui_client_stations= gui_client_handles= \x00\x00\x00'

I can successfully establish two different VPNs from my work-office (where I want to operate, remote from my '6400 and antennas) to my home (where '6400 + antennas are located). Neither L2TP nor WireGuard can see the VITA49 discovery packets sent by the Flex 6400, but I can ping, browse, and "see" everything on my home-network. I can manually ping my '6400 by it's IP-address. I did try each VPN (individually) and rebooted between each test.

Mike's script runs for me, under both (Gentoo, 64-bit) Linux and Windows 11 Pro (Intel, 64-bit). You run this script at the work-office / Remote location, where your VPN client is located; you DO NOT run this on the LAN where your Flex radio is physically located! On Windows (and also Linux), invoked from the command line, I see:

User Settings

Radio IP Address: 192.168.0.222
Call Sign: VA7GP
Nickname: Flex6400
Version: 3.7.4.29165
Serial Number: 1320-5691-6400-6874
Model: FLEX-6400
Radio License: 00:1c:2d:05:16:e2

10:08:52 - Ping successful and Radio Broadcast message sent.
10:09:03 - Ping successful and Radio Broadcast message sent.

So, this part is fantastic! Mike's script pings my radio, and emits a discovery packet! Congratulations are due Mike - thank you!

However, SmartSDR (along with CAT and DAX, also) produce an error and do not connect:

Request for Help

I wonder if anyone may have any insights as to what is heppening here, and how I may adjust something to achieve connection?

N5YT

I was getting this same error message. I captured some actual packets from my rig with wireshark and I modified the beginning of line 84 of Mike's script. x8a changed to x89. After making the change it worked for me. Let me know if it works for you.

Original:

message = b'8T\x00\x8a\

Modified:

message = b'8T\x00\x89\

Gord-VA7GP

Thank you for your suggestion! I'll make that change and check the results after our Canadian long-weekend (Victoria Day).

I did perform Wireshark captures at both my home and away locations, to see what differences there may be. From my home-LAN, next to my Flex6400, I captured this working discovery packet:

0000   ff ff ff ff ff ff 00 1c 2d 05 16 e2 08 00 45 00   ........-.....E.<br>
0010   02 38 00 00 40 00 40 11 77 2f c0 a8 00 de ff ff   .8..@.@.w/......<br>
0020   ff ff 13 80 13 80 02 24 94 08 38 55 00 87 00 00   .......$..8U....<br>
0030   08 00 00 00 1c 2d 53 4c ff ff 66 47 a0 72 00 00   .....-SL..fG.r..<br>
0040   00 00 00 00 00 00 64 69 73 63 6f 76 65 72 79 5f   ......discovery_<br>
0050   70 72 6f 74 6f 63 6f 6c 5f 76 65 72 73 69 6f 6e   protocol_version<br>
0060   3d 33 2e 30 2e 30 2e 32 20 6d 6f 64 65 6c 3d 46   =3.0.0.2 model=F<br>
0070   4c 45 58 2d 36 34 30 30 20 73 65 72 69 61 6c 3d   LEX-6400 serial=<br>
0080   31 33 32 30 2d 35 36 39 31 2d 36 34 30 30 2d 36   1320-5691-6400-6<br>
0090   38 37 34 20 76 65 72 73 69 6f 6e 3d 33 2e 37 2e   874 version=3.7.<br>
00a0   34 2e 32 39 31 36 35 20 6e 69 63 6b 6e 61 6d 65   4.29165 nickname<br>
00b0   3d 20 63 61 6c 6c 73 69 67 6e 3d 56 41 37 47 50   = callsign=VA7GP<br>
00c0   20 69 70 3d 31 39 32 2e 31 36 38 2e 30 2e 32 32    ip=192.168.0.22<br>
00d0   32 20 70 6f 72 74 3d 34 39 39 32 20 73 74 61 74   2 port=4992 stat<br>
00e0   75 73 3d 41 76 61 69 6c 61 62 6c 65 20 69 6e 75   us=Available inu<br>
00f0   73 65 5f 69 70 3d 20 69 6e 75 73 65 5f 68 6f 73   se_ip= inuse_hos<br>
0100   74 3d 20 6d 61 78 5f 6c 69 63 65 6e 73 65 64 5f   t= max_licensed_<br>
0110   76 65 72 73 69 6f 6e 3d 76 33 20 72 61 64 69 6f   version=v3 radio<br>
0120   5f 6c 69 63 65 6e 73 65 5f 69 64 3d 30 30 2d 31   _license_id=00-1<br>
0130   43 2d 32 44 2d 30 35 2d 31 36 2d 45 32 20 72 65   C-2D-05-16-E2 re<br>
0140   71 75 69 72 65 73 5f 61 64 64 69 74 69 6f 6e 61   quires_additiona<br>
0150   6c 5f 6c 69 63 65 6e 73 65 3d 30 20 66 70 63 5f   l_license=0 fpc_<br>
0160   6d 61 63 3d 20 77 61 6e 5f 63 6f 6e 6e 65 63 74   mac= wan_connect<br>
0170   65 64 3d 31 20 6c 69 63 65 6e 73 65 64 5f 63 6c   ed=1 licensed_cl<br>
0180   69 65 6e 74 73 3d 32 20 61 76 61 69 6c 61 62 6c   ients=2 availabl<br>
0190   65 5f 63 6c 69 65 6e 74 73 3d 32 20 6d 61 78 5f   e_clients=2 max_<br>
01a0   70 61 6e 61 64 61 70 74 65 72 73 3d 32 20 61 76   panadapters=2 av<br>
01b0   61 69 6c 61 62 6c 65 5f 70 61 6e 61 64 61 70 74   ailable_panadapt<br>
01c0   65 72 73 3d 32 20 6d 61 78 5f 73 6c 69 63 65 73   ers=2 max_slices<br>
01d0   3d 32 20 61 76 61 69 6c 61 62 6c 65 5f 73 6c 69   =2 available_sli<br>
01e0   63 65 73 3d 32 20 67 75 69 5f 63 6c 69 65 6e 74   ces=2 gui_client<br>
01f0   5f 69 70 73 3d 20 67 75 69 5f 63 6c 69 65 6e 74   _ips= gui_client<br>
0200   5f 68 6f 73 74 73 3d 20 67 75 69 5f 63 6c 69 65   _hosts= gui_clie<br>
0210   6e 74 5f 70 72 6f 67 72 61 6d 73 3d 20 67 75 69   nt_programs= gui<br>
0220   5f 63 6c 69 65 6e 74 5f 73 74 61 74 69 6f 6e 73   _client_stations<br>
0230   3d 20 67 75 69 5f 63 6c 69 65 6e 74 5f 68 61 6e   = gui_client_han<br>
0240   64 6c 65 73 3d 20                                 dles= <br>

Then from my workplace with VPN (trying both Wireguard and L2TP), I captured this non-working discovery packet emitted by the Python script:

0000   02 00 00 00 45 00 02 43 2e 9a 00 00 80 11 00 00   ....E..C........
0010   0a 0a 0a 06 ff ff ff ff e4 f8 13 80 02 2f 37 a2   ............./7.
0020   38 54 00 8a 00 00 08 00 00 00 1c 2d 53 4c ff ff   8T.........-SL..
0030   66 21 48 78 00 00 00 00 00 00 00 00 64 69 73 63   f!Hx........disc
0040   6f 76 65 72 79 5f 70 72 6f 74 6f 63 6f 6c 5f 76   overy_protocol_v
0050   65 72 73 69 6f 6e 3d 33 2e 30 2e 30 2e 32 20 6d   ersion=3.0.0.2 m
0060   6f 64 65 6c 3d 46 4c 45 58 2d 36 34 30 30 20 73   odel=FLEX-6400 s
0070   65 72 69 61 6c 3d 31 33 32 30 2d 35 36 39 31 2d   erial=1320-5691-
0080   36 34 30 30 2d 36 38 37 34 20 76 65 72 73 69 6f   6400-6874 versio
0090   6e 3d 33 2e 37 2e 34 2e 32 39 31 36 35 20 6e 69   n=3.7.4.29165 ni
00a0   63 6b 6e 61 6d 65 3d 46 6c 65 78 36 34 30 30 20   ckname=Flex6400 
00b0   63 61 6c 6c 73 69 67 6e 3d 56 41 37 47 50 20 69   callsign=VA7GP i
00c0   70 3d 31 39 32 2e 31 36 38 2e 30 2e 32 32 32 20   p=192.168.0.222 
00d0   70 6f 72 74 3d 34 39 39 32 20 73 74 61 74 75 73   port=4992 status
00e0   3d 41 76 61 69 6c 61 62 6c 65 20 69 6e 75 73 65   =Available inuse
00f0   5f 69 70 3d 20 69 6e 75 73 65 5f 68 6f 73 74 3d   ip= inuse_host=
0100   20 6d 61 78 5f 6c 69 63 65 6e 73 65 64 5f 76 65    max_licensed_ve
0110   72 73 69 6f 6e 3d 76 33 20 72 61 64 69 6f 5f 6c   rsion=v3 radio_l
0120   69 63 65 6e 73 65 5f 69 64 3d 30 30 3a 31 63 3a   icense_id=00:1c:
0130   32 64 3a 30 35 3a 31 36 3a 65 32 20 72 65 71 75   2d:05:16:e2 requ
0140   69 72 65 73 5f 61 64 64 69 74 69 6f 6e 61 6c 5f   ires_additional
0150   6c 69 63 65 6e 73 65 3d 30 20 66 70 63 5f 6d 61   license=0 fpc_ma
0160   63 3d 20 77 61 6e 5f 63 6f 6e 6e 65 63 74 65 64   c= wan_connected
0170   3d 31 20 6c 69 63 65 6e 73 65 64 5f 63 6c 69 65   =1 licensed_clie
0180   6e 74 73 3d 32 20 61 76 61 69 6c 61 62 6c 65 5f   nts=2 available_
0190   63 6c 69 65 6e 74 73 3d 32 20 6d 61 78 5f 70 61   clients=2 max_pa
01a0   6e 61 64 61 70 74 65 72 73 3d 32 20 61 76 61 69   nadapters=2 avai
01b0   6c 61 62 6c 65 5f 70 61 6e 61 64 61 70 74 65 72   lable_panadapter
01c0   73 3d 32 20 6d 61 78 5f 73 6c 69 63 65 73 3d 32   s=2 max_slices=2
01d0   20 61 76 61 69 6c 61 62 6c 65 5f 73 6c 69 63 65    available_slice
01e0   73 3d 32 20 67 75 69 5f 63 6c 69 65 6e 74 5f 69   s=2 gui_client_i
01f0   70 73 3d 20 67 75 69 5f 63 6c 69 65 6e 74 5f 68   ps= gui_client_h
0200   6f 73 74 73 3d 20 67 75 69 5f 63 6c 69 65 6e 74   osts= gui_client
0210   5f 70 72 6f 67 72 61 6d 73 3d 20 67 75 69 5f 63   _programs= gui_c
0220   6c 69 65 6e 74 5f 73 74 61 74 69 6f 6e 73 3d 20   lient_stations= 
0230   67 75 69 5f 63 6c 69 65 6e 74 5f 68 61 6e 64 6c   gui_client_handl
0240   65 73 3d 20 00 00 00                              es= ...

I could see that the payloads were the same (this is one of many captures, others had subtle adjustments to the config.ini to exactly duplicate home/away), so I surmised that the problem lay with the preceeding portion. Exactly in the area you adjusted. However I had no idea what that preamble was doing. Also, that error was emitted by DAX / CAT / SmartSDR, adding to the opacity. I'll be just a tiny bit smarter if you can share the reasoning behind your adjustment…

I am eager to try your suggestion, @N5YT

N5YT

It was nothing super scientific….I just did a stare and compare of the two packets to find what was different. I used wireshark to figure out the actual payload and then compared byte by byte to find the differences. I did find one or two other differences but changing them didn't prevent the error message, so I changed them back. I wish that I knew the details of the packet, but I don't. From your first packet capture, you may need to use x87 instead. Your payload begins with 38 55 00 87 on line 20. Try both and let us know which worked.

One other change that I made to the script was setting the script to bind to a specific network card in the machine that I am running it from. I inserted the line below after line 68 in the script. Just change the IP to the IP of the machine running the script. I had to do this because I was only seeing the packet created by the script on the loopback port. I assume this is because the computer has multiple nics. I'll have to test on a machine with a single nic to be sure. Making this change, I can connect from any client on this lan.

sock.bind(('192.168.X.X', 0))

Gord-VA7GP

Thank-you; progress!

I did need to adjust and use x87 in the Python script. This eliminates the error I saw previously.

I did try, but don't appear to need, your sock.bind I had to place that after the socket was defined with sock = socket.socket …

Now, on to the Q: How Does It Work?

Wireguard

I cannot get SmartSDR to "see" the Discovery packet. Thus, SmartSDR is only usable with SmartLink. I wonder if this has to do with my own PC / Wireguard configuration, though. I'll look at this more, later.

L2TP

This VPN is built into Windows 11, so I configured my UDM-Pro (Ubiquiti router/firewall) to serve this VPN also. In this case, SmartSDR does see the radio without SmartLink (YAY! That was the goal!).

SmartLink shows high packet-loss depending on time-of-day, load, etc. Between 2% and 16%. But in all cases I have to resize SmartSDR quite a lot smaller before I see the Panadapter, and I can never see the Waterfall. However, all other features appear to work OK (sound, TX, etc).

Two steps forward!

Gord-VA7GP

Not "SmartLink shows high packet-loss" but I should have typed "SmartSDR shows high packet-loss". There is no SmartLink involved at this moment (that is the ultimate goal).

From the fact that the panadapter appears and works at smaller sizes, I don't think I'm blocking UDP traffic at all … it's just not performing very well.

(the machine is a 6-month-old dell i7-13. My workplace-network-connection is 6Gb/s fiber. my UDM-Pro suggests my home-internet is feeding about 1.5Mb/s upstream from my home-based Flex 6400).

Gord-VA7GP

So…. Wireguard VPN!

In the Win11 client configuration, I left a default feature enabled: Block untunnelled traffic. After de-selecting this, SmartSDR over Wireguard works, and it works very nicely!

I had high hopes that WireGuard's known performance would outstrip Windows own L2TP and this appears to be the case. Using WireGuard VPN, SmartSDR is telling me I have 0.01% packet-loss, which is seemingly better than I get with SmartLink! Perhaps due to No Compression???

My home-router is telling me I'm uploading ~4Mb/s from my Flex (with home-cable-max of 5Mb/s), with lots of spectrum FPS (30) and fast(100)/large waterfall display!

Setting FPS=5, Rate=0 and drag-minimizing Waterfall, i cut traffic by 75% (about 1Mb/s) and continue with fantastic-low packet-loss (0 dropped in 5min!) from my workplace-office, Remote.

I'm now a Very Happy Camper!!

N5YT

Glad to hear.

Using my wireguard site-to-site vpn between the radio site and my home network, I usually see about 0.29% packet loss after about an hour of use with two panadapters running about 25 FPS and 80 for the waterfall on each. Definitely useable!

carsco

Hello This script work also at Level3 instead of Level2?
Thanks

Gord-VA7GP

Yes, this script works with a typicai Layer 3 connection (no need for Layer 2 fanciness)