The normal (and preferred) way to access AREDN is via one of the City nodes that is designed to work when the internet is out or via your own AREDN node. But for training and other non-emergency purposes, it is convenient to be able to access AREDN from your smartphone or laptop when you are out of reach of an AREDN access point. This is possible using an OpenVPN tunnel. Tunnel access is straightforward. You install an OpenVPN app on your phone (iOS or Android) or laptop, you request a private key, and you install it. Then, you enable the tunnel when you want to reach AREDN nodes or services. If you have used NordVPN or something similar, the process should be somewhat familiar.

When you install a tunnel, your networking environment changes. In order for your device to look up the IP addresses of AREDN nodes by name, your device needs to use AREDN DNS servers instead of the ones you normally use. Non-AREDN traffic will also be routed over the tunnel (yeah, all of those cat videos...). Both of these may have adverse impacts for you when accessing non-AREDN nodes while the tunnel is up, and sending lots of non-AREDN traffic over the VPN taxes our AREDN networking gear and connections. So, remember to turn the tunnel off to restore your normal networking environment and to keep your normal internet traffic off of the AREDN system.

Usage Guidelines

  1. Resources consumed: As said, AREDN access using OpenVPN is a limited resource that should be used only sparingly. Taking advantage of it when you are traveling in order to check into the AREDN Mattermost net or to check for AREDN chat and email messages are good and proper uses. But leaving the tunnel always connected is not a proper use of the AREDN mesh network and is therefore discouraged.
  2. No privacy guarantees / access at your own risk: Occasional light use of non-AREDN websites while the tunnel is up is fine. Even if your traffic is encrypted (https), we shunt internet traffic at the VPN server over to OESNet so that your https stuff does not transit any Part 97 network. But at the same time, we make no guarantees of privacy when you use AREDN generally or OpenVPN specifically. You are connecting to a system designed and run by amateur radio operators who make no guarantees of anything. Your traffic is handled by devices running open source firmware that has not been vetted for privacy. So disconnect from the VPN when you aren't really using AREDN.
  3. Does not solve the real problem: You may be using a hAP for AREDN access. In the short term, this is fine because it enables access to AREDN from the comfort of home. Using a hAP makes training faster, easier, and more convenient than heading over to a public node. AREDN OpenVPN is similarly convenient. But using either a hAP or AREDN OpenVPN is a kind of crutch. It helps for a while, but it is not a permanent solution. Plan to set up your own AREDN node on backup power. This will give you access to AREDN resources even when your OpenVPN and hAP connections are down because the internet is unavailable.
  4. Double VPN: It is not recommended to run OpenVPN over some other VPN (e.g., NordVPN) nor is it recommended to run another VPN over AREDN.

Setting up your OpenVPN Connection

The following procedure is platform-agnostic and should provide enough detail to get many folks connected. Tammy KG6DQW has created a detailed procedure for iOS -- you will find it below.

Install the Client Software

The first step is to download and install an OpenVPN client for your device. OpenVPN is recommended and is available for iOS, Android, macOS, and Windows.

Request and Install Your OpenVPN Credentials

Once you have your software installed, send an email to W6EI to request credentials. In your email, include the device type you will be using (iOS, Android, Mac, Windows, Linux) along with your full name and callsign. You will receive a file in response. This file is your private access key and is not to be shared with anyone.

Save the key file to a secure location. Then, follow the instructions for your version of OpenVPN to install the key file.

Fire up OpenVPN and test it

Once your key is installed, you can test it out. Remember that OpenVPN is a tunnel over the public internet, so you will need solid connectivity to the internet for this to work. Cellular, WiFi, and wired ethernet should all work as long as you have access to the internet.

Launch OpenVPN and issue the command appropriate for your version to establish the connection.

Once the connection is up, try accessing Mattermost. If you can connect, you are good to go!

Support

AREDN OpenVPN for Palo Alto is a "community supported" effort that comes with a number of guarantees... unfortunately, the number is zero. Head on over to Mattermost (this channel) to discuss problems you may be having. The community will do what it can to help out!

Common Connection Problems

  • Can't ping: with the tunnel disconnected, try pinging the IP address 206.197.44.36. If you can't ping, you won't be able to connect.
  • Can ping, can't connect: even if ping works, your ISP may be blocking the port used by your assigned OpenVPN server (119x). This has been observed sporadically on cellular networks, on enterprise networks and on hotel networks. If you run into such a situation, post a message on Mattermost with the details. In the future, we may establish OpenVPN server endpoints on more innocuous ports that are less likely to be blocked.
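
Before posting connection details on Mattermost, it helps to know which server endpoint and port your profile actually uses, and whether the file that holds your private key is readable by other accounts on your computer. The following is an added example, not part of the original instructions or any AREDN tooling. It assumes the credentials file is a standard OpenVPN client profile; the sample profile, host name and port are constructed placeholders.

```python
import os
import stat

# Constructed sample; host, port and key text are placeholders, not AREDN values.
SAMPLE_PROFILE = """\
client
proto udp
remote vpn.example.net 12345
redirect-gateway def1
<key>
(placeholder: private key text would appear here)
</key>
"""

def summarize_profile(text):
    """Report server endpoints and security-relevant settings in a profile."""
    proto, port = "udp", "1194"  # OpenVPN defaults when the profile is silent
    remotes, inline_key, redirect, in_block = [], False, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):          # end of an inline <ca>/<cert>/<key> block
            in_block = False
        elif line.startswith("<"):         # start of an inline block
            in_block = True
            inline_key = inline_key or line == "<key>"
        elif in_block or not line or line[0] in "#;":
            continue                       # skip embedded material and comments
        else:
            words = line.split()
            if words[0] == "proto" and len(words) > 1:
                proto = words[1]
            elif words[0] == "port" and len(words) > 1:
                port = words[1]
            elif words[0] == "remote" and len(words) > 1:
                remotes.append(words[1:4])
            elif words[0] == "redirect-gateway":
                redirect = True            # the server can also push this option
    endpoints = [(r[0], int(r[1] if len(r) > 1 else port),
                  r[2] if len(r) > 2 else proto) for r in remotes]
    return {"endpoints": endpoints, "inline_key": inline_key,
            "redirect_gateway": redirect}

def permissions_too_open(path):
    """True if group or other users can read the file (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    print(summarize_profile(SAMPLE_PROFILE))
```

When asking for help, share only the endpoint, port and protocol from the summary, never the profile file itself, since it contains your private key.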

iOS-Specific Setup Instructions

Courtesy of KG6DQW

  • OpenVPN seems to work best using cellular service (Wi-Fi turned off; Airplane mode not turned on). Change your Settings whenever it works best for you; just know that you will probably need to do this or you may find yourself getting disconnected a lot.
  • Be aware that while the tunnel is connected, ALL of your data traffic will go through the tunnel. So when you are finished with AREDN, disconnecting the tunnel is highly recommended.
  1. Go to the App Store and find the OpenVPN Connect app.
  2. Install it on your phone. It is free.
  3. OpenVPN is going to give you the option of entering a URL or uploading a file. (I chose the Upload option.)
  4. On your phone, find the text or email containing the profile information that was sent to you from the node operator. Press and hold the attachment icon.
  5. That will bring up a menu. Select “Share”.
  6. That brings up another menu. OpenVPN should be one of the choices. Tap the OpenVPN icon.
  7. Click “Add” to import the profile that was sent to you by the node operator.
  8. The profile name and server hostname will be displayed. Click “Connect”.
  9. Next, a warning that data traffic can be monitored while using OpenVPN. Click “Allow”.
  10. Enter the phone’s passcode for authorization.
  11. OpenVPN status should say Connected.
  12. Swipe up to exit OpenVPN.
  13. Bring up your browser and enter the URL for Mattermost: http://pa-chat.local.mesh
  14. Choose whether you want to View in App or View in Browser. If you do not already have the Mattermost app, click the “Download the App” button to download it.
  15. Click the “Open” button to start up the app.
  16. Enter the server name (http://pa-chat.local.mesh) and a server display name (whatever you want… Bob and I used Palo Alto Mattermost). Click “Connect”.
  17. Log in with the same login that you used when you originally set up a Mattermost account (i.e., lower case call sign plus password).
  18. When you have finished with AREDN, remember to disconnect the tunnel. Go back to the OpenVPN app and move the slider from right to left. The status display should change from Connected to Disconnected.