Tunnel access from hotel

WK7G
Tunnel access from hotel
I travel frequently for work and would like to access my mesh from a hotel or remote location.
I have a MikroTik hAP AC 2 connected to my home WAN and a MikroTIk hAP lite for the travel node.
I did the following:
- set up a static IP reservation for the hAP AC2 as 192.168.1.xxx
- set up port forwarding for that same IP address on ports 5525 thru 5534 with TCP/UDP access
- obtained the WAN IP address from my ISP, 217.xxx.xxx.xxx
- created a NO-IP DNS name pointing at the ISP IP address 217.xxx.xxx.xxx

In the AREDN hAP AC 2 server Node GUI:
- entered the NO-IP DNS name in the Tunnel Server box
- created a WireGuard Server entry

My question is: what goes in the Remote Node Name box and do I just leave the generated codes in the other boxes?

On the remote node hAP Lite, when I create the WireGuard client, what goes in those entries?

It would be very helpful if someone did a step by step video or post with the new web interface! I see a few with the old interface.

Thanks in advance!
Scott WK7G

nc8q
Remote access via tunnel
Hi, Scott:

I assume:
your "Home WAN" is 217.x.x.x from your ISP.
your 'Home LAN' is 192.168.1.x .
your 'Home router' port forwards 5525 through 5534 TCP/UDP to your hAP-ac2. (*)
your home hap-ac2's WAN has a 'DHCP reservation' from your home router of '192.168.1.x' .
you have a 'wk7g.ddns.net' (or similar) that resolves to 217.x.x.x .
you have configured a tunnel server entry on your hAP-ac2 for your hAP-ac-lite.

I assume:
your hAP-ac-lite WAN connects via Wi-Fi or ethernet to a remote internet service and obtains a dynamic IP address.
your hAP-ac-lite has a tunnel client entry for 'wk7g.ddns.net' (which routes to your home hAP-ac2).

How did I do?

(*)
You need one port for each remote AREDN node.
I highly recommend wireguard tunnels instead of legacy.
You would then port forward 5525 (or a range 5525-55xx).
(edit: Strike 6525-65xx)

Semantics:
A 'static' IP address is similar to a 'dynamically assigned DHCP' IP address.
They each appear to do the same thing, however if both are used together,
it may be somewhat errant and/or redundant.

73, Chuck
 
WK7G
Chuck, good morning,
You have that all correct!
Do I need to change the port forwarding range on my home router to 6525-65xx?

Wireguard Server setup:
Tunnel Server(DNS Name of this Tunnel Server) = wk7g.ddns.net
Remote Node Name ="WK7G-hAPAC2"
Wireguard key = "auto generated"
Network:Port = "217.XXX.XXX.XXX:5525" ??? do you leave this autogenerated as well?
Wgt = ???

Assuming this is all ok then on the hAP-AC-Lite the Wireguard client setup:
Tunnel Server(DNS Name of this Tunnel Server) = not required
   Remote Server Name = WK7G-hAPAC2
   Wireguard Key = "copy from server entry"
   Network:Port = 217.XXX.XXX.XXX:5525

Hopefully I have this correct now.
Thanks for helping out a newbie!

Scott(WK7G)
nc8q
Remote Server Name = wg7karedn.net
"Assuming this is all ok then on the hAP-AC-Lite the Wireguard client setup:
Tunnel Server(DNS Name of this Tunnel Server) = not required
   Remote Server Name = WK7G-hAPAC2"


Hi, Scott:

No, in your tunnel client configuration, I think:
remote server name = wk7garedn.ddns.net

gelmce@nc8q-desktop:~$ nmap -Pn 217.147.189.141
Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-17 22:10 EDT
Nmap scan report for 217-147-189-141.silverstar.com (217.147.189.141)
Host is up (0.068s latency).
Not shown: 999 filtered ports
PORT     STATE  SERVICE
5060/tcp closed sip

Nmap done: 1 IP address (1 host up) scanned in 63.87 seconds

So, it looks like you have 1 SIP port open.
Do you have a VoIP device?
-----

gelmce@nc8q-desktop:~$ ping -c 1 wk7garedn.ddns.net
PING wk7garedn.ddns.net (217.147.189.141) 56(84) bytes of data.
64 bytes from 217-147-189-141.silverstar.com (217.147.189.141): icmp_seq=1 ttl=52 time=74.6 ms

--- wk7garedn.ddns.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 74.557/74.557/74.557/0.000 ms
gelmce@nc8q-desktop:~$ ping -c 1 WK7G-hAPAC2
ping: WK7G-hAPAC2: Name or service not known
gelmce@nc8q-desktop:~$

 
nc8q
My bad. I will fix.
Hi, Scott:

Sorry, fixed.

Supernode tunnels use 6525-xxxx.
Regular node tunnels use 5525-xxxx.
Wireguard tunnels use UDP.
Legacy tunnels use TCP.

"Do I need to change the port forwarding range on my home router to 6525-65xx?"
No, 5525 (or 5525-55xx). Do not adjust your set.

Wireguard Server setup:
Tunnel Server(DNS Name of this Tunnel Server) = wk7g.ddns.net
Yes, but use the real dynamic domain name.
wk7g.ddns.net did not resolve for me.

Remote Node Name ="WK7G-hAPAC2"
Fine.

Wireguard key = "auto generated"
Yes.

Network:Port = "217.XXX.XXX.XXX:5525" ??? do you leave this autogenerated as well?
Yes, autogenerated. Should look like this format: 172.31.87.180:5525

Network:Port = Wgt = ???
If left blank...defaults to integer 1.
-----

Wireguard client setup:
Tunnel Server(DNS Name of this Tunnel Server) = not required

   Remote Server Name = WK7G-hAPAC2
No, this should be the real .ddns.net domain name or the IP address of your home router's ISP address.

   Wireguard Key = "copy from server entry"
   Network:Port = 217.XXX.XXX.XXX:5525
No, this will be formatted like: 172.31.244.96:5527 and
copied from your home tunnel server.

73, Chuck

 
WK7G
Chuck
Thanks for your patience and time!
Scott WK7G
w6bi
In the docs
Guys, all this info is in the excellent AREDN docs (https://docs.arednmesh.org/en/latest/) maintained by Steve, AB7PA.
I recommend you look the docs over if you have an issue before posting here.

73
Orv W6BI
WK7G
Orv, with all due respect. If it was clear in the documentation I wouldn't be asking questions. Not everyone has experience with network administration. Thanks for your concern though.
Scott WK7G
w6bi
Feedback needed!
Scott, if something's not quite clear in the documentation, please let us know. Steve AB7PA, our "documentarian", would be happy for feedback.

73
Orv W6BI
WK7G
port forwarding??
If the tunnel connection is successful, will the small box to the right of the remote server name turn from a white box to a green box?
I think I'm having problems with my ISP not allowing port forwarding. I go to www.canyouseeme.org and put in my external IP address and port 5525, and it shows the request failed.
w6bi
Port Forwarding
Scott, port forwarding is only needed if your node is the tunnel server. It's not needed if your end is the client.

Orv W6BI
WK7G
I have a MikroTik hAPac2 in my shack connected to 2 Ubiquiti LAP120 sector nodes on my tower. I have set up a tunnel server on the hAPac2. I have also set up a GL-AR300M16 with a tunnel client per the documentation. As far as I know I have set up the tunnel server and the client correctly, but I don't get a green square on either. When I check if port 5525 is accessible with www.canyouseeme.org, it says the connection was refused. I can ping my ISP external address with success. I contacted my ISP tech support and he had to pass it up to a super tech.
WK7G
all the data
Hi Chuck,
The WAN IP address = 217.147.189.141 (this is my IP address in my ISP router)
Router node name = WK7G-MT-hAPAC2-QTH
   mesh address: 10.194.133.131 / 8
   lan address: 10.20.44.25 / 29
   wan address (dhcp): 192.168.1.241 / 24
   wan gateway: 192.168.1.1
   wan dns: 8.8.8.8  8.8.4.4
Remote node = WK7G-GL-AR300
   mesh address: 10.145.15.13 / 32
   lan address: 10.136.120.105 / 29
Right now both nodes are at my QTH
The hAPac2 is connected to an ethernet switch.
The GL-AR300M15 is connected to my laptop that is connected to the WAN via Wifi and the node is on ethernet to my laptop.
I was pinging the 217.147.189.141 via my laptop in a cmd shell from my laptop.
I included 2 screenshots of the Tunnel server setup as well as the Client setup.

Thanks

nc8q
No 'U' turns allowed on the home router's WAN
Instead, try to use your mobile phone's hotspot on the AR300M16 in client mode.
WK7G
Chuck
Good morning, I tried using my phone hotspot with the same results. What turns the switch box from white to green in either the server or client setup?
 
K9LMR
Port forwarding
I struggled with a similar setup this evening, which brought me to this forum for clarification. I re-read the Latest Docs Tunnel section several times during the process. I am using a pair of GL-iNet GL-AR300M16-ext's with 3.25.5.1 AREDN firmware, one as "Server", the other as "Client".

When I configured my office router to forward traffic from the internet (port 5525) to "Server", I failed to "Save" the settings in the office router. It's a Verizon "Home Internet" device and I missed the "Save" button at the top of the screen after entering my settings. DOH!

What worked for me:
1. In your router, assign a reserved LAN IP address for your AREDN Server device.
2. Create a port forwarding rule sending internet port 5525 data to your AREDN Server reserved IP address.
3. *SAVE* the port forwarding rule.

The AREDN User Interface top to bottom:
Server Settings
   Tunnel Server: The current internet (WAN) IP address of your home/office router. (Or appropriate Dynamic DNS statement. I'm not using one.)
   Add tunnel: "Wireguard Server".
   Enter the device name of the authorized tunnel CLIENT node.
   Note the Wireguard key and network IP address generated automatically.
   Click Done.
   "Commit" the changes on the main screen.

Client Settings
   Tunnel Server: Blank, does not apply.
   Add tunnel: "Wireguard Client".
   Add the current internet (WAN) IP address of your home/office router where the "Server" node is located. (Or appropriate Dynamic DNS statement. I'm not using one.)
   Enter the identical Wireguard key and network IP address that were generated for the "Server" node.
   Click Done.
   "Commit" the changes on the main screen.

I set the "Client" node radio to "WAN Client" mode and connected it to "Hotspot" service from my cellphone.
My "Server" node radio is "Off" and its WAN port is cabled to my office LAN.
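The server/client pairing described in this post, together with the port and protocol conventions Chuck listed earlier (regular node tunnels from 5525, supernode tunnels from 6525, WireGuard on UDP, legacy on TCP) and the "no U turns" hairpin caveat, can be checked mechanically before the tunnel is committed. The script below is an added example written for this thread; it is not AREDN project code and not any poster's code. The dictionary field names mirror the GUI labels quoted in the thread, the node names and 172.31.x.x:port format are taken from the thread, and the public addresses (203.0.113.x, 198.51.100.x) and the key string are constructed placeholders.

```python
"""Consistency check for an AREDN WireGuard tunnel server/client pair.

Added example (not AREDN code). Port conventions from the thread: regular node
tunnels start at 5525, supernode tunnels at 6525, WireGuard is UDP, legacy is TCP.
"""
import ipaddress

REGULAR_BASE, SUPERNODE_BASE = 5525, 6525
PROTO = {"wireguard": "UDP", "legacy": "TCP"}


def looks_like_endpoint(value):
    """True if value is an IP literal or a dotted DNS name (e.g. x.ddns.net),
    i.e. something a client out on the internet can actually resolve."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return "." in value and " " not in value


def check_pair(server, client, router, supernode=False):
    """Return a list of findings; an empty list means the entries are consistent.

    server: node_name, remote_node_name, key, network_port, type, wan_ip
    client: node_name, remote_server_name, key, network_port, type, public_ip
    router: public_ip, forward_ports (lo, hi), forward_proto, forward_to
    """
    findings = []
    ttype = server["type"]
    proto = PROTO[ttype]
    port = int(server["network_port"].rsplit(":", 1)[1])
    base = SUPERNODE_BASE if supernode else REGULAR_BASE

    # 1. The client must point at the home router's public address, never at the
    #    server node's own name (the mistake this thread turned on).
    if client["remote_server_name"] == server["node_name"]:
        findings.append("client Remote Server Name is the server's node name; use the router's DDNS name or public IP")
    elif not looks_like_endpoint(client["remote_server_name"]):
        findings.append("client Remote Server Name does not look like a DNS name or IP address")

    # 2. Key and Network:Port are generated on the server and copied verbatim.
    if client["key"] != server["key"]:
        findings.append("Wireguard key on client differs from the server entry")
    if client["network_port"] != server["network_port"]:
        findings.append("Network:Port on client differs from the server entry")

    # 3. The server entry must name the authorized client node.
    if server["remote_node_name"] != client["node_name"]:
        findings.append("server Remote Node Name does not match the client's node name")

    # 4. One port per remote node, counting up from the base for this node class.
    if not base <= port < base + 100:
        findings.append(f"port {port} outside the expected {base}-{base + 99} range")

    # 5. Router forwarding: right port, right protocol, right inside host.
    lo, hi = router["forward_ports"]
    if not lo <= port <= hi:
        findings.append(f"router forwards {lo}-{hi}, which does not cover port {port}")
    if proto not in router["forward_proto"]:
        findings.append(f"{ttype} tunnels use {proto}; router forward rule allows {router['forward_proto']}")
    if router["forward_to"] != server["wan_ip"]:
        findings.append("router forwards to an address other than the server node's WAN address")

    # 6. Hairpin: a client behind the same router only reaches the public IP if
    #    the router does NAT loopback ("no U turns" in the thread).
    if client["public_ip"] == router["public_ip"]:
        findings.append("client and server share one public IP; test from another network (e.g. phone hotspot)")
    return findings


# Constructed sample entries; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SERVER = {"node_name": "WK7G-hAPAC2", "remote_node_name": "WK7G-GL-AR300",
          "key": "constructed-key", "network_port": "172.31.87.180:5525",
          "type": "wireguard", "wan_ip": "192.168.1.241"}
ROUTER = {"public_ip": "203.0.113.10", "forward_ports": (5525, 5534),
          "forward_proto": "TCP/UDP", "forward_to": "192.168.1.241"}
CLIENT_WRONG = {"node_name": "WK7G-GL-AR300", "remote_server_name": "WK7G-hAPAC2",
                "key": "constructed-key", "network_port": "172.31.87.180:5525",
                "type": "wireguard", "public_ip": "203.0.113.10"}
CLIENT_OK = dict(CLIENT_WRONG, remote_server_name="example-home.ddns.net",
                 public_ip="198.51.100.7")

if __name__ == "__main__":
    for label, entry in (("wrong", CLIENT_WRONG), ("ok", CLIENT_OK)):
        print(label, check_pair(SERVER, entry, ROUTER) or ["consistent"])
```

Running it flags two things for the "wrong" client (the server's node name in Remote Server Name, and testing from behind the same public IP) and nothing for the corrected one, which is exactly the pair of problems worked through above.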
WK7G
Struggles
Thanks for the response. 
I have read through the documentation so many times now. I have watched video after video and I seem to be missing something. 
I have created the server entries exactly as they should be. 
Troubleshooting questions:
1. When you create the server entry, when does the box to the right of the [remote node name] turn from white to solid green? I assume if you click on it and it turns to red that it is disabled.
2. When you create the Client entry on the remote node when does the box turn to green?
I am trying to troubleshoot why I can't get it active. Is it my ISP port forwarding not working? Is it a setting for my server node or is it on my client node?
w6bi
Tunnel stuff
The squares turn green (on both ends) when the tunnel comes up. Do you have your home router's port forwarding set to forward port 5525 to the IP address of your tunnel server? That's all that needs to be done on the server end. The client end doesn't need anything beyond configuring the tunnel.

Orv W6BI
WK7G
port forwarding??
I think I've narrowed it down to my port forwarding not working or being blocked by my ISP. I spent an hour on the phone with the tech from my ISP, and all he ended up doing was resetting my router remotely and telling me port forwarding was OK and it was something internal that wasn't available.

I opened a Windows PowerShell and used the test-netconnection command. Something must be blocking access. I know it was testing TCP and not UDP, but either way it failed. I'm learning, but it's quickly going beyond my network experience.
 
PS C:\WINDOWS\system32> test-netconnection wk7garedn.ddns.net -port 5525
WARNING: TCP connect to (217.147.189.141 : 5525) failed

ComputerName           : wk7garedn.ddns.net
RemoteAddress          : 217.147.189.141
RemotePort             : 5525
InterfaceAlias         : Wi-Fi
SourceAddress          : 192.168.1.171
PingSucceeded          : True
PingReplyDetails (RTT) : 1 ms
TcpTestSucceeded       : False

PS C:\WINDOWS\system32>
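Scott's own aside in the post above is the important one: Test-NetConnection -Port and canyouseeme.org both perform a TCP connect, while a WireGuard tunnel listens on UDP, so a failed TCP test on port 5525 does not by itself show that the forward is broken. The script below is an added example for this thread, not the project's or any poster's code. It binds an ordinary UDP socket on loopback as a constructed stand-in for a WireGuard listener (a real WireGuard endpoint additionally stays silent to unauthenticated packets), then shows that a TCP connect to that port is refused while a UDP datagram is delivered; the `interpret` helper is likewise an added, hypothetical function that spells out what a TCP probe result means for each AREDN tunnel type.

```python
"""Why a TCP connect test cannot confirm a WireGuard (UDP) tunnel listener.

Added example, not AREDN code. The UDP listener is a constructed stand-in for
the WireGuard endpoint; it only needs to exist on a port to make the point.
"""
import socket


def tcp_connect_succeeds(host, port, timeout=1.0):
    """The same kind of probe as Test-NetConnection -Port: a TCP handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable
        return False


def probe_udp_listener(port=0):
    """Bind a UDP listener on loopback (port 0 = any free port), then probe it
    with a TCP connect and with a UDP datagram.

    Returns {"port", "tcp_test", "udp_delivered"}.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", port))
    listener.settimeout(1.0)
    port = listener.getsockname()[1]
    try:
        # A TCP probe against a UDP-only port is refused: nothing is listening on TCP.
        tcp_result = tcp_connect_succeeds("127.0.0.1", port)
        # The same port accepts UDP, which is what the tunnel actually uses.
        probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            probe.sendto(b"constructed probe", ("127.0.0.1", port))
            data, _ = listener.recvfrom(64)
        finally:
            probe.close()
        return {"port": port, "tcp_test": tcp_result,
                "udp_delivered": data == b"constructed probe"}
    finally:
        listener.close()


def interpret(tunnel_type, tcp_test_succeeded):
    """What a TCP probe result tells you for each AREDN tunnel type
    (legacy tunnels are TCP, WireGuard tunnels are UDP, per this thread)."""
    if tunnel_type == "legacy":
        return ("TCP tunnel port reachable" if tcp_test_succeeded
                else "legacy tunnel port blocked or not forwarded")
    if tunnel_type == "wireguard":
        return ("TCP probe is not meaningful for a UDP tunnel; "
                "a failed TCP test does not prove the forward is broken")
    raise ValueError(f"unknown tunnel type: {tunnel_type}")


if __name__ == "__main__":
    result = probe_udp_listener()
    print(result)
    print(interpret("wireguard", result["tcp_test"]))
```

The practical consequence for the situation in this thread: the only conclusive test of a WireGuard forward is whether the tunnel comes up (the square turning green) from a client on a different network, since neither a TCP port checker nor ping to the router's address exercises the UDP path.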
WK7G
Success finally
Update:
I finally got my tunnel to work! Thanks to K9LMR!!!
What I changed to make it work was in the CLIENT setup.
The key was not using the actual name of the SERVER Node and instead putting in the actual ISP WAN IP address in the Remote Server Name box.

I appreciate all the constructive help from everyone. I hope this helps someone else in the future!

Scott
 
K9LMR
Junior Gophers Meet Up in the (G)AREDN
I am quite pleased my post nudged you in the right direction.  I am only a few hours ahead of you as a first time tunnel configurator.
I love this hobby because folks behind and within projects like AREDN not only create amazing firmware/software but offer all levels of support to anyone who asks.
Offering little more than my amateur callsign, I've enjoyed conversations on countless radio and non-radio subjects.
73,  David
WK7G
I totally agree! It's what Amateur Radio is all about. I had an Elmer, N2AM, that took me under his wing and explained things without talking down to me. I've tried to pay that back to others. It's the only way this hobby will survive and grow! Thanks again!
