On May 25, 2025, at 12:56?PM, Alan Blind, WA9WUD via groups.io <a.alan.blind@...> wrote:

?

I know the question was about soft ether VPN, to enable to Maestro to call home, to the LAN, with level 2 bridge.

May I suggest using a pepwave SD WAN tunnel, hardware based on both ends.

If one end needs a mobile router, with cellular connection use this product:

On the Shack side, and the remote?side if there is an existing ISP connection?use this:

Each is at the very low end of the product range and has limited features.? Check out the PepLink web site for the full range of products.? All the routers include the ability to set up a WAN tunnel with level 2 bridge.

Alan. WA9WUD

On Sun, May 25, 2025 at 12:03?PM Mike / K5JR via <k5jr.flex=[email protected]> wrote:

Marty, I run separate RPi's for a Softether server and a node-red server, mainly because my Softether VPN has been in service since 2016, following K6OZY's two part video tutorial. This predates Flex's SmartLink deployment. I use my SE VPN often when out and about to reach my Flex radios without going through SmartLink. My node-red server is not open to the internet, so I VPN in to reach it. The built in Windows and iOS VPN clients natively support the protocol needed.?

If I understand your needs, getting a Maestro connected remotely and not via SmartLink, then yes, you will need some tunneling process - Softether, Wireguard, ZeroTier, Tailscale, etc. The important deployment requirement is that it will need to be a Layer 2 connection for the Flex broadcast messages to be heard at the Maestro. A Layer 3 connection, typical with many VPN's, like OpenVPN, will not pass the UDP broadcasts to the Maestro.?

There's numerous physical ways to achieve getting the Maestro to appear on the same LAN as a radio.?

BTW, the version "upgrade" process for a Softether server on a RPi is to essentially build a new one. Because of this, I've kept my RPi SE server standalone.?

tnx

Mike / K5JR

Alpharetta GA

On May 25, 2025, at 10:36?AM, Marty Boroff via <m_boroff=[email protected]> wrote:

?

Thanks for the reply Mick

We currently have four owners/QTHs sharing the credentials of six radios. I currently have five Pis running dashboards and tailscale. One location the owner is always around to handle any lightning potential but the others are not and depend on the lightning monitoring as one of the tools they use. Tailscale does not require any port forwarding and I think the other owners are just operators who do not actually look at the dashboards.

The sites all use Xfinity and modem/router is leased. Although I could place the gateways in bridge mode I would have to purchase two of the routers and convince two others to do the same.?

Softether requires three ports to be opened.

During my testing of the Softether I found it pretty snappy when used as a stndalone server running on a Pi 5. I attempted to put the bridge Softether on another location. The goal qwas to get to a user administered solution and eliminate Smartlink.?

Strange things happened when I added the bridge and my ability to get to unregistered radios was inconsistent.?

The killer was I would need another Pi for each Maestro that would run Softether and provide a LAN for the Maestro. At least I haven't come across a way for a Maestro to open a VPN connection.

In the meantime thanks Mick for the info on Ubiquity. And it seems Alan Gordan N7AKG, creater of the control system, is working on a cloud based system that may provide a solution for us.

73, Marty

On Sunday, May 25, 2025 at 08:14:44 AM CDT, Mick , W8BE via <w8bea2b2c2=[email protected]> wrote:

Marty,

?

I briefly perused the documentation and I assume you would run the server on the pi and then the client software on your laptop, etc. ? I think from a process standpoint running the vpn server on the pi should not be an issue at all as long as you run it on a pi4/5. I wonder if running on a device inside your network would expose other devices to potential threats. Do you just use a port forward to the Pi VPN server for the tunnel to work?

?

?I just recently cutover to a Ubiquity gateway and it has a built in vpn (Wireguard, OpenVPN , and L2TP).? I use the Wireguard and I have been impressed with how easy it is to setup and I like the fact that the gateway runs the vpn server so no port forwarding to a device inside my network.? ?

?

Regards

?

?

On May 25, 2025, at 3:30?PM, Mike / K5JR via groups.io <k5jr.flex@...> wrote:

?Hey, Bob. The best workaround that I've found for the UDP blocking has been a small travel router. Mine supports a Wireguard client to automatically connect to the Wireguard server built into my Firewalla Purple router sitting behind my AT&T fiber Residential Gateway in "passthrough" mode.?

I was just at a timeshare last week that blocked UDP on their wifi. The laptop connecting to the wifi and SmartLink resulted in the typical "down ramp" display. Connecting to my Softether VPN allowed audio to pass, but no pan/wf.

I had my travel router with me (used it in the vehicle down and back) and set it up to connect to the wifi, auto connecting to my home LAN via the Wireguard client. Connecting the laptop to the travel router wifi allowed me to connect to the Softether server and run the Flex radio as if on my local LAN. Ability to upgrade/downgrade software and all.?

Laptop WiFi (w/Softether client) > TrvlRtr (w/Wireguard client) > Timeshare WiFi > Wireguard server > Softether server >Flex Radio.?

I'm using a GL-iNet AX 1800.?

tnx

Mike / K5JR

Alpharetta GA

On May 25, 2025, at 1:26?PM, Bob Watson via groups.io <kn4hhptc@...> wrote:

?Alan, I have read your discussion with Mike regarding VPN. I am a maestro user. ?However, ?my cell provider (T-Mobile) blocks UDP traffic. ?Would your recommendation to Mike apply to my dilemma as well.

Bob, KN4HH?

On May 25, 2025, at 12:56?PM, Alan Blind, WA9WUD via groups.io <a.alan.blind@...> wrote:

?

I know the question was about soft ether VPN, to enable to Maestro to call home, to the LAN, with level 2 bridge.

May I suggest using a pepwave SD WAN tunnel, hardware based on both ends.

If one end needs a mobile router, with cellular connection use this product:

On the Shack side, and the remote?side if there is an existing ISP connection?use this:

Each is at the very low end of the product range and has limited features.? Check out the PepLink web site for the full range of products.? All the routers include the ability to set up a WAN tunnel with level 2 bridge.

Alan. WA9WUD

On Sun, May 25, 2025 at 12:03?PM Mike / K5JR via <k5jr.flex=[email protected]> wrote:

Marty, I run separate RPi's for a Softether server and a node-red server, mainly because my Softether VPN has been in service since 2016, following K6OZY's two part video tutorial. This predates Flex's SmartLink deployment. I use my SE VPN often when out and about to reach my Flex radios without going through SmartLink. My node-red server is not open to the internet, so I VPN in to reach it. The built in Windows and iOS VPN clients natively support the protocol needed.?

If I understand your needs, getting a Maestro connected remotely and not via SmartLink, then yes, you will need some tunneling process - Softether, Wireguard, ZeroTier, Tailscale, etc. The important deployment requirement is that it will need to be a Layer 2 connection for the Flex broadcast messages to be heard at the Maestro. A Layer 3 connection, typical with many VPN's, like OpenVPN, will not pass the UDP broadcasts to the Maestro.?

There's numerous physical ways to achieve getting the Maestro to appear on the same LAN as a radio.?

BTW, the version "upgrade" process for a Softether server on a RPi is to essentially build a new one. Because of this, I've kept my RPi SE server standalone.?

tnx

Mike / K5JR

Alpharetta GA

On May 25, 2025, at 10:36?AM, Marty Boroff via <m_boroff=[email protected]> wrote:

?

Thanks for the reply Mick

We currently have four owners/QTHs sharing the credentials of six radios. I currently have five Pis running dashboards and tailscale. One location the owner is always around to handle any lightning potential but the others are not and depend on the lightning monitoring as one of the tools they use. Tailscale does not require any port forwarding and I think the other owners are just operators who do not actually look at the dashboards.

The sites all use Xfinity and modem/router is leased. Although I could place the gateways in bridge mode I would have to purchase two of the routers and convince two others to do the same.?

Softether requires three ports to be opened.

During my testing of the Softether I found it pretty snappy when used as a stndalone server running on a Pi 5. I attempted to put the bridge Softether on another location. The goal qwas to get to a user administered solution and eliminate Smartlink.?

Strange things happened when I added the bridge and my ability to get to unregistered radios was inconsistent.?

The killer was I would need another Pi for each Maestro that would run Softether and provide a LAN for the Maestro. At least I haven't come across a way for a Maestro to open a VPN connection.

In the meantime thanks Mick for the info on Ubiquity. And it seems Alan Gordan N7AKG, creater of the control system, is working on a cloud based system that may provide a solution for us.

73, Marty

On Sunday, May 25, 2025 at 08:14:44 AM CDT, Mick , W8BE via <w8bea2b2c2=[email protected]> wrote:

Marty,

?

I briefly perused the documentation and I assume you would run the server on the pi and then the client software on your laptop, etc. ? I think from a process standpoint running the vpn server on the pi should not be an issue at all as long as you run it on a pi4/5. I wonder if running on a device inside your network would expose other devices to potential threats. Do you just use a port forward to the Pi VPN server for the tunnel to work?

?

?I just recently cutover to a Ubiquity gateway and it has a built in vpn (Wireguard, OpenVPN , and L2TP).? I use the Wireguard and I have been impressed with how easy it is to setup and I like the fact that the gateway runs the vpn server so no port forwarding to a device inside my network.? ?

?

Regards

?

?

On May 26, 2025, at 10:26?AM, Marty Boroff via groups.io <m_boroff@...> wrote:

?

Thanks all for the great responses.

One of my cohorts in this project has a GL travel router on Beryl AX. I think it is the GL-MT300. He purchased it because someone on another Flex group recommended it for use with his Maestro. Of course it is still in the box as it arrived from Amazon. I intend to borrow it as a part of my project.

I started with Softether because it provides a bridging capability for the five locations hosting radios for my group. I have eliminated the bridging due to some inconsistencies connecting to a radio.?

I currently have one server defined in each of three locations. One running on a Pi 5 4gb in my location. One running on a Pi3b shared with a Node-red dashboard. And one I am unable to connect with a Pi 3b shared with Node-red.?

This last one gets an error of the server not responding to the connection request. I am able to connect to it with the management software. I will attempt to install a stand alone Pi 4 in this location.

Again thanks for all the great responses.

73, Marty WD9GYM

On Sunday, May 25, 2025 at 05:25:17 PM CDT, Mike / K5JR via groups.io <k5jr.flex@...> wrote:

Thanks, Bret. I'm overdue for an update. Same with node-red.?

tnx

Mike / K5JR

Alpharetta GA

On May 25, 2025, at 4:47?PM, Bret Mills via groups.io <bret.wx7y@...> wrote:

?

Hello to the Group, you can export your Softether settings then do the Linux Upgrades and Updates to all the files and re-install Softether then import your settings. Do this in the "Edit Config" (Gear ICON) with the "Save to File" Tab and "Import File and Apply" Tabs at the bottom of the "Edit Config" window.
I have moved from a Raspberry Pi to a Windows machine and Back using this method in the past almost 10 years. Actually it's easier I think then NODE-RED is to update or Move because you don't have to load all the Pallets, Wish Node_Red would build a way to backup for reinstall but that's another topic.?

But Back to the topic of this message I personally would NOT run them on the same Computer / Pi, I have had a Pi 4 8Gig on it's knees when I had a bunch of quick moving meters like for Modulation and a bunch of stream deck screens having to be drawn and you really don't want to have your VPN traffic slowing down to a unusable state because Node-Red is to busy.

This Email is ONLY for the Person or entity it was addressed to Have a great day Bret WX7Y

--

YMMV
73
Bret
WX7Y

<OpenPGP_0x0B4B9F1DAF6C9D40.asc>