Split Tunnel VPN Set up for Remote Ham Radio Operations

-

 

Technical Notes: Secure Remote Station Integration via WireGuard

Today we (Gemini, and I) implemented a new VPN configuration to establish a secure, low-latency "network pipe" between my remote operating location in Dallas and the station hardware at the lake.  

We converted my existing WireGuard VPN into a split-tunnel configuration, creating a virtual LAN environment where remote software behaves as if it were locally connected.  This avoids opening ports and exposing the internal network to the public internet

Optimization: Moving from Full Tunnel to Split Tunnel

Initially, the WireGuard configuration was set for a "Full Tunnel" (AllowedIPs = 0.0.0.0/0). While secure, this forced every bit of Dallas internet traffic—including web browsing and 4K video streaming—to travel to the Lakehouse before heading out to the internet. This created unnecessary latency and consumed the Lakehouse's limited upload bandwidth.

The Logic: By switching to a Split Tunnel, we modified the Dallas configuration to only route traffic destined for the 192.168.x.x and 10.x.x.x subnets.
  • The Result: The PC in Dallas now talks to the rotator and amplifier over the secure tunnel, but uses its own high-speed local internet for everything else. This ensures that a heavy download in Dallas won't "choke" the vital control data needed to operate the station.

1. The Infrastructure: WireGuard & Firewall

To avoid the security risks of port forwarding, we utilized a WireGuard tunnel. The key challenge was ensuring the Windows Firewall at the Lakehouse allowed traffic from the VPN subnet while remaining "stealth" to the public web.

  • Subnet Logic: The VPN was configured on a 10.x.x.x subnet, while the Lakehouse LAN operates on 192.168.x.x.
  • The "Trust" Rule: Rather than opening individual ports, we used PowerShell to create a scoped firewall rule that trusts the entire VPN subnet.
  • Once the rules are implemented, toggle the VPN up and down and use ping to confirm the "network pipe" is officially secure and open.
# PowerShell (Admin): Trust the Dallas VPN Subnet
New-NetFirewallRule -DisplayName "Allow WireGuard Subnet" `
    -Direction Inbound `
    -Action Allow `
    -Protocol Any `
    -LocalAddress Any `
    -RemoteAddress 10.x.x.0/24 `
    -EdgeTraversalPolicy Allow


2. Rotator Control: PstRotatorAz

The station uses a Host/Client software architecture. The Lakehouse instance communicates with physical hardware, while Dallas acts as the remote UI.

Syncing the Needles: Dallas was displaying "needle soup" (multiple indicators for local and remote data). To fix this:
1. Mode: Set Dallas to Tracking mode.
2. Display Cleanup: Navigated to View -> Show Rotor Position and unchecked it. This hides the non-existent local hardware needle.
3. Calibration: Verified both instances used the North Stop to align the digital readout with the graphic compass.

3. Amplifier Integration: Elecraft KPA-500

The KPA-500 Remote software was linked via TCP over the tunnel. Because the firewall trusts the VPN subnet, the Dallas client connected instantly to the Lakehouse internal IP.

  • Host (Lakehouse): Listening on port 12050.
  • Client (Dallas): Pointed to 192.168.x.x:12050.
  • Result: Real-time monitoring of power, band, and amp status is now functional in Dallas.

Summary Takeaways

Safety First: By scoping firewall rules to the RemoteAddress of the VPN subnet, we enabled all necessary ham radio ports without exposing the Lakehouse PC to the open internet. Split-tunneling ensures that high-bandwidth activities (like 4K video) stay local to Dallas, keeping the radio control pipe clear.

 






Comments

chris said…
A Quick "Heads Up" for the FlexRadio Step
FlexRadio discovery (the "Radio Chooser") uses Layer 2 UDP broadcasts. Standard WireGuard tunnels are Layer 3 (IP-based), which means the Flex won't automatically "show up" in your list in Dallas like it does at the lake.

There are two options to tackle this:

The "Official" way: Use SmartLink. It’s designed to punch through these exact tunnel limitations.

The "Tunnel" way: If you want to keep it strictly inside WireGuard (no SmartLink), we’ll use a tiny "helper" app in Dallas (like SmartUnlink) that effectively tells SmartSDR: "Hey, the radio is at 192.168.X.X, stop looking for broadcasts and just connect."

For now we'll use Smartlink. But explore the tunnel option another day.

Whenever you're ready to dive into the SmartSDR or DAX setup, just let me know.
4:02 PM
Post a Comment

Popular posts from this blog

Hamclock 4.10 Up and Running WSL

-
Image
I was able to get Hamclock up and running in Christmas Eve just in time to see the Santa tracker.   Very nice edition to the shack — its a fully configurable kiosk-style application that provides real time space weather, radio propagation models, operating events and other information particularly useful to the radio amateur. I’ve been running Hamclock in a full screen in a Chrome browser window (F11 toggles full screen).  Its  FB to access from my tablet in addition to the host PC on my local private network. With a few commands provided in the step by step guide by W4CAE you can run HAMCLOCK on Windows 10 / 11 using the Ubuntu  WSL. To learn more about Windows Linux Subsystem (WSL), click https://learn.microsoft.com/en-us/windows/wsl/about . My version is compiled and installed using the hamclock-web-1600x960 web server only parameters.  For reference  http://127.0.0.1:8081/live.html .   Use port 8082 for RO interface if you should want to make ...
Read more

EdgeOS SQM Smart Queue Management Configuration

-
Image
Network quality is the biggest issue I’ve had when accessing the Flexradio remotely - via hotel WiFi or the LTE connection on my tablet hotspot.  I see a lot of dropped packets, especially in the RX audio, which causes the audio to become scrambled from the radio,  and generates a lot of snap-crackle-pop in the audio on the tablet.  Performance can be improved by reducing bufferbloat in the router (latency and jitter) and by eliminating network packet fragmentation because of the MTU. I've gotten rid of bufferbloat on my remote network by enabling the Smart Queue Management function in my Ubiquiti Networks EdgeRouter X, 4-Port Gigabit Router.  The ER-X runs EdgeOS and is easy to enable with the basic functions, but with some testing and tweaking of  the additional parameters I've found these settings work best for my network.   Nextlink is my Wireless ISP, and I have a static IP set up. Per the waveforms website, with SQM enabled an EdgeRouter 4 can su...
Read more

Field Day 2025 Results

-
Image
ARRL Field Day is in the logs! Temp outside was in the low 90s but felt like 100 here in North Texas . Outside I operated for 4 hours as 2B - 100W, though the first 12 Ah LiFePO4 battery only last about 2 hours. I swapped to my fully charged 15 Ah backup was able to continue without much of a delay. I had 3 portable antennas set up for field day: a Spark Plug EFHW antenna supported by a 19 ft spiderbeam push up mast ; a Chameleon Tactical Delta loop mounted on a ground stake, and the Wolf River Coil mounted on a tripod with telescoping vertical whip and 6 radials. I was able to get good SWR matches for 20 and 15M for all three antennas, but the sparkplug was easily the best field day performer in terms of contacts. The spark plug is rated for 100w but I noticed some of the hot glue was melted off the toroid when I was packing it up. For Sunday morning I switched to 1D -100W, so that I could work 80M and 40M before sunrise and get the 5 call area sections - I go them...
Read more