Setting up a WIRES-X room behind your own self-hosted VPN

Is your ISP using CGNAT? You can either pay for a commercial VPN service or set up your own server.

CGNAT — carrier-grade network address translation — is the bane of all internet users who want to maximize the use of our own networks. Around 10 years ago, I recall being able to access my home network via dynamic DNS, due to ISPs still providing a public IP for individual connections.

This all changed when IPv4 addresses were supposed to have been running out. In the early to mid 2010s, CGNAT saw increased uptake from ISPs and carriers, who adopted it rather than adopting IPv6 for their networks.

In short, we no longer have public IP addresses.

Some ISPs will provide you with a public IP, or even a static IP (especially for business accounts) for an additional subscription. But for the most part, we’re hidden behind their networks.

Of course, one side effect is increased security, since attackers cannot directly reach connected devices and ports. The biggest disadvantage, though, is that applications that need direct inbound access can no longer get it. This had an impact on use cases like gaming and app development. In amateur radio, this affected IP-based applications like Echolink.

WIRES-X is Yaesu’s own Wide-coverage Internet Repeater Enhancement System. The original WIRES was an internet-linked analog radio network. WIRES-X capitalizes on the benefits of digital-modulated radio, with Yaesu establishing its own “Fusion” as its brand of C4FM digital emission type.

As its own proprietary network, WIRES-X also utilizes Yaesu’s own linked node and repeater system. The network topology involves Yaesu’s own servers in Japan acting as the hub for all nodes around the world. Meanwhile, radio amateurs can also run their own “rooms” using another proprietary piece of hardware, the HRI-200 modem.

Unlike unofficial infrastructure, such as the decentralized YSF (“Yaesu System Fusion”) or the central server oriented FCS, WIRES-X relies on hardware connected on-premises. This means that users will require a public-facing IP in order to host a WIRES-X room.

Again, the difference here: YSF and FCS can be set up on a cloud server, which will have its own IP and can even run behind a domain instead of IP. Our DX1ARM digital assets, for example, run on DigitalOcean cloud servers (this is an affiliate link that can support us).

If you want to set up a WIRES-X deployment but your ISP uses CGNAT, you have two options:

  1. Use a VPN to let the WIRES-X network and nodes tunnel into your WIRES-X room behind the CGNAT. Disadvantage: additional latency compared with a direct connection, with possible reliability issues.
  2. Deploy your node and room separately. Your HRI-200 can be physically located anywhere in the world with a public IP. Disadvantages: increased latency, and the need for an additional computer running WIRES-X.

How to set up your WIRES-X room behind a VPN

Rom DU1YQ has an excellent guide on how to set up your own WIRES-X room behind a VPN. Rom’s guide is pretty comprehensive, and it includes additional steps you will need to do for a successful WIRES-X room setup.

He recommends a service like PureVPN. It is somewhat economical with a promo. What’s supposedly around $12 per month for a VPN, public IP and port forwarding service will only cost around $85 for 24+3 months, or essentially $3.14 per month.

Not everyone wants to spend eighty-five bucks for a two-year lock-in, however. And if you already run your own cloud servers, you might as well take advantage of them. For one, our DX1ARM servers cost $5 per month each, running YSF reflectors, Allstar Link nodes, DMR bridges, DVSwitch server accounts, etc., and we want to maximize our utilization.

Here are the steps:

  1. Install OpenVPN Access Server. You can find the official resource here. There’s also a quick guide here.
  2. Give OpenVPN AS some time to set up on your system. Then, set up a password for the user openvpn. You might want to set up certificates at this point.
  3. Set up a DMZ (demilitarized zone) on your OpenVPN AS using the IP address of your server on the following UDP ports: 46100, 46110, 46112, 46114, 46120, 46122. This can be found under User Permissions.

  4. Download the OpenVPN Connect user client for your computer running the WIRES-X software. This can be done from within your own OpenVPN AS, or from OpenVPN’s own website. Be sure to download the user-locked profile (from your own server) for use in your client.
  5. Once you’ve set up your profile, log in to the VPN using the computer running WIRES-X. Be sure to have the password for “openvpn” saved so it can automatically connect. You may want to enable auto connect for seamless operation.
  6. You will need to use the Port check utility of WIRES-X to make sure that traffic can properly be routed to the software from the VPN tunnel. Click on “Delete UPnP Entry” to refresh the routing behind your own network before starting port check.
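
A DMZ entry forwards inbound traffic from the server's public IP straight to the WIRES-X PC, so it is worth confirming on the server that nothing beyond the six UDP ports from step 3 is exposed. The script below is an added example, not part of the original guide or of OpenVPN's tooling: it audits `iptables-save -t nat` output, assuming the forwarding appears there as DNAT rules. The sample rules, addresses and the PREROUTING chain name are constructed; OpenVPN AS may use differently named chains.

```python
import shlex

# UDP ports the guide forwards to the WIRES-X PC (step 3).
WIRESX_UDP_PORTS = {46100, 46110, 46112, 46114, 46120, 46122}

# Constructed sample of `iptables-save -t nat` output; addresses are placeholders.
SAMPLE_NAT_RULES = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -p udp -m udp --dport 46100 -j DNAT --to-destination 172.27.224.2
-A PREROUTING -d 203.0.113.10/32 -p udp -m udp --dport 46110:46114 -j DNAT --to-destination 172.27.224.2
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 172.27.224.2
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 172.27.224.2
COMMIT
"""

def opt(tok, flag):
    """Value following flag in a tokenised rule, or None if absent."""
    return tok[tok.index(flag) + 1] if flag in tok[:-1] else None

def parse_dnat(line):
    """Return (proto, ports) for a DNAT rule, or None for any other line.
    ports is a set of ints, or None when the rule has no --dport match."""
    tok = shlex.split(line)
    if opt(tok, "-j") != "DNAT":
        return None
    proto = opt(tok, "-p") or "all"
    dport = opt(tok, "--dport")
    if dport is None:  # multiport rules also land here and get flagged for review
        return proto, None
    lo, _, hi = dport.partition(":")
    return proto, set(range(int(lo), int(hi or lo) + 1))

def audit(nat_dump):
    """Return (findings, missing): rules exposing more than the WIRES-X ports,
    and WIRES-X ports that no rule forwards."""
    findings, covered = [], set()
    for line in nat_dump.splitlines():
        rule = parse_dnat(line)
        if rule is None:
            continue
        proto, ports = rule
        if proto != "udp" or ports is None:
            findings.append((line, "forwards non-UDP traffic or all ports"))
            continue
        extra = ports - WIRESX_UDP_PORTS
        if extra:
            findings.append((line, f"extra UDP ports: {sorted(extra)}"))
        covered |= ports & WIRESX_UDP_PORTS
    return findings, sorted(WIRESX_UDP_PORTS - covered)
```

On the server, feed it the real dump, for example by passing the output of `iptables-save -t nat` to `audit()`; an empty findings list and an empty missing list mean the forwarding matches step 3 exactly.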

That’s essentially it. Now, operating a WIRES-X room from behind a VPN can have its issues. For one, there is additional latency with traffic being routed from one physical location to another. Secondly, it could be a point of failure, resulting in occasional or even frequent disconnects. But it’s a limitation one would have to live with in order to run a WIRES-X room.

Tip: You don’t have to run the WIRES-X node and room from the same location. If you have a repeater, for example, in the NCR+ area in the Philippines like we do, you can have your WIRES-X room hosted even in another country or location that has a public IP. That might be better than running it at the same place behind a VPN. Your local node can simply connect to that room to link up your repeater to WIRES-X.

Are you on WIRES-X? DMR? YSF? Our links are connected to our repeaters in DU1, which has good coverage across NCR+ and surrounding provinces. You can also join our forum at https://dx1arm.net.
