HamSCI RAC Network Architecture
Overview
The HamSCI Remote Access Channel (RAC) network enables administrators to securely access distributed radio monitoring stations deployed at the homes of citizen scientist volunteers. This document describes how administrators connect through the HamSCI WireGuard VPN and use the Fast Reverse Proxy (FRP) service to reach clients behind NAT firewalls.
1. Network Topology
1.1 The Access Problem
HamSCI monitoring stations are deployed on home networks where:
- Clients have private IP addresses behind consumer NAT routers
- Inbound SSH connections from the internet are blocked by default
- Volunteers may not have the technical expertise to configure port forwarding
- Dynamic IP addresses from ISPs make direct connections unreliable
- Administrators need reliable remote access for maintenance and support
1.2 Architecture Diagram
       ┌─────────────────────────────────────┐
       │          HamSCI VPN Server          │
       │           vpn.hamsci.org            │
       │                                     │
       │  ┌─────────────┐  ┌─────────────┐   │
       │  │  WireGuard  │  │ FRP Server  │   │
       │  │   Server    │  │   (FRPS)    │   │
       │  │  10.3.2.1   │  │ Ports 36000+│   │
       │  └─────────────┘  └─────────────┘   │
       └──────────┬────────────────┬─────────┘
                  │                │
──────────────────┴────────────────┴─────────────────
         HamSCI WireGuard VPN (10.3.2.0/24)
─────────────────────────────────────────────────────
       │                  │                  │
       │                  │                  │
┌──────┴──────┐    ┌──────┴──────┐    ┌──────┴──────┐
│    Admin    │    │   RAC 247   │    │   RAC 251   │
│ Workstation │    │    W3ABC    │    │    K4XYZ    │
│  10.3.2.50  │    │    FRPC     │    │    FRPC     │
└─────────────┘    └──────┬──────┘    └──────┬──────┘
                          │                  │
                     Behind NAT         Behind NAT
                     (Home LAN)         (Home LAN)
1.3 Key Components
| Component | Location | Purpose |
|---|---|---|
| WireGuard Server | vpn.hamsci.org (10.3.2.1) | VPN endpoint for admins and clients |
| FRP Server (FRPS) | vpn.hamsci.org | Accepts reverse tunnels from RAC clients |
| FRP Client (FRPC) | Each volunteer's station | Maintains outbound tunnel to FRPS |
| Admin Workstation | Any location with internet | Connects via WireGuard to manage stations |
2. How Connections Work
2.1 RAC Client Registration
Each volunteer's monitoring station runs an FRP client (FRPC) that establishes an outbound connection to the FRP server:
┌──────────────────────┐                    ┌──────────────────────┐
│    RAC Client 247    │                    │  HamSCI VPN Server   │
│   (Volunteer Home)   │                    │                      │
│                      │                    │                      │
│  ┌────────────────┐  │  Outbound Tunnel   │  ┌────────────────┐  │
│  │      FRPC      │──┼────────────────────┼─▶│      FRPS      │  │
│  │  (initiates)   │  │                    │  │   Port 36047   │  │
│  └───────┬────────┘  │                    │  └───────┬────────┘  │
│          │           │                    │          │           │
│  ┌───────┴────────┐  │                    │          │           │
│  │   SSH Daemon   │◀─┼────────────────────┼──────────┘           │
│  │   (Port 22)    │  │  Tunneled Traffic  │                      │
│  └────────────────┘  │                    │                      │
└──────────────────────┘                    └──────────────────────┘
The client initiates the connection OUTBOUND, which home routers
allow by default. The tunnel then carries inbound SSH traffic.
2.2 RAC ID to Port Mapping
HamSCI RAC clients use IDs in the 200-299 range, mapped to ports 36000-36099:
Port = 35800 + RAC_ID
Examples:
RAC 247 → Port 36047
RAC 251 → Port 36051
RAC 263 → Port 36063
2.3 Administrator Connection Flow
When an administrator needs to access a volunteer's station:
Step 1: Establish WireGuard VPN Connection
─────────────────────────────────────────────
┌─────────────┐         ┌─────────────────────┐
│    Admin    │ WG VPN  │   vpn.hamsci.org    │
│ Workstation │─────────│      10.3.2.1       │
│  10.3.2.50  │         │                     │
└─────────────┘         └─────────────────────┘

Step 2: SSH to FRP Port for Target RAC
─────────────────────────────────────────────
┌─────────────┐         ┌─────────────────────┐         ┌─────────────┐
│    Admin    │   SSH   │        FRPS         │ Tunnel  │   RAC 247   │
│  10.3.2.50  │────────▶│     Port 36047      │────────▶│ SSH Daemon  │
└─────────────┘         └─────────────────────┘         └─────────────┘

Command: ssh -p 36047 wsprdaemon@10.3.2.1
3. Administrator Quick Start
3.1 Prerequisites
- WireGuard installed on your workstation
- WireGuard configuration from HamSCI administrator
- Configuration file (~/.ssr.conf.hamsci) with RAC client list
3.2 Connecting to a RAC Client
Step 1: Activate WireGuard VPN
# macOS
sudo wg-quick up hamsci
# Linux
sudo systemctl start wg-quick@hamsci
# Verify connection
ping -c 1 10.3.2.1
Step 2: Use ssr to connect
# List available RAC clients
ssr
# Connect by RAC ID
ssr 247
# Connect by callsign or site name (partial match)
ssr w3abc
Step 3: Direct SSH (alternative)
# If you know the RAC ID, calculate the port and connect directly
ssh -p 36047 wsprdaemon@10.3.2.1
3.3 First-Time Connection
On first connection to a new RAC client, ssr will:
- Detect that SSH key authentication is not configured
- Prompt you to enter the client's password (from your config file)
- Run ssh-copy-id to install your public key
- Future connections will use key-based authentication
$ ssr 247
Channel name '247' matches channel number 247
Setup autologin to client 'wsprdaemon' by entering the password 'secret123' when prompted
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s)
wsprdaemon@10.3.2.1's password: ********
Number of key(s) added: 1
Connecting to client site 'W3ABC'='W3ABC Springfield IL' ...
wsprdaemon@raspberrypi:~ $
4. Security Model
4.1 Layered Security
The HamSCI RAC network implements defense in depth:
┌────────────────────────────────────────────────────────────┐
│  Layer 4: SSH Authentication                               │
│    Key-based auth required, passwords disabled after setup │
├────────────────────────────────────────────────────────────┤
│  Layer 3: FRP Token Authentication                         │
│    Each FRPC authenticates to FRPS with pre-shared token    │
├────────────────────────────────────────────────────────────┤
│  Layer 2: WireGuard VPN Access                             │
│    Only authorized peers can reach the FRP server ports    │
├────────────────────────────────────────────────────────────┤
│  Layer 1: WireGuard Encryption                             │
│    All traffic encrypted with ChaCha20-Poly1305            │
└────────────────────────────────────────────────────────────┘
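A way to check Layer 2 on the server, as an added example that is not part of the HamSCI tooling: it reads `ss -ltnH` output and reports any listener in the 36000-36099 range that is not bound to the WireGuard address 10.3.2.1. It assumes the restriction is implemented by binding the FRP proxy ports to the VPN address (if a host firewall enforces it instead, wildcard binds are expected); the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag FRP proxy listeners (36000-36099) that are reachable
# on an address other than the WireGuard one. Function names are hypothetical.
VPN_IP=10.3.2.1   # WireGuard address of the server (from this page)

# audit_frp_listeners: read `ss -ltnH` lines on stdin, print "port address"
# for every exposed listener, and return 1 if at least one was found.
audit_frp_listeners() {
    awk -v vpn="$VPN_IP" '
        $1 == "LISTEN" {
            local_addr = $4                      # e.g. 0.0.0.0:36051 or [::]:36063
            n = split(local_addr, part, ":")
            port = part[n] + 0                   # text after the last colon
            addr = substr(local_addr, 1, length(local_addr) - length(part[n]) - 1)
            if (port >= 36000 && port <= 36099 && addr != vpn) {
                print port, addr
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `ss -ltnH` output: one correctly bound tunnel port,
# two wildcard binds in the FRP range, and an unrelated SSH listener.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 10.3.2.1:36047 0.0.0.0:*
LISTEN 0 128 0.0.0.0:36051 0.0.0.0:*
LISTEN 0 128 [::]:36063 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

sample_ss_output | audit_frp_listeners || echo "FRP ports exposed outside the VPN" >&2
```

On the server itself the same function takes live data: `ss -ltnH | audit_frp_listeners`.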
4.2 Protecting the FRP Server from Clients
Threat: A compromised volunteer station attempts to attack the server or other clients.
Protections:
| Protection | How It Works |
|---|---|
| Port Isolation | Each client tunnel terminates at a unique port; no cross-client access |
| No Server Shell | FRP only forwards TCP to the client's SSH; no shell access to server |
| Token Auth | Clients must authenticate with pre-shared token to register tunnels |
| VPN Identity | WireGuard cryptographically identifies each peer |
4.3 Protecting Volunteer Stations from Unauthorized Access
Threat: Someone with access to the VPN attempts to access volunteer stations without authorization.
Protections:
| Protection | How It Works |
|---|---|
| SSH Key Auth | Even with tunnel access, valid SSH key required for login |
| Limited Exposure | Only SSH port exposed; volunteer's home network not accessible |
| Audit Logging | All SSH connections logged on the client |
| Per-Client Keys | Compromise of one station's key doesn't affect others |
4.4 Protecting Volunteer Privacy
The RAC architecture ensures volunteer privacy:
- No inbound ports required on volunteer's home router
- Home IP address not exposed to administrators (traffic routes through VPN)
- Home network isolated — only the monitoring station is accessible, not other devices
- Volunteer controls physical access — can disconnect station at any time
4.5 WireGuard Security Properties
| Feature | Benefit |
|---|---|
| Cryptokey Routing | Peers identified by public key, not IP address |
| Perfect Forward Secrecy | Session keys rotated; past traffic protected if key compromised |
| Silent to Scans | Server doesn't respond to unauthenticated packets |
| Minimal Code | ~4,000 lines vs 100,000+ for OpenVPN reduces attack surface |
5. Configuration Reference
5.1 Configuration File Location
When connected to the HamSCI VPN, ssr automatically loads:
5.2 Configuration File Format
# FRPS_REMOTE_ACCESS_LIST array defines all RAC clients
# Format: RAC_ID,SITE_NAME,USER,FLAGS,CREDENTIALS,DESCRIPTION,PORT_FORWARDS
FRPS_REMOTE_ACCESS_LIST=(
"247,W3ABC,wsprdaemon,,pi raspberry,W3ABC Springfield IL,"
"251,K4XYZ,wsprdaemon,,wd secret123,K4XYZ Atlanta GA,-L 46051:localhost:8081"
"263,N5QWR,hamsci,,admin pass456,N5QWR Houston TX,"
)
Field Descriptions:
| Index | Field | Description |
|---|---|---|
| 0 | RAC_ID | Unique identifier (200-299 for HamSCI) |
| 1 | SITE_NAME | Volunteer's callsign or short identifier |
| 2 | USER | SSH username on the RAC client |
| 3 | FLAGS | Reserved for future use |
| 4 | CREDENTIALS | "username password" for initial ssh-copy-id |
| 5 | DESCRIPTION | Callsign and location (city, state) |
| 6 | PORT_FORWARDS | Additional SSH -L port forwarding arguments |
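The RAC ID to port rule from section 2.2 applied to entries in the format above, as an added example (not the code of ssr itself): it validates the ID, derives the port, and accepts only -L forwards in PORT_FORWARDS so that field cannot carry any other ssh option. The function names and sample entries are assumptions; the address 10.3.2.1 and the 200-299 range are from this page.

```shell
#!/bin/sh
# Added example, not part of ssr. Function names are hypothetical.
VPN_IP=10.3.2.1   # WireGuard address of the FRP server (from this page)

# rac_port ID: print 35800 + ID. Only three-digit IDs 200-299 are accepted,
# which also rejects forms like 0247 that shell arithmetic would read as octal.
rac_port() {
    case "$1" in
        2[0-9][0-9]) echo $((35800 + $1)) ;;
        *) echo "RAC ID '$1' is outside 200-299" >&2; return 1 ;;
    esac
}

# rac_ssh_cmd ENTRY: print the ssh command for one comma-separated entry.
# CREDENTIALS is parsed but never placed in the command.
rac_ssh_cmd() {
    IFS=, read -r id site user flags creds desc fwd <<EOF
$1
EOF
    port=$(rac_port "$id") || return 1
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "RAC $id: bad USER field" >&2; return 1 ;;
    esac
    # PORT_FORWARDS ends up on the ssh command line, so accept only
    # "-L port:host:port" groups and refuse anything else.
    one='-L [0-9]+:[A-Za-z0-9.-]+:[0-9]+'
    if [ -n "$fwd" ] && ! printf '%s\n' "$fwd" | grep -Eq "^$one( $one)*\$"; then
        echo "RAC $id: PORT_FORWARDS may contain only -L forwards" >&2
        return 1
    fi
    echo "ssh${fwd:+ $fwd} -p $port $user@$VPN_IP"
}

# Constructed sample entries in the page's format (placeholder credentials).
while IFS= read -r entry; do
    rac_ssh_cmd "$entry"
done <<'EOF'
247,W3ABC,wsprdaemon,,user PLACEHOLDER,W3ABC Springfield IL,
251,K4XYZ,wsprdaemon,,user PLACEHOLDER,K4XYZ Atlanta GA,-L 46051:localhost:8081
EOF
```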
5.3 Adding Local Overrides
Personal additions can be placed in ~/.ssr.conf.local:
# Add your test systems or personal RAC clients here
FRPS_REMOTE_ACCESS_LIST+=(
"299,TEST,pi,,pi raspberry,My Test Raspberry Pi,"
)
6. Troubleshooting
6.1 Cannot Reach VPN Server
$ ping 10.3.2.1
PING 10.3.2.1: 56 data bytes
Request timeout for icmp_seq 0
Solutions:
- Verify WireGuard is running: sudo wg show
- Check your WireGuard configuration file
- Ensure your internet connection allows UDP port 51820
- Contact HamSCI administrator to verify your peer configuration
6.2 Connection Refused on RAC Port
$ ssh -p 36047 wsprdaemon@10.3.2.1
ssh: connect to host 10.3.2.1 port 36047: Connection refused
Meaning: The volunteer's station is not connected to the FRP server.
Possible causes:
- Station is powered off or rebooting
- Volunteer's internet connection is down
- FRPC service not running on the station
- Station's FRP token is invalid
Action: Contact the volunteer to verify their station is online.
6.3 SSH Key Authentication Fails
$ ssr 247
wsprdaemon@10.3.2.1's password:
Solutions:
- Let ssr run ssh-copy-id with the password from config
- Manually run: ssh-copy-id -p 36047 wsprdaemon@10.3.2.1
- Check that ~/.ssh/id_rsa.pub exists; generate with ssh-keygen if not
6.4 Host Key Verification Failed
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Meaning: The volunteer's station was reinstalled (e.g., new SD card) or a different station now uses that RAC ID.
Solution:
# Remove old host key
ssh-keygen -R "[10.3.2.1]:36047"
# Reconnect and accept new key
ssr 247
7. Command Reference
| Command | Description |
|---|---|
| ssr | List all available RAC clients |
| ssr 247 | Connect to RAC ID 247 |
| ssr w3abc | Connect to RAC matching "w3abc" (partial match) |
| ssr -V | Display ssr version |
Direct SSH Equivalent
# What ssr does internally:
ssh -p 36047 wsprdaemon@10.3.2.1
# With Ka9q-web port forwarding:
ssh -L 46047:localhost:8081 -p 36047 wsprdaemon@10.3.2.1
# Then access http://localhost:46047/ in browser
Appendix: Network Reference
| Resource | Value |
|---|---|
| HamSCI VPN Server | vpn.hamsci.org |
| VPN Server WireGuard IP | 10.3.2.1 |
| VPN Subnet | 10.3.2.0/24 |
| HamSCI RAC ID Range | 200-299 |
| HamSCI FRP Port Range | 36000-36099 |
| Configuration File | ~/.ssr.conf.hamsci |
HamSCI Remote Access Channel Network Documentation
Enabling citizen scientists to contribute to ionospheric research