Building a Secure Web Portal on 44Net Without VPN Headaches

I've been running Node-RED on my home network for a while now, controlling various ham station functions and monitoring gear remotely. The problem? Accessing it from outside my network meant either opening it directly to the internet (yikes) or dealing with VPN clients on every device I wanted to use.

VPNs work, sure, but they're a pain. You need to install clients, manage configurations, deal with connection drops and if you want to give access to other hams in your club? Good luck walking everyone through VPN setup on their computers. Plus, most free VPN solutions limit you to a handful of users.

I wanted something better. A secure web portal that I could access from anywhere with just a browser. No client software, no complicated setup for users, but still locked down tight with proper authentication and encryption.

That's when I decided to build out a proper web portal on 44Net using Traefik and Authelia. After getting it working, I packaged the whole thing into an automated setup script so other hams could use it too.

Here's the project: https://github.com/n3bkv/44Net-Secure-Portal

What This Actually Does

The setup creates a reverse proxy on a Raspberry Pi that sits on your 44Net address (or any public IP). Here's the flow:

    1. Someone hits https://portal.yourcall.org

    2. Traefik intercepts the request and redirects them to https://auth.yourcall.org

    3. Authelia presents a login page

    4. Once authenticated, Traefik forwards the request to your internal service (like Node-RED at 192.168.1.100:1880)

Your internal services never touch the internet directly. Everything goes through the authenticated proxy. And it all happens over HTTPS with automatic Let's Encrypt certificates being generated and maintained.

Why This Works Great for Ham Applications

I'm using this to expose a Node-RED dashboard that controls our remote club station. Other hams in my club can log in and check station status and control various functions. No VPN required - just a bookmark and their credentials.

This same setup works perfectly for:

    • Grafana dashboards showing propagation data

    • Home Assistant instances for station automation

    • Custom web apps for contest logging

    • Club repeater monitoring dashboards

    • Really anything running on your local network

The key advantage over VPN is simplicity for users. I can give someone access by just creating them an Authelia account. They bookmark the URL, log in with their credentials, and they're in. No app installs, no configuration files, no troubleshooting why their VPN keeps dropping.

The One-Command Setup

I spent way too much time getting Traefik and Authelia configured correctly the first time. Docker networking, Let's Encrypt challenges, bcrypt password hashing - there are a lot of moving parts. So I automated the entire thing into a single setup script.

SSH into your Raspberry Pi (that already has a 44Net IP configured) and run:


curl -fsSL https://raw.githubusercontent.com/n3bkv/portal-docker/main/setup-portal-docker.sh -o setup-portal-docker.sh

chmod +x setup-portal-docker.sh

sudo ./setup-portal-docker.sh


The script walks you through a series of prompts:

Portal domain: This is where users will actually go. Example: portal.yourcall.org

Auth domain: Where the login page lives. Example: auth.yourcall.org

Let's Encrypt email: For certificate expiration notices (though Traefik auto-renews them)

Internal server URL: Where your actual service lives. For me that's http://192.168.1.100:1880 for Node-RED

Timezone: Important for Authelia's logs

Username/password/email: Your initial admin account

The script also asks about login lockout settings. I enabled this feature - it temporarily bans IPs after 5 failed login attempts within 10 minutes. The ban lasts an hour. This stops brute force attempts.

What Happens Behind the Scenes

The script handles everything:

    1. Installs Docker if it's not already present

    2. Generates secrets and hashes your password with bcrypt

    3. Creates the entire Docker Compose configuration under /opt/portal-docker

    4. Sets up Traefik with Let's Encrypt certificate resolvers

    5. Configures Authelia with your user database

    6. Launches both containers on an isolated Docker network

    7. Validates the Authelia configuration

Within a minute or two, you've got a production-ready secure portal.

The DNS Setup You Need

Before running the script, you need two DNS A records pointing to your 44Net IP:


portal.yourcall.org    A    44.xx.xxx.xxx

auth.yourcall.org      A    44.xx.xxx.xxx


Both point to the same IP - Traefik uses the hostname to route traffic internally.

You also need ports 80 and 443 open on your firewall. Port 80 is only used for Let's Encrypt's HTTP challenge, then Traefik redirects everything to HTTPS.

My Experience Running This

I set this up about two months ago and it has been rock solid in my testing. Let's Encrypt certificates renew automatically. The login page is fast and works perfectly on mobile. I've started giving access to other hams for testing and nobody has had any issues.

The login lockout feature has already blocked a few bots that found the portal and started trying default credentials. Check your Authelia logs sometime - it's educational how much garbage traffic hits any public-facing web service.
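The lockout rule described earlier (5 failed logins within 10 minutes, one-hour ban), replayed over log lines so you can see which sources it would ban. This is an added example, not code from the project or from Authelia. The log lines are constructed, and the line shape (`time=`, `msg=`, `remote_ip=` fields) and the function names are assumptions to adapt to your own Authelia logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRIES = 5                     # failed logins that trigger a ban
FIND_TIME = timedelta(minutes=10)   # window the failures must fall within
BAN_TIME = timedelta(hours=1)       # length of the ban

# Assumed logfmt-style line shape; adjust to what your Authelia logs show.
FAILED = re.compile(r'time="(?P<ts>[^"]+)".*msg="Unsuccessful 1FA authentication'
                    r' attempt.*remote_ip=(?P<ip>\S+)')

def sample_line(clock, ip, ok=False):
    """Build one constructed log line (sample data, not real traffic)."""
    msg = ("Successful 1FA authentication attempt made by user 'n0call'" if ok
           else "Unsuccessful 1FA authentication attempt by user 'admin'")
    level = "debug" if ok else "error"
    return f'time="2025-01-05T{clock}Z" level={level} msg="{msg}" remote_ip={ip}'

SAMPLE_LOG = "\n".join(
    # 203.0.113.7: five failures in four minutes, then one more while banned
    [sample_line(f"12:0{m}:00", "203.0.113.7") for m in range(5)]
    + [sample_line("12:20:00", "203.0.113.7")]
    # 198.51.100.20: four quick failures, the fifth after the window has passed
    + [sample_line(f"13:{m:02d}:00", "198.51.100.20") for m in (0, 2, 4, 6, 17)]
    + [sample_line("13:50:00", "192.0.2.44", ok=True)]
)

def find_bans(log_text):
    """Return (ip, ban_start, ban_end) for each ban the rule would impose."""
    recent = defaultdict(deque)      # ip -> failure times inside the window
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue                 # successes and unrelated lines
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        ip, window = m["ip"], recent[m["ip"]]
        if ts < banned_until.get(ip, ts):
            continue                 # assumption: attempts during a ban are not counted
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()         # drop failures older than the window
        if len(window) >= MAX_RETRIES:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            window.clear()
    return bans
```

Feed `find_bans` the text of your own Authelia log in place of `SAMPLE_LOG`. A source with many failures that never appears in the result is worth a closer look in the raw log.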

One thing I really appreciate is that my Node-RED instance stays on my internal network. It has no idea it's accessible from the internet. All the security happens at the Traefik/Authelia layer. If there's ever a Node-RED vulnerability, attackers still can't reach it without valid credentials.

Adding More Users

When you want to add users, you edit /opt/portal-docker/authelia/users_database.yml. The format is specific, so follow the example in the README carefully. The indentation matters in YAML files.

Generate a bcrypt hash for the new password:


docker run --rm authelia/authelia:latest authelia crypto hash generate bcrypt --password 'their-password'


Add their entry to the file, then restart Authelia:


docker compose -f /opt/portal-docker/docker-compose.yml restart authelia


The new user can log in immediately. No need to restart Traefik or anything else.

Some Gotchas I Learned

Certificate rate limiting: Let's Encrypt will rate limit you if you request too many certificates in a short time. During testing, I hit this a few times since I wanted to test with production certs. Just wait an hour and try again. Once it's working, Traefik handles renewals smoothly.

Internal URLs with paths: If your internal service needs a specific path (like http://192.168.1.100:1880/ui), you can't make Traefik auto-append that path. The workaround is to include it in your portal URL: portal.yourcall.org/ui

Formatting the users database: Be careful with YAML indentation when adding users. One misplaced space can break authentication for everyone. I keep a backup copy of the file just in case.

Why Not Just Use Cloudflare Zero Trust Access?

Some folks ask why not use Cloudflare Zero Trust Access for this. That works too, but:

    • You're dependent on Cloudflare's infrastructure

    • You're routing all your traffic through their network

    • Some hams prefer keeping things under their own control

    • This solution teaches you about reverse proxies and authentication

That said, Cloudflare Zero Trust Access is totally valid if you prefer that approach. I wanted something I fully controlled and understood, but I am experimenting with it as well.

Security Reminders

Even though this setup is secure, remember you're putting services on the open internet. Some best practices:

    • Use strong, unique passwords for Authelia accounts

    • Enable the login lockout feature

    • Use SSH keys instead of password auth for the Pi itself

    • Run a proper firewall (I use my nftables-firewall-builder script for this - https://github.com/n3bkv)

    • Consider network segmentation - maybe your portal Pi is on a separate VLAN

    • Install fail2ban for additional SSH protection

    • Keep your Pi updated with security patches

The Bottom Line

This setup gives me secure, easy access to our club station setup. No VPN client needed, proper HTTPS with real certificates, and user management is straightforward.

The automated setup script takes the pain out of configuration. What would have taken me several hours of reading Docker documentation and troubleshooting now takes about five minutes.

If you're running anything on your home network that you want to access remotely - especially if you want to share it with other hams - this is worth setting up. It's been a game-changer for our remote station operations.

The project is open source and available here: 

https://github.com/n3bkv/44Net-Secure-Portal

Big thanks to the developers of Traefik and Authelia for building such solid software. And if you use this setup, let me know how it goes!

73 and stay secure!


Note: If you don't have a 44Net IP yet but want to set one up, check out my other project for getting 44Net Cloud working with WireGuard on a Raspberry Pi: https://github.com/n3bkv/44net-cloud-wireguard-rpi
