Connecting to your SDR from anywhere using Tailscale

Photo by Alex Blăjan on Unsplash

Amateur radio connections over a geostationary satellite with a hardware setup in your garden, accessible from any location where you have network connectivity. Powered via the magic of an Analog Devices Pluto SDR, Remote SDR by F1ATB and Tailscale!

After making a school contact with the amateur radio station DP0GVN in Antarctica last year I of course had to build my own QO-100 ground station to be able to talk to other radio amateurs via the Es’hail 2 satellite.

I ended up installing a 1 meter offset dish in the back of our garden.

1 meter offset dish with Bullseye LNB and DX patrol helical antenna for uplink

Combined with a Pluto SDR, a preamplifier and a power amplifier with the excellent SDR Console application I was soon up and running and making contacts.

Initial hardware setup

There was only one issue: the back of my garden is uncomfortably far away from my warm and cosy HAM shack. Moving the dish is not an option, relocating the shack isn’t either. After almost freezing my fingers off writing logs on a chilly winter Sunday (slight exaggeration) I had to find a way to be able to control the radio equipment from a distance (read: preferably my cosy chair close to the fireplace).

Solution part 1: Remote SDR

While searching for a way to make this happen I stumbled upon Remote SDR by André F1ATB. André wrote all the software required to control your SDR via a simple browser interface by adding a Raspberry Pi into the mix. The ingenious part of this solution is that you only need to stream a limited amount of data (2 x 3 kHz audio plus the data for the waterfall plot and some control traffic) over the network connection between the browser and the computer close to the SDR. Compared to connecting the Pluto directly to the network and streaming the complete 500 kHz spectrum in I/Q format, this saves a massive amount of bandwidth.

Side note: André also happens to be an extremely helpful person who was willing to help troubleshoot - in true HAM spirit - an issue with my setup via a remote connection. Thanks again André!

This got me thinking: I do have wifi that covers our garden. If I can enable a remote wifi connection to a Raspberry Pi then I’m all set.

First tests with a Raspberry Pi close to the dish show me that I can reach speeds up to 40 Mbit/s. More than ample for what Remote SDR needs.

Up next: attempting an actual conversation over the satellite. Bummer: as soon as the TX is enabled (which operates at 2.4 GHz) the network speed of the wifi connection is drastically reduced. Apparently the wifi in the Pi does not like the 20 W 2.4 GHz power amplifier to be active. This is not completely unexpected. After connecting the RPi via an ethernet cable to a Ubiquiti UAP-AC-M access point that meshes to the UAP-AC-Pro access point inside our house, the network connection remains solid as a rock and even increases to 80 Mbit/s transfer speeds.

Since version 5 of Remote SDR, André has updated the software so that all traffic is routed via port 443 (HTTPS) on the RPi. This means that from a browser perspective all is fine to allow the use of the microphone to record audio. Of course this means that you need to take care of having a valid server certificate on the RPi. André provides a self-signed certificate in the image, which works fine after accepting it.

However, there is something I can add to the mix that takes care of the certificates using official certificates from the Let's Encrypt certificate authority. Plus, as a bonus, the solution also allows you to access the RPi effortlessly from any location on the globe that has an internet connection…

Solution part 2: Tailscale VPN

Enter the zero-config, zero-worry, best-thing-since-sliced-bread VPN solution called Tailscale.

Tailscale allows you to create your own private VPN without going through complicated setup procedures, taking care of key generation and distribution and having to keep track of key expiry. All things that you get ‘for free’ with traditional VPN solutions.

Basically, you install the client on your devices, you authenticate them using a single account and from then on all devices can reach each other securely through the magic of a WireGuard encrypted VPN mesh. Read all about it here. And oh, in the meantime it will also generate the certificates for your private HTTPS session into your SDR setup.

Basic setup is really trivial:

  • install Tailscale on your computer and on the Raspberry Pi. For the latter see the instructions here. For the former: Tailscale has a client for every platform available, see the App Store of your favourite platform. The software is free for private use, just use a Gmail or GitHub address to authenticate.
  • authenticate the clients you installed.
  • navigate to your Tailscale admin console and authenticate the clients. Make sure to disable the key expiry on the remote SDR client for the VPN connection, as otherwise you’ll need to re-authenticate the client from time to time.
  • now you are able to reach the remote SDR from any computer where you install the client and authenticate with your credentials. This means you can already use the web interface, but it is currently still using the self-signed certificate André included in the image.

Then to enable the HTTPS certificate generation:

  • navigate to your Tailscale admin console and select ‘Settings > Feature previews’. Enable the setting ‘HTTPS’. You’ll receive a subdomain name that ends with ‘’. Your clients will be available to you (and only you) at the hostname <client_hostname>.<yourdomain-name>. This globally available hostname is required for Tailscale to be able to ask Let's Encrypt to issue a certificate for the HTTPS connection.
  • log into the RPi (in fact, just use the newly setup Tailscale VPN connection to do this. Yes it takes a little bit of time to get accustomed to a VPN that is working so transparently, right? 😇)
  • Navigate to the folder where the self-signed certificates are stored and generate the certificate for Remote SDR. Please note: the hostname I selected for the Raspberry Pi in this example is ‘remote-sdr’. If your hostname is different, you need to adapt it for your situation. Thanks to Nick G1BVI for bringing this to my attention.
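$ cd /remsdr
# tailscale cert writes <hostname>.crt and <hostname>.key into the current folder
$ sudo tailscale cert remote-sdr.<your-subdomain>
# keep the original self-signed files as a fallback
$ mv selfsigned.key selfsigned.key.original
$ mv selfsigned.crt selfsigned.crt.original
# point the file names Remote SDR expects at the new key and certificate
$ ln -s remote-sdr.<your-subdomain>.key selfsigned.key
$ ln -s remote-sdr.<your-subdomain>.crt selfsigned.crt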
  • Reboot the RPi to ensure that the webserver of Remote SDR is using the newly generated keys
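
Let's Encrypt certificates expire after 90 days, so the files written by `tailscale cert` have to be re-issued periodically, and the symlink step only works when each link points at the matching `.key` or `.crt` file. The script below is an added example, not part of Remote SDR or Tailscale: it checks both symlinks and re-runs `tailscale cert` when expiry is near. The `/remsdr` folder comes from the steps above; the placeholder hostname, the 30-day threshold and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example (not from Remote SDR or Tailscale). Assumptions: the
# placeholder FQDN, the 30-day threshold and the --run switch.
CERT_DIR="${CERT_DIR:-/remsdr}"                      # folder used in the post
FQDN="${FQDN:-remote-sdr.your-subdomain.invalid}"    # placeholder hostname

# links_ok DIR FQDN: succeed only if selfsigned.key and selfsigned.crt are
# symlinks to FQDN.key and FQDN.crt, and both targets exist and are non-empty.
links_ok() {
    dir=$1; fqdn=$2
    for ext in key crt; do
        link="$dir/selfsigned.$ext"
        [ -L "$link" ] || return 1
        [ "$(readlink "$link")" = "$fqdn.$ext" ] || return 1
        [ -s "$link" ] || return 1    # -s follows the link to its target
    done
}

# needs_renewal CRT DAYS: succeed if CRT is missing, unreadable, or expires
# within DAYS days (openssl -checkend exits non-zero in that case).
needs_renewal() {
    crt=$1; days=$2
    [ -s "$crt" ] || return 0
    ! openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# renew: verify the symlinks, then re-issue the files only when needed.
renew() {
    if ! links_ok "$CERT_DIR" "$FQDN"; then
        echo "selfsigned.key/.crt do not point at $FQDN.key/.crt" >&2
        return 2
    fi
    if needs_renewal "$CERT_DIR/$FQDN.crt" 30; then
        (cd "$CERT_DIR" && sudo tailscale cert "$FQDN") || return 1
        echo "certificate re-issued; reboot the RPi so Remote SDR loads it"
    fi
    openssl x509 -in "$CERT_DIR/$FQDN.crt" -noout -subject -enddate
}

# Does nothing unless asked, e.g. from a weekly cron entry: renew-cert.sh --run
if [ "${1:-}" = "--run" ]; then
    renew
fi
```
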

Open your browser, navigate to https://remote-sdr.<your-subdomain> and start making QSOs! Hope to work you soon on the satellite.

Remote SDR in browser screenshot

73, Lieven ON8HZ

2 responses to “Connecting to your SDR from anywhere using Tailscale”

  1. […] An interesting alternative for doing away with the self-signed certificate is proposed by Lieven ON8HZ. It consists of using the Tailscale VPN and its own security certificates. Once installed, the connection to your Remote SDR is perfectly transparent. Lieven, ON8HZ has described the whole procedure here. […]

  2. […] An interesting alternative to get rid of the self-signed certificate is offered by Lieven ON8HZ. It consists of using the Tailscale VPN and its own security certificates. Once installed, the connection to your Remote SDR is perfectly transparent. Lieven, ON8HZ described the whole procedure here. […]