In this guide, we will demonstrate how to set up a TAK server and configure and install a VPN using ZeroTier to establish an encrypted connection without the need to open any ports on your router. We will also cover setting up a Mumble server for VoIP communication integrated with ATAK. This entire setup will be demonstrated using a Raspberry Pi 3 with only 1GB of RAM.
TAK servers are a crucial component of the Team Awareness Kit (TAK) ecosystem, serving as the central hub for data management and communication between TAK clients such as ATAK and WinTAK. These servers enable information sharing across different TAK platforms, provide a common operating picture for all team members, and support scalability for operations of various sizes.
As of late 2024, there are four notable TAK server options available to the public on GitHub, each catering to different needs and user preferences:
Official TAK Server: Released and open-sourced by the TAK Product Center, this full-featured server provides data access and encryption across disparate networks. It's available for download at tak.gov and on GitHub, offering a comprehensive solution for military and civilian use.
OpenTAKServer: Developed as an alternative open-source TAK server, OTS aims to be user-friendly and versatile, capable of running on both servers and single-board computers like Raspberry Pi.
FreeTAKServer: A Python3 implementation of a TAK Server, FTS is cross-platform and scalable, running from multi-node installations on AWS to Android devices. FTS is free and open-source.
Taky: This lightweight COT server allows multiple ATAK clients to connect simultaneously and is known for its simplicity in design and configuration. It runs efficiently on minimal hardware requirements.
This guide covers the installation and basic configuration of OpenTAKServer on a Raspberry Pi 3B. While straightforward for those familiar with Linux, it may be challenging for beginners.
Raspberry Pi 3B
16GB SD card
Pi OS Lite 64-bit (clean installation)
A computer with an Internet connection
First, make sure the Pi3 is up-to-date:
> sudo apt update -y && sudo apt upgrade -y
Enable automatic updates by installing unattended-upgrades.
> sudo apt install unattended-upgrades
Now we configure it to include Raspbian updates. Open the file 50unattended-upgrades:
> sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
add these two lines inside the Unattended-Upgrade::Origins-Pattern { ... } block and save the file:
"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
In this guide, we will use ufw (Uncomplicated Firewall). To install it, run:
> sudo apt install ufw -y
Now we can allow all ports used by OpenTAKServer and by the other applications we want to expose (the last four rules are optional: rtl_tcp, Grafana, Node Exporter and Prometheus):
> sudo ufw allow proto tcp to any port 64738 comment "Mumble server voice streams"
> sudo ufw allow proto udp to any port 64738 comment "Mumble server voice streams"
> sudo ufw allow proto udp to any port 8890 comment "Publish and view SRT streams"
> sudo ufw allow proto tcp to any port 8889 comment "Publish and view WebRTC streams"
> sudo ufw allow proto tcp to any port 8888 comment "View HLS video streams"
> sudo ufw allow proto tcp to any port 8883 comment "Encrypted MQTT port used for Meshtastic"
> sudo ufw allow proto udp to any port 8554 comment "Publish and view RTSP video streams"
> sudo ufw allow proto tcp to any port 8554 comment "Publish and view RTSP video streams"
> sudo ufw allow proto tcp to any port 8322 comment "Publish and view RTSP(S) video streams"
> sudo ufw allow proto udp to any port 8189 comment "WebRTC"
> sudo ufw allow proto udp to any port 8001 comment "Publish and view RTCP video streams"
> sudo ufw allow proto udp to any port 8000 comment "Publish and view RTP video streams"
> sudo ufw allow proto tcp to any port 1936 comment "Publish and view RTMPS video streams"
> sudo ufw allow proto tcp to any port 1935 comment "Publish and view RTMP video streams"
> sudo ufw allow proto tcp to any port 1883 comment "Unencrypted MQTT port used for Meshtastic"
> sudo ufw allow proto tcp to any port 8089 comment "SSL CoT streaming port"
> sudo ufw allow proto tcp to any port 8088 comment "TCP CoT streaming port"
> sudo ufw allow proto tcp to any port 8080 comment "Web UI and proxy for HTTP API requests to OpenTAKServer port 8081"
> sudo ufw allow proto tcp to any port 8446 comment "Web UI and proxy for certificate enrollment to OpenTAKServer port 8081"
> sudo ufw allow proto tcp to any port 8443 comment "Web UI and proxy for HTTPS API requests to OpenTAKServer port 8081"
> sudo ufw allow proto tcp to any port 443 comment "Web UI and proxy for HTTPS requests to OpenTAKServer port 8081"
> sudo ufw allow proto tcp to any port 80 comment "Web UI and proxy for HTTP API requests to OpenTAKServer port 8081"
> sudo ufw allow proto tcp to any port 22 comment "ssh"
> sudo ufw allow proto tcp to any port 1234 comment "RTL_TCP"
> sudo ufw allow proto tcp to any port 3000 comment "Grafana"
> sudo ufw allow proto tcp to any port 9100 comment "Node exporter"
> sudo ufw allow proto tcp to any port 9090 comment "Prometheus"
Now that the firewall rules are in place, we can turn it on:
> sudo ufw enable
Make sure it is working properly by checking the status. It should show both IPv4 and IPv6 ports:
> sudo ufw status
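Reading the status output for thirty-odd rules by eye is error-prone, so here is a small check that does it for you. This is an added example, not part of the guide or of OpenTAKServer: the UFW_STATUS text below is a constructed excerpt of what `ufw status` prints (only a handful of the rules above are included so the check has something to report), and the function names are my own. On the Pi you would pass "$(sudo ufw status)" instead of the sample.

```shell
#!/bin/sh
# Constructed excerpt of `sudo ufw status` output (not captured from a real
# host); only a few of the guide's rules are included so the check has
# something to report.
UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
64738/tcp                  ALLOW       Anywhere                   # Mumble server voice streams
64738/udp                  ALLOW       Anywhere                   # Mumble server voice streams
8089/tcp                   ALLOW       Anywhere                   # SSL CoT streaming port
8080/tcp                   ALLOW       Anywhere                   # Web UI and proxy for HTTP API requests to OpenTAKServer port 8081
22/tcp                     ALLOW       Anywhere                   # ssh
64738/tcp (v6)             ALLOW       Anywhere (v6)              # Mumble server voice streams
64738/udp (v6)             ALLOW       Anywhere (v6)              # Mumble server voice streams
8089/tcp (v6)              ALLOW       Anywhere (v6)              # SSL CoT streaming port
22/tcp (v6)                ALLOW       Anywhere (v6)              # ssh'

# Count ALLOW rules for one port/proto. IPv6 rows carry "(v6)" as their
# second field, so the action sits in field 3 there.
count_rule() {
    status="$1"; port="$2"; family="$3"
    if [ "$family" = v6 ]; then
        printf '%s\n' "$status" | awk -v p="$port" '$1 == p && $2 == "(v6)" && $3 == "ALLOW" {n++} END {print n+0}'
    else
        printf '%s\n' "$status" | awk -v p="$port" '$1 == p && $2 == "ALLOW" {n++} END {print n+0}'
    fi
}

# Report every expected port/proto that lacks an ALLOW rule for IPv4 or IPv6.
# Prints nothing when the rule set is complete.
missing_rules() {
    status="$1"; shift
    for want in "$@"; do
        [ "$(count_rule "$status" "$want" v4)" -ge 1 ] || echo "$want: no IPv4 rule"
        [ "$(count_rule "$status" "$want" v6)" -ge 1 ] || echo "$want: no IPv6 rule"
    done
}

# Stand-alone run against the constructed sample (on the Pi, pass "$(sudo ufw status)").
missing_rules "$UFW_STATUS" 64738/tcp 64738/udp 8089/tcp 8088/tcp 8080/tcp 22/tcp
```

Against the sample it reports 8088/tcp as missing on both families and 8080/tcp as missing its IPv6 rule, which is exactly the kind of half-applied rule that is easy to overlook in the raw listing. Note that all of the rules in this guide match any source address; ufw also accepts an `in on <interface>` qualifier if you later decide to limit the non-SSH services to the ZeroTier interface.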
Fail2ban is a security tool that automatically bans IP addresses that attempt to log into your server multiple times and fail. It does this by monitoring log files for failed login attempts, and then using firewall rules to block the offending IP addresses for a specified period.
Let's install it first by running:
> sudo apt install fail2ban -y
Now we can create and edit the configuration file. First, make the file jail.local by copying the already existing file jail.conf.
> sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now open jail.local:
> sudo nano /etc/fail2ban/jail.local
and edit the sshd section by adding the following lines. This is how it should look:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
port = ssh
logpath = %(sshd_log)s
# read sshd events from the systemd journal
backend = systemd
enabled = true
filter = sshd
# block the offending address by inserting a ufw deny rule
banaction = ufw
maxretry = 5
bantime = 1h
bantime sets how long the offending address stays banned (one hour here).
maxretry sets how many failed attempts are allowed before the ban action runs.
banaction = ufw blocks the address that triggered the filter by inserting a ufw deny rule, so it is cut off from every port on the device for the duration of the ban.
Now save the file and start fail2ban:
> sudo systemctl enable --now fail2ban
If everything was set up correctly, systemctl will report the fail2ban service as active:
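To make the maxretry/findtime logic of the jail concrete, here is an emulation of the counting that fail2ban performs on sshd failures. It is an added example, not fail2ban code and not part of the guide: the log lines are constructed (RFC 5737 documentation addresses, timestamps simplified to epoch seconds instead of journal dates), and find_bans is my own function. It shows why a slow, spread-out attempt never trips the jail while a burst from one address does.

```shell
#!/bin/sh
# Constructed sshd journal excerpt (not real server output). Timestamps are
# seconds since epoch to keep the arithmetic simple; addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG='1700000000 Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
1700000005 Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
1700000009 Failed password for root from 203.0.113.5 port 51236 ssh2
1700000012 Failed password for root from 198.51.100.7 port 40001 ssh2
1700000014 Failed password for invalid user pi from 203.0.113.5 port 51237 ssh2
1700000020 Accepted publickey for ots from 192.0.2.9 port 50000 ssh2
1700000021 Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
1700004000 Failed password for root from 198.51.100.7 port 40002 ssh2'

# find_bans MAXRETRY FINDTIME
# Emulates the jail: an address is banned once it accumulates MAXRETRY
# failures within a sliding window of FINDTIME seconds. Prints each banned
# address once, in the order the bans would fire.
find_bans() {
    maxretry="$1"; findtime="$2"
    printf '%s\n' "$SAMPLE_LOG" | awk -v maxretry="$maxretry" -v findtime="$findtime" '
        /Failed password/ {
            ts = $1
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # keep only failures still inside the window, then add this one
            n = count[ip] + 0
            kept = 0
            for (j = 1; j <= n; j++)
                if (ts - times[ip, j] <= findtime) { kept++; times[ip, kept] = times[ip, j] }
            kept++; times[ip, kept] = ts; count[ip] = kept
            if (kept >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Stand-alone run with the values used in the jail above (maxretry 5) and a
# ten-minute findtime: only the bursty address is banned.
find_bans 5 600
```

The successful publickey login is ignored because the filter only counts failures, and 198.51.100.7 escapes a ban with maxretry 2 because its second failure arrives more than findtime seconds after the first. fail2ban itself reads the real journal through its sshd filter regexes; this block only reproduces the counting rule so you can reason about the numbers you choose.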
Now comes the easiest part of this guide. Installing OpenTAKServer is as simple as running a single command:
> curl https://i.opentakserver.io/raspberry_pi_installer -Ls | bash -
When prompted to install ZeroTier, confirm only if you have a pre-existing ZeroTier account and network configuration. Otherwise, defer installation until later. Additionally, it is advisable to accept the installation of Mumble, a VoIP server application.
After the installation is completed, check the server status by running:
> sudo systemctl status opentakserver
Now that the server is up and running, you can start tweaking it to fit your needs. Check out this official documentation for all the customization options.
The default configuration for OpenTAKServer is at ~/ots/config.yml. In this section, I'll highlight some specific options that I think should be customized for personal use. To configure the options, simply open the file and make your desired changes.
> sudo nano ~/ots/config.yml
You must restart OpenTAKServer for the changes to take effect:
> sudo systemctl restart opentakserver
OTS_AIRPLANES_LIVE_LAT: Latitude used to query ADS-B data.
OTS_AIRPLANES_LIVE_LON: Longitude used to query ADS-B data.
OTS_AIRPLANES_LIVE_RADIUS: Radius in nautical miles to query ADS-B data.
OTS_CA_CITY: City name for your certificate authority.
OTS_CA_COUNTRY: ISO country code for your certificate authority.
OTS_CA_NAME: Name for your certificate authority.
OTS_CA_ORGANIZATION: Organization name for your certificate authority.
OTS_CA_ORGANIZATIONAL_UNIT: Organizational Unit (OU) name for your certificate authority.
OTS_ENABLE_MESHTASTIC: Enable Meshtastic feature.
OTS_ENABLE_MUMBLE_AUTHENTICATION: This option provides authentication for your Mumble server. When connecting to the Mumble server you will have to use your OpenTAKServer username and password.
Upon initial startup, OpenTAKServer creates an administrator account with the username "administrator" and password "password". Please remember to change this password after logging in for the first time. Go to your web browser and enter your Raspberry Pi's IP address. You should see this screen:
After logging in as an administrator, you can add new users under Admin -> Users -> Add User:
Users can access their accounts on the server by using their username and password to connect to the Raspberry Pi 3's IP address on the network.
ZeroTier is a software-defined networking platform that simplifies VPN creation. By establishing secure, encrypted connections between devices globally, it creates a virtual LAN, ideal for remote TAK server access. Using ZeroTier as a VPN eliminates the complexities of port forwarding and other typical VPN configurations, ensuring secure communication and data transfer for TAK operations regardless of location.
At the time of writing, ZeroTier provides a free tier that supports up to 10 devices. To begin using ZeroTier, you'll need to create an account on their website at https://www.zerotier.com/. Once you have an account, create a private network as described in this tutorial: https://docs.zerotier.com/start/#create-a-network. This created network will function as the virtual network through which End User Devices (EUDs) will establish remote connections to the TAK server.
The admin should copy and distribute either the Network ID or the QR code of the new network to the End User Devices (EUDs). Each EUD therefore needs the ZeroTier application (available for Android and iPhone); joining the network from the app automatically sends an access request to the admin. The admin then approves each request through the ZeroTier Central web interface at https://my.zerotier.com/.
We'll now proceed with the ZeroTier installation on the Raspberry Pi server (in case you did not opt for its installation during the OpenTAKServer setup). Run the following command:
> curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/main/doc/contact%40zerotier.com.gpg' | gpg --import && \
if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
Now you can install it:
> sudo apt update -y && sudo apt upgrade -y
> sudo apt install zerotier-one
On your Raspberry Pi, use the ZeroTier command-line interface (CLI) to join the network. Execute the following command, making sure to replace [NetworkID] with your specific ZeroTier Network ID:
> sudo zerotier-cli join [NetworkID]
Return to https://my.zerotier.com/ on your computer and open the network's configuration to authorize the Raspberry Pi server. Once the node has been authorized and the connection is working, the status check should display output like this:
> sudo zerotier-cli status
200 info 65c1342aef 1.14.2 ONLINE
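Being ONLINE only means the node can reach ZeroTier's root servers; it says nothing about whether the Pi has actually been authorized on your network. The check below ties the two together. It is an added example, not ZeroTier's tooling or part of the guide: the status line reuses the node ID shown above, but the `zerotier-cli listnetworks` output, network IDs, MACs and addresses are constructed placeholders, and zt_ready is my own function. On the Pi you would feed it the live output as shown in the comment at the end.

```shell
#!/bin/sh
# Constructed zerotier-cli output, not captured from a real node. The node ID
# is the one shown in the guide; network IDs, MACs and addresses are placeholders.
ZT_STATUS='200 info 65c1342aef 1.14.2 ONLINE'
ZT_NETWORKS='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 0123456789abcdef ots-lan 02:9b:aa:bb:cc:01 OK PRIVATE ztabcd1234 10.147.17.20/24
200 listnetworks fedcba9876543210 pending-lan 02:9b:aa:bb:cc:02 ACCESS_DENIED PRIVATE ztabcd5678 -'

# zt_ready NETWORK_ID [STATUS_OUTPUT] [LISTNETWORKS_OUTPUT]
# Succeeds only when the node is ONLINE and NETWORK_ID is joined, authorized
# (status OK) and holds a managed address; otherwise prints the reason and fails.
zt_ready() {
    nwid="$1"
    status_out="${2:-$ZT_STATUS}"
    networks_out="${3:-$ZT_NETWORKS}"

    # field 5 of the "200 info" line is the node's reachability
    state=$(printf '%s\n' "$status_out" | awk '$1 == "200" && $2 == "info" {print $5}')
    if [ "$state" != "ONLINE" ]; then
        echo "node is ${state:-unknown}, not ONLINE"
        return 1
    fi

    # the header row also starts with "200 listnetworks", so match on the ID in field 3
    line=$(printf '%s\n' "$networks_out" | awk -v id="$nwid" '$2 == "listnetworks" && $3 == id')
    if [ -z "$line" ]; then
        echo "not joined to $nwid"
        return 1
    fi
    set -- $line   # $6 = membership status, $9 = assigned addresses
    if [ "$6" != "OK" ]; then
        echo "network $nwid status is $6 (authorize the node in ZeroTier Central)"
        return 1
    fi
    if [ "$9" = "-" ]; then
        echo "network $nwid has no managed address yet"
        return 1
    fi
    echo "joined $nwid as $9"
}

# Stand-alone run against the constructed sample. On the Pi, use:
#   zt_ready <NetworkID> "$(sudo zerotier-cli status)" "$(sudo zerotier-cli listnetworks)"
zt_ready fedcba9876543210 || true
zt_ready 0123456789abcdef
```

The ACCESS_DENIED case is the one you will see between running `zerotier-cli join` and clicking the authorization checkbox in ZeroTier Central, so the message points at that step; a network that is authorized but shows "-" for its addresses usually just needs a moment for the managed IP assignment to arrive.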