Mikrotik OpenVPN Configuration

Posted on by

There is heaps of information about configuring a Mikrotik Router as an OpenVPN server on the net.  The following simply documents what I found when I tried to follow in their footsteps.

The first reference I found was Medo’s instructions on how to configure the VPN, I used this to create the certificates, configure the server and get close to a working solution.

However my configuration was a little different in that the remote device I was connecting too (RB411 over 3G) did not have a FQDN only a fixed IP.  So for the ca-template and server-template I used the Fixed IP (xx.xx.xx.xx) for the common name, for the client-template I used the name of the router (RouterName).

/certificate
add name=ca-template common-name=xx.xx.xx.xx days-valid=3650 key-size=4096 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=xx.xx.xx.xx days-valid=3650 key-size=4096 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=RouterName days-valid=3650 key-size=4096 key-usage=tls-client

I’ve changed both the IP and RouterName to protect the innocent, I’m sure any readers will figure out where to insert their own configuration.

I also found that if you did not change the common name of the client-template certificate then the signing process of Medo’s post would fail with a weird error message.

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

Now getting the certs off the remote router was also “interesting”.  This wasn’t something that I’d really done before.   So after a bit of googling and some trial and error I ended up using the pscp utility that is part of the PuTTY package.  You can find the relevant certificates using the /file command.

C:\Program Files (x86)\PuTTY>pscp -r -P 22 user@xx.xx.xx.xx:/* \temp
user@xx.xx.xx.xx's password:
ca-certificate.crt        | 1 kB | 1.8 kB/s | ETA: 00:00:00 | 100%
server-certificate.crt    | 1 kB |   1.8 kB/s | ETA: 00:00:00 | 100%
client-certificate.key    | 4 kB |   1.8 kB/s | ETA: 00:00:00 | 100%

Once I had the certs on my local machine I could continue to follow Medo’s blog.

Now I didn’t want the VPN users to end up in a different IP address space, so I changed my VPN DHCP pool range to be just under the usual Ethernet pool and then set the VPN local address to be the next address under the VPN pool.  Here’s a quick overview;

VPN local_address:  xx.xx.xx.64
VPN dhcp_pool:      xx.xx.xx.65-xx.xx.xx.75
ethernet dhcp_pool: xx.xx.xx.100-xx.xx.xx.200

So I ended up modifying the following commands;

/ip pool
add name="vpn-pool" ranges=xx.xx.xx.65-xx.xx.xx.75

/ppp
profile add name="vpn-profile" use-encryption=yes local-address=xx.xx.xx.64 dns-server=xx.xx.xx.64 remote-address=vpn-pool
secret add name=user profile=vpn-profile password=p4ssw0rd

/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes256 enabled=yes

Now before anyone says anything you need to change the name and password to suit your own VPN user, at the very least make sure you use a good password.  You’ll notice I dropped the AES-128 and AES-192 ciphers in preference to the 256bit option.   More on this later.

This is where I ran into trouble that took me a while to resolve.

I had installed OpenVPN GUI 2.4.5 which simply refused to connect, it throws TLS errors that are odd.  It turns out that as of OpenVPN 2.3.11 there was a change made that makes it incompatible with older Mikrotik routers, you can read all about it here and there is more information here.

This post also talks about being able to use the tls-cipher parameter to force the client to relax it’s checking of certificates, however I wasn’t able to make this work.  It appears that the latest version of RouterOS have fixed this issue, but that has to wait until I’m next at the console of this particular router to upgrade it.

So after uninstalling the latest OpenVPN 2.4.5 GUI and installing an older version OpenVPN 2.3.10, I was able to connect to my RB411 with v3.2.2 firmware with the following config;

client
dev tun
proto tcp-client
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
verb 3
remote-cert-tls server
auth SHA1
auth-user-pass
redirect-gateway def1
ca "C:\\Program Files\\OpenVPN\\config\\ca-server.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"

As you may notice I use Windows for my main machine, so Mac and Linux users will have to do a little more googling on how to specify the paths in this file.   Now the cipher matches the tweak I made to the ovpn-server within the mikrotik router limiting the choice to AES-256 bit.

The proof is in the pudding, after copying all of the certs and config into the approriate directory I could get the VPN client to connect to my remote Mikrotik RB411 router over the VPN.  Many thanks to Medo for blogging his adventures with RouterOS and I hope the suggestions I’ve made above are useful to some.

APRS iGate – Part 3 AX25 Config

Posted on by

Now that the Raspberry Pi is configured we can get back to the radio part again, so lets start with configuring the TNC.

Configure AX25 axports file

Before we can start any ax25 configuration we need to define the call signs and ports in the axports file;

$ sudo nano /etc/ax25/axports

edit the last line to look like this;

# /etc/ax25/axports
#
# The format of this file is:
# name callsign speed paclen window description
#
1 VK5ZM-5 19200 236 2 145.175MHz (1200 bps)

Don’t worry about all the speed, paclen and window values just yet, copy what you see below.  These values are as described in the TNC-Pi user manual.

Configure Kissattach

Now before the ax25 tools can use a TNC it has to be attached to the kernel.  We’ll do this using a utility called kissattach.  This utility will create the necessary ax0 networking interface, we’ll assume our TNC will use the Serial Port ttyAMA0.  Lets test that kissattach will start;

$ sudo kissattach /dev/ttyAMA0 1 10.1.1.1

One note make sure that the IP address passed to the ax0 port is not part of your LAN, it needs to be different !  If you want to be old school you can always throw this into the 44.xx.xx.xx IP address range that was reserved for Amateur use, you can find more details here.

If you dont see any error messages type the following command;

$ ifconfig

look for the following lines;

 ax0: flags=67<UP,BROADCAST,RUNNING> mtu 236
 inet 10.1.1.1 netmask 255.0.0.0 broadcast 10.255.255.255
 ax25 VK5ZM-5 txqueuelen 10 (AMPR AX.25)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

All going well we now have a working ax25 interfaces and most of the TNC configured.

Now we need to make sure kissattach is started after a reboot, so open the following file;

 $ sudo nano /etc/rc.local

We need to add the following lines somewhere near the bottom, I found that the maintainers of raspbian-stretch print the IP address to the console when the machine boots, so I added the following after this;

# starting ax0 interface using kissattach
if [ -x /usr/sbin/kissattach ]; then
  echo "Starting Kissattach: Binding port ax0"
  /usr/sbin/kissattach /dev/ttyAMA0 1 10.1.1.1
fi

You can test this by rebooting and then checking if the service was restarted, but we’ll need to edit this file again before the end of this post so hang tight for a minute !

AXListen

One of the more tricky aspects of configuring ax25 on linux is we must deal with is non-root access to the ax0 interface that we’ve just created.  On any Linux system you normally must have be root or use sudo to access any network interface.

So what we do is the same trick that admins do with the command ping and set the SUID permission bit on the axlisten file.  By setting this permission bit it will allow non-root users to execute this command as if they were root, without being granted any further root privileges.

$ sudo chmod 4755 /usr/bin/axlisten

now we can test it;

$ls -al /usr/biin/ax*
-rwxr-xr-x 1 root root 50836 Sep 20 2015 axcall
-rwxr-xr-x 1 root root 17516 Sep 15 2015 axgetput
-rwsr-xr-x 1 root root 43064 Sep 20 2015 axlisten

Depending on your shell you may find that the text “axlisten” is coloured with a red background.  If you look carefully at the user permission bits (highlighted above in bold) you should see that instead of an X for execute it has changed to an S for SUID.

Unless you have your TNC connected to a radio and channel traffic there is not much point in testing just yet, however if you do simply run;

$ axlisten -c

It can take time but you should see packets being decoded, the yellow LED on the tncpi will also light when a packet is decoded.

One thing I’ve noted (a of Feb 2018) is that axlisten has not been compiled with ncurses support in the latest Raspbian-stretch packages which means there is no colour support.  You will occasionally see “Could not initialize color support” (sic), wihch is annoying since raspbian-jessie works perfectly.  Hopefully the maintainers will fix this oversight at some point.  We can always compile ax25-tools from scratch, Charles K4GBB has an excellent tutorial and script here for those wishing to try this themselves.

Configure Mheard

The mheard daemon monitors the AX25 channels and records call signs that it hears along with some basic stats.   This can be handy for debugging RF issues and just generally gauging how well your node is working.  It’s much the same as the mheard function found in many packet TNC’s in the day.

To get mheard running we simply edit the rc.local file again;

$ sudo nano /etc/rc.local

Then add the following lines at the bottom of the file after where we start kissattach (see above);

# starting mheard daemon
if [ -x /usr/sbin/mheardd ]; then
  echo "Starting Mheard Daemon"
  /usr/sbin/mheardd
fi

Now is probably a good time to test that we will survive a reboot;

$ sudo reboot

Once the Pi has restarted use the following commands to see what happened;

$ ps -aux | grep mheard
root 2049 0.0 0.0 1908 120 ? S Feb17 0:00 mheardd
$ ps -aux | grep kiss
root 413 0.0 0.0 1908 108 ? S Feb17 0:00 /usr/sbin/kissattach /dev/ttyAMA0 1 10.1.1.1

The mheard command needs to monitor the AX25 channels for a little while before it starts recording information, here’s an example of it working.

$ mheard
Callsign Port Packets Last Heard
VK5ZM-7 1 11 Sun Feb 18 09:52:04

If the output remains blank then using axlisten make sure you’re hearing traffic and that the receive LED (yellow) is being illuminated as traffic is heard.   This needs to be working before mheard will start to do something.

Now we can get onto alignment of the radio and some further testing in the next instalment.

APRS iGate – Part 2 Pi Config

Posted on by

Bringing up a Raspberry Pi (rPi) is not difficult for anyone with some basic linux admin skills.  If you haven’t looked at the hardware I’m using you can read this back here in part 1.  The instructions below are the basics of what I’ve done for my rPi, yours will likely be different YMMV.

Prepare Raspbian

I downloaded the latest “lite” version of Raspbian from here at the time of writing that was Raspbian Stretch.  For an iGate you don’t really need all the graphics and bling, the command line is easy to use.

Once downloaded I extracted and wrote the image to an 8Gb SDCard using win32diskimager.   From there the card went in to the Pi and then let it boot with a screen and keyboard attached.   Watch carefully and make sure that the OS expands the image to fill your entire SDCard.

I’d suggest plugging the Pi into your network using the Ethernet adaptor to start with, this is somewhat easier to deal with than setting up the WiFi.

Update, Upgrade and Configure

Once the Pi has booted log in using the default pi user name and password, you can find this on the rPi website.  Once you’re logged in run the following commands;

#sudo apt-get update
#sudo apt-get update

Answer yes to any questions regarding increased disk usage.   This will bring your Pi up to date with all of the latest changes.  Now we’re ready to configure the Pi hardware, execute the following command;

#sudo raspi-config

This will bring up a ncurses menu in which you can configure your Pi.  I’d suggest the following changes are made;

  • Configure your WiFi in the network options menu
  • Configure your localisation options (locale, timezone and keyboard layout)
  • Configure the Interfaces
    • Enable SSH
    • Enable i2c
    • Enable Serial

Once you have finished then exit the raspi-config tool and reboot your Pi

Change the Default User

Personally I don’t use the Pi user account and prefer to create my own user.   I usually run the following commands;

#sudo adduser myuser

Where myuser is your preferred user name.  Follow the questions and when faced with the password don’t be tempted to make it an easy one, especially if you intend to allow external ssh.   If you fear loosing the password then look at Lastpass, there are others but I like Lastpass.

Now still using the pi user open the following file;

#sudo nano /etc/group

Working your way down the file every time you see a line that contains pi add your new users name.  This will then grant your new user the same privileges as the default pi user.  It’s really important you update this one;

sudo:x:27:pi,myuser

Again change “myuser” to your preferred user name and before anyone tries to hack my systems this isn’t the user name I use either (Duh!).   Once you’ve worked your way to the end of this file then save your changes, again google will help you here.

It’s time to test your new account, make sure that you can login and execute sudo commands before you go any further.

Open the following file in your favourite editor;

#sudo nano /etc/shadow

Did I mention I like nano ?  Now look for the line starting with pi, it will be long compared to the others in this file, between the first and second colon replace the text with an asterisk.  Pay careful attention while deleting that you don’t go too far !   It should end up looking something like this;

pi:*:17499:0:99999:7:::

The text between the first and second colon is a hash of the user password, replacing it with the asterisk disables this user from logging in from the console or ssh without deleting the user.  It means you can use the command;

#sudo su pi

to switch to the pi user should you ever need to in the future.

 

Firewall

Personally I don’t like running my Pi’s without some form of firewall.   Right now the firewall is not configured this will be done after the AX25 tools have been installed.  It is up to the reader if they decide to enable the firewall before allowing remote logins to the Pi.

WiFi & Bluetooth

The rPi-3 comes with WiFi and Bluetooth enabled.  I was pleasantly surprised to see both interfaces in the boot up sequence appear and be configured.   The Bluetooth interface does not present any security risks and it should be safe to leave this enabled.

I prefer to connect my rPi’s to Ethernet interfaces in preference to using WiFi.  I’d also like at some point to work out how to get the rPi to perhaps be a WiFi access point, meaning I can log into the machine locally.  That will certainly be a blog entry at some point in the future.  For the time being I’ve simply left the interface un-configured.  Both the Bluetooth and WiFi can be disabled by adding the lines shown to config.txt file in the boot directory;

#sudo nano /etc/config.txt

>> Add these lines to the bottom of config.txt <<
dtoverlay=pi3-disable-bt
dtoverlay=pi3-disable-wifi

Finished ?

Anyway the basic installation and configuration of the Pi is now complete.  Next we can concentrate on configuring the AX25 and iGate software, which I’ll continue in Part 3.

APRS iGate – Part 1 Hardware

Posted on by

In late 2012 I built my first receive only APRS iGate from a Raspberry Pi (rPi) and a Argent Data Tracker T2-301.   This has faithfully sat in a corner of my garage forwarding APRS packets to the internet all this time.  Drawing just shy of 1 watt in power, it doesn’t add any significant costs the household power bill.   I’ve been surprised just how reliable this setup has been and from time to time I even remember to login and check for security updates.

Since I built that first machine there’s been some nice developments in the world of rPi’s and AX25, so I thought I’d share the details of my latest APRS iGate project.

While searching for rPi power supplies I came across the BitScope Blade Uno which can power and hold a Model-B rPi and a HAT.   I was pondering one of these when it hit me that if you take this board, add a rPi and a Coastal ChipWorks TNCPi then I’d have a rather nice hardware platform on which to build a new APRS iGate  Even better is I can stuff it in a small 19″ rack mount case instead of sitting it on a shelf in the garage !.

So I just had to order the bits and wait the for the shipping.  Below is the hardware assembled, total cost just shy of A$150

I ordered the TNCPi as a kit and soldered it together in an hour or so, John W2FS’s kit is easy to build and the instructions are great.   I’ve also decided to use a Raspberry Pi 3 which includes on-board WiFi and Bluetooth.   With the hardware assembled then all we’ve got to do is configure it, which I’ll continue in Part 2.

Hilux Wiring

Posted on by

As part of the final push to get my Hilux past her impending Road Worthy I spent quite a bit of time dealing with the electrical’s.   I hate working on automotive wiring at the best of times so to make my job easier I remove the centre console and seats to give me room to manoeuvre.

After pulling out the seats I found there was a heap of dirt and muck that had collected under the floor mat, along with evidence of a water leak from the front windscreen in both foot wells.   While I was under the floor mat I also took the opportunity to remove unused wiring from different radio experiments, that had accumulated over the years.  Cleaning up the floor pan certainly took a while.

Once the floor pan was clean I was able to tackle the last of the wiring jobs;

  • Get the high beam indicator lamp in the instrument cluster working
  • Get the washer bottle pump working again
  • Replace the second hand combination switch on the steering wheel (again), turns out it had a fault I’d not spotted previously when flashing the high beams with the headlights OFF

Now as you’d expect pulling an old car apart will quickly result in broken plastic clips.  I was a little surprised when the cowling that covers the steering wheel column came part in my hands, it had gone brittle.  Thankfully a suitable replacement it was reasonably priced at the local wrecker.  While I was at the wrecker I also took the opportunity to pick up all those little plastic cover pieces that you loose over the years.

So after the wiring was done it was time to reassemble the interior and put this old girl back together.

Hilux Turbo Blanket

Posted on by

Since rebuilding my old Toyota Hilux engine last year and fitting a turbo I’ve never been happy with the heat shield that was supplied in the kit.

This shield would attach to two studs on the brake booster assembly and hang their keeping the heat from the turbo away from the master brake cylinder.  However the weight and orientation of this bracket did not give me confidence that it would survive under the bonnet on a rough road.  To put it blunt there wasn’t enough mechanical support.  If it were to fail it would potentially cause damage to the braking system which is counter intuitive.

So instead I went looking for a better solution.   After a bit of research I found suppliers for “Turbo Blankets”.  These blankets are made from fire proof materials and are designed to wrap around the turbo exhaust turbine and keep the heat within the turbo and out of the engine compartment.  It relies on the exhaust gases taking the heat out of the engine bay and into the exhaust.   So one was duly ordered from an online supplier which arrived promptly.

Fitting a turbo blanket is fiddly, you will feel like you need three hands.  The two springs that wrap around the exhaust manifold and pipe seem to have a mind of their own.  Perseverance and a little Zen may be required.

So after a few scun knuckles and small injuries I managed to get the turbo blanket fitted.

It’s worth spending a little time making the edges neat, the better the fit the better the heat shielding.  What I like about this arrangement is the weight of the blanket is off the brake booster assembly.

The turbo blanket came with a warning that it should be replaced if removed.  Inside are silica based materials that fuse together when heated.  So moving or breaking these materials by removing will see it’s effectiveness reduced.  So I’ve ordered a spare that will sit in my cupboard if I need to do any work on this in the future.

So the question is how well does it work?  Well getting the turbo hot in a diesel hilux requires hills and load.  I’m lucky to have a long steep grade not too far from my home where I can make the turbo work hard for some time.  So starting at the bottom of the hill we simply pushed the old girl to full boost and held her there until the EGT hit max (550degC), then I could try to pull over and make a measurement.

Now the trick is the EGT cools down really, really fast from this temp so you’ve got to be quick.   When I lept out of the cab having stopped in a parking bay with my phone in hand the EGT was already down to 450 degC and the car had been driven for 20 mins in normal traffic beforehand.

I’d think you agree that the brake booster is not in any danger of being overheated by the exhaust turbine.  So now I’ve just got to wait for some hot weather to arrive and see if I can borrow a Flir temp camera and make some better measurements.  Cant’ wait to see how this goes.

Stackmatch Initial Tests

Posted on by

Well the Stackmatch PCB’s finally came back from the Manufacturer along with the components from Mouser, so it was time to build.  I’m pleased with the 3D model and the actual final assembly, they are pretty close !

This slideshow requires JavaScript.

I’ve not mounted the LED’s on the left hand side yet, this will wait until I can drill the front panel of the diecast enclosure and begin final assembly.  Since I’ve got more than one of these to make I’m getting a template made from steel that I can mount on the front panel and then drill all the holes.

The assembly in the picture above is the first prototype and I wasn’t going to wait for the front panel and die-cast box to be ready before testing.  The connectors have been attached at roughly the right height using an additional nut as a spacer, I’ve only fitted half the standoffs to save some time.

So the question is does it work?

The first test is simply a test of the isolation between ports.  So taking a spectrum analyser with tracking generator the idea is to measure the insertion loss between the input and one output as we switch between all three outputs one at a time and record the results.  All outputs are terminated in a 50 ohm load.  What is interesting with this stackmatch is we can also select “no outputs” where no relays are energised, this has a surprising result on the measured isolation;

This slideshow requires JavaScript.

OK, so what can we deduce from these series of plots.  The Spectrum analyser (SA) tracking generator was on the Stackmatch input, the SA input was on Output #1 unless you missed it.   As we switch each output from #1 to #3 we can see the insertion loss change.  As you would expect when we select output #1 we measure the insertion or through loss of the stackmatch, when we select any output other than #1 we measure the Isolation between ports.

Here’s the all important worst case summary, which is of course at the high end of the HF band i.e 10m;

  • Insertion Loss < -0.2dB
  • Isolation > 37dB

That is not too bad for a single device covering from 160m to 10m.  In real terms it means when we are transmitting 400W PEP (+56dBm) on 10m that less than 80mW (+19dBm) will be leaking out the other two ports.  The same can be said for helping prevent overload in the receiver from adjacent contest stations (i.e. on 20m).  The AREG typically use Elecraft K3’s and high end Icom transceivers so these typically don’t give too hoots about QRO contest stations on adjacent bands in the first place.     The best part is as we go lower in frequency the Isolation increases a further 10dB which can only improve the situation.

The insertion loss is barely measurable, so nothing should be getting really hot or require further bypassing.

Now what was also interesting is the difference in output isolation with no outputs being selected and just one.   The isolation to an unused port increased by +5dB to +6dB when the input was terminated into just one antenna.  That is something that we’ll need to take care of with our control system, not selecting any output is bad.

So then it was a question of moving the Spectrum Analyser input to Port #2, terminating Port #1 and repeating the above measurements again.  We do the same again for Port #3, shuffling the dummy loads and measuring once more.  I’ll not bother putting up all of these plots, suffice to say all of the isolation between ports were within 0.5dB of each other and insertion loss didn’t move.

Now for the main event, parallel combinations.

To do this we use a Return Loss (RL) measurement, so I’ve placed the RL bridge on the input to the Stackmatch and then terminated every output in a good quality dummy load, this is important !.  Then by switching the outputs in succession I can generate the various parallel combinations (25 ohms and 16.7 ohms) and then switch the transformer into to see the effect.  In all cases a 30pF Silver Mica cap has been tacked across the output of the auto transformer as per our previous experiment (click).  Here’s the measured plots;

This slideshow requires JavaScript.

So from our first plot where only one output is selected our return loss looks excellent with the minor exception of a spike at 8MHz.   I’m not sure that this is real just yet and will be doing some further work on what that resonance could be.  It’s got to be a parasitic capacitance there somewhere, will track that down later.   You might notice that the RL is better than -20dB (1.2:1) anyway, so a moot point really.

When we place output #1 and #2 in parallel we get 25 ohms and the RL rises to -10dB as you’d expect.  Then when we kick in the transformer we see an immediate improvement of RL to better than -18dB (1.3:1) at worst case (10m).

Now when we place all three outputs in parallel our RL is destroyed -6dB, but again if we kick in the transformer we see an improvement in RL of -13.5dB (1.6:1).  If you get your calculator out you find the ratios are smack bang on our design of 2.25:1.    So to summarise;

  • Return Loss (1-output) < -20dB
  • Return Loss (2-output) < -18dB
  • Return Loss (3-output) < -13dB

Yaay it works !

So there we have it, the beginnings of a workable stackmatch design.  As with any new design there is still plenty to be tweaked and played with.  In the coming weeks I’ll be;

  • investigating the effect of the cap across the output
  • chasing down that odd parasitic resonance at 8MHz with one antenna selected
  • measuring the temperature rise of the transformer with 120W of CW being blasted into it, or 300W of RTTY to give it some real curry…
  • Making the final enclosures and seeing what effect (if any) this has on the design
  • Trying #16, #20 & #24 gauge PTFE wire on the same core to see if the performance or characteristics of the transformer changes
  • Seeing what effect the +/- J term from various antennas has on the combined feed point impedance that our radio will see (thanks to David VK5DGR for bringing that one up !)

Yes it’s going to be a busy few months as we explore what this new toy can do.

Stackmatch Binocular Matching Transformer

Posted on by

Many stackmatch designs use a toroid core, but I’ve decided to  instead investigate using a multi-aperture “binocular” core.

There are not many manufacturers of large-ish binocular cores that can take the full VK HF limit of 400W PEP, let alone a full kilowasp amplifier !

So to start with I’ve chosen two well known binocular cores that you can obtain from various online suppliers;

  • Amidon BN-61-002
  • Fair Rite 2861010002

Both are the equivalent of each other in terms of price, size and material.  Both are made from Type 61 NiZn Ferrite material with a ui of approximately 125.   This material has good low loss properties and is essentially what others have used for their toroid designs.  It seems like a good place to start.

The transformer is wound the same way as if on a toroid, so take three wires, twist them together (battery drill helps) and wind the desired number of turns through the holes.   It seems sensible to start with a full core and take turns off if I achieved too much inductance.  Both of these cores hold ~4 turns of trifiliar wound 20AWG silver plated PTFE wire, it might add the last turn is hard to do.  All that is left is to series up the windings and tap at the appropriate positions, the schematic is to the right.

To make my measurements I decided to use a variable resistor (R1) to check the effect of load change on the transformer.  I had also seen some designs using a small amount of shunt C across the output to neutralise the output leakage inductance as well, so I placed a variable cap across the variable resistor when needed.

To make these measurements I’m fortunate to have a Spectrum Analyser with tracking generator and a suitable Return Loss Bridge.  The return loss bridge has a directivity of > 45dB at HF.  This means I can see how much energy is being transferred to the load resistor (R1), any RF energy that is being reflected back to the spectrum analyser is therefore wasted, so in all of the screen captures below the lower the Return Loss the better !

You can see the experimental setup in the image below and my initial measurement on the kitchen table…

I’d start these measurements by adjusting R1 until I achieved the lowest Return Loss and then remove the resistor temporarily and measure it separately with a 4-digit ohmmeter.  I wanted to check that I was close to 22.2 ohms in all cases.   With such a low resistance don’t forget to deduct the resistance of the multimeter leads.

Once I had confirmed the impedance transformation was correct I would then tack the trimmer cap across R1 and start with it completely un-meshed (min C).   The cap on the secondary side of our transformer will assist in “tuning” out the output reactance (Xs) of the transformer a little and improving the return loss at the upper end of our plot.

However there is a null that will occur at the low end of VHF that you need to be wary of as it can be unstable, you can if you have enough capacitance bring it into HF spectrum which is not advisable.   You will easily see the point where I’ve added too much in the sequence below.   What you’re looking for is just enough turns to give you the broadest match possible with the smallest value of C across it’s output.

Here’s a sequence of plots showning what happens as you increase C from min (5p) to too much (120p).  This was with 3 turns wound through the core, R1 approx 22.3 ohms;

This slideshow requires JavaScript.

So in the above sequence you can see what the effect that the capacitance has across the output.  As we keep adding capacitance the return loss kept getting better and better before the null appears.  The ideal compromise was somewhere between 65p-80p.

What you can also do is widen out the frequency from 1-200MHz and watch what effect any nulls will have on the response.  It also pays to vary the load (R1) and see what happens as the load decreases below and above the desired match.   I found that as the output impedance goes up the null has a much more prominent effect as the load is varied.

So starting at 4 turns I checked the impedance ratio and then wen’t looking for the best compromise in terms of response, stability and lowest capacitance.   Below are the three best candidates that I found;

This slideshow requires JavaScript.

So as we reduce the turns (inductance!) we see the return loss decrease at the low end, but we also see the required capacitance to flatten out the upper end also reduce.   Based on these measurements the best compromise I found for this transformer is 2T C=30p.   Ideally a return loss less than -20dB is a good target to aim for, I’ll let the reader work out what the equivalent VSWR is for this RL value (hint: it’s low, for additional points also take a look at a RL of -10dB for reference !).

Now to check that this is stable I’ve included a plot that is much wider in terms of checking the VHF region for signs of that null we wish to avoid.  Hmm, this combination is potentially usable up to 6m, now there’s an idea for another day.

Sweet no signs of the null being anywhere close to the MF/HF bands I want to operate over.

Now the ultimate test is to make two of these transformers, place them back to back into a 50 ohm load then measure the insertion loss. That will give me some idea on what sort of loss this transformer will have an ultimate how hot it will get when I attempt to pass 120W CW/FM or 400W pep of SSB.

More to come.

Yet Another Stackmatch Design

Posted on by

In October each year I join my local radio club AREG and participate in the Oceania DX (OCDX) contest.   For the past few years I’ve been the band captain for the 15m/10m station.  We started in 2014 with just an Icom IC-706mk2 and 2 element broadband Hexbeam, but this quickly morphed into a complete Elecraft K-line, Amplifier, SDR’s, filters and Spiderbeam on a 8m pump up mast; as a portable station.

This slideshow requires JavaScript.

So to take our station yet another step forward we need to add additional antennas like mono-band verticals to take advantage of lower propagation angles. Here in VK we are along way from anywhere, so the majority of our propagation on most bands is below 20 degrees.   However before you can take advantage of these additional antennas you need to switch between them.

Trolling the internet for inspiration we discovered the 3 to 1 Broadband Stackmatch.  This is a simple 3 port antenna switch that can individually switch each antenna to the radio, but it can also be used to parallel up any two or all three antennas ports together.

It exploits the fact that two 50+j0 ohm antennas in parallel is 25+j0 ohms and three in parallel just shy of 16.7+j0 ohms.  So by inserting a transformer with a fixed impedance matching ratio we can bring the parallel antennas effective impedance back up close enough for many amplifiers/transceivers not to care about the minor mismatch.   So that is deviously clever and simple.

The equivalent circuit of a stackmatch transformer is shown to the right, you’ll see it drawn many different ways but I find it easier to understand when drawn as an autotransformer.

Accordingly the maths says;

n = Np / Ns
Z’ = (n)^2 x Zload

So lets see what happens;

Np = 3, Ns = 2, n = 3/2 = 1.5

So with two antennas in parallel;

Z’ = (1.5)^2 x 25 = ~65.3 ohms

With three antennas in parallel;

Z’ = (1.5)^2 x 16.7 = ~37.6 ohms

This small impedance mismatch (~14 ohms) either side of 50 ohms will not cause many radios much difficultly. It does however tell us that we must ensure that our antennas are resonant (50+j0) since we have ignored the imaginary impedance for simplicity.  What is also not explained is you need to keep the feedlines to each antenna from the stackmatch as close to the same length as you can or there be more trouble with impedance transformations.

There are plenty of designs on the internet and products available from suppliers but their cost are quite simply prohibitive, especially if you want 6 or more of these units to achieve your desired switching arrangement (*gasp*) at a contest.

So here starts yet another project to design and build my own low cost 3 to 1 Stackmatch.   It certainly has not taken long to come up with a workable 3D model.  It kind of helps that I design products like this every day as an Design Engineer.  I’ve also learnt a trick or two about lowering cost in my time.

However in talking about this project over a coffee with an old work colleague/Boss he reminded me about the perils of using Toroid cores for broadband transformers.  He suggested I should instead use a multi-aperture “binocular” core or “pig nose” core as I seen them listed on eBay (LOL).  These binocular cores also have the added advantage of being smaller than a FT240-61 toroid core that everyone seems fond of.  You can see the grey block in the picture below that represents this core, it’s tiny compared to the equivalent toroid.

So that begs the question, just how good are they ?   Well there is nothing like buying a core and winding one to find out (click).

Tower Project – Hexbeam is Up

Posted on by

So having finally erected the tower I could finally set about getting my K4KIO Hexbeam in the air.   Having spent quite a bit of time rebuilding the Hexbeam it was time to reassemble it in the back yard.

From there we had to man handle it into position.  To get the antenna on the pole we simply released the two front cords that hold the arms together, it makes the antenna a little wobbly for a bit but you’ve just got to be careful.

Again having the tower within 300mm of the shed makes for a rock solid platform from which to work.  I will be adding some perforated steel walk way to the top of the shed in the coming months that will give me a level platform on which to stand.  These shed roofs are slippery when wet, safety first.

Time to send it up

This slideshow requires JavaScript.

In all it’s glory !

Ok so all that is left now is to get inside and start calling…. HALLO CQ !