Monday, 18 November 2019

SvxLink Echolink behind natted provider


Hosting a service on your server at home can be a big problem if, like me, you have a DSL/fiber connection from a provider that NATs its network, as Fastweb, TIM and Vodafone do in Italy.
You can read a technical description of how they do it on Wikipedia: https://en.wikipedia.org/wiki/Carrier-grade_NAT
Now, we want to run the svxlink software in order to have an EchoLink node connected to our station.
My setup is a Kenwood TS-480 + USB audio key + Tinker Board (an ASUS Raspberry clone).
In a previous post you can see how I made the audio cable.
The basic setup of the single-board PC should already be done; connecting it to the internet through a LAN cable is preferred over Wi-Fi.

Now connect the USB audio key and make it the default device by disabling the onboard audio.

Log in as root,
edit the following files (create them if needed):
/etc/modprobe.d/blacklist.conf
and add the line: blacklist snd_bcm2835

edit: /lib/modprobe.d/aliases.conf and comment out "snd-usb-audio index=-2"

create: /etc/modprobe.d/snd_usb_audio.conf and write "options snd_usb_audio index=0"

edit: /etc/modprobe.d/alsa-base.conf and add the following 3 lines:
options snd_usb_audio index=0
options snd_bcm2835 index=1
options snd slots=snd_usb_audio,snd_bcm2835


Then I force the CPU governor into performance mode rather than ondemand:
echo performance > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
and add it to /etc/rc.local to preserve the setting between reboots.

Next install svxlink,
apt-get update; apt-get install svxlink-server

and configure the basic features as follows;
for now I have only created an EchoLink node that listens in RX only.
Edit /etc/svxlink/svxlink.conf
under [SimplexLogic] section edit the lines
CALLSIGN=IU2MEH
under [Rx1] section edit the lines
TYPE=Local
AUDIO_DEV=alsa:plughw:0

under [Tx1] section edit the lines
TYPE=Local
AUDIO_DEV=alsa:plughw:0
AUDIO_CHANNEL=0
PTT_TYPE=NONE 


To find out which AUDIO_DEV to put in the config, run "aplay -l"; you will get output like this:
aplay -l
**** List of PLAYBACK Hardware Devices ****
card 0: Device [USB Audio Device], device 0: USB Audio [USB Audio]
Subdevices: 1/1
Subdevice #0: subdevice #0

As you can see, our USB audio key is card number 0.

The next step is to configure the EchoLink module of svxlink:
edit the file /etc/svxlink/svxlink.d/ModuleEcholink.conf
and change the lines:
CALLSIGN=MyCall-L
PASSWORD=MyPass
SYSOPNAME=MyName
LOCATION=[Svx] …


Then run svxlink as root. If this is the first time you use callsign-L, you should get a message asking you to validate the callsign; you have to visit the EchoLink website and follow the instructions.

SvxLink uses TCP port 5200 and UDP ports 5198 and 5199. These ports have to be reachable from the internet because EchoLink is a p2p protocol, but behind a NATted provider this is "impossible".
To resolve this issue we can use an external server with a VPN,
in my case a VPS bought from https://contabo.com/ that gives us a Linux system with full root access and can be reached from the internet without any issue.


On the external server side install openvpn:
apt-get install openvpn (assuming that your server is debian based)

Generate the certificate authority and keys:
cd /etc/openvpn/easy-rsa/
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh

then generate the key for our svxlink server:
./build-key svxlink 

under the keys directory you should find all the generated files; move them to the /etc/openvpn/ directory
cd keys
mv ca.crt /etc/openvpn/
mv ca.key /etc/openvpn/
mv dh2048.pem /etc/openvpn/
mv server.crt /etc/openvpn/
mv server.key /etc/openvpn/


create and edit /etc/openvpn/server.conf and write the following lines:
port 5050
proto udp
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.128
persist-key
persist-tun
tun-mtu 1500
script-security 2
log /var/log/openvpn.log
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"

client-to-client
keepalive 10 120
verb 2
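
The server.conf above names four credential files, and the earlier step moved ca.key next to them. As an added example (not part of the original post), this shell function checks that each ca/cert/key/dh directive sits on its own line and points to an existing file, that the server private key is not accessible to group or others, and whether the CA private key is stored on the VPN server, where server.conf does not reference it. The function names, finding labels and sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux (stat -c).
# audit_openvpn CONF prints one finding per line; no output means clean.
audit_openvpn() {
    conf=$1
    confdir=$(dirname "$conf")
    for directive in ca cert key dh; do
        # A directive only counts when it starts its own line.
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "MISSING-DIRECTIVE $directive"
        elif [ ! -f "$path" ]; then
            echo "MISSING-FILE $directive $path"
        elif [ "$directive" = key ]; then
            # The server private key must not be accessible to group/others.
            mode=$(stat -c %a "$path")
            if [ $(( 0$mode & 077 )) -ne 0 ]; then
                echo "KEY-PERMS $path $mode"
            fi
        fi
    done
    # ca.key only signs certificates; the server.conf never references it.
    if [ -f "$confdir/ca.key" ]; then
        echo "CA-KEY-ON-SERVER $confdir/ca.key"
    fi
    return 0
}

# Constructed sample: a server.conf plus empty stand-in files under DIR.
make_sample() {
    dir=$1
    for f in ca.crt ca.key server.crt server.key dh2048.pem; do
        : > "$dir/$f"
    done
    chmod 644 "$dir/server.key"
    printf '%s\n' "port 5050" "proto udp" "dev tun0" \
        "ca $dir/ca.crt" "cert $dir/server.crt" \
        "key $dir/server.key" "dh $dir/dh2048.pem" > "$dir/server.conf"
}

# Audit the config given as argument, otherwise the constructed sample.
if [ $# -gt 0 ]; then
    audit_openvpn "$1"
else
    tmp=$(mktemp -d)
    make_sample "$tmp"
    audit_openvpn "$tmp/server.conf"
    rm -rf "$tmp"
fi
```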

edit /etc/default/openvpn, find the AUTOSTART line and set it to:
AUTOSTART="server" # this is the same name as the conf file

restart the openvpn service:
/etc/init.d/openvpn restart

if all is OK you should see a new network interface named tun0 with address 10.8.0.1:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 86819  bytes 92236228 (87.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 70603  bytes 14042290 (13.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enable IP forwarding:
edit /etc/sysctl.conf and uncomment the line
net.ipv4.ip_forward=1
then run:
sysctl -p /etc/sysctl.conf