GW-AN08 Connection to ChirpStack Basic Station LNS Protocol (with TLS) Guide
The GDO51 series outdoor gateways and GDI51 series indoor gateways from Manthink are both built on the Ubuntu system, offering powerful edge computing capabilities and protocol compatibility. They support various mainstream protocol access methods, including Basic Station, GWMP, TTN, and ChirpStack Packet Forwarder. This document will focus on how to securely connect Manthink's GDO51/GDI51 gateways to the ChirpStack platform using the Basic Station LNS protocol, covering the entire TLS encryption configuration process.
Overview: Why Choose Basic Station
Basic Station, introduced by the LoRa Alliance, is a modern LoRaWAN gateway protocol. Compared to the traditional UDP Packet Forwarder model, it offers the following advantages:
- More efficient communication mechanism (based on WebSocket)
- Support for dynamic frequency updates (CUPS)
- Built-in encrypted transmission (TLS)
- Better network management and remote configuration capabilities
It is important to note that ChirpStack currently only supports the basicstation-lns protocol mode, not basicstation-cups. Therefore, you must ensure the correct protocol type is used during configuration.
Additionally, before you begin, please confirm if your ChirpStack instance has TLS encryption enabled, as this will determine the subsequent gateway certificate configuration method.
ChirpStack without TLS Encryption: Basic Connection Configuration
ChirpStack Configuration Check
Support for basicstation-lns is implemented by the chirpstack-gateway-bridge component. Open its configuration file (usually located at /etc/chirpstack-gateway-bridge/chirpstack-gateway-bridge.toml) and check if the following fields are empty:
tls_cert = ""
tls_key = ""
ca_cert = ""If all three items above are empty, it indicates that the current mode is unencrypted (plaintext transmission), which is suitable for LAN testing environments.
⚠️ Note: In a production environment, it is strongly recommended to always enable TLS to ensure data security.

GDO51/GDI51 Gateway Configuration Steps
- Connect your computer to the gateway's Wi-Fi (SSID format is
GDO51x - <DEVEUI>orGDI51x - <DEVEUI>, default password:wifi!0804). - Open a browser and navigate to
http://192.158.1.1to log in to WebConfigure (default password:wifi!0804). - Go to the menu: Gateway Configuration → LoRaWAN Server.
- Set the following parameters:
- nsProtocol:
basicstation_lns - uri:
ws://<ChirpStack_Server_IP>:3001\nExample:*ws://192.168.1.142:3001*(The default port is 3001, which can be changed in the bridge configuration). - trust / cert / key: Leave these fields blank.
- nsProtocol:
- Click Submit to save the settings.
✅ After the configuration is complete, the gateway will attempt to connect to ChirpStack via a plaintext WebSocket connection. You can check the gateway's status on the Gateways page in ChirpStack to see if it is online.

ChirpStack with TLS Encryption: Secure Connection Configuration
To enhance security, it is recommended to enable TLS encryption in a formal deployment. Depending on the CA certificate configuration, this can be divided into two modes:
| Mode | Description |
|---|---|
| TLS One-Way Auth | Only verifies the server's identity; gateway needs no certificate. |
| TLS Two-Way (Mutual) Auth | Server and gateway verify each other's identity; more secure. |
Determining ChirpStack TLS Configuration
Check the TLS-related configuration in the chirpstack-gateway-bridge.toml file:
tls_cert = "/path/to/server.crt"
tls_key = "/path/to/server.key"
ca_cert = "/path/to/ca.crt" # If this line exists, two-way auth is enabled- ✅ If
ca_certis configured → Two-Way Authentication is enabled.

- ❌ If
ca_certis not configured → One-Way Authentication.

Generating Client Certificates (for Two-Way Authentication)
When two-way authentication is enabled, you must issue a client certificate for each gateway, and its Common Name (CN) must be set to the gateway's EUI (in HEX format, e.g., 5a53012a00000288).
Preparation: Install OpenSSL
# Ubuntu/Debian
sudo apt update && sudo apt install openssl -y
# CentOS/RHEL
sudo yum install openssl -yCreate a Self-Signed CA Certificate
# Generate CA private key (password protected)
openssl genpkey -algorithm RSA -out ca.key -aes256
# Generate CA root certificate (valid for 365 days)
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crtYou will be prompted to enter information such as country, organization name, etc. Please fill them in accurately.
Generate Server Certificate
# Generate server private key
openssl genpkey -algorithm RSA -out server.key
# Generate CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr📌 In the Common Name (CN) field, enter the domain name or IP address of the ChirpStack server (e.g., chirpstack.local or 192.168.1.142).
# Sign the server certificate with the CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256Configure ChirpStack Gateway Bridge
Edit /etc/chirpstack-gateway-bridge/chirpstack-gateway-bridge.toml:
tls_cert = "/path/to/server.crt"
tls_key = "/path/to/server.key"
ca_cert = "/path/to/ca.crt" # Required for two-way authenticationRestart the service for the changes to take effect:
sudo systemctl restart chirpstack-gateway-bridgeGenerate Client Certificate (Gateway Certificate)
# Generate client private key
openssl genpkey -algorithm RSA -out client.key
# Generate CSR
openssl req -new -key client.key -out client.csr📌 Critical Step: In the Common Name (CN) field, enter the gateway's EUI (in lowercase HEX format), for example: 5a53012a00000288.
# Sign the client certificate with the CA
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256This will give you three key files:
ca.crt: The CA root certificateclient.crt: The client certificate (for the gateway)client.key: The client private key
GDO51/GDI51 Gateway Configuration (TLS Mode)
- Log in to WebConfigure.
- Go to: Gateway Configuration → LoRaWAN Server.
- Configure as follows:
| Parameter | Value |
|---|---|
| nsProtocol | basicstation_lns |
| uri | wss://<Server_IP_or_Domain>:3001 (Note the wss) |
| trust | Paste the content of ca.crt here. |
| cert | (Required for two-way auth only) Paste client.crt content. |
| key | (Required for two-way auth only) Paste client.key content. |
- Click Submit to save and restart the gateway.
Verifying Connection Status
After completing the configuration, you can verify the connection in the following ways:
- Check if the gateway is online in the ChirpStack Web UI.
- Check the connection status on the State → Statistics page in the gateway's WebConfigure.
- Use Wireshark to analyze WSS traffic (optional).
Contact Us
- Website: www.manthink.cn
- Email: info@manthink.cn
- Phone: +86-15810684257