GBox Radegast Setup Guide: Config, Ports & Fixes 2026
If you've spent an evening chasing "peer offline" in a GBox log with zero explanation, you're not alone. This is one of those setups where every forum post assumes you already know the missing step. I've rebuilt this bridge on Enigma2 boxes, a couple of Debian VMs, and one very stubborn ARM-based receiver, and the failure modes repeat themselves almost every time. This guide walks through gbox radegast настройка: настройка (GBox Radegast setup) from a clean box to a working reader, including the OScam side that most pages skip entirely.
We'll cover the actual config directives, the ports that get confused with each other, the OScam bridge stanzas nobody writes out, and the diagnostic commands that tell you whether the problem is your config or your network. No copy-paste peer IDs, no fake uptime numbers — just what actually breaks and how to check it.
What GBox and Radegast Actually Are (and How They Differ)
People conflate these two constantly, so let's separate them. GBox is a peer-to-peer sharing daemon with its own peer list, its own password model, and its own protocol for exchanging ECMs between boxes that trust each other. CCcam works differently — client/server, with a share list pushed down to clients. GBox peers are more or less equals; each one can serve cards and request cards from the others depending on how you configure it.
Radegast is something else entirely. It's not a sharing daemon — it's a thin, plain-text protocol for carrying ECM requests and responses over TCP. No encryption, no password handshake, nothing. Access control is whatever IP allow-list you bolt onto it at the firewall or in the daemon config. That's it. TCP 6666 is the port everyone defaults to by convention, but there's nothing magic about it — it's configurable on both ends.
Most people typing this query into a search box aren't actually trying to run two GBox instances together. They're trying to get an old GBox-only client talking to a modern OScam reader, or bridge a GBox peer network into an OScam box that holds the physical card. Radegast is the glue for exactly that situation — a bridge protocol, not something you'd choose as your primary sharing link if you had modern OScam-to-OScam options available.
GBox as a peer-to-peer sharing daemon vs CCcam's client/server model
In CCcam, one box is the server and everyone else connects as a client with a username/password from the C: line. In GBox, every peer is defined individually with its own IP, port, ID and password pair. There's no central account list — it's all point-to-point trust relationships.
Radegast as a plain, unencrypted card-request protocol
Radegast sends an ECM request, gets a control word back, done. There's no session encryption layer like CCcam's, and no login exchange like OScam's newcamd. Anyone who can reach the port and isn't blocked by IP filtering can talk to it.
Why Radegast is used as a bridge, not as a primary sharing link
Because it has no authentication of its own, and no EMM path (more on that later), it's best treated as a translation layer between two systems that otherwise couldn't talk — not as your main distribution protocol to a dozen downstream boxes.
When you need GBox at all vs staying entirely inside OScam
If every box in your setup runs OScam, you probably don't need GBox — OScam-to-OScam over its own protocol or newcamd will do the job with less overhead. GBox earns its place when you've got legacy clients or peer relationships that specifically expect the GBox protocol on one end.
Preparing the Box: Files, Paths and Permissions Before You Edit Anything
Before touching a single directive, confirm which files the running binary is actually reading. This sounds obvious, but it's the single most common time-sink in gbox radegast настройка: настройка (GBox Radegast setup) — people edit a config that the daemon never opens.
Where GBox looks for its config: /etc/gbox.cfg, /var/keys/, and image-specific overrides
On a lot of Enigma2 images the working config lives under /var/keys/, while a generic build defaults to /etc/gbox.cfg. Some images symlink one to the other; some don't. Don't assume — verify.
Locating gbox.ident, gbox.cfg and the share/peer files
Kill the running daemon, then start it by hand in the foreground:
/usr/bin/gbox -c /etc/gbox.cfg
Watch the startup lines — a properly built binary logs the exact paths it opens for the config, the ident file and the peer list. If it silently starts without printing a path, check the init script instead.
Locating gbox.ident, gbox.cfg and the share/peer files
Grep the startup script for the real path:
grep -i gbox /etc/init.d/* 2>/dev/null
Or on a systemd box:
systemctl cat gbox.service
This tells you the exact -c flag or working directory the daemon launches with — which is the config it actually reads, regardless of what's sitting in /etc.
Checking your image: Enigma2 (OpenATV/OpenPLi) vs a plain Debian/Ubuntu box
Enigma2 receivers tend to run everything as root with a flat filesystem, so permission errors are rare but path confusion is common. A Debian or Ubuntu box running GBox as a service is the opposite problem — permissions bite you constantly, path confusion rarely does.
Binary architecture: mipsel, ARM and x86 builds are not interchangeable
If you drop a mipsel binary onto an ARM-based receiver, you'll get a cryptic exec format error that looks nothing like a permissions or config problem. Check with file /usr/bin/gbox before you waste an hour editing a config that was never going to run.
Setting executable permissions and confirming the daemon starts at boot
chmod 755 /usr/bin/gbox on the binary, chmod 644 on the config files. On a Debian box, don't run the daemon as root unless the vendor image genuinely requires it — create a dedicated service account instead. Also check free space on the flash partition with df -h; on older receivers a full flash silently truncates a written config mid-file, and you won't get an error for it.
Writing the GBox Configuration: Every Line Explained
Here's an annotated skeleton. Replace every IP, ID and password below — these are placeholders, not something to copy verbatim into production.
# local identity
N: MyBoxName
P: outgoing_password_to_peers
ip: 192.168.1.10
port: 12000
# remote peer definition
C: 192.168.1.20 12000 PeerID1234 theirIncomingPass myOutgoingPass
# caid/provider filter
caid: 0500 0100
ident: 0500:000000
# hop/distance limit
hops: 2
# radegast listener
radegast: 1
radegast_port: 6666
radegast_allow: 192.168.1.0/24
Local peer identity, password and hostname lines
The N: and P: lines identify who you are to peers and what password you'll present when connecting outbound. This is separate from what a peer sends you — which is the part that trips people up.
Defining remote peers: IP, port, peer ID and the shared password pair
Every C: line needs a matching pair — the password the peer expects from you, and the password you expect from them. Get one of the two backwards and you get a silent connection failure with nothing useful in the log. There's no "wrong password" error most of the time; the peer just never comes up.
Setting the listening port and binding to the correct interface
Check whether your build binds to 0.0.0.0 (all interfaces) or 127.0.0.1 (loopback only) by default. Binding to loopback and then wondering why a LAN client can't reach the port is one of the most common own-goals in this whole setup.
Card and CAID/provider filters: sharing only what you intend to share
The caid: and ident: lines restrict what gets offered to a peer. Leaving these wide open isn't a config error exactly, but it's sloppy — and it makes debugging "why isn't this channel decoding" much harder later because you can't rule filtering in or out at a glance.
Hop limits, distance and cache settings that prevent request storms
The hops: value controls how far a request is allowed to travel through the peer mesh before it's dropped. Anything above 2 or 3 tends to pollute the ECM cache with stale entries and generates dead requests that never resolve — it doesn't get you more channels, it just adds noise.
Enabling the Radegast listener and choosing its port
This is the part people miss constantly: the Radegast listener is a completely separate service from the GBox peer port above it. radegast_port: 6666 has nothing to do with port: 12000. Each needs its own firewall rule, and forgetting this is why half the "it's not working" posts online are really two different ports with only one of them open.
Bridging GBox and OScam over Radegast
This is the section most guides skip entirely — they dump a gbox.cfg and stop, leaving you to guess the OScam side. Here's both directions.
Configuring an OScam reader with protocol = radegast
In /etc/oscam/oscam.server, define a reader that speaks Radegast to the GBox peer:
[reader]
label = gbox_bridge
protocol = radegast
device = 192.168.1.20,6666
group = 4
caid = 0500
ident = 0500:000000
inactivitytimeout = 30
The matching oscam.server block: device, IP, port, group and CAID
The device line takes IP and port comma-separated, not colon-separated — get that wrong and OScam will refuse to load the reader at all, not just fail to connect. The caid and ident filters here matter because Radegast itself carries no provider-ident negotiation; if you don't set these explicitly, OScam has no way to know what the reader is actually good for.
Adding a radegast user in oscam.user with the right group
In /etc/oscam/oscam.user, whatever client needs the cards from this reader has to be in the same group number:
[account]
user = localclient
pwd = somepassword
group = 4
This group number match is the single most common point of failure in the entire bridge. Get group 4 on the reader and group 5 on the user, and OScam will show the reader as connected, the log will look completely clean, and the ECM count will sit at zero forever. There's no error for this — it's just silent non-routing.
Enabling the OScam Radegast server in oscam.conf and setting the allowed IP
If OScam is the one serving cards out over Radegast (rather than consuming them), add this to /etc/oscam/oscam.conf:
[radegast]
port = 6666
allowed = 192.168.1.20
Since Radegast has no password exchange, allowed is your entire authentication layer here. Don't leave it blank.
Verifying the link in OScam's web interface reader status
Open the OScam web UI, usually on port 8888, and check the reader status page. "Connected" only tells you the socket is up. The number you actually want is the ECM request counter on that reader — if it's climbing when you change channels, the bridge is genuinely routing traffic. If it's stuck at zero, go back to the group numbers before you touch anything else.
Reverse direction: GBox as the card source, OScam as the client
If GBox holds the card and OScam is downstream, flip it: GBox runs the Radegast listener (radegast: 1, radegast_port: 6666) and the OScam reader with protocol = radegast points at GBox's IP and that port. Same group/CAID caveats apply on the OScam side either way.
Networking: Ports, NAT, Dynamic IPs and Firewalls
Once the config is right, most remaining failures are networking, not GBox or OScam at all.
Which ports to open: the GBox peer port and the Radegast port are different
Say it again because it bears repeating: the GBox peer-to-peer port (in the example above, 12000) and the Radegast listener port (6666) are unrelated services. Open both if you need both. Opening just one and assuming the other rides along is a very common mistake.
Port forwarding on the router and the double-NAT / CGNAT problem
Check the router's WAN IP against what a public "what's my IP" check reports. If they don't match, you're behind CGNAT — your ISP is sharing one public address across many customers, and no port forward you configure will ever be reachable from outside. In that situation the only realistic paths are an outbound VPN tunnel or getting the far side to initiate the connection instead of you.
Dynamic DNS when your ISP rotates your address
If your WAN IP does change (just not via CGNAT — a regular dynamic assignment), a DDNS hostname pointed at your router saves you from re-editing peer IPs every time your ISP reassigns you.
Confirming reachability with nc, telnet and ss/netstat
From the box running the daemon, confirm it's actually listening:
ss -tulpn | grep -E '6666|12000'
Check the local address column — 0.0.0.0:6666 means all interfaces, 127.0.0.1:6666 means loopback only and nothing outside the box can reach it. From the peer's side, test whether the packet even arrives:
nc -vz 192.168.1.20 6666
This single command separates "the daemon is broken" from "the packet never got there" faster than staring at logs.
Tunnelling Radegast over WireGuard or OpenVPN instead of exposing it
Because Radegast authenticates nothing on its own, don't forward it straight to the internet. Put a WireGuard or OpenVPN tunnel between the two ends and run Radegast inside that instead — you get the convenience of a remote peer without the port sitting open to anyone scanning for it.
Troubleshooting: Reading the Logs and Fixing the Common Failures
Work through these in order — symptom, likely cause, command to confirm, fix.
Turning on verbose logging and where the log file lands
Most builds accept a -d or debug flag on the command line, or a log-level directive in the config. Run it in the foreground first (/usr/bin/gbox -c /etc/gbox.cfg -d) before trusting whatever ends up in a log file — you'll see connection attempts scroll by in real time.
Peer shows offline: password mismatch, wrong peer ID, or blocked UDP
Double-check the two-password pair described earlier — a mismatch produces no explicit error, just a peer that never comes up. Also confirm the peer ID matches exactly on both sides; a typo here fails the same silent way.
Peer online but zero ECMs: group mismatch, CAID filter, or hop limit
Covered above in the OScam bridge section, but it's worth repeating as a checklist: group number on reader vs user, CAID/ident filter excluding the channel, or a hop limit that's dropping the request before it reaches the card. The OScam reader's ECM counter is your fastest diagnostic — watch it while you change channels.
Freezing and channel-change lag: ECM response time above the ~1.5s budget
Under roughly 500ms feels clean. Past about 1000-1500ms you'll see visible freezing on channel change, and once you're past the control word's cycle time, the response is useless no matter how fast it eventually arrives. Check response times in OScam's reader statistics — this is a network/source problem, not something a config directive fixes.
Duplicate or looping requests caused by two boxes sharing one peer ID
If two receivers on your network are accidentally configured with the identical peer ID, you'll see intermittent, seemingly random drops that only make sense once you correlate both boxes' logs side by side. Give every box a unique ID, no exceptions.
Clean restart procedure that avoids stale lock files
Before restarting after a crash or an unclean shutdown, check for a zombie process still holding the port:
ps aux | grep gboxss -tulpn | grep 6666
Kill the stale process, remove any leftover lock file the binary uses, then start fresh. Skipping this step is why a restart sometimes appears to do nothing at all.
What Doesn't Work (and Common Advice You Should Ignore)
Some of what circulates in forum threads about this is just wrong, or years out of date.
Copy-pasted forum configs with someone else's peer IDs and ports
Configs from old threads reference peer IDs, ports and even file paths that belonged to someone else's setup, possibly years ago. Treat them as templates to understand structure, never as something to paste in directly.
Raising hop count to "get more channels"
This is bad advice that keeps getting repeated. A higher hop count doesn't add channels — it degrades cache hit rates for everyone on the mesh and generates ECM requests that time out before they're useful.
Exposing the Radegast port to the internet without an IP allow-list
Because there's no authentication in the protocol itself, an open Radegast port is an open door. Always pair it with an IP allow-list, ideally combined with an iptables source-restriction rule as a second layer.
Mixing GBox binaries built for a different architecture or a different image
A mipsel binary on an ARM receiver, or an Enigma2 build dropped onto a generic Linux box, fails with an exec format error that gets mistaken for a config problem constantly. Check file on the binary first.
Expecting Radegast to carry EMMs or handle card writes
Radegast is request/response for ECMs only — there's no EMM path in the protocol. Card updates have to happen on the box that physically holds the reader, not through the Radegast link. People lose entire days assuming otherwise.
Chasing a "faster" protocol when the real bottleneck is upstream latency
If the upstream card is 400ms away over a congested link, switching protocols won't fix it. No config directive compensates for physical network latency.
Choosing a Card Source or Peer Without Getting Burned
If you're evaluating a new peer or card source rather than running your own reader end to end, judge them on measurable criteria, not marketing claims.
Technical criteria: measurable ECM response time, uptime, and hop distance
Ask for a short test window and actually measure ECM response times during evening peak hours in your own logs — not their marketing page. Anything consistently under 500ms is solid; anything regularly over 1500ms won't be usable regardless of what else is right about the setup.
Protocol support: does the source actually offer a Radegast or OScam-compatible link
Confirm they genuinely support the protocol you need before committing time to configuration. Some sources only speak newcamd or CCcam and will tell you Radegast works "with a bit of tweaking" — that usually means it doesn't.
Red flags: no test period, no support channel, unrealistic channel counts
No test period, no way to ask a technical question, or a channel count that sounds too broad for a plausible card setup are all reasons to walk away.
Local card vs remote peer: the trade-offs in cost, latency and reliability
A card you physically hold has zero network dependency and the lowest possible latency, at the cost of your own hardware and subscription. A remote peer is more flexible but inherits every bit of that peer's network reliability and distance.
Legal reality: you must hold a valid subscription for the content you decrypt
Somewhere in this chain a genuine, paid smartcard has to be doing the decryption legitimately. Sharing decryption keys without a valid subscription for that content is unlawful in most jurisdictions, and this guide assumes you're configuring hardware and cards you legitimately own or subscribe to.
What port does Radegast use by default?
TCP 6666 is the widespread convention, not a registered standard — both GBox and OScam let you set it to anything you want. Remember that the Radegast listener port is completely separate from the GBox peer port, and each one needs its own port forward and firewall rule.
Where is the GBox config file located?
Most commonly at /etc/gbox.cfg or under /var/keys/ on Enigma2 images, but the exact path depends entirely on your build. The reliable way to find out is to run the binary in the foreground and watch which path it reports loading, or grep the init script for the -c flag. Editing a config the running binary never actually reads is the most common trap in this whole process.
My GBox peer shows as connected but no channels decode — why?
Connection and routing are two separate problems. Check them in order: group number mismatch between oscam.server and oscam.user, a CAID or provider ident filter excluding that channel, a hop limit dropping the request, or the source simply not carrying that provider at all. An ECM counter stuck at zero is the tell that routing, not connectivity, is the issue.
Can I run GBox and OScam on the same box at the same time?
Yes, and it's the usual setup — but they can't fight over the same port, and only one of them should own the physical card reader. Bind each daemon to a distinct port, let OScam hold the reader hardware, and let GBox handle the peer mesh, bridged over Radegast on localhost or the LAN.
Is Radegast encrypted or authenticated?
No. It's plain text with no password handshake of any kind — access control is entirely down to your IP allow-list and firewall rules. That's exactly why it belongs on the LAN or inside a WireGuard or OpenVPN tunnel, never forwarded openly to the internet.
Why do channels freeze for a second every time I change them?
That's ECM round-trip latency, not a config bug. Under roughly 500ms feels clean; past about 1500ms you'll see visible freezing on channel change. Measure it in OScam's reader statistics, and fix it on the network or source side — a closer peer, a less congested link — not by editing a directive.
Do I still need a real subscription card if I use GBox?
Yes. Somewhere in the chain a genuine, paid smartcard has to be doing the actual decryption. Sharing decryption keys without a valid subscription for that content is unlawful in most jurisdictions — this guide covers configuring hardware and cards the reader legitimately owns.