Difference between revisions of "RaspberryPi"
Revision as of 12:52, 9 February 2014
Install Raspbian using img file
- Format the SD card using SDCardFormatter
- Check where the SD card is mounted
mbpi7:.ssh stuart$ df -g
Filesystem    1G-blocks Used Available Capacity     iused    ifree %iused  Mounted on
/dev/disk0s2        237   47       189      21%  12608239 49696631    20%  /
devfs                 0    0         0     100%       724        0   100%  /dev
/dev/disk1s2        931  637       293      69% 167108601 76998065    68%  /Volumes/data
map -hosts            0    0         0     100%         0        0   100%  /net
map auto_home         0    0         0     100%         0        0   100%  /home
/dev/disk2s1          3    0         3       1%         0        0   100%  /Volumes/UNTITLED 4
We see here that the SD card (/dev/disk2s1) is mounted on /Volumes/UNTITLED 4
- Unmount the SD card using Disk Utility or
sudo umount /Volumes/UNTITLED\ 4/
- Copy the image file to the SD card
sudo dd if=../Downloads/2014-01-07-wheezy-raspbian.img of=/dev/rdisk2 bs=1m
Autoboot the wlan0 wireless lan interface
root@raspberrypi:/# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface eth0 inet dhcp

#allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid "<SSID>"
wpa-psk "<PASSPHRASE>"
iface default inet dhcp
Assign a fixed IP address (to the wireless adapter in this case)
Get the current IP address and other info
ifconfig -a
We're interested in these bits:
wlan0
inet addr:192.168.1.15 Bcast:192.168.1.255 Mask:255.255.255.0
Get the router/gateway address
netstat -rn
We're interested in these bits:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
Now, using the above data, edit /etc/network/interfaces and add the following lines to the wlan0 section (also changing the iface line from "dhcp" to "static"):
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
It should end up looking something like this:
auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
wpa-ssid "<SSID>"
wpa-psk "<PASSPHRASE>"
Restart the networking daemon
/etc/init.d/networking reload (or reboot)
Install an OpenVPN server
All operations as root
Get the Pi up-to-date
apt-get update
apt-get upgrade
apt-get autoremove
raspi-config   # set overclocking to Medium
Install the packages
apt-get install openvpn openssl
and optionally this to be able to reach the server from the internet using names instead of numbers
apt-get install ddclient
and other useful stuff
apt-get install host shorewall telnet lighttpd
Generate a copy of the easy-rsa structure
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Modify the easy-rsa location
cd easy-rsa
vi vars
Change the EASY_RSA line from
export EASY_RSA="`pwd`"
to
export EASY_RSA="/etc/openvpn/easy-rsa"
then load the variables and clear out the keys directory:
. ./vars
./clean-all
Link the correct openssl config file
ln -s openssl-1.0.0.cnf openssl.cnf
Generate certificate authority files
./build-ca ca
This creates 4 files in the keys subdirectory...
-rw-r--r-- 1 root root 1383 Feb  2 12:02 ca.crt
-rw------- 1 root root  916 Feb  2 12:02 ca.key
-rw-r--r-- 1 root root    0 Feb  2 12:02 index.txt
-rw-r--r-- 1 root root    3 Feb  2 12:02 serial
Generate the server key files
Just hit ENTER (empty password) when asked for a challenge password, but answer yes when asked to sign and commit the certificate.
./build-key-server home_server
The keys subdirectory now looks like this:
-rw-r--r-- 1 root root 4129 Feb  2 12:03 01.pem
-rw-r--r-- 1 root root 1383 Feb  2 12:02 ca.crt
-rw------- 1 root root  916 Feb  2 12:02 ca.key
-rw-r--r-- 1 root root 4129 Feb  2 12:03 home_server.crt
-rw-r--r-- 1 root root  737 Feb  2 12:03 home_server.csr
-rw------- 1 root root  916 Feb  2 12:03 home_server.key
-rw-r--r-- 1 root root  141 Feb  2 12:03 index.txt
-rw-r--r-- 1 root root   21 Feb  2 12:03 index.txt.attr
-rw-r--r-- 1 root root    0 Feb  2 12:02 index.txt.old
-rw-r--r-- 1 root root    3 Feb  2 12:03 serial
-rw-r--r-- 1 root root    3 Feb  2 12:02 serial.old
Generate the client keys
Again, just hit ENTER (empty password) when asked for a challenge password, but answer yes when asked to sign and commit the certificate.
./build-key home_client1
The keys subdirectory now looks like this:
-rw-r--r-- 1 root root 4129 Feb  2 12:03 01.pem
-rw-r--r-- 1 root root 4012 Feb  2 12:04 02.pem
-rw-r--r-- 1 root root 1383 Feb  2 12:02 ca.crt
-rw------- 1 root root  916 Feb  2 12:02 ca.key
-rw-r--r-- 1 root root 4012 Feb  2 12:04 home_client1.crt
-rw-r--r-- 1 root root  737 Feb  2 12:04 home_client1.csr
-rw------- 1 root root  916 Feb  2 12:04 home_client1.key
-rw-r--r-- 1 root root 4129 Feb  2 12:03 home_server.crt
-rw-r--r-- 1 root root  737 Feb  2 12:03 home_server.csr
-rw------- 1 root root  916 Feb  2 12:03 home_server.key
-rw-r--r-- 1 root root  283 Feb  2 12:04 index.txt
-rw-r--r-- 1 root root   21 Feb  2 12:04 index.txt.attr
-rw-r--r-- 1 root root   21 Feb  2 12:03 index.txt.attr.old
-rw-r--r-- 1 root root  141 Feb  2 12:03 index.txt.old
-rw-r--r-- 1 root root    3 Feb  2 12:04 serial
-rw-r--r-- 1 root root    3 Feb  2 12:03 serial.old
Generate the Diffie-Hellman file
./build-dh
This gives us one extra file:
-rw-r--r-- 1 root root  245 Dec 24 13:40 dh1024.pem
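Before copying anything to a client it is worth confirming two things the listings above show: every private key is mode 0600 (-rw-------) and every certificate was actually signed by ca.crt. The following script is an added example, not part of the wiki page; it assumes the openssl CLI installed earlier and defaults to the page's keys directory.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check an easy-rsa keys
# directory. Returns non-zero if any .key is world/group readable or any
# .crt other than ca.crt fails to verify against ca.crt.

check_keys() {
    dir=${1:-/etc/openvpn/easy-rsa/keys}   # page's keys directory by default
    status=0

    # 1. Private keys must be readable by their owner only (mode 0600).
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        if [ -n "$(find "$k" ! -perm 600)" ]; then
            echo "BAD PERMISSIONS: $k (expected 0600)"
            status=1
        fi
    done

    # 2. Every certificate except the CA itself must chain to ca.crt.
    for c in "$dir"/*.crt; do
        [ -e "$c" ] || continue
        [ "$c" = "$dir/ca.crt" ] && continue
        if ! openssl verify -CAfile "$dir/ca.crt" "$c" >/dev/null 2>&1; then
            echo "NOT SIGNED BY ca.crt: $c"
            status=1
        fi
    done
    return $status
}

# Stand-alone use: check the default directory and report the outcome.
if check_keys "$1"; then echo "keys directory OK"; fi
```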
Build a server config file
Copy from the examples directory...
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz
... or
cd ..
vi server.conf
and paste this snippet (note that the cert and key paths must match the file names easy-rsa generated above, i.e. home_server.crt and home_server.key, or the server will not start):
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
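The snippet names server.crt and server.key while easy-rsa produced home_server.crt and home_server.key, which is exactly the kind of mismatch that stops the daemon at start-up. This added script (not part of the wiki page) checks that every file a server.conf points at exists; it assumes the page's /etc/openvpn/server.conf as the default and, as a labelled assumption, resolves relative paths against the config file's own directory.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that the ca, cert, key and
# dh directives in an OpenVPN config all point at readable files.

check_conf_paths() {
    conf=${1:-/etc/openvpn/server.conf}   # page's server config by default
    missing=0
    # Only the directives whose single argument is a file path.
    for directive in ca cert key dh; do
        path=$(awk -v d="$directive" '$1 == d { print $2 }' "$conf")
        if [ -z "$path" ]; then
            echo "MISSING DIRECTIVE: $directive"
            missing=1
            continue
        fi
        # Assumption: a relative path is taken relative to the config's
        # directory (the daemon is started from /etc/openvpn in this setup).
        case $path in
            /*) ;;
            *)  path=$(dirname "$conf")/$path ;;
        esac
        if [ ! -r "$path" ]; then
            echo "$directive -> $path: not found or not readable"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone use: check the default (or given) config and report.
if check_conf_paths "$1"; then echo "all referenced files present"; fi
```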
Enable IP forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
Check IP address and interface name
Alter the NAT table to allow traffic to the server (assuming a wired interface and that the IP address of our Pi is 192.168.1.100):
ifconfig -a
iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 192.168.1.100
Allow IP forwarding across reboots
vi /etc/sysctl.conf
and uncomment the ip_forward line so that it reads:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Start the server
/etc/init.d/openvpn start
The server is now running; next, set up the client.
Generate and export an OpenVPN config file
Use Tunnelblick or Viscosity (on a Mac), or copy/paste and modify this (the ca, cert and key names must match the client files generated above):
dev tun
client
proto udp
#remote 192.168.1.100 1194   # testing with lan address of Raspberry Pi
remote <public ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Make routing table modifications persistent
Some info on iptables might come in handy at this point. See references...
vi /etc/rc.local
Add the routing commands before the exit:
iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 192.168.1.100
Some other bits that may be needed:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s XXX.XXX.XXX.XXX -o eth0 -j MASQUERADE
Three files are needed for each client:
ca.crt, client.crt, client.key
Eventually got it working with this, but I don't know which bits are really necessary just yet.
Put these lines in /etc/iptables.rules
# Generated by iptables-save v1.4.14 on Sun Jan 26 18:19:17 2014
*nat
:PREROUTING ACCEPT [526:41694]
:INPUT ACCEPT [363:30775]
:OUTPUT ACCEPT [197:12420]
:POSTROUTING ACCEPT [197:12420]
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
COMMIT
# Completed on Sun Jan 26 18:19:17 2014
# Generated by iptables-save v1.4.14 on Sun Jan 26 18:19:17 2014
*filter
:INPUT ACCEPT [484:38699]
:FORWARD ACCEPT [1:40]
:OUTPUT ACCEPT [1896:366345]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Sun Jan 26 18:19:17 2014
then edit /etc/network/interfaces and add the following line just after "iface eth0 inet static"
pre-up iptables-restore < /etc/iptables.rules
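The saved rules above contain several -A lines twice (the wlan0 INPUT rule and both wlan0/eth0 POSTROUTING rules), and iptables-restore will load each copy, which is part of why it is hard to tell which bits are really necessary. The following script is an added example, not part of the wiki page; it works on a constructed dump modelled on /etc/iptables.rules and reports or strips the repeats before the file is restored.

```shell
#!/bin/sh
# Added example (not from the wiki page): find and remove duplicate -A rules
# in an iptables-save dump such as /etc/iptables.rules.

# Constructed sample modelled on the page's /etc/iptables.rules.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT'

# Print the dump on stdin with repeated -A lines removed. A rule is only a
# duplicate within its own table, so the seen-set is cleared at each *table
# header; headers, chain policies and COMMIT lines pass through untouched.
dedupe_rules() {
    awk '/^\*/  { split("", seen) }
         /^-A / { if (seen[$0]++) next }
                { print }'
}

# List each rule that appears more than once in its table, prefixed by table.
list_dupes() {
    awk '/^\*/  { table = $0; split("", seen) }
         /^-A / { if (++seen[$0] == 2) printf "%s: %s\n", table, $0 }'
}

# Number of -A lines on stdin, for a before/after comparison.
count_rules() { grep -c '^-A '; }

printf '%s\n' "$SAMPLE_RULES" | list_dupes
echo "rules before: $(printf '%s\n' "$SAMPLE_RULES" | count_rules)"
echo "rules after:  $(printf '%s\n' "$SAMPLE_RULES" | dedupe_rules | count_rules)"
```

To apply it to the real file: iptables-save | dedupe_rules > /etc/iptables.rules, then review the result before the next iptables-restore.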
ddclient sample configuration file
Put this in /etc/ddclient.conf and modify it to taste.
I use dnsdynamic. If you don't, you'll need to change more than is indicated below.
daemon=600                        # check every 10 minutes
syslog=yes                        # log update msgs to syslog
mail=root                         # mail all msgs to root
mail-failure=root                 # mail failed update msgs to root
pid=/var/run/ddclient.pid         # record PID in file.
ssl=yes                           # use ssl-support. Works with ssl-library
use=web, web=myip.dnsdynamic.com  # get ip from server.
server=www.dnsdynamic.org         # default server
login=[your username here]        # default login
password=[your password here]     # default password
server=www.dnsdynamic.org, \
protocol=dyndns2 \
[your website here]
iptables
- man iptables!
list open ports
netstat -tulpn
see if firewall is allowing access
telnet <ip address> <port>
list FILTER rules
iptables -L -n -v
list NAT rules
iptables -L -t nat -n -v
list all rules in selected chain
iptables -S -t nat -v
show all rules in a form to use for input
iptables-save | tee /etc/iptables.rules
bring in those rules previously saved
iptables-restore < /etc/iptables.rules
show local routing table
ip route show table local
References
- http://ivanx.com/raspberrypi/
- http://www.andrewmunsell.com/blog/getting-started-raspberry-pi-install-raspbian (using dd for img file)
- http://www.sans.org/reading-room/whitepapers/hsoffice/soho-remote-access-vpn-easy-pie-raspberry-pi-34427
- http://en.alexnogard.com/install-openvpn-raspberry-pi-wheezy-debian/
- https://forums.openvpn.net/topic14286.html
- http://raspberrypi-hacks.com/29/turn-your-raspberry-into-an-openvpn-vpn-server/
- http://www.cyberciti.biz/tips/linux-iptables-examples.html
- http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn
- http://community.openvpn.net/openvpn/wiki/RoutedLans
- https://workaround.org/openvpn-faq
- https://wiki.debian.org/iptables
- http://en.wikipedia.org/wiki/Iptables
- http://www.revsys.com/writings/quicktips/nat.html