RaspberryPi
Autoboot the wlan0 wireless lan interface
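root@raspberrypi:/# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface eth0 inet dhcp

#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

# must read "auto" ("autp" is not an interfaces(5) keyword and the interface
# will not be brought up at boot)
auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid "<SSID>"
# the passphrase is stored here in clear text: keep this file readable by root
# only (chmod 600 /etc/network/interfaces)
wpa-psk "<PASSPHRASE>"

iface default inet dhcp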
Assign a fixed IP address
Get the current IP address and other info
ifconfig -a   # -a also lists interfaces that are currently down
We're interested in these bits:
wlan0
inet addr:192.168.1.15 Bcast:192.168.1.255 Mask:255.255.255.0
Get the router/gateway address
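# -r: print the routing table, -n: numeric addresses instead of host names
# (the command was mistyped "netstan" before)
netstat -rn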
We're interested in these bits:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG      0 0        0 wlan0
Now edit /etc/network/interfaces and, for the required interface, replace 'dhcp' with 'static' and add the following lines:
# choose an address outside the router's DHCP range so it cannot clash with a leased one
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
The interface section ends up looking something like this...
auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
wpa-ssid "<SSID>"
# clear-text passphrase: keep the file root-only (chmod 600 /etc/network/interfaces)
wpa-psk "<PASSPHRASE>"
Install OpenVPN server
All operations as root
Get the Pi up-to-date
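# refresh the package lists first; running upgrade before update works from stale indexes
apt-get update
apt-get upgrade
raspi-config   # set overclocking to Medium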
Install the packages
# openssl provides the command-line tool the easy-rsa scripts call
apt-get install openvpn openssl
Generate a copy of the easy-rsa structure in /etc/openvpn
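# chain with && so the copy is never made in the wrong directory if cd fails
cd /etc/openvpn && cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa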
Modify the easy-rsa location
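cd easy-rsa
vi vars
# In vars, replace the relative location with the absolute one so the scripts
# work from any current directory:
#export EASY_RSA="`pwd`"
export EASY_RSA="/etc/openvpn/easy-rsa"
. ./vars
# WARNING: clean-all empties the keys/ directory (any existing CA, server and
# client keys are deleted). Run it only on a fresh setup.
./clean-all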
Link the correct OpenSSL config template
# easy-rsa 2.0 reads openssl.cnf; link the template that matches the installed
# OpenSSL release (check with: openssl version)
ln -s openssl-1.0.0.cnf openssl.cnf
Generate certificate authority files
# ca.key signs every server and client certificate built below; anyone holding
# it can issue certificates the server trusts, so keep it root-only (the script
# creates it mode 0600 — do not loosen that) and off any client machine.
./build-ca ca
This creates 4 files in the keys subdirectory...
-rw-r--r-- 1 root root 1383 Dec 24 13:32 ca.crt
-rw------- 1 root root  912 Dec 24 13:32 ca.key
-rw-r--r-- 1 root root    0 Dec 24 13:31 index.txt
-rw-r--r-- 1 root root    3 Dec 24 13:31 serial
Now the server key files (sign and commit the certificate when asked)
./build-key-server server   # server.key is created mode 0600; leave it that way
New files in keys subdirectory
-rw------- 1 root root  916 Dec 24 13:35 server.key
-rw-r--r-- 1 root root  729 Dec 24 13:35 server.csr
-rw-r--r-- 1 root root    3 Dec 24 13:35 serial
-rw-r--r-- 1 root root   21 Dec 24 13:35 index.txt.attr
-rw-r--r-- 1 root root  136 Dec 24 13:35 index.txt
-rw-r--r-- 1 root root 4120 Dec 24 13:35 server.crt
-rw-r--r-- 1 root root 4120 Dec 24 13:35 01.pem
Build client keys (sign and commit the certificate when asked)
# one certificate per client device: repeat with a different name for each,
# rather than copying client1's key to several machines
./build-key client1
Client files in keys subdirectory...
-rw------- 1 root root  916 Dec 24 13:39 client1.key
-rw-r--r-- 1 root root  729 Dec 24 13:39 client1.csr
-rw-r--r-- 1 root root    3 Dec 24 13:39 serial
-rw-r--r-- 1 root root   21 Dec 24 13:39 index.txt.attr
-rw-r--r-- 1 root root  273 Dec 24 13:39 index.txt
-rw-r--r-- 1 root root 3999 Dec 24 13:39 02.pem
-rw-r--r-- 1 root root 3999 Dec 24 13:39 client1.crt
Build Diffie-Hellman file
# Produces dh<KEY_SIZE>.pem using KEY_SIZE from vars (dh1024.pem with the
# default). A 1024-bit DH group is considered weak; set KEY_SIZE=2048 in vars
# before running this and point the "dh" line in server.conf at the new file.
./build-dh
This gives us one extra file
-rw-r--r-- 1 root root 245 Dec 24 13:40 dh1024.pem
Build a server config file. Copy from the examples directory...
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
gunzip /etc/openvpn/server.conf.gz   # leaves /etc/openvpn/server.conf in place
... or paste this snippet.
cd ..
vi server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# a 1024-bit DH group is weak; prefer a 2048-bit one (build-dh with KEY_SIZE=2048)
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# uncomment these two so the daemon drops root after start-up; persist-key and
# persist-tun below keep restarts working once privileges are dropped
#user nobody
#group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
# lets VPN clients talk to each other; remove if clients should be isolated
client-to-client
# sends all client traffic through the Pi
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
# compression on an encrypted link has known weaknesses; consider removing it
# (the client config must then drop it as well)
comp-lzo
Enable IP forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward   # takes effect immediately, but is lost on reboot
Check IP address and interface name and alter routing table to allow traffic to the server
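ifconfig -a   # confirm the LAN interface (wlan0) and address (192.168.1.100) used below
# Accept incoming OpenVPN traffic in the filter table (the default table). The
# original put this rule in the nat table's INPUT chain, where ACCEPT has no
# filtering effect and nothing is actually allowed through.
iptables -A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
# Rewrite the source of VPN client traffic leaving via wlan0 to the Pi's LAN address
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100
# If the FORWARD chain policy is DROP, traffic between tun0 and wlan0 also needs
# explicit ACCEPT rules there (depends on the existing firewall; not shown).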
Allow IP forwarding across reboots
vi /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
# (applied at boot; "sysctl -p" applies it to the running system now)
net.ipv4.ip_forward=1
Start the server
# picks up /etc/openvpn/server.conf; check /var/log/openvpn (log-append above) if it fails
/etc/init.d/openvpn start
Server is running; now set up the client.
Use Tunnelblick or Viscosity to generate and export an OpenVPN config file or paste and modify this:
dev tun
client
proto udp
#remote 192.168.1.100 1194 # testing with lan address of Raspberry Pi
remote <public ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# consider adding "remote-cert-tls server" so another client's certificate cannot
# be used to impersonate the server (needs the server cert built with
# build-key-server, as above — verify it carries the server extensions)
# comp-lzo must match the server config; remove it on both sides if dropped there
comp-lzo
verb 3
Make routing table modifications persistent
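vi /etc/rc.local
# Add the routing commands before the final "exit 0" so they are re-applied at boot.
# The ACCEPT rule belongs in the filter table; "-t nat" on INPUT has no filtering
# effect and would leave port 1194 closed.
iptables -A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.100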
3 files are needed for each client:
ca.crt, client.crt, client.key (here client1.crt and client1.key). client.key is the client's private key: copy it to the client over a secure channel only and keep it readable by its owner alone.