Born out of frustration with my cable Internet provider constantly dropping my connection and a desire to teach myself Python, I developed the Multi Host Availability Grapher (MHAG). I wrote MHAG in Python 3 and it is intended to run on a Raspberry Pi or similar Linux host. FAIR WARNING, this script will send five pings to the top three DNS servers every minute. Below I will describe how to install and configure MHAG on a Raspberry Pi 3 running a fresh install of the latest version of Raspbian Lite (the non-GUI version). I Recommend looking over/following my previous post: Headless Raspberry Pi - Initial Baseline Configuration in order to be sure your installation of Raspbian is consistent with mine. In the examples below my Raspberry Pi's hostname is "mhag". OK, now here's where to find the script: https://github.com/jullrey/MHAG |
IT Monger
IT's a dirty job, but somebody's got to do it.
Monday, January 21, 2019
Multi Host Availability Grapher (MHAG)
Wednesday, December 5, 2018
Headless Raspberry Pi - Initial Baseline Configuration
Prerequisites/Assumptions
Making the assumption that you can follow the instructions on the Raspberry Pi web site to download and install the Raspbian Lite image on a Micro SD card. Installing Raspberry Pi Operating System Images
Setup the Raspberry Pi
From the PC used to install Raspbian on the Micro SD card, configure the Pi to allow SSH access by creating an empty file named 'ssh' in the /boot directory on the Micro SD (may need to mount it first). This will enable running the Pi without a monitor, keyboard and mouse (i.e. headless).
If you need to run your Raspberry Pi via WiFi (i.e. You have the Pi 3 A+ wireless only version) you will need to mount the rootfs partition on the Micro SD card from your PC and edit the /etc/wpa_supplicant/wpa_supplicant.conf file and add your Wi-Fi network settings at the bottom, then save and unmount the Micro SD card. Note: the double-quote marks are required.
Insert the Micro SD into the Raspberry Pi and connect the Pi to your network via CAT5/6 Ethernet cable (or not if you are using Wi-Fi). Then connect the power cable to the Pi.network={ ssid="Your SSID goes here" psk="Your Wi-Fi password goes here" }
After a few minutes the Pi should boot and receive an IP address from your router and register itself to your local internal DNS.
Try SSH'ng to pi@raspberrypi, if unsuccessful try pi@raspberrypi.local. If that still doesn't work, you will need to login to your router and figure out what IP address was assigned to your Raspberry Pi. If you are connecting from a Windows PC I recommend using the PuTTY SSH client. (PuTTY SSH Client Download) The default password for the pi user is "raspberry".
Initial Raspbian Configuration
You should see something similar the first time you SSH to the Pi:
Next we will run the raspi-config command as root: sudo raspi-config | |
1st thing to do is change the "pi" user's password, by selecting Change User Password.
| |
Under Network Options select Hostname and we'll change the hostname to mhag and select <Ok>. You can substitute whatever you like for mhag, I chose this name because this How To is a prerequisite for installing a program I have developed named the Multi Host Availability Grapher. |
|
Under Localization Options select Change Locale and enable en_US.UTF-8 UTF-8, select <Ok> and then set the Default locale to C.UTF-8 and select <Ok> again. |
|
Go back into Localization Options and select Change Timezone and set it to your timezone and select <Ok>. |
|
Again go back into Localization Options and select Change Wi-fi Country and set it to your country and select <Ok>. |
|
Under Advanced Options choose Expand Filesystem then select <Ok>. |
|
Select <Finish> and then select <Yes> to reboot now. |
|
After a few minutes you should be able to SSH back into the Raspberry Pi as pi@mhag |
|
Labels:
3,
advanced,
baseline,
config,
configuration,
expand,
filesystem,
Headless,
initial,
Lite,
localization,
Network,
options,
Pi,
pi@raspberrypi,
Raspberry,
Raspbian,
raspi-config,
SSH
Saturday, February 10, 2018
OpenVPN Raspberry Pi 3 / Ubuntu Linux Server HowTo
This post is outdated.... Recommend using this article instead:
https://www.pcmag.com/how-to/how-to-create-a-vpn-server-with-raspberry-pi
Loosely based on Hak5’s video “ Linux Server Build: OpenVPN From Scratch - Hak5 2019”
My setup: Raspberry Pi 3 running Raspbian with a static internal IP address behind a DD-WRT wireless router configured to use Dynamic DNS to automatically update a DNS A record.
I Recommend looking over/following my post: Headless Raspberry Pi - Initial Baseline Configuration in order to be sure your installation of Raspbian is consistent with mine.
I Recommend looking over/following my post: Headless Raspberry Pi - Initial Baseline Configuration in order to be sure your installation of Raspbian is consistent with mine.
Install OpenVPN and Easy-RSA
$ sudo -i
# apt-get update
# apt-get upgrade
# apt-get install openvpn easy-rsa
# cd /usr/share/doc/openvpn/examples/sample-config-files
# gunzip -c server.conf.gz >/etc/openvpn/server.conf
# cd /etc/openvpn
# vi server.conf
Update Diffie Hellman from 1024 to max 2048
dh dh2048.pem
Uncomment (remove begining ‘;’) these lines
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 192.168.1.1” (add for local system name resolution)
push “dhcp-option DNS 208.67.222.222”
push “dhcp-option DNS 208.67.220.220”
user nobody
group nogroup
The addresses above are OpenDNS servers. You can change these to 8.8.8.8 and 8.8.4.4 (google’s DNS servers) if you want.
Setup Firewall
# cat /proc/sys/net/ipv4/ip_forward
0
# echo 1 > /proc/sys/net/ipv4/ip_forward
# vi /etc/sysctl.conf
Uncomment (remove begining #)
net.ipv4.ip_forward=1
Use ufw to create rules
# ufw status (may need to run apt-get install ufw)
# ufw allow ssh
# ufw allow 1194/udp
# vi /etc/default/ufw
Change default forward policy to accept
DEFAULT_FORWARD_POLICY=”ACCEPT”
Setup NAT and IP Masquerading for clients
# vi /etc/ufw/before.rules
Add NAT rules at the top of the file (assumes eth0 is your interface name)
*nat
:POSTROUTING ACCEPT [0.0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
Enable/start firewall
# ufw status
# ufw enable
# ufw status
Create Certificate Authority and generate RSA keys
# cd /usr/share/easy-rsa
# cp -r /usr/share/easy-rsa/ /etc/openvpn/
# mkdir /etc/openvpn/easy-rsa/keys
# vi /etc/openvpn/easy-rsa/vars
Modify the following export lines:
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”CA”
export KEY_CITY=”SanFrancisco”
export KEY_ORG=”Fort-Funston” (last name/business name)
export KEY_EMAIL=”me@myhost.mydomain”
export KEY_OU=”MyOrganizationalUnit” (“home”/business unit)
Now generate some keys and create the pem file we pointed to earlier
# openssl dhparam -out /etc/openvpn/dh2048.pem 2048 (this will take some time)
# cd /etc/openvpn/easy-rsa
# . ./vars (initializes variables we set in the vars file earlier)
# ./clean-all
# ./build-ca
Verify/accept each property. Common Name should default to your Organization Name followed by CA. When prompted for “Name” change “EasyRSA” to “server”.
# ./build-key-server server
Verify/accept each property. You can leave “Common Name” set to “server”, or change it to something more descriptive like “John’s OpenVPN server”. Be sure to change the “Name” field from “EasyRSA” to “server” and do not specify a password when prompted. Enter Y to sign the certificate and Y to commit.
Still in the /etc/openvpn/easy-rsa directory we need to copy some keys to /etc/openvpn/
# cd keys
# cp server.crt server.key ca.crt /etc/openvpn/
# cd /etc/openvpn
# ls
You should see: ca.crt, dh2048.pem, server.conf, server.crt, and server.key files
Start the openvpn service
# service openvpn start
# service openvpn status (should show “* VPN ‘server’ is running”)
Create client keys
(Start here for each unique client/device key)
# cd /etc/openvpn/easy-rsa
# . ./vars (initializes variables we set in the vars file earlier)
# ./build-key client1 (To password-protect client key, use: build-key-pass client1) Here client1 refers to the key file we are creating, and could be anything you want (i.e. john-laptop for instance). Verify/accept each key property EXCEPT change “Common Name” to something descriptive like “John’s Laptop” and change “Name” from “EasyRSA” to “client1”. The Name field must match the filename you specified above. Enter Y to sign the certificate and Y to commit.
# ls keys
client1.crt client1.csr client1.key ...
Copy keys and config files to /root/client
# mkdir ~/client (only the 1st time creating a client key)
# cd ~/client
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf client1.ovpn
# ls
client1.ovpn
# cp /etc/openvpn/easy-rsa/keys/ca.crt . (only the 1st time creating a client key)
# cp /etc/openvpn/easy-rsa/keys/client1.* .
# ls (still in the /root/client directory)
ca.crt client1.crt client1.key client1.ovpn
Need to find the FQDN clients will use to connect, or real IP address for our OpenVPN server
# ifconfig (look for inet addr: ) or google “What’s my IP address?”
If the VPN server is behind a firewall/router, you will need to setup port forwarding 1194/udp to the OpenVPN server.
(Notice: You should have a tun0 interface with the 10.8.0.1 VPN address in the ifconfig output.)
# vi client1.ovpn
Find and uncomment (remove leading “;”) the line with “remote my-server-1 1194” Replace my-server-1 with the real IP address or the FQDN clients will use to connect to your OpenVPN server.
Uncomment (remove leading “;”) these lines:
user nobody
group nogroup
Comment out default ca, cert, and key lines
# ca ca.crt
# cert client.crt
# key client.key
Now we will combine the client1.crt, client1.key, ca.crt, the client1.ovpn files.
(see Appendix for a merge.sh script to make things easier)
# echo “<ca>” >> client1.ovpn
# cat ca.crt >> laptop1.ovpn
# echo “</ca>” >> client1.ovpn
# echo “<cert>” >> client1.ovpn
# echo client1.crt >> client1.ovpn
# echo “</cert>” >> client1.ovpn
# echo “<key>” >> client1.ovpn
# cat client1.key >> client1.ovpn
# echo “</key>” >> client1.ovpn
# vi client1.ovpn (look over it and make sure open and close tags are all good)
Securely transfer the /root/client/client1.ovpn file to the client’s home directory. (flash or scp.)
Test it from the client either through the GUI OpenVPN client or the command line.
$ sudo openvpn client1.ovpn
Google “What’s my IP address” and verify that you are now using the VPN servers IP address on the Internet.
APPENDIX: merge.sh script
#!/bin/bash
# /root/client/merge.sh
# Merge FILE.ca, FILE.crt, FILE.key and FILE.ovpn
# usage: ./merge.sh name (client name without any file extension)# File Tests
if [ -z $1 ]; then
echo "syntax: $0 Filename"
exit 1
fi
FILE=$1
if [ ! -s ca.crt ]; then
echo "Missing or Zero byte file: ca.crt"
exit 1
fi
if [ ! -s ${FILE}.ovpn ]; then
echo "Missing or Zero byte file: ${FILE}.ovpn"
exit 1
fi
if [ ! -s ${FILE}.crt ]; then
echo "Missing or Zero byte file: ${FILE}.crt"
exit 1
fi
if [ ! -s ${FILE}.key ]; then
echo "Missing or Zero byte file: ${FILE}.key"
exit 1
fi
# Merge the files
echo -e "<ca>" >>${FILE}.ovpn
cat ca.crt >>${FILE}.ovpn
echo -e "</ca>" >>${FILE}.ovpn
echo -e "<cert>" >>${FILE}.ovpn
cat ${FILE}.crt >>${FILE}.ovpn
echo -e "</cert>" >>${FILE}.ovpn
echo -e "<key>" >>${FILE}.ovpn
cat ${FILE}.key >>${FILE}.ovpn
echo -e "</key>" >>${FILE}.ovpn
# Merge FILE.ca, FILE.crt, FILE.key and FILE.ovpn
# usage: ./merge.sh name (client name without any file extension)# File Tests
if [ -z $1 ]; then
echo "syntax: $0 Filename"
exit 1
fi
FILE=$1
if [ ! -s ca.crt ]; then
echo "Missing or Zero byte file: ca.crt"
exit 1
fi
if [ ! -s ${FILE}.ovpn ]; then
echo "Missing or Zero byte file: ${FILE}.ovpn"
exit 1
fi
if [ ! -s ${FILE}.crt ]; then
echo "Missing or Zero byte file: ${FILE}.crt"
exit 1
fi
if [ ! -s ${FILE}.key ]; then
echo "Missing or Zero byte file: ${FILE}.key"
exit 1
fi
# Merge the files
echo -e "<ca>" >>${FILE}.ovpn
cat ca.crt >>${FILE}.ovpn
echo -e "</ca>" >>${FILE}.ovpn
echo -e "<cert>" >>${FILE}.ovpn
cat ${FILE}.crt >>${FILE}.ovpn
echo -e "</cert>" >>${FILE}.ovpn
echo -e "<key>" >>${FILE}.ovpn
cat ${FILE}.key >>${FILE}.ovpn
echo -e "</key>" >>${FILE}.ovpn
exit 0
Subscribe to:
Posts (Atom)