Wednesday, December 5, 2018

Headless Raspberry Pi - Initial Baseline Configuration

Prerequisites/Assumptions

This guide assumes you can follow the instructions on the Raspberry Pi web site to download and install the Raspbian Lite image on a Micro SD card: Installing Raspberry Pi Operating System Images

Setup the Raspberry Pi

From the PC used to write Raspbian to the Micro SD card, enable SSH access by creating an empty file named 'ssh' in the /boot partition of the Micro SD card (you may need to mount it first).  This lets you run the Pi without a monitor, keyboard or mouse (i.e. headless).

If you need to run your Raspberry Pi over Wi-Fi (e.g. you have the wireless-only Pi 3 A+), mount the rootfs partition of the Micro SD card on your PC, edit the /etc/wpa_supplicant/wpa_supplicant.conf file, add your Wi-Fi network settings at the bottom, then save and unmount the Micro SD card.  Note: the double-quote marks are required.
network={
    ssid="Your SSID goes here"
    psk="Your Wi-Fi password goes here"
}
Insert the Micro SD card into the Raspberry Pi and connect the Pi to your network with a CAT5/6 Ethernet cable (skip the cable if you are using Wi-Fi).  Then connect the power cable to the Pi.

After a few minutes the Pi should boot, receive an IP address from your router and register itself with your local internal DNS.

Try SSHing to pi@raspberrypi; if that is unsuccessful try pi@raspberrypi.local.  If that still doesn't work, you will need to log in to your router and find out which IP address was assigned to your Raspberry Pi.  If you are connecting from a Windows PC I recommend the PuTTY SSH client (PuTTY SSH Client Download).  The default password for the pi user is "raspberry".

Initial Raspbian Configuration


You should see something similar to this the first time you SSH to the Pi:

Next we will run the raspi-config command as root:

sudo raspi-config

The first thing to do is change the "pi" user's password, by selecting Change User Password.
Under Network Options select Hostname, change the hostname to mhag and select <Ok>.

You can substitute whatever you like for mhag.  I chose this name because this How To is a prerequisite for installing a program I have developed named the Multi Host Availability Grapher.


Under Localization Options select Change Locale and enable en_US.UTF-8 UTF-8, select <Ok>, then set the Default locale to C.UTF-8 and select <Ok> again.


Go back into Localization Options and select Change Timezone and set it to your timezone and select <Ok>.


Again go back into Localization Options and select Change Wi-fi Country and set it to your country and select <Ok>.

Under Advanced Options choose Expand Filesystem then select <Ok>.


Select <Finish> and then select <Yes>  to reboot now.


After a few minutes you should be able to SSH back into the Raspberry Pi as pi@mhag.


Saturday, February 10, 2018

OpenVPN Raspberry Pi 3 / Ubuntu Linux Server HowTo

This post is outdated.  I recommend using this article instead:
https://www.pcmag.com/how-to/how-to-create-a-vpn-server-with-raspberry-pi



Loosely based on Hak5's video "Linux Server Build: OpenVPN From Scratch - Hak5 2019".
My setup: Raspberry Pi 3 running Raspbian with a static internal IP address behind a DD-WRT wireless router configured to use Dynamic DNS to automatically update a DNS A record.

I recommend looking over/following my post Headless Raspberry Pi - Initial Baseline Configuration to be sure your installation of Raspbian is consistent with mine.

Install OpenVPN and Easy-RSA

$ sudo -i
# apt-get update
# apt-get upgrade
# apt-get install openvpn easy-rsa
# cd /usr/share/doc/openvpn/examples/sample-config-files
# gunzip -c server.conf.gz >/etc/openvpn/server.conf
# cd /etc/openvpn
# vi server.conf


Update the Diffie-Hellman parameter file from the 1024-bit default to 2048 bits:
dh dh2048.pem


Uncomment (remove the beginning ';') these lines:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"   (add this line yourself, with your router's address, for local system name resolution)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
group nogroup
The 208.67.x.x addresses above are OpenDNS servers.  You can change these to 8.8.8.8 and 8.8.4.4 (Google's DNS servers) if you want.

Setup Firewall

# cat /proc/sys/net/ipv4/ip_forward
0
# echo 1 > /proc/sys/net/ipv4/ip_forward


# vi /etc/sysctl.conf
Uncomment (remove the beginning #):
net.ipv4.ip_forward=1


Use ufw to create the rules:
# ufw status  (may need to run apt-get install ufw first)
# ufw allow ssh
# ufw allow 1194/udp
# vi /etc/default/ufw
Change the default forward policy to ACCEPT:
DEFAULT_FORWARD_POLICY="ACCEPT"


Setup NAT and IP masquerading for clients
# vi /etc/ufw/before.rules
Add the NAT rules at the top of the file (assumes eth0 is your Internet-facing interface name).  The sample server.conf hands clients addresses from 10.8.0.0/24, so keep the source mask at /24; a /8 would masquerade all of 10.0.0.0/8, not just VPN clients.
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Enable/start firewall

# ufw status
# ufw enable
# ufw status
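As an added check (example code, not from the original post), the script below re-reads the three files edited in this section and reports the mistakes that leave VPN clients without Internet access or masquerade a wider range than the VPN pool. The default paths and the 10.8.0.0/24 client subnet are the ones this how-to uses; any other arguments are assumptions, and the demo at the bottom runs only against constructed copies in a temporary directory.

```shell
#!/bin/sh
# check_vpn_fw.sh -- added example, not part of the original post.
# Re-reads the files the firewall section edits and flags anything that would
# break forwarding for VPN clients or masquerade more than the VPN subnet.

# /etc/sysctl.conf must carry an active (uncommented) net.ipv4.ip_forward=1
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# /etc/default/ufw must accept forwarded packets
check_forward_policy() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"$' "$1"
}

# /etc/ufw/before.rules must hold a *nat table, terminated by COMMIT, whose
# MASQUERADE rule is scoped to the VPN client subnet (not a /8)
check_nat_rule() {
    rules="$1"; subnet="$2"
    grep -q '^\*nat$' "$rules" || { echo "$rules: no *nat table"; return 1; }
    if grep -Eq '^-A POSTROUTING -s 10\.[0-9.]+/8 ' "$rules"; then
        echo "$rules: MASQUERADE source is a /8 (all of 10.0.0.0/8); narrow it to $subnet"
        return 1
    fi
    grep -Eq "^-A POSTROUTING -s $subnet -o [a-z0-9]+ -j MASQUERADE$" "$rules" \
        || { echo "$rules: no MASQUERADE rule for $subnet"; return 1; }
    awk '/^\*nat$/ { n = 1 } n && /^COMMIT$/ { c = 1 } END { exit !(n && c) }' "$rules" \
        || { echo "$rules: *nat table is not terminated by COMMIT"; return 1; }
}

# Runs all three checks; arguments override the real paths and subnet.
# Returns 0 when everything is consistent, 1 otherwise.
check_vpn_firewall() {
    sysctl_conf="${1:-/etc/sysctl.conf}"
    ufw_default="${2:-/etc/default/ufw}"
    before_rules="${3:-/etc/ufw/before.rules}"
    subnet="${4:-10.8.0.0/24}"
    rc=0
    check_ip_forward "$sysctl_conf" || { echo "$sysctl_conf: net.ipv4.ip_forward=1 is not active"; rc=1; }
    check_forward_policy "$ufw_default" || { echo "$ufw_default: DEFAULT_FORWARD_POLICY is not \"ACCEPT\""; rc=1; }
    check_nat_rule "$before_rules" "$subnet" || rc=1
    return $rc
}

# Writes a constructed set of the three files into directory $1; $2 selects the
# masquerade source so the demo can show the /8 mistake being caught.
write_sample_config() {
    dir="$1"; src="${2:-10.8.0.0/24}"
    printf '%s\n' '# constructed sysctl.conf' 'net.ipv4.ip_forward=1' >"$dir/sysctl.conf"
    printf '%s\n' 'DEFAULT_INPUT_POLICY="DROP"' 'DEFAULT_FORWARD_POLICY="ACCEPT"' >"$dir/ufw"
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $src -o eth0 -j MASQUERADE" 'COMMIT' \
        '*filter' ':ufw-before-input - [0:0]' 'COMMIT' >"$dir/before.rules"
}

# Demo on constructed files (never touches /etc)
tmp=$(mktemp -d)
write_sample_config "$tmp"
check_vpn_firewall "$tmp/sysctl.conf" "$tmp/ufw" "$tmp/before.rules" && echo "good config: OK"
write_sample_config "$tmp" 10.8.0.0/8
check_vpn_firewall "$tmp/sysctl.conf" "$tmp/ufw" "$tmp/before.rules" || echo "/8 config: rejected as expected"
rm -rf "$tmp"
```

Run it with no arguments on the server after editing the files, or with four arguments to check staged copies; a non-zero exit means at least one of the three settings is not in the state this section expects.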

Create Certificate Authority and generate RSA keys

# cd /usr/share/easy-rsa
# cp -r /usr/share/easy-rsa/  /etc/openvpn/
# mkdir /etc/openvpn/easy-rsa/keys


# vi /etc/openvpn/easy-rsa/vars
Modify the following export lines (the closing quotes are required):
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"  (last name/business name)
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"  ("home"/business unit)
Now generate the Diffie-Hellman parameters, creating the pem file we pointed to earlier:
# openssl dhparam -out /etc/openvpn/dh2048.pem 2048  (this will take some time)


# cd /etc/openvpn/easy-rsa
# . ./vars  (initializes the variables we set in the vars file earlier)
# ./clean-all
# ./build-ca
Verify/accept each property.  Common Name should default to your Organization Name followed by CA.  When prompted for "Name" change "EasyRSA" to "server".
# ./build-key-server server
Verify/accept each property.  You can leave "Common Name" set to "server", or change it to something more descriptive like "John's OpenVPN server".  Be sure to change the "Name" field from "EasyRSA" to "server" and do not specify a password when prompted.  Enter Y to sign the certificate and Y to commit.


Still in the /etc/openvpn/easy-rsa directory we need to copy some keys to /etc/openvpn/
# cd keys
# cp server.crt server.key ca.crt /etc/openvpn/
# cd /etc/openvpn
# ls
You should see: ca.crt, dh2048.pem, server.conf, server.crt, and server.key files

Start the openvpn service

# service openvpn start
# service openvpn status  (should show "* VPN 'server' is running")

Create client keys

(Start here for each unique client/device key)
# cd /etc/openvpn/easy-rsa
# . ./vars  (initializes the variables we set in the vars file earlier)
# ./build-key client1  (to password-protect the client key, use: ./build-key-pass client1)
Here client1 refers to the key file we are creating, and could be anything you want (john-laptop, for instance).  Verify/accept each key property EXCEPT change "Common Name" to something descriptive like "John's Laptop" and change "Name" from "EasyRSA" to "client1".  The Name field must match the filename you specified above.  Enter Y to sign the certificate and Y to commit.


# ls keys
client1.crt  client1.csr  client1.key ...
Copy keys and config files to /root/client
# mkdir ~/client  (only the 1st time creating a client key)
# cd ~/client
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf client1.ovpn
# ls
client1.ovpn


# cp /etc/openvpn/easy-rsa/keys/ca.crt .  (only the 1st time creating a client key)
# cp /etc/openvpn/easy-rsa/keys/client1.* .
# ls  (still in the /root/client directory)
ca.crt  client1.crt  client1.key  client1.ovpn


Next find the FQDN clients will use to connect, or the real (public) IP address of our OpenVPN server.
# ifconfig  (look for inet addr:) or google "What's my IP address?"
If the VPN server is behind a firewall/router, you will need to set up port forwarding of 1194/udp to the OpenVPN server.
(Notice: you should have a tun0 interface with the 10.8.0.1 VPN address in the ifconfig output.)


# vi client1.ovpn
Find and uncomment (remove the leading ";") the line with "remote my-server-1 1194".  Replace my-server-1 with the real IP address or the FQDN clients will use to connect to your OpenVPN server.
Uncomment (remove the leading ";") these lines:
user nobody
group nogroup


Comment out the default ca, cert, and key lines:
# ca ca.crt
# cert client.crt
# key client.key


Now we will combine the client1.crt, client1.key, ca.crt and client1.ovpn files into a single profile.
(see the Appendix for a merge.sh script to make things easier)


# echo "<ca>" >> client1.ovpn
# cat ca.crt >> client1.ovpn
# echo "</ca>" >> client1.ovpn
# echo "<cert>" >> client1.ovpn
# cat client1.crt >> client1.ovpn
# echo "</cert>" >> client1.ovpn
# echo "<key>" >> client1.ovpn
# cat client1.key >> client1.ovpn
# echo "</key>" >> client1.ovpn


# vi client1.ovpn  (look over it and make sure the open and close tags are all good)
Securely transfer the /root/client/client1.ovpn file to the client's home directory (USB flash drive or scp).  The file contains the client's private key, so treat it with the same care as a password.
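The "look over it" step above is easy to get wrong by eye, so here is an added example (not part of the original post) that checks a merged profile mechanically: it confirms that each of the <ca>, <cert> and <key> blocks opens and closes exactly once, that each block really contains PEM data rather than a stray file name, and that no file-based ca/cert/key directive was left uncommented. The sample profile it builds for the demo is constructed, with placeholder bodies instead of real certificates; the host name vpn.example.invalid is likewise made up.

```shell
#!/bin/sh
# check_ovpn.sh -- added example, not part of the original post.
# Sanity-checks a merged client profile before it is handed to a user:
#   * exactly one <ca>, <cert> and <key> inline block, each properly closed
#   * each block carries a PEM BEGIN/END pair (catches pasting a file NAME
#     instead of its contents, e.g. "echo client1.crt" instead of "cat client1.crt")
#   * no file-based "ca ...", "cert ...", "key ..." directive left active,
#     which would conflict with the inline blocks
# Returns 0 when the profile looks consistent, 1 otherwise.
check_ovpn() {
    f="$1"
    [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
    rc=0
    for tag in ca cert key; do
        opens=$(grep -c "^<$tag>\$" "$f" || true)
        closes=$(grep -c "^</$tag>\$" "$f" || true)
        if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
            echo "$f: expected exactly one <$tag>...</$tag> block (found $opens open, $closes close)"
            rc=1
            continue
        fi
        # the text between the tags must carry a PEM BEGIN and END line
        body=$(sed -n "/^<$tag>\$/,/^<\/$tag>\$/p" "$f")
        echo "$body" | grep -q '^-----BEGIN ' || { echo "$f: <$tag> block has no PEM BEGIN line"; rc=1; }
        echo "$body" | grep -q '^-----END '   || { echo "$f: <$tag> block has no PEM END line"; rc=1; }
    done
    if grep -Eq '^(ca|cert|key)[[:space:]]' "$f"; then
        echo "$f: a file-based ca/cert/key directive is still active; comment it out"
        rc=1
    fi
    return $rc
}

# Constructed profile with placeholder PEM bodies (NOT real key material);
# $2 is the text placed between <cert> and </cert>.
GOOD_CERT='-----BEGIN CERTIFICATE-----
placeholder-client-cert-body
-----END CERTIFICATE-----'
write_sample_profile() {
    out="$1"; cert_payload="$2"
    {
        printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.invalid 1194'
        printf '%s\n' '# ca ca.crt' '# cert client1.crt' '# key client1.key' 'user nobody' 'group nogroup'
        printf '%s\n' '<ca>' '-----BEGIN CERTIFICATE-----' 'placeholder-ca-cert-body' '-----END CERTIFICATE-----' '</ca>'
        printf '%s\n' '<cert>' "$cert_payload" '</cert>'
        printf '%s\n' '<key>' '-----BEGIN PRIVATE KEY-----' 'placeholder-client-key-body' '-----END PRIVATE KEY-----' '</key>'
    } >"$out"
}

# Demo: a correct profile passes; one built with "echo client1.crt" is rejected
tmp=$(mktemp -d)
write_sample_profile "$tmp/good.ovpn" "$GOOD_CERT"
write_sample_profile "$tmp/bad.ovpn" "client1.crt"
check_ovpn "$tmp/good.ovpn" && echo "good.ovpn: OK"
check_ovpn "$tmp/bad.ovpn" || echo "bad.ovpn: rejected as expected"
rm -rf "$tmp"
```

On the server, run check_ovpn against /root/client/client1.ovpn right after merging; only a profile that exits 0 should leave the box.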


Test it from the client, either through the GUI OpenVPN client or from the command line:
$ sudo openvpn client1.ovpn
Google "What's my IP address" and verify that you are now using the VPN server's IP address on the Internet.

APPENDIX:  merge.sh script

#!/bin/bash
# /root/client/merge.sh
# Merge ca.crt, FILE.crt and FILE.key into FILE.ovpn as inline <ca>, <cert> and <key> blocks
# usage: ./merge.sh name  (client name without any file extension)

# File tests
if [ -z "$1" ]; then
    echo "syntax: $0 Filename"
    exit 1
fi
FILE="$1"
for f in ca.crt "${FILE}.ovpn" "${FILE}.crt" "${FILE}.key"; do
    if [ ! -s "$f" ]; then
        echo "Missing or zero byte file: $f"
        exit 1
    fi
done
# Refuse to append a second set of blocks if the script was already run on this profile
if grep -q '^<ca>$' "${FILE}.ovpn"; then
    echo "${FILE}.ovpn already contains inline certificate blocks"
    exit 1
fi

# Merge the files
{
    echo "<ca>";   cat ca.crt;          echo "</ca>"
    echo "<cert>"; cat "${FILE}.crt";   echo "</cert>"
    echo "<key>";  cat "${FILE}.key";   echo "</key>"
} >>"${FILE}.ovpn"

exit 0