Building A Raspberry Pi VPN HowTo: Creating An Encrypted Client Side

By now, it’s pretty apparent that turning your Raspberry Pi into a Virtual Private Network is an all-evening activity. But as security flaws further compromise our Internet lives, it feels increasingly worth it to have a secure server on your side. That way, you’re free to write emails and transfer data without worrying about what or whom might be intercepting it as it travels from your computer to the Web.

If you’ve followed the steps from the other Raspberry Pi VPN HowTo, you’ve got a fully functional VPN server on your Raspberry Pi. You can use this to connect securely to your home network wherever there’s an unencrypted wireless connection. You can also access shared files and media you keep stored on your home network.

Only, you can’t access those files just yet. We’ve created keys for clients (computers and devices) to use, but we haven’t told the clients where to find the server, how to connect, or which key to use.

If you remember, we created several different client keys for each of the devices we want to grant VPN access. We called them Client1, Client2 and Client3.

It’d be a lot of trouble to generate a new configuration file for each client from scratch, which is why we’ll use an ingenious script written by Eric Jodoin of the SANS Institute. Instead of generating a file for each client on our own, this script will do it for us.

Following The Script

The script will access our default settings to generate files for each client. The first thing we need to do, then, is create a blank text file from which those default settings can be read.

nano /etc/openvpn/easy-rsa/keys/Default.txt

Fill in the blank text file with the following:

client
dev tun
proto udp
remote <YOUR PUBLIC IP ADDRESS HERE> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

It should look like the screenshot below, except it should show your public IP address. You’ll see that I deleted my own public IP address because that’s private information you shouldn’t be sharing around. On the other hand, local static IP addresses are very similar for everyone. They usually start with “192.168.”

Now, if you don’t have a static public IP address, you need to use a dynamic domain name system (DDNS) service to give yourself a domain name to put in place of the IP address. I recommend using the free service DNS Dynamic, which lets you pick a name of your choice. Then on your Pi, you need to run DDclient to update your DDNS registry automatically. I wrote a full tutorial for how to do this here.
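A quick check worth running on Default.txt before the per-client files are generated from it, as an added example that is not part of the original post or of Eric Jodoin's script. The function name lint_client_defaults is hypothetical; the deprecation findings reflect the OpenVPN documentation for newer releases, which marks ns-cert-type and comp-lzo as deprecated.

```shell
#!/bin/sh
# Added example (not from the original post): lint a client defaults file
# such as Default.txt before per-client configs are generated from it.

# lint_client_defaults FILE -> prints one finding per line, nothing if clean
lint_client_defaults() {
    f=$1
    remote=$(grep -E '^remote[[:space:]]' "$f" | head -n 1)
    case $remote in
        '')    echo "remote: directive missing" ;;
        *'<'*) echo "remote: placeholder not replaced with an address or DDNS name" ;;
    esac
    # Without a server certificate type check, any certificate signed by the
    # same CA (including another client's) would be accepted as the server.
    if grep -Eq '^ns-cert-type[[:space:]]+server' "$f"; then
        echo "ns-cert-type: deprecated in newer OpenVPN, use remote-cert-tls server"
    elif ! grep -Eq '^remote-cert-tls[[:space:]]+server' "$f"; then
        echo "server certificate check missing (remote-cert-tls server)"
    fi
    if grep -Eq '^comp-lzo' "$f"; then
        echo "comp-lzo: deprecated in newer OpenVPN"
    fi
    return 0
}

# Constructed sample: the defaults from this page with the placeholder left in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun
proto udp
remote <YOUR PUBLIC IP ADDRESS HERE> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
EOF
lint_client_defaults "$sample"
rm -f "$sample"
```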

(more…)


Chmod permissions (flags) explained: 600, 0600, 700, 777, 100 etc..

Want to know what the numbers in chmod mean? Using flags is an easy and short form to set user permissions. This article (I hope) puts it simply; if you want to learn the theory, also visit the links at the end.

There are four octal (0..7) digits which control the file permissions, but often only three are used. If you use 600, it equals 0600: the missing digit is added at the beginning of the number.

Each of the three digits describes permissions. Its position in the number defines which group of users the permissions apply to.

Permissions:
1 – can execute
2 – can write
4 – can read

The octal number is the sum of those permissions, e.g.
3 (1+2) – can execute and write
6 (2+4) – can write and read

Position of the digit in the value:
1 – what the owner can do
2 – what users in the file's group (class) can do
3 – what users not in the file's group (class) can do

Examples:
chmod 600 file – owner can read and write
chmod 700 file – owner can read, write and execute
chmod 666 file – all can read and write
chmod 777 file – all can read, write and execute
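The digit arithmetic above, as an added example that is not part of the original post: it decodes a three- or four-digit mode into the rwx string that ls -l shows and classifies it by who besides the owner gets access. The function names are hypothetical, and a leading fourth digit is simply dropped, since the post does not cover it.

```shell
#!/bin/sh
# Added example: decode chmod octal modes (1 = execute, 2 = write, 4 = read).

# digit_to_rwx DIGIT -> three characters such as "rw-"
digit_to_rwx() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_rwx MODE -> nine characters: owner, group, others; status 1 on bad input
mode_to_rwx() {
    case $1 in
        [0-7][0-7][0-7])      m=$1 ;;
        [0-7][0-7][0-7][0-7]) m=${1#?} ;;   # drop the leading digit: 0600 -> 600
        *) echo "not an octal mode: $1" >&2; return 1 ;;
    esac
    o=${m%??}                # first digit: owner
    rest=${m#?}; g=${rest%?} # second digit: group
    t=${m#??}                # third digit: everyone else
    printf '%s%s%s\n' "$(digit_to_rwx "$o")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$t")"
}

# mode_risk MODE -> "owner-only", "shared" or "world-writable"
mode_risk() {
    rwx=$(mode_to_rwx "$1") || return 1
    group=$(printf '%s' "$rwx" | cut -c4-6)
    other=$(printf '%s' "$rwx" | cut -c7-9)
    case $other in
        ?w?) echo "world-writable"; return 0 ;;
    esac
    if [ "$group$other" = "------" ]; then
        echo "owner-only"
    else
        echo "shared"
    fi
}

# The modes used in the examples above.
for mode in 600 0600 700 666 777; do
    printf '%-5s %s  %s\n' "$mode" "$(mode_to_rwx "$mode")" "$(mode_risk "$mode")"
done
```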

Links:
1) Wikipedia explains that in greater detail: http://en.wikipedia.org/wiki/Filesystem_permissions
2) Man page for chmod: http://linux.die.net/man/1/chmod


Building A Raspberry Pi VPN: HowTo Build A Server

Free, unencrypted wireless is everywhere, but you shouldn’t be checking your bank account on it unless you don’t mind somebody else snooping. The solution? A virtual private network, or VPN.

A VPN extends your own private network into public places, so even if you’re using Starbucks’ Wi-Fi connection, your Internet browsing stays encrypted and secure.

There are plenty of ways to set up a VPN, both with free and paid services, but each solution has its own pros and cons, determined by the way the VPN provider operates and charges and the kinds of VPN options it provides.

The easiest and cheapest solution to keep your data safe is to just abstain from public Wi-Fi completely. But that sounds a little extreme to me when it’s relatively simple and inexpensive to build your own VPN server at home, and run it off of a tiny, inexpensive ($35) Raspberry Pi.

My Raspberry Pi is about the size of a smartphone, but it runs a fully functional VPN server. That means no matter where I am, I can connect my computer to my home network and access shared files and media over a secure connection. It came in handy on a recent trip to Boston, where I was still able to watch videos stored on my network back home in DC.

This is the part where I’d link you to a handy tutorial on how to set this up. The problem is one doesn’t exist—or at least one that could satisfy this average computer user. And while there are plenty of tutorials about how to set up a VPN server on Raspberry Pi, there are very few that explain why.

I read several different tutorials and cobbled together the results into this semi-coherent tutorial for setting up a VPN on Raspberry Pi, which even I can understand, complete with the why behind the how. Most prominently, I relied on Eric Jodoin’s VPN tutorial for experts, and dumbed it down for me.

So follow me down the cryptography rabbit hole and learn that no matter how paranoid you are, whoever came up with the methods to generate VPNs was even more so.

 

Materials

Hardware

Raspberry Pi Model B: Plus everything that comes with it—by that, I mean a regular power source and a case to put it in. A case can help prevent accidental short-circuits that could permanently damage the machine—the case can even be as simple as a cardboard box you fold yourself.

SD card: I’m suggesting 8GB or more, just to make sure you have the space. As always for all Raspberry Pi projects, this should already have NOOBS installed.

Cat5e cable: This will connect the Pi’s ethernet port to the ethernet port on the router.

Software

OpenVPN: This is the open source VPN service we’ll be installing today.

(more…)


Multiple vhosts, Apache

One of the most common Apache2 questions I’ve seen on Debian mailing lists is from users who wonder how to host multiple websites with a single server. This is very straightforward, especially with the additional tools the Debian package provides.

There are many different ways you can configure Apache to host multiple sites, ranging from the simple to the complex. Here we’re only going to cover the basics with the use of the NameVirtualHost directive. The advantage of this approach is that you don’t need to hard-wire any IP addresses, and it will just work. The only thing you need is for your domain names to resolve to the IP address of your webserver.

For example, if you have an Apache server running on the IP address 192.168.1.1 and you wish to host the three sites example.com, example.net, and example.org, you’ll need to make sure that these names resolve to the IP address of your server.

(This might mean that you need example.com and www.example.com to resolve to the same address. However, that is a choice you’ll need to make for yourself.)

Since we’ll be hosting multiple websites on the same host, it makes a lot of sense to be very clear on the location of each site’s files on the filesystem. The way I suggest you manage this is to create a completely separate document root, cgi-bin directory, and logfile directory for each host. You can place these beneath the standard Debian prefix of /var/www or you may use a completely different root – I use /home/www.

If you’ve not already done so, create the directories to contain your content, etc., as follows:

root@irony:~# mkdir /home/www

root@irony:~# mkdir /home/www/www.example.com
root@irony:~# mkdir /home/www/www.example.com/htdocs
root@irony:~# mkdir /home/www/www.example.com/cgi-bin
root@irony:~# mkdir /home/www/www.example.com/logs

root@irony:~# mkdir /home/www/www.example.net
root@irony:~# mkdir /home/www/www.example.net/htdocs
root@irony:~# mkdir /home/www/www.example.net/logs
root@irony:~# mkdir /home/www/www.example.net/cgi-bin

root@irony:~# mkdir /home/www/www.example.org
root@irony:~# mkdir /home/www/www.example.org/htdocs
root@irony:~# mkdir /home/www/www.example.org/logs
root@irony:~# mkdir /home/www/www.example.org/cgi-bin

Here we’ve setup three different directory trees, one for each site. If you wanted to have identical content it might make sense to only create one, and then use symbolic links instead.
The next thing to do is to enable virtual hosts in your Apache configuration. The simplest way to do this is to create a file called /etc/apache2/conf.d/virtual.conf and include the following content in it:

(more…)


Install par2cmdline on CentOS 5.x

This has been bugging me for a while.

So, here’s a quick and easy way to do it:

Code:

wget http://garr.dl.sourceforge.net/sourceforge/parchive/par2cmdline-0.4.tar.gz

wget http://sage.math.washington.edu/home/binegar/src/par2cmdline-0.4-gcc4.patch

tar zxf par2cmdline-0.4.tar.gz

cd par2cmdline-0.4

patch <../par2cmdline-0.4-gcc4.patch reedsolomon.cpp

./configure

make

make check

make install # Need to do this as admin

cd ..
