Introduction
Motivation
How about secure access from outside into our own home network, so we can maintain machines, change configurations, fetch files and so on from wherever we are? For this we establish a VPN tunnel between a local RPi in our network and a hosted server. If this hosted server offers a web based console, we only need a web browser to access our own resources at home.
The idea for the project comes from my colleague Michael, and I would like to thank him for the first inputs to get it running.
Starting point
Instead of messing up your official hosted server I can only recommend starting with one of the cheap offers. I use www.digitalocean.com for such server playgrounds; it has a really nice package for only $5 per month. But in reality you pay only cents, because only running systems count. So my account, initially charged with $5, still has more than $4 for further tests.
Besides this, they also make it very easy to get a new machine up. For the creation you only define the name, choose the “hardware” specification and select the operating system, and seconds later you receive a mail with the credentials and the information that your machine is up and running. Amazing!
In case you are interested in testing this provider, let me know. Currently I can send you an invitation worth $10, or you can use this link https://www.digitalocean.com/?refcode=5fde389ac6da (be aware, they request your credit card details but don’t charge it; it is only for future business with you, and you can delete the details later). $10 is enough for a long play period.
Realization
Preparing the server
For this sample I chose a Debian based machine with the smallest hardware specification in New York.
By the way, having a server somewhere outside your country of residence offers some interesting benefits. Why? Because you get an IP address that does not let the visited page see where you really come from (you hide the one your router gets from your provider), and location based services may offer you other things.
So far I found the following:
- Cheaper flight tickets
  Typical price watching portals try to offer you the prices from the area you come from, but the prices vary. www.skyscanner.com offered me a 10% better price for the same connection from another location.
- Avoid blocked YouTube videos
  In Germany the GEMA (and others) have YouTube block a lot of videos because of licensing issues (http://en.wikipedia.org/wiki/Blocking_of_YouTube_videos_in_Germany). Notably for videos with music you end up with “Dieses Video ist in Deutschland leider nicht verfügbar” (“Unfortunately, this video is not available in your country.”).
Okay – so let’s take this configuration now:

And not half a minute later your machine is online with a public IP address (here 104.131.97.68), and after a few minutes you get the mail with your credentials.

Connect to the new server, update it and install OpenVPN
Now ssh to this machine, confirm the question with yes and update your password. Use the IP and the password you got via mail.
ssh root@104.131.97.68
Let’s update the installation with
apt-get update
and install OpenVPN with
apt-get install openvpn
Creating the certificates and keys
The OpenVPN package contains some nice scripts (called easy-rsa) to create all the certificates and keys we need later. So let’s copy them to a place with easier access and go to this folder.
cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0/
There is a file which contains the default values for the certificates we will create. So we adjust its content for our needs
nano vars
The last lines contain some export commands, and that is the place where we have to specify our values
export KEY_COUNTRY="DE"
export KEY_PROVINCE="BY"
export KEY_CITY="Freising"
export KEY_ORG="Private"
# the vars file that ships with the package lists KEY_EMAIL twice; one assignment is enough
export KEY_EMAIL="dont@spam.me"
export KEY_CN=Private
export KEY_NAME=Private
export KEY_OU=Private
After saving the file and quitting nano we source these variables
source ./vars
and clean our environment for the new certificates and keys
./clean-all
We don’t have certificates from a Certificate Authority, so we create our own.
Therefore we start by setting up our own Certificate Authority
./build-ca
You see during the input that the default values are taken from our exported ones.
This creates some files below the “keys” folder
-rw-r--r-- 1 root root 1306 Dec 5 13:49 ca.crt
-rw------- 1 root root 920 Dec 5 13:49 ca.key
Time to create the keys for our OpenVPN server. You see the same game with the default values here. At the end you confirm the two questions with “y”.
./build-key-server OpenVpnServer
We get some new files under the keys folder
-rw-r--r-- 1 root root 4002 Dec 5 13:53 OpenVpnServer.crt
-rw-r--r-- 1 root root 712 Dec 5 13:53 OpenVpnServer.csr
-rw------- 1 root root 916 Dec 5 13:53 OpenVpnServer.key
With the next command we create the Diffie-Hellman parameters. On the Digital Ocean server this is done in seconds. I did the same on a Raspberry Pi for a similar project and had to wait around half an hour. So you can imagine how powerful the Digital Ocean equipment is!
./build-dh
which creates the next file
-rw-r--r-- 1 root root 245 Dec 5 13:57 dh1024.pem
Creating the keys for the client
Later we need the keys for our client, so let’s create them now too. The name of our Raspberry Pi will be alarmpi, so we use this name for the key too. Again you have to confirm the last two questions with “y”.
./build-key AlArmPi
The next set of files has been created
-rw-r--r-- 1 root root 3870 Dec 5 14:08 AlArmPi.crt
-rw-r--r-- 1 root root 704 Dec 5 14:08 AlArmPi.csr
-rw------- 1 root root 912 Dec 5 14:08 AlArmPi.key
Again we copy the necessary files to a place with easier access in further steps
cp /etc/openvpn/easy-rsa/2.0/keys/ca.* /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/OpenVpnServer.* /etc/openvpn/
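The steps above are interactive: every build script asks the same questions, with the defaults taken from vars. As an added example, not part of the original post, here is a script that runs the same sequence non-interactively through pkitool (the batch back end that build-ca, build-key-server and build-key wrap) and then checks the result before anything is copied around. It assumes the easy-rsa copy sits at /etc/openvpn/easy-rsa/2.0 as above; the PKI_KEY_SIZE variable is this script's own knob, not an easy-rsa setting.

```shell
#!/bin/sh
# Added example (not from the post): build the whole PKI in one go with the
# batch mode of easy-rsa 2.0 and sanity-check the result before copying files.
# Assumes the easy-rsa copy lives at /etc/openvpn/easy-rsa/2.0 as in the post.

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa/2.0}"

# Same steps as build-ca, build-key-server, build-key and build-dh, but via
# pkitool, the non-interactive back end those wrapper scripts call. Runs in a
# subshell so the cd and the sourced vars do not leak into the caller.
build_pki() (
    cd "$EASYRSA_DIR" || exit 1
    . ./vars
    # the shipped vars file sets KEY_SIZE=1024 (hence dh1024.pem); 2048 is the
    # sensible minimum today, and build-dh then writes dh2048.pem instead
    KEY_SIZE="${PKI_KEY_SIZE:-2048}"; export KEY_SIZE
    ./clean-all &&
    ./pkitool --initca &&
    ./pkitool --server "$1" &&
    ./pkitool "$2" &&
    ./build-dh
)

# Check the generated files: ca.crt and DH parameters present, and every
# private key readable by its owner only (-rw-------, as in the post's listing).
check_pki_files() {
    dir="$1"; status=0; keys=0
    [ -f "$dir/ca.crt" ] || { echo "missing $dir/ca.crt"; status=1; }
    ls "$dir"/dh*.pem >/dev/null 2>&1 || { echo "missing DH parameters in $dir"; status=1; }
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue          # unmatched glob stays literal
        keys=$((keys + 1))
        mode=$(ls -l "$f" | cut -c1-10)
        if [ "$mode" != "-rw-------" ]; then
            echo "WARNING: $f has mode $mode, expected -rw-------"
            status=1
        fi
    done
    [ "$keys" -gt 0 ] || { echo "no private keys in $dir"; status=1; }
    return "$status"
}

# The chain check OpenVPN performs during the handshake, done up front with openssl.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
}

# Live run, only where the easy-rsa tree from the post exists.
if [ -d "$EASYRSA_DIR" ]; then
    build_pki OpenVpnServer AlArmPi &&
    check_pki_files "$EASYRSA_DIR/keys" &&
    verify_cert "$EASYRSA_DIR/keys" OpenVpnServer &&
    verify_cert "$EASYRSA_DIR/keys" AlArmPi
fi
```

The shipped vars file sets KEY_SIZE=1024, which is why the post ends up with dh1024.pem; with the 2048 default used here build-dh writes dh2048.pem, so the dh line in server.conf has to name that file. The permission check mirrors the -rw------- mode the listings above show for the .key files; a key that other users can read is the first thing to fix.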
Later we copy the client relevant files via scp to our Raspberry.
Under /usr/share/doc/openvpn/examples/sample-config-files/ you can find a gzipped configuration file for the server.
You can unzip it and use it as a template or documentation for the content we paste in the next step
gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
But for now, to make it easy, let’s start with a simplified one of our own, written from scratch
nano /etc/openvpn/server.conf
Paste the following content into it
# listen on UDP 1194 and use a routed (tun) tunnel
port 1194
proto udp
dev tun
# CA, server certificate/key and DH parameters created with easy-rsa above
ca /etc/openvpn/ca.crt
cert /etc/openvpn/OpenVpnServer.crt
key /etc/openvpn/OpenVpnServer.key
dh /etc/openvpn/dh1024.pem
cipher BF-CBC
# VPN subnet; clients get 10.8.0.x addresses
server 10.8.0.0 255.255.255.0
# send all client traffic through the tunnel and push Google DNS to the client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
# drop root privileges once the tunnel is up
user nobody
group nogroup
persist-key
persist-tun
# status and log files; verb 6 is very verbose, lower it once everything works
status openvpn-status.log
log /etc/openvpn/openvpn.log
verb 6
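Several settings in this 2014-era configuration are no longer considered adequate: BF-CBC is a 64-bit block cipher, the DH parameters are 1024 bits, there is no tls-auth key, and verb 6 is debug logging. As an added example (not from the post) the following script flags those settings in any OpenVPN config file, the client config further down included, and writes a hardened version of this server.conf. Paths are the post's; the ta.key file is an assumption and is created with the command given in the comment.

```shell
#!/bin/sh
# Added example (not from the post): flag weak or deprecated settings in an
# OpenVPN configuration and write a hardened variant of the post's server.conf.
# File paths are the post's; ta.key is assumed to be generated as noted below.

# True when a line of the config starts with the option given as a regex.
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print one line per finding and return the number of findings (0 = clean).
lint_openvpn_conf() {
    conf="$1"; findings=0
    if has_opt "$conf" 'cipher[[:space:]]+BF-CBC'; then
        echo "$conf: BF-CBC is a 64-bit block cipher (SWEET32); use AES-256-CBC, or AES-256-GCM on 2.4+"
        findings=$((findings + 1))
    elif ! has_opt "$conf" 'cipher'; then
        echo "$conf: no cipher set, so OpenVPN 2.3's default BF-CBC applies; set one explicitly"
        findings=$((findings + 1))
    fi
    if has_opt "$conf" 'dh[[:space:]]+.*dh1024\.pem'; then
        echo "$conf: 1024-bit DH parameters; rebuild with KEY_SIZE=2048 (build-dh then writes dh2048.pem)"
        findings=$((findings + 1))
    fi
    if has_opt "$conf" 'ns-cert-type'; then
        echo "$conf: ns-cert-type is deprecated; use 'remote-cert-tls server' instead"
        findings=$((findings + 1))
    fi
    if ! has_opt "$conf" 'tls-auth'; then
        echo "$conf: no tls-auth key; with one, packets lacking a valid HMAC are dropped before any TLS work"
        findings=$((findings + 1))
    fi
    if has_opt "$conf" 'comp-lzo'; then
        echo "$conf: comp-lzo compresses before encrypting; current OpenVPN guidance is to leave compression off"
        findings=$((findings + 1))
    fi
    verb=$(sed -n 's/^[[:space:]]*verb[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$conf" | tail -n 1)
    if [ -n "$verb" ] && [ "$verb" -ge 5 ]; then
        echo "$conf: verb $verb is debug-level logging; drop to 3 once the tunnel works"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# The post's server.conf with the findings above fixed. The client side must
# match: cipher AES-256-CBC, tls-auth /etc/openvpn/ta.key 1, remote-cert-tls
# server, and no comp-lzo.
write_hardened_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/OpenVpnServer.crt
key /etc/openvpn/OpenVpnServer.key
dh /etc/openvpn/dh2048.pem
# shared HMAC key, created once with: openvpn --genkey --secret /etc/openvpn/ta.key
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/openvpn.log
verb 3
EOF
}

# Lint the post's files if they exist on this machine.
for conf in /etc/openvpn/server.conf /etc/openvpn/client.conf; do
    if [ -f "$conf" ]; then lint_openvpn_conf "$conf" || true; fi
done
```

Run against the server.conf above the linter reports five findings; the hardened file reports none. Because cipher, tls-auth and compression are negotiated per connection, whatever you change on the server has to be mirrored in the client config, otherwise the tunnel will not come up.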
Let’s activate IP forwarding via
echo 1 > /proc/sys/net/ipv4/ip_forward
and add the NAT rule that masquerades the VPN subnet behind the server’s public interface
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Now we can start our OpenVPN server
openvpn /etc/openvpn/server.conf &
check the last line of the log file
tail /etc/openvpn/openvpn.log
if everything is fine you see the last words
Initialization Sequence Completed
Additionally you can check for the new tun0 interface (backed by the /dev/net/tun device). This is our interface for the tunneled traffic.
ifconfig
But be aware it can take a while to see it!
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
Our OpenVPN server is now up and running and we can switch to the client configuration.
Preparing the client
For this tutorial the Raspberry Pi gets a completely fresh Arch Linux ARM distribution. Unfortunately the Arch Linux team provides no up-to-date image. So we use the latest one (http://downloads.raspberrypi.org/arch/images/arch-2014-06-22/) and let the pacman package manager do the update for us.
After burning the image to an SD card and booting the RPi you can ssh to that machine via
ssh root@alarmpi.local
It is important that server and client have roughly the same date and time. So first of all let’s set the clock of the system
timedatectl set-timezone Europe/London
timedatectl set-time "2014-12-05 20:02"
Be aware, Digital Ocean’s servers run in UTC. So I try to use Europe/London to have the same time. For sure this is not the right way, but it works.
Otherwise I got errors when starting the service (SSL3_GET_SERVER_CERTIFICATE:certificate verify failed).
Next, let’s update the installation. This will download a lot (more than 100MB), because our image is from June 2014 and therefore a little outdated. Confirm all questions with “Y”.
pacman -Syu
and install openvpn
pacman -S openvpn
Yes, both sides – the server and the client – use the same package. The configuration file passed to openvpn at startup decides whether it acts as a server or as a client.
Now check the availability of the client-side tun device
test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available
You should get this output
tun is available
Now we have to copy the key files from our server to the client. Again, use the IP of your server
scp root@104.131.97.68:/etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
scp root@104.131.97.68:/etc/openvpn/easy-rsa/2.0/keys/AlArmPi.crt /etc/openvpn/
scp root@104.131.97.68:/etc/openvpn/easy-rsa/2.0/keys/AlArmPi.key /etc/openvpn/
Now we have the necessary files on our Raspberry
AlArmPi.crt 100% 3891 3.8KB/s 00:01
AlArmPi.csr 100% 708 0.7KB/s 00:00
AlArmPi.key 100% 920 0.9KB/s 00:00
On an Arch Linux system you can find the sample client configuration files here:
/usr/share/openvpn/examples/
But again we start from scratch.
nano /etc/openvpn/client.conf
And paste these lines
client
dev tun
proto udp
# public IP of the Digital Ocean server and the port from server.conf
remote 104.131.97.68 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# CA and client certificate/key copied from the server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/AlArmPi.crt
key /etc/openvpn/AlArmPi.key
# only accept a peer whose certificate was built with build-key-server
ns-cert-type server
comp-lzo
verb 3
log /etc/openvpn/openvpn.log
Start the client-side of OpenVPN
openvpn /etc/openvpn/client.conf &
and check again the last lines of the log file
tail /etc/openvpn/openvpn.log
if everything is fine you again see these last words
Initialization Sequence Completed
If you see this message
You must define TUN/TAP device
reboot your Raspberry
shutdown -r now
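Both sides end with the same check: tail the log and look for “Initialization Sequence Completed”. As an added example, not from the post, the following script bundles that check with the server-side ones from the previous section (IP forwarding, the MASQUERADE rule, the tun0 address) and with the one error message the post calls out on the client. The parsers read a file or stdin, so they work on captured output too. The log path, the 10.8.0.0/24 subnet and the eth0 interface are the post's values.

```shell
#!/bin/sh
# Added example (not from the post): checks for the tunnel on either side.
# The parsers read a file or stdin so they can be fed from the live commands
# or from captured output. Paths, subnet and interface are the post's.

LOG="${LOG:-/etc/openvpn/openvpn.log}"
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# True when the log ends with OpenVPN's success marker.
tunnel_ready() {
    tail -n 20 "$1" | grep -q 'Initialization Sequence Completed'
}

# Explain the one failure the post mentions; the post's remedy is a reboot.
tunnel_error() {
    if grep -q 'You must define TUN/TAP device' "$1"; then
        echo "log says 'You must define TUN/TAP device': reboot the Raspberry (shutdown -r now)"
        return 0
    fi
    return 1
}

# True when the kernel forwards IPv4 (server side; reads the /proc file by default).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# True when 'iptables -t nat -S POSTROUTING' output on stdin contains the
# masquerade rule for the VPN subnet.
nat_rule_present() {
    grep -Fq -- "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Print the inet address of an interface from ifconfig output on stdin
# (the "inet addr:" line that follows the interface's header line).
tun_address() {
    awk -v ifc="$1" '$1 == ifc { found = 1 }
                      found && /inet addr:/ { sub(/.*inet addr:/, ""); sub(/ .*/, ""); print; exit }'
}

# Run everything against the live system and print a short report.
run_live_checks() {
    if tunnel_ready "$LOG"; then echo "tunnel: up"
    else echo "tunnel: not ready"; tunnel_error "$LOG" || true; fi
    if forwarding_enabled; then echo "ip_forward: on"
    else echo "ip_forward: off (needed on the server side)"; fi
    if command -v iptables >/dev/null 2>&1 &&
       iptables -t nat -S POSTROUTING 2>/dev/null | nat_rule_present "$VPN_SUBNET" "$WAN_IF"; then
        echo "nat: masquerade rule for $VPN_SUBNET on $WAN_IF present"
    else echo "nat: no masquerade rule for $VPN_SUBNET on $WAN_IF (needed on the server side)"; fi
    addr=$(ifconfig 2>/dev/null | tun_address tun0)
    echo "tun0: ${addr:-not up yet}"
}

if [ -f "$LOG" ]; then run_live_checks; fi
```

Two of the server-side settings do not survive a reboot as written in the post: the echo into /proc/sys/net/ipv4/ip_forward and the iptables rule are both runtime-only. On Debian, net.ipv4.ip_forward=1 in /etc/sysctl.conf and saving the rule with iptables-save (the iptables-persistent package restores it at boot) make them permanent; this script will tell you after the next reboot whether you forgot.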
Verify the configuration
Traceroute
With traceroute it is easy to see the hops of our communication. To use it we first have to install the package
pacman -S traceroute
and then we can trace our traffic with
traceroute www.bmw.de
This should produce something like
traceroute to www.bmw.de (23.44.193.230), 30 hops max, 60 byte packets
1 10.8.0.1 (10.8.0.1) 261.505 ms
2 104.131.0.254 (104.131.0.254) 262.644 ms
3 162.243.188.229 (162.243.188.229) 261.967 ms
4 162.243.188.249 (162.243.188.249) 262.589 ms
5 net2ez-ewr.netarch.akamai.com (206.130.10.100) 262.931 ms
Outside visible IP
There are some “what is my IP address” services available which show you the IP of your entry point to the internet. Usually that is the IP your router got. But with tunneled traffic it should be the IP of our OpenVPN server – the IP of our Digital Ocean server. Let’s check this.
Therefore we install a console based browser.
pacman -S w3m
and then we check our outside visible IP with
w3m www.whatismyip.com
In one of the first lines you see the interesting output
Your IP:
104.131.97.68
This is exactly what we expect: the IP of our Digital Ocean server and not the IP of our internet provider.
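As an added example, not from the post, this script turns the two manual checks above into a pass/fail test: the first traceroute hop must be the VPN gateway 10.8.0.1 and the outside-visible address must be the Digital Ocean server 104.131.97.68 (both values from the post; replace them with yours). It assumes traceroute and w3m are installed as above and that the whatismyip page still prints the address right after “Your IP:” as shown.

```shell
#!/bin/sh
# Added example (not from the post): verify that traffic really leaves via the
# tunnel. Uses the post's addresses: the VPN gateway 10.8.0.1 and the Digital
# Ocean server 104.131.97.68 (override them through the environment).
VPN_GATEWAY="${VPN_GATEWAY:-10.8.0.1}"
SERVER_IP="${SERVER_IP:-104.131.97.68}"

# Print the IP of the first hop from traceroute output read on stdin; the IP
# is the parenthesised third field of the line for hop 1, as in the post.
first_hop() {
    awk '$1 == "1" { gsub(/[()]/, "", $3); print $3; exit }'
}

# Print the first IPv4 address found on stdin, e.g. the one after "Your IP:"
# in the w3m dump of www.whatismyip.com (assumed page layout).
extract_ipv4() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Compare what we observed with what we expect; non-zero on any mismatch.
check_exit_path() {
    hop="$1"; ext="$2"; ok=0
    if [ "$hop" = "$VPN_GATEWAY" ]; then
        echo "first hop $hop: traffic enters the tunnel"
    else
        echo "first hop ${hop:-none}: traffic is NOT going through the tunnel"; ok=1
    fi
    if [ "$ext" = "$SERVER_IP" ]; then
        echo "outside IP $ext: matches the OpenVPN server"
    else
        echo "outside IP ${ext:-none}: does not match $SERVER_IP"; ok=1
    fi
    return "$ok"
}

# Live run with the tools installed in the post; skipped where they are absent.
if command -v traceroute >/dev/null 2>&1 && command -v w3m >/dev/null 2>&1; then
    hop=$(traceroute -m 1 www.bmw.de 2>/dev/null | first_hop)
    ext=$(w3m -dump www.whatismyip.com 2>/dev/null | extract_ipv4)
    check_exit_path "$hop" "$ext"
fi
```

If the first hop is your home router instead of 10.8.0.1, the redirect-gateway push from the server did not take effect; if the hop is right but the outside IP is still your provider's, the server is not masquerading the 10.8.0.0/24 traffic.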