Warning: I found this in my drafts and I think it was mostly done, enough that I can follow it again. You might have issues following it word for word though until I can recheck and remove this warning.
Purpose
The purpose of this project is to create an environment where two Raspberry Pis build a temporary VPN tunnel, with the client Pi also running a Wi-Fi access point (hotspot) that routes all of its clients' traffic through the tunnel. This is useful when travelling to a country whose network policies differ from your home country's. Some of the uses I've put it to:
- Watching Netflix while in another country so that I can view my home country's content
- Getting around country-level firewalls that block applications such as Facebook, Twitter, Instagram, etc.
- Connecting back to a trusted network when I am somewhere the local network is known to be monitored and used to steal data.
Install the Required Software
Install the following packages:
apt-get update
apt-get upgrade
rpi-update
apt-get install openvpn hostapd resolvconf dnsmasq cryptsetup libnet-ifconfig-wrapper-perl
Now disable these services from starting at boot. They will instead be started by later events: eth0 coming up (which unlocks the key store and then starts openvpn, dnsmasq and hostapd) and openvpn's own up script (which installs the firewall rules):
update-rc.d openvpn disable
update-rc.d hostapd disable
update-rc.d dnsmasq disable
Load modules
echo "aes" >> /etc/modules
echo "loop" >> /etc/modules
echo "dm_crypt" >> /etc/modules
echo "dm_mod" >> /etc/modules
Install key generator and get initial key
You should modify this script (reorder the hashing rounds, change which values are combined, etc.) so that your key derivation is not identical to the one published here. Save it as /usr/bin/keysme and make it executable, since that is the path the eth0-up script below calls. Note that every input to the key is readable from the device itself, so the locker protects the configuration against someone copying the SD card image, not against someone who has the Pi in hand.
#!/usr/bin/perl -w
use strict;
use Net::Ifconfig::Wrapper;
use Digest::MD5 qw(md5 md5_hex md5_base64);

# Read the interface table; bail out if ifconfig cannot be queried.
my $netInfo = Net::Ifconfig::Wrapper::Ifconfig('list', '', '', '') or exit(1);

if (exists($netInfo->{'eth0'}) && exists($netInfo->{'wlan0'})) {
    # Hardware-bound inputs: the MAC addresses of both interfaces and the
    # contents of /proc/cpuinfo (which carries the Pi's serial number).
    # The whole file is hashed, not just the Serial line, so a kernel update
    # that changes any other field (BogoMIPS, for example) changes the key.
    my $ethKey   = md5_hex($netInfo->{'eth0'}->{'ether'});
    my $wlanKey  = md5_base64($netInfo->{'wlan0'}->{'ether'});
    my $call     = "cat /proc/cpuinfo";
    my $piSerial = `$call`;
    my $piKey    = md5_hex($piSerial);

    # Mix the pieces together over several rounds; reorder these to taste.
    my $midKey   = md5_base64($wlanKey.$ethKey);
    my $endKey   = md5_hex($midKey.$wlanKey.$ethKey);
    my $someKey  = md5_base64($endKey.$midKey.$piKey.$ethKey);
    my $totalKey = $someKey.$piKey.$midKey.$wlanKey.$endKey.$ethKey;

    # No trailing newline: the output is piped straight into cryptsetup.
    print $totalKey;
}
Now run the script once and record the string it prints; that string is the passphrase you will enter when formatting the encrypted locker below.
Setting up encrypted key storage
dd if=/dev/urandom of=/srv/locker bs=1M count=10
losetup /dev/loop0 /srv/locker
cryptsetup -y luksFormat -c aes -s 256 /dev/loop0
cryptsetup luksOpen /dev/loop0 locker
mkfs.ext4 /dev/mapper/locker
mkdir /media/locker
mount /dev/mapper/locker /media/locker
Setting up dnsmasq
vi /media/locker/dnsmasq.conf
rm /etc/dnsmasq.conf
ln -s /media/locker/dnsmasq.conf /etc/dnsmasq.conf
/etc/dnsmasq.conf
no-resolv
server=192.168.253.197
interface=wlan0
dhcp-range=10.100.0.10,10.100.0.25,4h
Setting up openvpn Client
vi /media/locker/client.conf
ln -s /media/locker/client.conf /etc/openvpn/client.conf
/etc/openvpn/client.conf
client
dev tun
proto udp
remote burner.somelab.us 2048
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
key-direction 1
cipher AES-128-CBC
verb 1
mute 20
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
We will then need to modify the /etc/default/openvpn configuration file: replace the default OPTARGS="" with OPTARGS="--script-security 2", otherwise OpenVPN refuses to run the up and down scripts.
We then need to update /etc/openvpn/update-resolv-conf so that it also applies our firewall rules. Add the following line at the end of the "up" case, so the rules are installed each time the tunnel comes up:
/usr/bin/up.sh
Setting up hostapd
Updating for Realtek driver
If you have a Realtek wireless USB adapter, you will probably need to replace the hostapd binary with one that supports the newer drivers. Thanks to another person's work, we can follow his instructions:
wget http://www.daveconroy.com/wp3/wp-content/uploads/2013/07/hostapd.zip
unzip hostapd.zip
sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.bak
sudo mv hostapd /usr/sbin/hostapd.edimax
sudo ln -sf /usr/sbin/hostapd.edimax /usr/sbin/hostapd
sudo chown root.root /usr/sbin/hostapd
sudo chmod 755 /usr/sbin/hostapd
Configuration
vi /media/locker/hostapd.conf
ln -s /media/locker/hostapd.conf /etc/hostapd/hostapd.conf
/etc/hostapd/hostapd.conf
interface=wlan0
driver=rtl871xdrv
ssid=HappyHappyJoyJoy
channel=1
wmm_enabled=0
wpa=2
# Placeholder passphrase: change it before use, it is the only thing
# standing between the outside world and your tunnel.
wpa_passphrase=1234567890
wpa_key_mgmt=WPA-PSK
# wpa_pairwise only applies to WPA1; with wpa=2 the CCMP setting below is
# the one in effect.
wpa_pairwise=TKIP
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0
wme_enabled=1
ieee80211n=1
We then need to update the /etc/default/hostapd file:
DAEMON_CONF="/etc/hostapd/hostapd.conf"
Setting up the network interfaces
/etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
    post-up /usr/bin/eth0-up.sh
    pre-down /usr/bin/eth0-down.sh

allow-hotplug wlan0
iface wlan0 inet static
    address 10.100.0.1
    netmask 255.255.255.0
/usr/bin/eth0-up.sh
#!/bin/bash
# Derive the locker passphrase from the hardware and unlock the LUKS file.
/usr/bin/keysme | cryptsetup luksOpen /srv/locker locker
# Only bring up the services if the unlock succeeded; otherwise the symlinked
# configs would be dangling.
if [ -e "/dev/mapper/locker" ]; then
    mount -t ext4 /dev/mapper/locker /media/locker
    /etc/init.d/openvpn start
    /etc/init.d/dnsmasq start
    /etc/init.d/hostapd start
fi
/usr/bin/eth0-down.sh
#!/bin/bash
/etc/init.d/hostapd stop
/etc/init.d/dnsmasq stop
/etc/init.d/openvpn stop
umount /media/locker
cryptsetup luksClose locker
vi /usr/bin/up.sh
chmod 775 /usr/bin/up.sh
#!/bin/bash
# The kernel does not forward between wlan0 and tun0 unless this is enabled
# (the original draft did not set it, but nothing routes without it).
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT the hotspot clients out through the tunnel only; there is deliberately
# no MASQUERADE rule on eth0, so client traffic is never NATed out in clear.
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Explicit forward rules, left disabled here; only needed if your FORWARD
# chain's default policy is not ACCEPT.
#iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
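The up.sh above relies on the FORWARD chain's default policy and appends a rule every time the tunnel comes up. As an added example (not the author's script), here is a fail-closed variant: forwarding defaults to DROP, hotspot clients may only be forwarded into the tunnel, and the rule set is built by a function so it can be inspected before being applied. It assumes the interface names from this page (tun0, wlan0, eth0); the function names are mine.

```shell
#!/bin/bash
# Added example, not the original up.sh. Fail-closed forwarding for the
# hotspot: if tun0 disappears, nothing from wlan0 can be forwarded to eth0.
# Note this only governs forwarded client traffic; the Pi's own traffic
# (OUTPUT chain) is not covered.

# Print the iptables commands for a tunnel and AP interface, one per line.
# Flushing first keeps the rule set identical no matter how often the tunnel
# bounces, instead of growing by one duplicate rule per reconnect.
build_rules() {
    local tun="$1" ap="$2"
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i $ap -o $tun -j ACCEPT
iptables -A FORWARD -i $tun -o $ap -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE
EOF
}

# Number of rules whose egress interface is the third argument. Lets you
# confirm that eth0 never appears as a forwarding egress (expect 0).
egress_rule_count() {
    build_rules "$1" "$2" | grep -c -- "-o $3 " || true
}

# Enable forwarding and execute the generated rules (needs root).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules "$1" "$2" | while read -r cmd; do $cmd; done
}

# Only touch the live firewall when explicitly asked: ./up.sh apply
if [ "$1" = "apply" ]; then
    apply_rules tun0 wlan0
fi
```

Running the script with no argument does nothing, so `./up.sh apply` is what the update-resolv-conf "up" case should call; `build_rules tun0 wlan0` alone prints the rules for review.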