Raspberry Pi and Secure Browsing

There's already a lot of great information on the web about the Raspberry Pi and projects you can build with it. This post is not intended to be a detailed tutorial, but rather a collection of links and references to the resources that I used to build my own VPN gateway.

I finally received my Raspberry Pi in the mail this week. If case you're not familiar, it's a tiny (almost credit-card sized) computer. It was conceived as a low cost personal computer that could be mass produced cheaply to provide comuting opportunities, particularly in education, where they might not have otherwise existed. I ordered my Model B from Allied Electronics. Since release they've been pretty much perpetually on back order, but I got mine about 6 weeks after ordering.

The basic Model B comes with just the computer board and attached connection ports. I made a list of the things I would need prior to receiving the Pi in the mail. Most of the cables and connectors can be ordered with the Pi, but I just scrounged through my cable & gadget caches to come up with most of what I needed.

 

  • 5V Micro-USB Power Cable
  • HDMI <-> HDMI cable
  • Ethernet Patch Cable
  • USB Keyboard
  • USB Mouse
  • SD Card
  • Case

 

The Power Cable. I had one of these laying around from an old Motorola Bluetooth headset charger. HDMI cable? Check. I always have plenty of those around because they're so cheap from MonoPrice that I buy more than I need. Patch cable? I've accumulated more of those over the years than I care to think about... including a nice 50-footer that I could use to connect to my router/switch from the guestroom (where the Television is) temporarily. An old Apple USB keyboard did the trick nicely along with my wireless Logitech mouse that I use when traveling. I bought a 4GB SD card at Best Buy using my Reward Points so it was, in effect, free to me.

The Case

That left just the case. I looked online... a lot. I saw a lot of cases. There are some amazing and impressive designs out there. That said, I couldn't justify spending $20 on a case for a $35 computer. That's like buying a $20,000 car cover for my JEEP. So for the short-term I settled on the Punnet printable case. This will help prevent any accidental short circuits while also keeping some of the dust bunnies at bay. Also, because the device will be located on a shelf in my network "closet" aesthetics aren't really an issue.

I downloaded the PDF from Squareitround

http://squareitround.co.uk/Resources/Punnet_net_Mk1.pdf

printed on some colored (red, of course) construction paper and set about cutting and folding. The finished prodcut turned out quite agreeable and the board fit nicely inside.

The OS

To install the Raspbian (Raspberry Debian, get it?) OS onto the SD card, I first downloaded the "Wheezy" image from the Raspberry Pi downloads page and verified the image checksum (what's the point of setting up a secure VPN if you don't know your source OS is legit?).

http://www.raspberrypi.org/downloads

 The eLinux wiki has good instructions for preparing the SD card and loading the image. I used section 4.4 for a "mostly graphical" process from my Macbook Pro.

http://elinux.org/RPi_Easy_SD_Card_Setup

The Connections

It was time to bring everything together and fire up the Pi. I connected the USB power supply, Apple keyboard, wireless mouse, HDMI cable to the guestroom television and a nice long patch cable to the router in the closet. The little board sprang to life.

The first boot launches RasPi Config. Good details can be found here: http://elinux.org/RPi_raspi-config. Most importantly, change the default password! I'm planning to expose this machine to the outside world. It's absolutely critical that it not use the default password. Also, enable SSH to allow remote access for administration.

Even though the machine will be sitting "headless" in the closet, I wanted to see the Raspbian desktop at least once, so I booted it up the GUI to have a look. It's slow by modern desktop standards, but given it's tiny size it's still incredibly impressive to see a full functioning Linux desktop running from such a small device. For my use case it won't matter anyway because I won't be booting to the desktop.

All the rest of the configuration I could do "remotely" via SSH. I chose a suitable static IP address on my internal network and added a DHCP reservation so I'd be able to predictably find the device on the network.

The VPN

For setting up the VPN, I followed the excellent guide at Scott Jordan's blog: http://unvexed.blogspot.com/2012/08/how-to-set-up-real-encrypted-vpn.html. His instructions are clear and concise and everything worked as expected.

It's worth noting (and it came up in the comments on the above blog) that PPTP VPN has been compromised by way of attacking the MS CHAP v2 Key Exchange. If you want to know more, read Moxie Marlinspike's excellent write up here : https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/. It's not a trivial attack in that it still takes a great deal of compute power and/or time, but you should be aware of it.

The Dynamic DNS Address

To make sure you can access this server from where you are, you'll need to ensure that even if your router reboots and your WAN IP address changes, that you can still look it up by DNS name. I've previously used DynDNS and their Pro package is exactly that type of service.

The SSH Tunnel

In case you missed it, I wrote some time ago about connecting via an SSH Tunnel to provide for privacy. Now, with the Raspberry Pi, that's even easier to do. The same blog has another easy to follow article detailing how to configure and use the Pi as an SSH Tunnel endpoint.

http://unvexed.blogspot.com/2012/08/how-to-use-raspberry-pi-as-secure-web.html

As mentioned there, I added 443 as a listener port to allow me access back to my Pi even when the default SSH port has been blocked. This should be allowed almost anywhere. In fact, anyone blocking port 443 is basically telling me that they don't want me to use their network.

Securing the SSH Connection

Since the Pi is now exposed to the Internet and using the default "Pi" username, I wanted to dial up the security a bit and prevent a possible brute force password attack. I did this by enabling two-factor authentication in the form of SSH keys. The following video gives a nice tutorial on how to set it all up.

http://www.youtube.com/watch?v=QVvcGb8GjVU

Accessing the VPN

I setup VPN on my laptop (as well as the wife's) using the instructions in Scott Jordan's blog referenced above. Setting up access on our iPhones and iPads was even easier. Just navigate to Settings > General > VPN and create a new PPTP VPN connection.

Conclusion

That's it. It took some hand-drawn sketches to explain to the wife when, where and why she should be using these secure connections, but I think she gets it. And as an added bonus, we can now access our Drobo fileserver at home from anywhere.