Securi-Pi: Uses Raspberry Pi as a stepping stone for security

Like many Linux Journal readers, I live the increasingly common life of a "technology nomad": moving from one access point to another and from one network to the next, in different physical places but always connected to the Internet and to the networks we use every day.

Recently I have found that more and more networks block common outbound ports such as SMTP (port 25) and SSH (port 22). When you walk into a cafe and want to SSH to one of your servers to get something done, it is annoying to find port 22 blocked.

However, I have yet to find a network that blocks HTTPS (port 443). After a little configuration of the Raspberry Pi 2 in my house, I set it up so that I can connect to it on port 443 and use it as a stepping stone to reach whatever I need from any network. In short, the Raspberry Pi in my house is an OpenVPN endpoint, an SSH endpoint and an Apache server, all listening on port 443, so that I can get around restrictions on the network services I want to use.

Remarks

This setup handles most restricted networks, but some firewalls perform deep packet inspection on outbound traffic and can still block the traffic described in this article; I have not tested against such a firewall. Also, although the setup uses a lot of cryptographic tools (OpenVPN, HTTPS, SSH), I have not strictly audited this configuration (translator's note: the author means that it helps you get past port restrictions, not that your activity is completely secure). Even DNS can leak information in corners I have not considered. I strongly do not recommend using this stepping stone as a secure way to hide your network traffic; it is only meant to get around port restrictions and onto the network, not for anything risky.

Getting Started

Let's start with what you need. I used a Raspberry Pi 2 loaded with the latest Raspbian, but this setup should also run on a Raspberry Pi Model B; 512 MB of memory is more than enough, although performance will be lower because the Model B has a single-core CPU versus the quad-core Raspberry Pi 2. My Raspberry Pi sits behind the firewall and router at home, so I can also use it as a springboard to reach other devices in the house. It also means that my traffic appears to come from my home IP address, which protects my anonymity to some degree. If you do not have a Raspberry Pi or do not want to run the service from home, you can build the same setup on a small cloud server (VPS). Make sure the server runs a Debian-based Linux distribution; the rest of this guide still applies.

Figure 1 Raspberry Pi is about to become our encrypted network endpoint

Install and configure BIND

Whether you use a Raspberry Pi or a server, once it is up you can install BIND, the name server software that drives a large part of the Internet. You will use BIND only as a caching name server, not to answer domain name requests from the Internet. Installing BIND gives you a DNS server that OpenVPN clients can use. Installation is simple with apt-get:

root@test:~# apt-get install bind9
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9utils
Suggested packages:
  bind9-doc resolvconf ufw
The following NEW packages will be installed:
  bind9 bind9utils
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 490 kB of archives.
After this operation, 1,128 kB of additional disk space will be used.
Do you want to continue [Y/n]? y

Before BIND can serve as a caching name server, two small changes are needed, both in /etc/bind/named.conf.options. First, uncomment the forwarders section and add a server to which domain name requests are forwarded. I use Google's DNS server (8.8.8.8) as an example (LCTT translator's note: in China you will need to find a replacement). The forwarders section then looks like this:

forwarders {
    8.8.8.8;
};

The second change is to allow queries from the internal network and the local machine. Add this line at the end of the configuration file, remembering to place it before the closing }; of the options block:

allow-query { 192.168.1.0/24; 127.0.0.0/16; };

This allows the DNS server to answer requests from its own network (in this example, the network behind my firewall) and from the local machine. Next, restart the BIND service:

root@test:~# /etc/init.d/bind9 restart
[....] Stopping domain name service...: bind9waiting for pid 13209 to die
. ok
[ ok ] Starting domain name service...: bind9.

Now test with nslookup to make sure the service works:

root@test:~# nslookup
> server localhost
Default server: localhost
Address: 127.0.0.1#53
> www.google.com
Server:     localhost
Address:    127.0.0.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 173.194.33.176
Name:   www.google.com
Address: 173.194.33.177
Name:   www.google.com
Address: 173.194.33.178
Name:   www.google.com
Address: 173.194.33.179
Name:   www.google.com
Address: 173.194.33.180

Perfect! A working caching name server is now running on your system. Next, configure OpenVPN.
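Before moving on, it is worth checking what the allow-query line actually admits. The following Python script is an added example written for this article (it is not part of BIND): it parses the allow-query ACL from a constructed excerpt of named.conf.options that mirrors the settings above and evaluates it, with BIND's first-match semantics, against sample source addresses.

```python
"""Evaluate the allow-query ACL from named.conf.options against sample source addresses.

Added example for this article, not part of BIND. It confirms that the caching
resolver answers only the home LAN and the local host, i.e. that it is not an
open resolver reachable from the Internet. The configuration text below is a
constructed excerpt that mirrors the article's settings.
"""
import ipaddress
import re

NAMED_CONF_OPTIONS = """
options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
    allow-query { 192.168.1.0/24; 127.0.0.0/16; };
};
"""


def parse_allow_query(conf: str):
    """Return the allow-query elements in file order, or None if the statement is absent."""
    m = re.search(r"allow-query\s*\{([^}]*)\}", conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def query_allowed(acl, source: str) -> bool:
    """BIND ACL semantics: first matching element wins, a leading '!' negates, no match denies.

    An absent allow-query means BIND's default of 'any', the open-resolver case.
    """
    if acl is None:
        return True
    addr = ipaddress.ip_address(source)
    for entry in acl:
        negate = entry.startswith("!")
        element = entry.lstrip("!").strip()
        if element == "any":
            matched = True
        elif element == "localhost":
            matched = addr.is_loopback
        else:
            # Plain address or prefix; other ACL keywords raise ValueError here on purpose.
            matched = addr in ipaddress.ip_network(element, strict=False)
        if matched:
            return not negate
    return False


def audit(conf: str, sources):
    """Map each sample source address to whether this resolver would answer it."""
    acl = parse_allow_query(conf)
    return {src: query_allowed(acl, src) for src in sources}


# Constructed samples: a LAN host, the Pi itself, an Internet host, an OpenVPN client.
SAMPLE_SOURCES = ["192.168.1.50", "127.0.0.1", "203.0.113.5", "10.8.0.2"]

if __name__ == "__main__":
    for src, ok in audit(NAMED_CONF_OPTIONS, SAMPLE_SOURCES).items():
        print(f"{src:15} {'answered' if ok else 'refused'}")
```

The last sample is the caveat to watch: a client on the OpenVPN subnet configured later in this article (10.8.0.0/24) is refused by this ACL, so if you push the Pi's own address to clients as their DNS server, that subnet must be added to allow-query as well.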

Install and configure OpenVPN

OpenVPN is an open-source VPN solution that uses SSL/TLS for key exchange, and it is easy to deploy on Linux. Configuring OpenVPN can be a little daunting, but you do not need to change much in the default configuration file. First, install OpenVPN with apt-get:

root@test:~# apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  liblzo2-2 libpkcs11-helper1
Suggested packages:
  resolvconf
The following NEW packages will be installed:
  liblzo2-2 libpkcs11-helper1 openvpn
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 621 kB of archives.
After this operation, 1,489 kB of additional disk space will be used.
Do you want to continue [Y/n]? y

Now that OpenVPN is installed, you need to configure it. OpenVPN is SSL-based and relies on certificates on both the server and the client. To generate these certificates you need to set up a certificate authority (CA) on the machine. Fortunately, OpenVPN ships with scripts for generating certificates, the easy-rsa scripts, that speed up this process. Create a directory for the easy-rsa scripts and copy them from the template directory:

root@test:~# mkdir /etc/openvpn/easy-rsa
root@test:~# cp -rpv /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Next, make a backup copy of the vars file:

root@test:/etc/openvpn/easy-rsa# cp vars vars.bak

Then edit vars so the information matches your situation. Here are the values I changed, as an example:

KEY_SIZE=4096
KEY_COUNTRY="US"
KEY_PROVINCE="CA"
KEY_CITY="Silicon Valley"
KEY_ORG="Linux Journal"
KEY_EMAIL="bill.childers@linuxjournal.com"

The next step is to source vars so that the values are exported as environment variables:

root@test:/etc/openvpn/easy-rsa# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Establish the CA (Certificate Authority)

Next, run clean-all to make sure you start from a clean working environment, and then build the CA. Note that I filled in some of the fields prompted with changeme to suit my needs:

root@test:/etc/openvpn/easy-rsa# ./clean-all
root@test:/etc/openvpn/easy-rsa# ./build-ca
Generating a 4096 bit RSA private key
...................................................++
...................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that
will be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some
blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Silicon Valley]:
Organization Name (eg, company) [Linux Journal]:
Organizational Unit Name (eg, section) [changeme]:SecTeam
Common Name (eg, your name or your server's hostname) [changeme]:test.linuxjournal.com
Name [changeme]:test.linuxjournal.com
Email Address [bill.childers@linuxjournal.com]:

Generate the Server Certificate

Once the CA is created, you can generate the OpenVPN server certificate:

root@test:/etc/openvpn/easy-rsa# ./build-key-server test.linuxjournal.com
Generating a 4096 bit RSA private key
...................................................++
writing new private key to 'test.linuxjournal.com.key'
-----
You are about to be asked to enter information that
will be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some
blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Silicon Valley]:
Organization Name (eg, company) [Linux Journal]:
Organizational Unit Name (eg, section) [changeme]:SecTeam
Common Name (eg, your name or your server's hostname) [test.linuxjournal.com]:
Name [changeme]:test.linuxjournal.com
Email Address [bill.childers@linuxjournal.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Silicon Valley'
organizationName      :PRINTABLE:'Linux Journal'
organizationalUnitName:PRINTABLE:'SecTeam'
commonName            :PRINTABLE:'test.linuxjournal.com'
name                  :PRINTABLE:'test.linuxjournal.com'
emailAddress          :IA5STRING:'bill.childers@linuxjournal.com'
Certificate is to be certified until Sep  1 06:23:59 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

The next step, generating the Diffie-Hellman parameters the OpenVPN server needs, takes a few minutes on an ordinary desktop CPU but a very long time on the Raspberry Pi's ARM processor. Be patient: as long as the dots keep appearing on the terminal, it is still running (the example below omits many dots):

root@test:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
..............................+<omitted many dots>

Generate the Client Certificate

Now generate the key the client uses to log on to OpenVPN. OpenVPN is normally configured with certificate-based authentication, in which the client must hold a certificate issued by the server's CA:

root@test:/etc/openvpn/easy-rsa# ./build-key bills-computer
Generating a 4096 bit RSA private key
...................................................++
...................................................++
writing new private key to 'bills-computer.key'
-----
You are about to be asked to enter information that
will be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN. There are quite a few
fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Silicon Valley]:
Organization Name (eg, company) [Linux Journal]:
Organizational Unit Name (eg, section) [changeme]:SecTeam
Common Name (eg, your name or your server's hostname) [bills-computer]:
Name [changeme]:bills-computer
Email Address [bill.childers@linuxjournal.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Silicon Valley'
organizationName      :PRINTABLE:'Linux Journal'
organizationalUnitName:PRINTABLE:'SecTeam'
commonName            :PRINTABLE:'bills-computer'
name                  :PRINTABLE:'bills-computer'
emailAddress          :IA5STRING:'bill.childers@linuxjournal.com'
Certificate is to be certified until Sep  1 07:35:07 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@test:/etc/openvpn/easy-rsa#

Now generate an HMAC key as a shared secret (used by the tls-auth directive in the server configuration) to further harden the connection:

root@test:~# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

Configure the Server

Finally, it is time to configure the OpenVPN service. You need to create the file /etc/openvpn/server.conf; most of it can be taken from the template. The main change is to make OpenVPN use TCP rather than UDP. This is required for the next step: without a TCP connection, the service cannot be reached through port 443. Create /etc/openvpn/server.conf and put in the following configuration:

port 1194
proto tcp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/test.linuxjournal.com.crt ## or whatever your hostname was
key easy-rsa/keys/test.linuxjournal.com.key  ## Hostname key - This file should be kept secret
management localhost 7505
dh easy-rsa/keys/dh4096.pem
tls-auth easy-rsa/keys/ta.key 0 ## The HMAC key generated above with openvpn --genkey
server 10.8.0.0 255.255.255.0 # The server will use this subnet for clients connecting to it
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp" # Forces clients to redirect all traffic through the VPN
push "dhcp-option DNS 192.168.1.1" # Tells the client to use the DNS server at 192.168.1.1 for DNS - replace with the IP address of the OpenVPN machine and clients will use the BIND server set up earlier
keepalive 30 240
comp-lzo # Enable compression
persist-key
persist-tun
status openvpn-status.log
verb 3

Finally, enable IP forwarding on the server, configure OpenVPN to start at boot, and start the OpenVPN service now:

root@test:/etc/openvpn/easy-rsa/keys# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
root@test:/etc/openvpn/easy-rsa/keys# sysctl -p /etc/sysctl.conf
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
root@test:/etc/openvpn/easy-rsa/keys# update-rc.d openvpn defaults
update-rc.d: using dependency based boot sequencing
root@test:/etc/openvpn/easy-rsa/keys# /etc/init.d/openvpn start
[ ok ] Starting virtual private network daemon:.

Configure the OpenVPN Client

Client installation depends on the client's operating system, but in every case you need to copy the certificate and key generated above to the client, import them into your OpenVPN client, and create a new configuration file. The OpenVPN client on each operating system works slightly differently, which is beyond the scope of this article; consult the OpenVPN documentation for your operating system for details. See the resources section of this document.

Install SSLH, the "Magic" Multi-Protocol Switching Tool

The most interesting part of this solution is SSLH. SSLH is a multi-protocol multiplexer: it listens on port 443, inspects incoming traffic to determine whether it is SSH, HTTPS or OpenVPN, and forwards it to the right service. This is what lets the solution get around most port blocking, because HTTPS is almost never blocked.

Again, install it with apt-get:

root@test:/etc/openvpn/easy-rsa/keys# apt-get install sslh
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
  libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9
Suggested packages:
  apache2-doc apache2-suexec apache2-suexec-custom openbsd-inetd inet-superserver
The following NEW packages will be installed:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
  libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9 sslh
0 upgraded, 11 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,568 kB of archives.
After this operation, 5,822 kB of additional disk space will be used.
Do you want to continue [Y/n]? y

During installation, the package manager asks whether to run SSLH from inetd or in standalone mode. Choose standalone, because you want SSLH to run as its own process. If Apache is not installed, apt installs it for you, although it is not strictly required. If you already have Apache, make sure it listens only on localhost rather than on all interfaces (otherwise SSLH cannot start, because Apache already holds port 443). After installation, you will see an error message like this:

[....] Starting ssl/ssh multiplexer: sslhsslh disabled, please adjust the configuration to your needs
[FAIL] and then set RUN to 'yes' in /etc/default/sslh to enable it. ... failed!
failed!

This is not really an error; SSLH is reminding you that it is not yet configured and so cannot start, which is normal. Configuring SSLH is simple: its configuration lives in /etc/default/sslh, and you only need to change the RUN and DAEMON_OPTS variables. My SSLH configuration file looks like this:

# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)

RUN=yes

# binary to use: forked (sslh) or single-thread (sslh-select) version
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --openvpn 127.0.0.1:1194 --pidfile /var/run/sslh/sslh.pid"

Save the edit and start SSLH:

root@test:/etc/openvpn/easy-rsa/keys# /etc/init.d/sslh start
[ ok ] Starting ssl/ssh multiplexer: sslh.

Now you should be able to SSH to your Raspberry Pi on port 443, and SSLH will forward the connection correctly:

$ ssh -p 443 root@test.linuxjournal.com
root@test:~#

SSLH is now listening on port 443 and forwards traffic to SSH, Apache or OpenVPN depending on the type of incoming connection. The system is ready to go!
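To make the "magic" concrete, here is a small Python model, written for this article and not taken from sslh's source, of the protocol probing SSLH performs on the first bytes a client sends to port 443. It uses the same probe order and backends as the DAEMON_OPTS above; the OpenVPN branch also shows why server.conf needs proto tcp, since the probe keys on OpenVPN's TCP length prefix. All sample byte strings are constructed.

```python
"""Toy model of the protocol probing SSLH performs on a new connection to port 443.

Added example for this article, not sslh's source code. It looks at the first
bytes a client sends and picks the backend that the article's DAEMON_OPTS would
forward to. The real sslh also falls back to SSH when the client stays silent
(in SSH the server speaks first); that timeout is modelled here by an empty buffer.
"""

TLS_HANDSHAKE_RECORD = 0x16        # TLS record type carrying a ClientHello
OPENVPN_HARD_RESET_CLIENT_V2 = 7   # opcode in the high 5 bits of the first payload byte

# Same probe order and targets as --ssh/--ssl/--openvpn in the article's /etc/default/sslh.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "ssl": ("127.0.0.1", 443),       # Apache, which must listen on localhost only
    "openvpn": ("127.0.0.1", 1194),
}


def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'ssl', 'openvpn' or 'unknown' from the opening bytes of a TCP stream."""
    if not first_bytes:
        return "ssh"                 # silence until the probe timeout: assume SSH
    if first_bytes.startswith(b"SSH-"):
        return "ssh"                 # SSH client identification string (RFC 4253)
    if len(first_bytes) >= 2 and first_bytes[0] == TLS_HANDSHAKE_RECORD and first_bytes[1] == 0x03:
        return "ssl"                 # TLS record header: handshake type, major version 3
    if len(first_bytes) >= 3:
        # OpenVPN over TCP (proto tcp in server.conf) prefixes each packet with a
        # 2-byte big-endian length; the next byte holds opcode << 3 | key_id.
        # A client's first packet is P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7).
        declared_len = int.from_bytes(first_bytes[:2], "big")
        opcode = first_bytes[2] >> 3
        if opcode == OPENVPN_HARD_RESET_CLIENT_V2 and declared_len == len(first_bytes) - 2:
            return "openvpn"
    return "unknown"


def route(first_bytes: bytes):
    """Return (protocol, (host, port)), or (protocol, None) when no configured probe accepts it."""
    proto = classify(first_bytes)
    return proto, BACKENDS.get(proto)


# Constructed stream openings: one per configured protocol, plus two that no probe accepts.
SAMPLES = {
    "ssh banner": b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n",
    "tls clienthello": bytes([0x16, 0x03, 0x01, 0x00, 0xA5, 0x01, 0x00, 0x00, 0xA1, 0x03, 0x03]),
    # length 14 = opcode/key byte + 8-byte session id + 1-byte ack count + 4-byte packet id
    "openvpn hard reset": b"\x00\x0e" + bytes([7 << 3]) + bytes(13),
    "silent client": b"",
    "plain http": b"GET / HTTP/1.1\r\nHost: test.linuxjournal.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        proto, target = route(data)
        print(f"{name:20} -> {proto:8} {target}")
```

Plain HTTP lands in "unknown" because the DAEMON_OPTS above configure no --http probe, which is a useful reminder that SSLH only forwards what it has been told to recognise.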

Conclusion

You can now start OpenVPN and configure your client to connect to port 443 on the server. SSLH forwards the traffic to port 1194 on the server, but because you are talking to port 443, your VPN traffic will not be blocked. Now you can sit comfortably in a coffee shop in a strange town and browse the Internet through OpenVPN on your Raspberry Pi. As a bonus, you have added encryption to your connection, making it more secure and private. Enjoy browsing the Internet through your security springboard!

From: https://linux.cn/article-7556-1.html

Address: http://www.linuxprobe.com/securi-pi.html
