From charlesreid1

Revision as of 03:15, 17 July 2020

Startup

Wipe SD Cards

Wipe SD cards and install raspbian

Mount SD Cards

Mount the SD cards as a local filesystem on a Linux box

Now, if you want to modify the file /foo/bar, you can edit the file on the SD card at /media/ubuntu/rootfs/foo/bar

Enable SSH

Touch an empty file named ssh in the boot partition of the SD card (the partition, not the boot sector) to have sshd enabled on first boot; Raspbian removes the file once it has acted on it:

touch /media/ubuntu/boot/ssh

Wifi

Set up the wpa_supplicant config file for your local wifi network. The psk line is the wifi password in the clear, so keep the file root-only (chmod 600). TKIP is left out of pairwise/group because it is broken; add it back only if your access point still requires it.

https://charlesreid1.com/wiki/Ubuntu/Bespin#Configure_WPA_Supplicant

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="YOURWIFINETWORK"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    psk="YOURWIFIPASSWORD"
}

Network Interfaces

Next set up the WPA supplicant service to automatically start for our wifi device

Update the contents of your network interfaces file to look like this:

/etc/network/interfaces

source-directory /etc/network/interfaces.d

allow-hotplug lo
iface lo inet loopback

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Power up the Pi

Next time you boot up the Pi you should see your wifi card light blinking.

Try running an nmap scan for port 22 before and after the pi is plugged in, from another computer on the same network:

nmap -p22 192.168.0.0/24 > nmap-before

# plug in the pi, wait a few minutes

nmap -p22 192.168.0.0/24 > nmap-after

assuming your home wifi is 192.168.0.0/24.
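The whole Startup procedure as one script, added here as an example and not part of the original page: prepare_sd writes the ssh marker, the wpa_supplicant config and the interfaces stanza onto a mounted card, and new_ssh_hosts does the before/after comparison of the two nmap scans. It assumes the boot partition and root filesystem are mounted at the paths passed in (the page uses /media/ubuntu/boot and /media/ubuntu/rootfs), that the scans were run with -oG (greppable output) rather than plain output, and the scan files embedded at the bottom are constructed stand-ins, not real results.

```shell
#!/bin/sh
# Added example (not from the original page): headless Raspbian SD card prep
# plus the nmap before/after comparison. Assumes the boot partition and the
# root filesystem are mounted at the paths passed in (the page uses
# /media/ubuntu/boot and /media/ubuntu/rootfs) and that nmap was run with -oG.
set -e

prepare_sd() {
    boot="$1"; rootfs="$2"; ssid="$3"; passphrase="$4"
    wpa_dir="$rootfs/etc/wpa_supplicant"
    mkdir -p "$boot" "$wpa_dir" "$rootfs/etc/network"

    # An empty file named ssh in the boot partition turns sshd on at first boot
    : > "$boot/ssh"

    # Prefer the PBKDF2-derived hex PSK over the clear passphrase when the
    # editing box has wpa_passphrase; otherwise fall back to the quoted form.
    if command -v wpa_passphrase >/dev/null 2>&1; then
        psk_line=$(wpa_passphrase "$ssid" "$passphrase" | grep '^[[:space:]]*psk=' | tr -d '\t ')
    else
        psk_line="psk=\"$passphrase\""
    fi

    # CCMP only; add TKIP back only for an access point that really needs it
    cat > "$wpa_dir/wpa_supplicant.conf" <<EOF
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="$ssid"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    $psk_line
}
EOF
    # Either form of the PSK is a network secret: root-only
    chmod 600 "$wpa_dir/wpa_supplicant.conf"

    cat > "$rootfs/etc/network/interfaces" <<'EOF'
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
EOF
}

# Hosts with 22/open in the AFTER scan that did not have it in the BEFORE scan.
# Both files are `nmap -p22 -oG` output, one "Host: <ip> () Ports: ..." per host.
new_ssh_hosts() {
    open22() { awk '/Ports: 22\/open\//{print $2}' "$1"; }
    before=" $(open22 "$1" | tr '\n' ' ') "
    for h in $(open22 "$2"); do
        case "$before" in *" $h "*) ;; *) echo "$h" ;; esac
    done
}

# Constructed scan files standing in for nmap-before / nmap-after
scans=$(mktemp -d)
cat > "$scans/nmap-before" <<'EOF'
Host: 192.168.0.1 ()  Ports: 22/closed/tcp//ssh///
Host: 192.168.0.23 ()  Ports: 22/open/tcp//ssh///
EOF
cat > "$scans/nmap-after" <<'EOF'
Host: 192.168.0.1 ()  Ports: 22/closed/tcp//ssh///
Host: 192.168.0.23 ()  Ports: 22/open/tcp//ssh///
Host: 192.168.0.42 ()  Ports: 22/open/tcp//ssh///
EOF
new_ssh_hosts "$scans/nmap-before" "$scans/nmap-after"   # prints 192.168.0.42
```

Run it on the real card as `prepare_sd /media/ubuntu/boot /media/ubuntu/rootfs YOURWIFINETWORK 'YOURWIFIPASSWORD'` and, after the two scans, `new_ssh_hosts nmap-before nmap-after` prints the Pi's address without any eyeballing of the scan output.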

Troubleshooting

If you need to troubleshoot, power off the Pi and re-mount the SD card on a Linux box. Check the syslog at /media/ubuntu/rootfs/var/log/syslog and see what's going on.

Thing 1

Installing PIA on Thing 1

This sets up a VPN tunnel at tun0 that connects to a PIA VPN server.

Run these commands as root (sudo -i):

# install openvpn (and unzip for the profile bundle)
apt-get -y install openvpn unzip

# set up pia
cd /tmp
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip -d openvpn openvpn.zip
cd openvpn

# pick a profile to install
mv 'US West.ovpn' 'West.ovpn'
PROFILE="West"
cp ca.rsa.2048.crt /etc/openvpn/.
cp crl.rsa.2048.pem /etc/openvpn/.
cp ${PROFILE}.ovpn /etc/openvpn/.

# set up login credentials for PIA: create the file root-only *before* writing
# the secret into it. (The password typed here still ends up in the shell
# history; clear it afterwards.)
install -m 600 -o root -g root /dev/null /etc/openvpn/login
printf '%s\n' "USERNAME" "PASSWORD" > /etc/openvpn/login

# use absolute paths in the profile so it works whatever openvpn's working
# directory is. Replace the whole directive rather than appending: sed's "&"
# would leave "ca ca.rsa.2048.crt /etc/openvpn/ca.rsa.2048.crt", which openvpn
# rejects as an extra parameter. The directive is crl-verify, not crl-verif.
sed -i 's+^auth-user-pass.*+auth-user-pass /etc/openvpn/login+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+^ca ca.rsa.2048.crt+ca /etc/openvpn/ca.rsa.2048.crt+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+^crl-verify crl.rsa.2048.pem+crl-verify /etc/openvpn/crl.rsa.2048.pem+' /etc/openvpn/${PROFILE}.ovpn

# modify openvpn service to use .ovpn files instead of .conf files. This edits
# the packaged unit, which the next openvpn upgrade will overwrite; reload
# systemd so it sees the change.
sed -i 's+\.conf+.ovpn+' /lib/systemd/system/openvpn@.service
systemctl daemon-reload

# start openvpn in the foreground to watch it connect
openvpn --config /etc/openvpn/${PROFILE}.ovpn

Once you have verified it is working, stop the foreground openvpn process (Ctrl-C) and run it as a service instead:

systemctl enable openvpn@${PROFILE}
systemctl start openvpn@${PROFILE}

Verify it is working: the address printed should be one of PIA's, not your ISP's (compare with the same command run before openvpn was started):

curl -4 icanhazip.com
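Two checks worth keeping around after the install above, added here as an example (not code from the page or from PIA). check_ovpn_paths flags any file-taking directive in a profile that still names a relative path, which is the class of mistake the sed edits above are meant to prevent and which only works while openvpn's working directory happens to hold the files. tunnel_routes_ok reads `ip -4 route` output and confirms that the two half-default routes OpenVPN installs for redirect-gateway (0.0.0.0/1 and 128.0.0.0/1) both point at the tunnel device, which is the condition under which "all traffic" really leaves via PIA. The routing tables and profile fragments embedded below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the page or from PIA: sanity checks for the
# openvpn/PIA install. Sample inputs below are constructed.
set -e

check_ovpn_paths() {
    # $1: profile path. Returns 0 when every ca/cert/key/crl-verify/
    # auth-user-pass line names an absolute file, 1 otherwise (offenders on stderr).
    bad=$(awk '($1=="ca" || $1=="cert" || $1=="key" || $1=="crl-verify" || $1=="auth-user-pass") && $2 !~ /^\//' "$1")
    [ -z "$bad" ] && return 0
    printf 'relative or missing path in %s:\n%s\n' "$1" "$bad" >&2
    return 1
}

tunnel_routes_ok() {
    # $1: tunnel device; stdin: output of `ip -4 route`.
    # redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel,
    # which together beat the ISP default route without deleting it.
    awk -v dev="$1" '
        $1 == "0.0.0.0/1"   && $0 ~ ("dev " dev "( |$)") { lo = 1 }
        $1 == "128.0.0.0/1" && $0 ~ ("dev " dev "( |$)") { hi = 1 }
        END { exit !(lo && hi) }'
}

# Live check on the Pi itself
pia_is_up() {
    ip -4 route | tunnel_routes_ok tun0
}

# Constructed samples: routing table with the tunnel up, and with it down
ROUTES_UP='0.0.0.0/1 via 10.13.112.5 dev tun0
default via 192.168.0.1 dev wlan0 src 192.168.0.23 metric 303
10.13.112.0/24 dev tun0 proto kernel scope link src 10.13.112.6
128.0.0.0/1 via 10.13.112.5 dev tun0
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.23 metric 303
203.0.113.7 via 192.168.0.1 dev wlan0'
ROUTES_DOWN='default via 192.168.0.1 dev wlan0 src 192.168.0.23 metric 303
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.23 metric 303'

# Constructed profile fragments: as shipped in the zip, and after the path fixes
OVPN_RELATIVE='client
dev tun
remote us-west.privateinternetaccess.com 1198
ca ca.rsa.2048.crt
crl-verify crl.rsa.2048.pem
auth-user-pass'
OVPN_ABSOLUTE='client
dev tun
remote us-west.privateinternetaccess.com 1198
ca /etc/openvpn/ca.rsa.2048.crt
crl-verify /etc/openvpn/crl.rsa.2048.pem
auth-user-pass /etc/openvpn/login'

if printf '%s\n' "$ROUTES_UP" | tunnel_routes_ok tun0; then
    echo "sample table: tunnel routes present"
fi
```

On the Pi, `check_ovpn_paths /etc/openvpn/West.ovpn && pia_is_up` is a one-line "is the VPN really carrying my traffic" check that does not depend on an external web service.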

Connect Thing 1 to internet

At this point, you will need an internet connection, plus an unoccupied wifi device.

You can leave the first wifi card alone as it is, and plug in a second wifi card (wlan1).

Or, you can connect an ethernet cable (eth0) and use wlan0 to run the hostapd.

We use the first scenario.

Hostapd on Thing 1

First allow the Pi to forward packets and act as a router by adding this line to your sysctl config:

/etc/sysctl.conf

net.ipv4.ip_forward=1

Reload the sysctl:

sudo sysctl --system

Install hostapd:

sudo apt-get -y install hostapd

Configure the hostapd file. wpa=3 would also accept WPA (version 1) clients using TKIP, which is broken, so allow WPA2 with CCMP only unless you really have a client that needs the old protocol. Replace the passphrase with your own (8 to 63 characters):

/etc/hostapd/hostapd.conf

interface=wlan1
driver=nl80211
hw_mode=g
channel=1
macaddr_acl=0
ignore_broadcast_ssid=0

# LAN10
ssid=LAN10
wpa_passphrase=cow-doctor-horse-building-5
auth_algs=1
# WPA2 only (wpa=3 would also accept WPA1/TKIP)
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

Connecting Hostapd and PIA

Next step is to connect the hostapd network to the PIA tunnel so all traffic from clients on the hostapd wifi network will pass through the PIA tunnel.
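The page stops at the intent; the rules that do it are added here as an example and are not the page's own configuration. The point is the ordering: one ACCEPT from wlan1 into tun0, then an unconditional DROP for anything else from wlan1, so that if the tunnel goes down the clients fail closed instead of being forwarded out of wlan0 to the ISP. Assumptions: wlan1 carries 10.10.10.0/24 (a hypothetical subnet, the page does not assign one), something hands out addresses on it, and net.ipv4.ip_forward=1 as set above. IPT can be set to echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original page. Forwards everything from the
# hostapd clients on wlan1 through the PIA tunnel (tun0) and fails closed if
# the tunnel is down. Assumptions: wlan1 carries 10.10.10.0/24 (hypothetical
# subnet; the page does not assign one), something hands out addresses on it,
# and net.ipv4.ip_forward=1 as set above.
# Set IPT=echo to print the rules instead of applying them.
set -e
IPT="${IPT:-iptables}"

hostapd_to_pia() {
    ap="$1"       # hostapd interface, e.g. wlan1
    tun="$2"      # PIA tunnel device, e.g. tun0
    ap_net="$3"   # subnet served on $ap

    # Replies to flows we already forwarded may come back from the tunnel
    $IPT -A FORWARD -i "$tun" -o "$ap" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Client traffic may be forwarded into the tunnel...
    $IPT -A FORWARD -i "$ap" -s "$ap_net" -o "$tun" -j ACCEPT
    # ...and nowhere else (in particular not out of wlan0 to the ISP). The
    # order matters: this DROP must come after the ACCEPT above. When tun0
    # disappears the ACCEPT stops matching and clients lose connectivity
    # instead of leaking.
    $IPT -A FORWARD -i "$ap" -j DROP
    # Rewrite client sources to the tunnel address so PIA routes replies back
    $IPT -t nat -A POSTROUTING -s "$ap_net" -o "$tun" -j MASQUERADE
    # Clients may talk to the Pi itself only for DHCP
    $IPT -A INPUT -i "$ap" -p udp --dport 67 -j ACCEPT
}

# How many FORWARD rules a dry run produces; lets a wrapper script sanity
# check itself before `netfilter-persistent save`
forward_rule_count() {
    (IPT=echo; hostapd_to_pia "$@") | grep -c -- '-A FORWARD'
}

# Usage: `sh thing1_forward.sh apply` applies the rules for real; with no
# argument the script only prints what it would apply.
if [ "${1:-}" = apply ]; then
    hostapd_to_pia wlan1 tun0 10.10.10.0/24
else
    (IPT=echo; hostapd_to_pia wlan1 tun0 10.10.10.0/24)
fi
```

Clients on LAN10 must be handed a resolver that is reachable through the tunnel (for example one PIA pushes), since the DROP above also stops them from reaching the PiHole on 192.168.0.0/24; that wiring is not covered on this page.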

Thing 2

Installing PiHole on Thing 2

This one is pretty easy. The one-liner, once you've inspected the code you're about to run (OF COURSE), is:

curl -sSL https://install.pi-hole.net | sudo bash

Normally it's bad practice to pipe to sudo bash, but this time around we make an exception. Ya know. Cuz we do like we do. You don't like it, you fuck off, you hear?

Now where was I.

Enabling DNS queries from local network

To make the PiHole work for everyone on the local network, you need to enable the PiHole to respond to DNS queries from other hosts.

Boot up the Pi and go to the admin interface at http://<PiHole IP>/admin (some address in 192.168.0.0/24). Navigate to Settings, then the DNS tab, and under the interface listening behaviour pick the option that responds to queries from devices one hop away (local devices). Don't pick the "permit all origins" variant unless the Pi can only ever be reached from your LAN: a resolver that answers arbitrary sources is an open resolver and an amplification target.

Using the PiHole DNS as the PiHole DNS

For some reason, the PiHole doesn't configure itself to use itself as its own DNS server. By default, if you run dig doubleclick.net, it will return the real IP for doubleclick.net (even though that's a domain that the PiHole will block). But if you point dig at the local IP address of the PiHole, dig doubleclick.net @192.168.0.300 (300 is a placeholder, not a valid octet; use the PiHole's actual address), it resolves to 0.0.0.0 as expected.

To use the PiHole DNS as the system DNS, edit the following file:

/etc/resolv.conf

nameserver 192.168.0.300

(300 is a placeholder; use the PiHole's own address, or 127.0.0.1 since this is the PiHole itself)

On Raspbian this file is rewritten by dhcpcd on every lease renewal, so the hand edit only lasts until then; the persistent equivalent is a static domain_name_servers entry in /etc/dhcpcd.conf pointing at the same address. If systemd-resolved is what manages resolv.conf on your image, restart it after the change (the service is systemd-resolved, not resolvd):

sudo systemctl restart systemd-resolved

Re-run dig doubleclick.net with no @server afterwards; it should now answer 0.0.0.0.

Installing PIA on Thing 2

Follow the steps above to install PIA on Thing 2.

When the installation is done, you'll probably notice that DNS is borked on the PiHole. That's because the PiHole is set up to use itself as its DNS server, and when the local resolver can't answer a query it forwards it to an upstream DNS server. If the PIA tunnel is up, PIA attempts to prevent DNS leaks by blocking the outbound DNS request going to 8.8.8.8.

To fix this, we set some iptables rules so that the PiHole's upstream DNS requests go out through the tunnel, where they are not blocked but forwarded to PIA's resolver.

Connecting PiHole to PIA

Next step is to set up PIA on Thing 2 so that all DNS queries will pass through a PIA tunnel.

As mentioned above, we need iptables rules so that DNS requests can flow from clients to the PiHole server, and from the PiHole out through the PIA tunnel to the wider internet.

Note which chain each leg uses. Queries from LAN clients arrive in INPUT. The PiHole's own upstream queries are generated locally, so they leave through OUTPUT and are steered to tun0 by the routing table (PIA's pushed default route), not by FORWARD: lo is not a forwarding interface, so "-i lo" or "-o lo" rules in FORWARD can never match. The rules therefore state which of these legs is allowed; for example, a packet leaving the PiHole for port 53 is allowed out via the tunnel, and client queries to port 53 are allowed in only from the wifi interface.

To set up iptables rules, you can create a script that will flush all rules, populate iptables with the rules you want, then save them so they are persistent on reboot.

PiHole iptables setup

This section gives an iptables setup script that will redirect DNS traffic in the desired way.

Start by installing iptables-persistent, which pulls in netfilter-persistent (the framework that restores saved rules at boot; netfilter-persistent on its own ships no iptables plugin). It is fine to decline the install-time prompt to save the current rules, since the script below saves them:

sudo apt-get -y install iptables-persistent

Now the script.

iptables_thing2.sh

#!/bin/bash
# iptables setup for thing 2 raspberry pi (PiHole + PIA tunnel)
set -e

ipt="sudo /sbin/iptables"

# Name of PIA VPN tunnel device
PIATUN="tun0"
# Name of wifi interface on 192.168.0.0/24, where the PiHole's clients are
WLAN="wlan0"
LAN="192.168.0.0/24"

# start by flushing all rules and user chains in every table
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X

# Default policies. INPUT ends in an explicit LOGGING/DROP chain below, so its
# policy is never reached. Stricter alternative for FORWARD (this Pi routes
# nothing; ip_forward is only enabled on thing 1):
#$ipt -P FORWARD DROP
# Easier:
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT

##################
# Loopback and established traffic

# pihole-FTL, the web UI and the Pi's own resolver calls all talk over
# loopback; those are NEW connections, so accept the interface outright
$ipt -A INPUT -i lo -j ACCEPT
# Allow any established connection to come in or out
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets that fit no tracked flow are never wanted
$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

#################
# Ping

# Allow incoming ping requests from the LAN
$ipt -A INPUT -i ${WLAN} -p icmp --icmp-type echo-request -j ACCEPT

#################
# SSH

# Allow new SSH sessions from the LAN only (replies already match ESTABLISHED
# above, so no --sport 22 rule is needed)
$ipt -A INPUT -i ${WLAN} -s ${LAN} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

#########################
# http (web ui)

# The admin interface is served on port 80; a new browser connection arrives
# with --dport 80, not --sport 80
$ipt -A INPUT -i ${WLAN} -s ${LAN} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

##################
# DNS service for the LAN

# Clients' queries are NEW connections to port 53 (UDP and TCP). Accept them
# only from the LAN interface so the PiHole is never an open resolver towards
# the VPN side.
for prot in tcp udp; do
    $ipt -A INPUT -i ${WLAN} -s ${LAN} -p $prot --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done

##################
# PIA VPN tunnel and upstream DNS

# The PiHole's own upstream queries are generated locally, so they traverse
# OUTPUT and the routing table, never FORWARD (lo is not a forwarding
# interface, so "-i lo"/"-o lo" FORWARD rules can never match). Once openvpn
# is up, PIA pushes a default route via ${PIATUN}, and that route is what
# actually carries the queries through the tunnel; the rules here only say
# what is allowed. Replies come back via the tunnel and match ESTABLISHED, so
# nothing else arriving from ${PIATUN} needs to be accepted.
$ipt -A OUTPUT -o ${PIATUN} -p udp --dport 53 -j ACCEPT
$ipt -A OUTPUT -o ${PIATUN} -p tcp --dport 53 -j ACCEPT
# Masquerade anything leaving via the tunnel (needed only if this Pi ever
# forwards for other hosts; harmless for its own traffic)
$ipt -t nat -A POSTROUTING -o ${PIATUN} -j MASQUERADE

# Fail-closed option: drop pihole-FTL's upstream queries if they would leave
# via the wifi instead of the tunnel. Left off by default because openvpn
# itself resolves the PIA server name through this same PiHole before the
# tunnel exists; enable it only if the .ovpn uses "remote" with an IP address
# or the Pi's own /etc/resolv.conf does not point at the PiHole.
#for prot in tcp udp; do
#    $ipt -A OUTPUT -o ${WLAN} -p $prot --dport 53 -m owner --uid-owner pihole -j DROP
#done

##################
# Logging

# Anything not accepted above is logged (rate limited) and dropped
$ipt -N LOGGING
$ipt -A INPUT -j LOGGING
$ipt -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: " --log-level 4
$ipt -A LOGGING -j DROP

# Make rules persistent
sudo netfilter-persistent save

Related Pages

RaspberryPi

RaspberryPi/Headless

Flags