Raspberry Pi – VPN & Proxy

Like a lot of people I purchased a Raspberry PI when they were all the rage about a year ago. Initially, I was super excited like everyone else about this piece of hardware that was going to change the world and bring affordable computers to everyone – fast forward a year – my Pi was sitting on my desk staring at me and I felt guilty for not putting it to better use.  Several of my friends had used theirs to start programming projects or a XBMC servers.  I am not much of a programmer and I already have Roku boxes on all of my TVs so it basically got booted up from time to time to show others that it was a tiny device that could hook to an TV with an HDMI port and surf the web… not earth shattering stuff.
I decided that my Pi needed to find new life as a part of my network.  I went to http://www.raspberrypi.org and downloaded the newest version of their operating system referred to as Raspbian “wheezy” – it is based on Debian Linux which I regularly use in my job as a security administrator.  However I use it mostly to launch Nessus scans from or NMap hosts with.  NMap the Pi can do… Nessus not so much.  I recalled some articles I had read on LifeHacker.com about using the Pi as a VPN / Proxy to put your traffic behind.  Ok, I travel quite a bit so this could be my use case.  I am not knocking LifeHacker, I am a regular reader of their articles and have found it to be tremendously useful resource.  However their material on making the Pi into your web proxy was referencing specific versions of software that made the article useful, but not especially helpful to someone new to using the Pi or Linux.
Well now that I am into this post, we should probably flash back to the beginning and start with a Pi that is dead, lifeless, and sitting on a shelf.  First we will need an operating system.  The one I mentioned above is the way to go for this project.  Once it is downloaded it needs to be uncompressed to SD media.  There is a great guide to be found here – http://elinux.org/RPi_Easy_SD_Card_Setup – what this guide doesn’t readily mention, and that it took me about 20 minutes to figure out, is that if you have fat fingers (guilty of ham hands here) it is easy to accidentally “lock” the SD card and make it read only.  The GUI tools that load the OS do not warn you of this fact.  I only discovered this after I got fed up with the GUI and went to do the command line route.  First command I type it tells me that the destination is read-only.  After I removed my palm from my forehead and flipped the switch I returned to the path of the GUI.  This only takes a few minutes and once it is done boot up the Pi for the first time.
What none of the guides told me, but I quickly figured out on my own is that the Pi doesn’t always start up correctly the first time. If you don’t see any video on the screen unplug the power, reconnect all of the cables, and re-insert it.  When the Pi boots for the first time it will give you a menu to reset the password for the Pi user (it defaults to raspberry). It also allows you to enable the SSH server – do this, and it allows you to say if you do or do not want to GUI to start at boot.  I went ahead with it starting but I may turn this off later as I am mostly using this guy for VPN and Proxy.  I want to conserve as many CPU cycles as I can to devote it to passing my VPN packets.  Once the Pi is up and running the rest of this can be done from your workstation it needs no monitor on the Pi just an SSH session.  To get the IP Address use the Terminal shortcut on the desktop of the GUI, or from the Terminal that it boots into if you did not enable the GUI, -and at the Terminal type ifconfig to get the ip address of the Pi. Make a note of this address we will need it for the following steps.
Using SSH – if you are already an avid SSH user skip to the next paragraph, if not stay with me I am going to give you two simple ways.  On a Mac open your terminal – shortcut way is Press Command and Space start typing the world terminal and hit enter.  This will bring up a strange white box that will feel foreign to many Mac users.  In the terminal type – ssh pi@ip address of your raspberry pi – it will prompt you to accept the key just hit Y and enter the password you changed in the boot menu or enter raspberry if you forgot to change that default password. On a Windows machine there is no default SSH client so you need to download a client.  The client that I recommend is putty and can always be found here – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html – putty has a GUI enter you Pi’s ip address, username, and password and get connected.
Now – we now have a fully functional Pi that is running Linux and providing us with a shell via SSH.  The next two commands you are going to be typing in your sleep and wishing that every operating system that you use contained – sudo apt-get update – and once that completes – sudo apt-get upgrade.  These two wonderful commands will scour the internet repositories for updates and then apply them in the second step, this keeping your Pi running with the newest software available.
I know this seems like a lot, or maybe I am just wordy.  Now we are ready to continue on.  There are 3 files we need to download that we are going to need later.
1. The installer for Hamachi http://secure.logmein.com/labs
If you haven’t used logmein before – be ashamed be very ashamed.  Instead of going to the download page you will be presented with a login page.  Login, open the link again and then you will see the LogMeIn Labs page.  Click on Hamachi for Linux which at the time of this writing is in Beta.  Hit learn more to see the list of software versions.  The one I had the best success with was the file under ARM (processor type in the Pi) that ends with .tgz  This is a tar file that is to be downloaded to your workstation and then copied to the Pi and installed from.
2. The installer for Webmin (an admin tool that comes in handy)
Go here http://webmin.com and click on Debian Package there is only 1 webmin package for all processor types it is not picky.  Once it downloads it is time to get installing.
Open your favorite secure ftp client I prefer Cyber Duck on the Mac and WinSCP on the windows platform. Configure the client to connect to the Pi the same way you connected using SSH – we are using the same service on the Pi and the same basic protocol just some different features that it offers.  The folder you connect to by default is the home folder of the Pi.  When you connect via SSH or SCP you will be presented this folder first for whichever user you authenticate as.  It is a good practice to create a folder here for storing your files.  I usually go with source, but call it whatever you like.  Just right-click and create the new folder, dragging your files over and dropping them into the newly created folder.
After the file copy completes. We can install the Hamachi VPN service.  Back in the LogMeIn webapp you can access Networks, and My Networks.  This is where you create and name your Hamachi Free VPN connections – up to 5 computers.  It is best to create for our purposes a Mesh network topology and add you laptop or other computers that you want to proxy/VPN traffic on. Knowing your login name and network name will be very important shortly.
To get the Hamachi client extracted and installed first return to your SSH session and navigate to your software install directory use cd source or whatever you named it.  CD stands for change directory in Linux, Mac, and Windows.  The command is similar in all of them.  You can use cd .. to back up one level or pwd (Mac and Linux) to know exactly where you are in the file system.  Inside of the source folder you will see logmein-verison number information-armel.tgz.  This is the file we will need type sudo tar –xvf and the .tgz filename.  We use sudo to run commands as the root user – similar to administrator on a Windows machine.  Tar is used to expant the tarball file we are working with.  Once the process returns you to the prompt use ls to see what you have created and cd to move yourseld into the new folder.  When you do ls now there are several files, the one we are interested in is install.sh to execute this file use the command sudo ./install.sh to start the install.  If you did’t already know using the tab key on the keyboard will autocomplete filenames and commonly used commands in most operating systems.
The install will complete and we are ready to join our Hamachi network.  First run sudo hamachi this will show you that the Hamachi program is running and connected. Next is sudo hamachi attach “email address you use for LogMeIn” and hit enter this  will set your Pi to reference your LogMeIn account, next use sudo hamachi join “Name of the network you created”.  This will prompt your for your Hamachi network password, if you it great, if not no problem.  Return to the LogMeIn portal and to the My Network section and you will see the new machine at the top of the list.  If you haven’t altered the default hostname of the Pi it will appear as raspberrypi.  Edit it and move it into your Hamachi network.  It should rapidly appear in the Hamachi window on your laptop or desktop.
Now we are ready to install the proxy server.  This part is a breeze do to the amazing apt command.  Simply type sudo apt-get install privoxy and hit enter.  This will install the software and configure it.  We only need to make one minor change once the install completes.  Answer Yes to any question that pop up during the process.  Once you are returned to the command shell type sudo hamachi to view your hamachi IP address, write it down we are going to need it in the next step.
The privoxy service needs to know that it will be contacted on it’s Hamachi IP address.  We can define this behavior in the config file for privoxy using nano, a simple text editor for Linux.  There is the more powerful vi, but this is for beginners not seasoned Linux veterans.  First use this command cd /etc/privoxy/ to take us to the privoxy files use sudo nano config to open the config file as the root user (so that we have rights to change it).  We have to find the space that needs editing so the simplest way is to hold down control and press w for the search command and search for localhost:8118 – go to the line below this one and mirror the syntax of the line above with localhost like this:
listener-address        hamachi ip address:8118
The space between the listen-address directive and the Hamachi IP address is a tab not a space to enter it that way.  The 8118 is the TCP port we will be using to connect with.  Once you have the edit in there properly control X to exit and answer Y for yes to save and exit.
Now we need to restart the privoxy service – sudo service privoxy restart will take care of it from the command line. Most Linux services can be restarted so that they can affect changes to config files without the need for a reboot unlike some operating systems… windows. Now with the service restarted configure one of your browsers to use the Hamachi IP address as the proxy IP and enter the port as 8118.  If you can connect to the internet you are now browsing across your VPN, but for a real test you are going to have to leave the comfort of your computer room to test it.
The final step for this article is to get WebMin installed.  This is a great little utility for administrating Linux machines.  It would be most helpful to set a root password. By default on Debian machines they do not use the root account much. To set this password use sudo passwd root and follow the prompts to set this password.  Make note of it and keep it safe.  Move back to the folder where we put the install files cd /home/pi/source/ as in my previous example.  To start the webmin install sudo dpkg –I webmin-version-number.deb  This will start the dpkg (debian package utility) installing the .deb (debian package) installing but it will not complete.  There are several other files that WebMin needs to run.  We are going to cheat and have the operating system find them for us.  Once the WebMin installer errors out there will be several missing packages.  I picked one called apt-show-versions (it doesn’t really matter which) and entered sudo apt-get install apt-show-versions after this completes I ran sudo apt-get –f install this command will find the dependencies for installed software and install them.  When it competes it will tell you the login URL for your webmin instance.  You can use the Hamachi IP just don’t forget the HTTPS:// in the front and the port :10000 at the end of the URL. When presented with the WebMin login page give root for the username and the password that you configured earlier in this paragraph.
Now you have a handy utility machine that can be accessed safely from virtually anywhere that you have internet connectivity.  As I use the Pi more I hope to create more post showing how I am making use of my ultra cheap computer to make my computing more fun.
This entry was posted in Ramblings. Bookmark the permalink.

Comments are closed.