tirsdag 21. juli 2015

E.T. phone home - piVPN as a remote network access point for all your network resources

My  original homemade plexi casing for the RPi 2 made it look a little bit like E.T. ,with it's "long head" and USB ethernet cards "eyes".

piVPN's E.T. phone home

While E.T. himself made a "makeshift communicator" (among its parts was a Speak & Spell, an umbrella lined with tinfoil, and a coffee can filled with other electronics) to phone home, the piVPN RPi version of "phone home" can do a lot more than just to call home using audio.
E.T.'s makeshift communicator

The piVPN "phone home" box act as a an wired and wireless access point to bridge all network resources in a home or office to any networked device over a VPN line. Also you can connect several devices to the "phone home" box at the same time. As the VPN is bridged, all the devices will look like they are a part of the main network. 
For example they get their IP addresses by the main DHCP server in the office, and they are also able to log on to active directory as they where in the office.
The IT admins in the office does not need to know anything about the exact network configuration on the remote site where the piVPN connects from. 
The connection to the "phone home box" it self can be over a 3g/4g phone, a cable to a switch, a wifi guest network or whatever available on the site you are connecting it from.
Network traffic is encrypted between the "phone home box" and your main office, making this system safe over untrusted networks. 
Network devices that are used by other people on any remote open networks that you connect your "phone home box" to, will not be able to see or access your devices or network.
The piVPN is also able to run on a solar powered battery. 
This makes it a very portable mobile field solution too. 

Best of all... It is based on opensource software, small and cheap hardware, and it is very configurable :-)

First a quick drawing on how this is done:

In the main network (this can be your office, home or wherever you have your main network resources) we will need to install a SE VPN server, which can be downloaded from here:

You could install this VPN server on a RPi 2, a windows or a linux box.
In this case I will install it on a old windows 7 pizza box, as it is less fuzzy about routing. The linux installation tend to have some issues sometimes with how the kernel sets up the routing tables.
This is fixable, but requires some extra work recompiling the linux kernel for the VPN server.

So I just get my windows 7 pizza box, and install the SE VPN server software from here.

The SE VPN official how-to is found here

Make sure you also install the server manager software that comes with the package, as we will need that later to configure the bridge on the pivpn "phone home" box.

The VPN mode you install is VPN server (central) that accepts connections from other servers.

During the installation you will be asked if you want to use a dynamic DNS name and a azure DNS name (this makes it possible to connect to your office trough the microsoft cloud).
Security wise it is not recommended to use these settings, but  for this experiment (and ease) we will do it for now.
You can try to suggest a name that you will actually remember instead of the SE auto-generated one if you want to and write it down.

I would recommend to give your PC a static IP address and NAT' the port 443 through your router to that IP address. This will guarantee a TCP connection between the remote host and your office using https. If not the system may be running on UDP which is more unstable. 
Even though SE VPN support several ports, 443 is the most practical one, as this port is normally open on all remote networks that you are able to access internet from.

If you don't have access to open ports or do changes on your router, you can just use the azure cloud DNS name (the vpnazure.net address given to you during the SE VPN server install).
This ensures a link from your VPN server to the cloud. A remote VPN client will then connect to the cloud server, and access your network through this (note that this may be a very slow link).

When the installation is done connect to the server with the "SE VPN manager" application which is installed during the SE VPN server setup.
When you connect to the localhost the first time it wants you to create a new admin password for the VPN server. Choose a long safe password. This password is for connecting to the server using the "SE VPN manager" application.
Now create a new "virtual hub", the system normally suggest the name "VPN" for this virtual hub.
Create a username and a password for the virtual hub.This is the username and password to be used for VPN clients (and bridges) that connects to the server
Create a "local bridge setting" for the virtual hub (this will be the  physical network card as this is not a multi homed PC). If you plan to have a lot of traffic, you should get one physical network card per virtual hub, but this is way out of scope for our simple setup.

Now the VPN server should look like somthing like this:
The virtual hub name is home and is online
It got two users
You will be able to see the 
softether.net DDNS and vpnazure.net DNS names 
at the bottom of the window.

You should test that it is working by connecting with a SE VPN client from another machine.

When you know the server is working, we can go ahead with the "phone home" box.

To keep control of the device ID name, I just start with a clean RPi 2, connected to my network switch using the built in ethernet card eth0, a USB keyboard connected to a USB port and freshly installed raspbian OS (16 gb SD card formatted with SDFormatter and 2015-05-05-raspbian-wheezy.img added using win32imager).

On my main windows machine I start putty and ssh to the machine.

First thing to do is to install and run the vpn bridge script

wget http://home.pivpn.net/pivpnbridgeinstall.sh
chmod 777 pivpnbridgeinstall.sh

If all the current RPi network settings are OK, there is nothing much to to do just now. Just wait for the RPi to finish the script and reboot (approx. ten minutes).

After the RPi reboot you should see a message on the console that the VPN bridge daemon has started (e.g. "The SoftEther VPN Bridge service has been started")

So now on to the hardware to be added to our RPi:
What we want to do

eth0 (the built in ethernet card) - This will be available to connect to remote switches using a network cable 

eth1 (aadded usb ethernet port) - Available as a cabled bridged port (A port to directly connect you remote PC by cable. When you are connected a virtual network cable between your device and the office network is created).

wlan0 (added USB wifi card #1) - This will be a wifi client connection that may be used to connect to a remote wireless access point

wlan1 (added USB wifi card #2)- Available as a wireless bridged port using hostapd (SID pivpn, WPA key Passw0rd, It will act as a wifi access point for any devices that has a wireless client. When you connect with any wireless device to this AP, you will get bridged to the SE VPN server and have a virtual network cable between your device and the office network)

The basic system is this:
eth0 and wlan0 is connecting and using the remote network, respectively by cable or wireless.

eth1 and wlan1 is bridging through either of the connections eth0 or wlan0 to provide access to your office network for any client that connects through those interfaces.

First to the two cabled interfaces eth0 and wlan0. For the moment we will just leave them as is.
They both got a DHCP setting by default, so they should recieve a dhcp IP address for whatever they connect to.
It may seem a bit strange but we don't have to setup DHCPD or a static IP address for any of them. The reason is that we will let eth0 just get what ever IP address that remote network provides.
When it gets an IP address, eth0 then will connect to the VPN server. When connected through the remote internet using the https port (443) to your VPN server it will assign both eth1 and wlan1 as the interface to provide the bridge.
For wlan0 we will need to manually connect to a remote wireless AP,. We will really need to do that on site, if we don't have the wlan info beforehand. 
So conclusion; these two ports will provide any host connecting with them with the network settings from the VPN server and they should connect with DHCP wich is the default network setting in RPi.

So first we connect one WiFI USB card to the RPi to make sure it gets the interface name wlan0.

Do a reboot
(sudo reboot)

If you want you are now able to connect to a wireless access point using 
the gui application 
logon with your user to your RPi
startx (if it is not in gui mode)
in the gui scan and connect to a wireless AP

Now, check the file /etc/wpa_supplicant/wpa_supplicant.conf

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

It should contain something like this:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev


So at this time we have eth0 and wlan 0 configured

For eth1 we do not have to do anything but connect it and reboot... Yes really, don't even ask. It will not need an IP address ever.

After a reboot and the command ifconfig, you should see something like this:

pi@raspberrypi ~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:da:87:2e
          inet addr:  Bcast:  Mask:
          RX packets:350 errors:0 dropped:1 overruns:0 frame:0
          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31363 (30.6 KiB)  TX bytes:16842 (16.4 KiB)

eth1      Link encap:Ethernet  HWaddr 00:50:b6:12:84:d5
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13592 (13.2 KiB)  TX bytes:13592 (13.2 KiB)

wlan0     Link encap:Ethernet  HWaddr 34:21:09:1a:f2:95
          inet addr:  Bcast:  Mask:
          RX packets:336 errors:0 dropped:126 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44012 (42.9 KiB)  TX bytes:4334 (4.2 KiB)

pi@raspberrypi ~ $

So three of four is done :-)

So now to the last interface wlan1 which will be our wireless access point.
In principle this acts as the eth1 USB card. As long as the client is able to connect AND the internet connection is OK on either eth0 or wlan1 it will connect without any DHCPd setup.
What we need is to be able to connect a client. 
Do do that we will need to install the hostapd daemon, and the good thing is that the script has already done that, and the service is already started.
We will need to connect the USB wifi card and configure it, that is all :-)
Remember to run sudo reboot when you connect the new USB card wait until the reboot is finished

This may be the point where the RPi start to get a bit confused, you may notice that both wlan0 and wlan1 gets an address from the dhcp server - they both are clients to the same wireless access point now.

We need to make sure they get seperated by their device names.

The configuration file for hostapd is found here:

sudo nano /etc/hostapd/hostapd.conf

Paste something like this in to the file (dependent of the driver of wlan1):


There is a little thing with the hostapd service. Even if it is installed, it does lack a link to the config file so the daemon does not start.

So we will need to edit one more file to make the hostapd read  and run our config file:

sudo vi /etc/default/hostapd

add or edit the line to:


Now reboot

With some luck all should work now. While rebooting check the console output:

If the piVPN network is not appearing in the available wireless access point list on another PC in a few minutes, please check the command

sudo iw list

and see if the usb wifi card is recognised.

The final part; getting this all together.

Now you should have a fairly long list of devices if you run the command ifconfig:

On my PC:

pi@raspberrypi ~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:da:87:2e
          inet addr:  Bcast:  Mask:
          RX packets:1015 errors:0 dropped:2 overruns:0 frame:0
          TX packets:354 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:95467 (93.2 KiB)  TX bytes:35540 (34.7 KiB)

eth1      Link encap:Ethernet  HWaddr 00:50:b6:12:84:d5
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12928 (12.6 KiB)  TX bytes:12928 (12.6 KiB)

mon.wlan1 Link encap:UNSPEC  HWaddr 34-21-09-1A-F2-83-00-00-00-00-00-00-00-00-00-00
          RX packets:94 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10737 (10.4 KiB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 34:21:09:1a:f2:95
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:199 errors:0 dropped:89 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24550 (23.9 KiB)  TX bytes:3896 (3.8 KiB)

wlan1     Link encap:Ethernet  HWaddr 34:21:09:1a:f2:83
          RX packets:8 errors:0 dropped:3 overruns:0 frame:0
          TX packets:494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1157 (1.1 KiB)  TX bytes:203133 (198.3 KiB)

pi@raspberrypi ~ $

Time to configure the bridge VPN part.

Start the SE server manager and go to the eth0 ipaddress.

Set a password

Go with the default

Choose step 2

 Enter the info from the earlier VPN server setup at home, 
enter vpnazure.net or softether.net DNS name, username and password

Make sure it connects

Step 3 Set local bridge
Do this twice for eth1 and wlan0

Done and reboot :-)

Now for the final setting change the wireless client card settings (sudo nano /etc/wpa_supplicant/wpa_supplicant.conf) to something that makes sense when you are offisite.
This can be your phones 4g setting when you tether it.

Ingen kommentarer:

Legg inn en kommentar