How to use a Raspberry PI to encrypt network traffic when traveling

As a gift I was given a Raspberry PI a few weeks back. So far I’ve set it up to do everything from being a VPN server while traveling, to a CalDAV and CardDAV server for calendar and contacts, and even to automate feeding my cat while away using a PicoBorg and the Twilio API. For my first article, I wanted to dive into how to use your Raspberry PI to encrypt your network traffic while traveling or using public WiFi.

When traveling you will probably find yourself using a lot of public WiFi hotspots. One problem with these hotspots is that anyone on the same network can snoop (rather easily) on any webpage you load or request.

HTTPS will keep your banking information from being blasted out into the open, but even in 2016 not every website is served over HTTPS just yet.

Also, depending on where you are going, you may find certain services (Instagram, Facebook, etc.) are blocked behind the country’s firewall.

So that’s where a VPN comes in to save the day. Using a VPN server we can encrypt all of our traffic and send it through our home internet connection, making it impossible for anyone on the hotspot to snoop on our internet traffic or even know what websites we are browsing. While services exist that you can pay to use as a VPN, for just ~45 USD you can buy a Raspberry PI kit and set up your own VPN server.

Setup

  1. Raspberry PI
  2. Micro SD card (8 GB recommended)
  3. Cat 5e ethernet cable

If you want a decent setup I recommend this kit; it includes everything you need to get started. I will caution against using the WiFi card however, as it won’t be as reliable as a wired connection.

Setup SSH (and optionally VNC)

Setting up SSH is a good first step since you will want to run your PI headless.

Open a terminal and run

sudo raspi-config

Look for Advanced Options and then SSH.

From there hit Enable SSH server.

On your computer run (sorry Windows users, you will need to find an ssh client)

ssh <ip_address> -l pi

If you haven’t changed the password, the default password will be raspberry.

Optionally also run

sudo apt-get install tightvncserver

followed by

vncserver :1

Then using something like VNC Viewer you can remotely connect and work with your PI.

Tip: To use ssh or vnc you will need the ip address of your device. Run “sudo ifconfig” to find it. If using a wired connection it will be under eth0 (wireless will be wlan0); then look for inet addr.

Install OpenVPN

Now that we have ssh up and running we need to install OpenVPN.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install openvpn

The first two commands will update the packages on your Raspberry PI to be safe. You can skip those commands if you don’t want to update.

Now we need to get a superuser session; the next couple of commands won’t work unless we have root permissions.

Run

sudo su

From there open /etc/openvpn/server.conf using your favorite editor; for this guide I will work with nano.

nano /etc/openvpn/server.conf

and copy and paste the contents of the gist into it. Remember to update it to use your PI’s ip address.

Below I break down some of the lines to explain what they do.

dh dh2048.pem

We are using dh2048.pem over dh1024.pem to double the strength of our key. This means it will take a little longer to generate the parameters; feel free to use 1024 if you think this is overkill.

push "redirect-gateway def1 bypass-dhcp"

This will have all clients that connect to our OpenVPN server push all their traffic through the server.

Next let’s set up which DNS server to use. I prefer OpenDNS, and by default it’s the recommended DNS server for OpenVPN. This will help prevent domain name lookups from leaking outside the VPN tunnel.

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

You can of course change the ip addresses to any DNS server you want, like Google’s (8.8.8.8 and 8.8.4.4).

Now the last change and a very important one.

user nobody
group nogroup

By default OpenVPN will run as root, which is not ideal. Why? Well, if a vulnerability is found in OpenVPN, an attacker can use the root privileges of the application to do as they please with your device. User nobody is an unprivileged user which is often used for running applications like servers. This reduces the scope any attacker would have if they were able to gain access. Now save and write out the changes you have made.

Generating Keys

Next we need to create a few keys. These make it so the actual traffic is encrypted, and so that not just anyone who knows the ip address of our device can connect.

Copy over the RSA scripts

cp -r /usr/share/easy-rsa/ /etc/openvpn

Then make a directory to hold them

mkdir /etc/openvpn/easy-rsa/keys

Now let’s modify those scripts a bit by opening the vars file

nano /etc/openvpn/easy-rsa/vars

Look for the following keys and change them to what suits you.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="San Francisco"
export KEY_ORG="Speed Force"
export KEY_EMAIL="zach@example.com"
export KEY_OU="The Rising Tide"

Now we need to generate the Diffie-Hellman parameters; since we are using 2048 bits this may take a bit (15 to 45 minutes).

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

So what is this doing? In order for the server and client to agree on encryption keys without any prior shared secret, they use a Diffie-Hellman exchange, and this file holds the large prime and generator that exchange is computed with. Anyone watching the traffic sees the public values each side sends but cannot derive the resulting shared key, which is what the secure channel is then built on.
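To make that concrete, here is a toy Diffie-Hellman exchange in POSIX sh, added as an example for this post (it is not the author’s code or anything shipped with OpenVPN). The prime p=23, generator g=5 and the two secrets 6 and 15 are constructed so the arithmetic fits in shell integers; the real dh2048.pem holds a 2048-bit prime and generator, and each side picks a fresh random secret per connection.

```shell
#!/bin/sh
# Toy Diffie-Hellman exchange (added example). Real parameters are 2048-bit;
# p=23, g=5 and the secrets below are constructed so everything fits in shell arithmetic.

# modexp BASE EXP MOD -> BASE^EXP mod MOD, by square-and-multiply
modexp() {
    me_base=$(( $1 % $3 )); me_exp=$2; me_mod=$3; me_res=1
    while [ "$me_exp" -gt 0 ]; do
        if [ $(( me_exp % 2 )) -eq 1 ]; then
            me_res=$(( me_res * me_base % me_mod ))
        fi
        me_exp=$(( me_exp / 2 ))
        me_base=$(( me_base * me_base % me_mod ))
    done
    echo "$me_res"
}

# dh_shared P G A_SECRET B_SECRET -> the shared secret both sides compute;
# exit status 1 if the two sides disagree (a correct exchange never does)
dh_shared() {
    p=$1; g=$2; a=$3; b=$4
    A=$(modexp "$g" "$a" "$p")   # client sends A = g^a mod p over the wire
    B=$(modexp "$g" "$b" "$p")   # server sends B = g^b mod p over the wire
    ka=$(modexp "$B" "$a" "$p")  # client computes B^a mod p
    kb=$(modexp "$A" "$b" "$p")  # server computes A^b mod p
    # An eavesdropper sees p, g, A and B but not a or b, so cannot compute this value.
    [ "$ka" -eq "$kb" ] || return 1
    echo "$ka"
}

echo "shared secret: $(dh_shared 23 5 6 15)"
```

The dhparam file fixes p and g once; the per-connection secrets a and b are what keep each session’s key private.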

Now let’s switch back to the easy-rsa directory and build our Certificate Authority.

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca

Now simply press enter while being asked a series of questions; if you need to change something while going through the prompts, just update it inline.

Generate a Certificate and Key for the Server

Now run

./build-key-server server

Press enter through all the prompts. When asked for a challenge password hit enter as well. When asked to sign and commit the cert say Y to both.

Everything should finish with

Write out database with 1 new entries
Data Base Updated

Now let’s run the OpenVPN service

service openvpn start
service openvpn status

Everything should be up and running!

Create keys for the client

Now that we’ve set up the server with all the keys and certs it needs, we need to create certs for our devices. Each device should ideally have its own cert; out of the box OpenVPN will not allow multiple simultaneous connections with the same cert.

Since I’m making the first cert for my iPhone I will run

./build-key iphone
cd keys/
openssl rsa -in iphone.key -des3 -out iphone.3des.key

But feel free to change iphone to whatever device you are creating this cert for. Do the same as before and hit enter at each prompt and Y to both questions at the end.

When asked for a passphrase come up with a decent password and remember it!

Do the following steps for each client you have.

Enable DoS attack protection

Now we need to enable the built-in denial of service protection OpenVPN comes with. The static key generated here is what the tls-auth directive in server.conf uses.

cd ../
openvpn --genkey --secret keys/ta.key
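A quick way to verify that server.conf actually contains the settings explained in the earlier section, and that the ta.key generated here is referenced from it, is the following POSIX sh audit script. It is an added example, not the author’s gist and not part of OpenVPN; the two sample configs it writes are constructed for the demonstration, and the exact path in the `tls-auth` line depends on where you keep ta.key.

```shell
#!/bin/sh
# Audit an OpenVPN server.conf for the settings discussed in this guide (added example).

# has PATTERN FILE: is a directive matching PATTERN present at the start of a line?
has() { grep -Eq "^[[:space:]]*$1" "$2"; }

# check_server_conf FILE -> prints one finding per line; exit 0 when clean, 1 otherwise
check_server_conf() {
    f=$1; rc=0
    # Privilege drop after startup
    has 'user[[:space:]]+nobody'   "$f" || { echo "missing: user nobody";   rc=1; }
    has 'group[[:space:]]+nogroup' "$f" || { echo "missing: group nogroup"; rc=1; }
    # Diffie-Hellman parameters: present, and not the 1024-bit file
    has 'dh[[:space:]]+'           "$f" || { echo "missing: dh"; rc=1; }
    has 'dh[[:space:]]+.*1024'     "$f" && { echo "weak: 1024-bit dh parameters"; rc=1; }
    # Full tunnel plus pushed DNS so lookups do not leak around the VPN
    has 'push[[:space:]]+"redirect-gateway' "$f" || { echo "missing: push redirect-gateway"; rc=1; }
    has 'push[[:space:]]+"dhcp-option DNS'  "$f" || { echo "missing: push dhcp-option DNS"; rc=1; }
    # ta.key only protects the server if server.conf references it
    has 'tls-auth[[:space:]]+'     "$f" || { echo "missing: tls-auth (ta.key unused)"; rc=1; }
    return $rc
}

# write_weak_conf FILE: constructed config that still runs as root, uses 1024-bit DH, no tls-auth
write_weak_conf() {
cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
EOF
}

# write_hardened_conf FILE: constructed config with the settings this guide recommends
write_hardened_conf() {
cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh dh2048.pem
tls-auth easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
group nogroup
EOF
}

# Demo on the two constructed configs; on the PI, run check_server_conf /etc/openvpn/server.conf
tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_hardened_conf "$tmp/hardened.conf"
for c in weak hardened; do
    echo "== $c.conf"
    if check_server_conf "$tmp/$c.conf"; then echo "no findings"; fi
done
rm -rf "$tmp"
```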

Setup the Raspberry to forward traffic

Now we need to forward traffic from our PI to the outside.

nano /etc/sysctl.conf

Uncomment the line (remove the # in front of it) that sits right below this comment:

Uncomment the next line to enable packet forwarding for IPv4.

and run

sysctl -p

to have the changes applied.

Now we need to open a hole in the Raspberry PI’s firewall to forward OpenVPN traffic.

nano /etc/firewall-openvpn-rules.sh

and change it to

#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X

Change the XX.X to the ip address for your PI

Now update the permissions of the firewall file so we can run it

chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh

Now we have a file we can run to open the connection we need; we just need to update our config so it runs at boot.

nano /etc/network/interfaces

Look for

iface eth0 inet manual

and add

pre-up /etc/firewall-openvpn-rules.sh

Please note you will need to place the new line with an indent (tab), so the block should look like

iface eth0 inet manual
    pre-up /etc/firewall-openvpn-rules.sh

Now lets reboot our PI.

reboot
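As an added example (my own variant, not the author’s firewall-openvpn-rules.sh), here is a version of that script that does not need the 192.168.XX.X address edited in: it uses MASQUERADE, which looks up eth0’s current address per packet, so the rule keeps working when the PI’s address changes, and it checks with `-C` before appending so the rule is not duplicated each time pre-up runs. The VPN_NET, WAN_IF and DRY_RUN variable names are this example’s own; DRY_RUN=1 prints the commands instead of running them, which is also how it can be exercised without root or iptables.

```shell
#!/bin/sh
# /etc/firewall-openvpn-rules.sh, added example variant: idempotent NAT for the VPN subnet.
VPN_NET=${VPN_NET:-10.8.0.0/24}   # the "server 10.8.0.0 255.255.255.0" subnet
WAN_IF=${WAN_IF:-eth0}            # interface carrying the PI's LAN address

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# nat_args ACTION -> iptables arguments for the rule; ACTION is -A (append), -C (check) or -D (delete)
nat_args() {
    echo "-t nat $1 POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# ensure_nat: add the MASQUERADE rule unless an identical one already exists
ensure_nat() {
    if [ "${DRY_RUN:-0}" != 1 ] && iptables $(nat_args -C) 2>/dev/null; then
        echo "nat rule already present"
        return 0
    fi
    run iptables $(nat_args -A)
}

# remove_nat: the matching cleanup, e.g. for a post-down hook
remove_nat() {
    run iptables $(nat_args -D)
}

# ip_forward_enabled: true when the sysctl.conf change above is in effect
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is not 1; VPN clients will not reach the internet" >&2
    ensure_nat
else
    echo "not root (or no iptables); showing the command instead:"
    DRY_RUN=1
    ensure_nat
fi
```

The author’s SNAT rule is equally valid when the PI has a fixed address; MASQUERADE just removes the address from the script, which also matters at pre-up time, when eth0 may not have been assigned one yet.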

Install the cert on your device

So to recap, so far we’ve done quite a lot. We’ve set up our server, installed the OpenVPN software and created our certs.

Now we need to install our client certs to the device and get it up and running.

Making a new cert for each client will be a lot of work so we can use a script to help us with that.

First let’s create a file and copy/paste the contents of the gist into it

nano /etc/openvpn/easy-rsa/keys/Default.txt

Make sure to change that public ip to your public ip address. This file is basically prepended to the top of the .ovpn config file we will be making later.

If you don’t have a static ip address I suggest running a DDNS service instead to update based on ip address changes.

Now we need to run a script to generate the certs.

Create another file and fill it with the contents of this gist

nano /etc/openvpn/easy-rsa/keys/makeOVPN.sh
cd /etc/openvpn/easy-rsa/keys/
chmod 700 makeOVPN.sh

This will also make the script runnable, now run

./makeOVPN.sh

and give it the name of the client you created before (for me in this case it’s iphone).
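The gist is not reproduced on this page, so here is an added example of a script that does what this step describes (my own code, not the author’s makeOVPN.sh): it prepends Default.txt and inlines the CA certificate, the client certificate, the passphrase-protected 3des key from the earlier section and ta.key into NAME.ovpn, keeping only the PEM block of each file. The demo_fixture function writes constructed placeholder files so the script runs offline; on the PI you would point make_ovpn at /etc/openvpn/easy-rsa/keys instead. key-direction 1 is the client-side counterpart of the server’s tls-auth direction 0.

```shell
#!/bin/sh
# Assemble a self-contained client profile (added example, not the author's makeOVPN.sh).

# pem_block FILE -> only the -----BEGIN ... -----END block, dropping easy-rsa's text dump
pem_block() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_ovpn KEYDIR NAME [HEADER] -> writes KEYDIR/NAME.ovpn (mode 600) and prints its path
make_ovpn() {
    dir=$1; name=$2; header=${3:-Default.txt}
    for f in "$header" ca.crt "$name.crt" "$name.3des.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "make_ovpn: missing $dir/$f" >&2; return 1; }
    done
    out="$dir/$name.ovpn"
    {
        cat "$dir/$header"                   # client, remote <public ip> 1194, etc.
        echo "<ca>";       pem_block "$dir/ca.crt";         echo "</ca>"
        echo "<cert>";     pem_block "$dir/$name.crt";      echo "</cert>"
        echo "<key>";      pem_block "$dir/$name.3des.key"; echo "</key>"
        echo "key-direction 1"               # client side of the server's "tls-auth ... 0"
        echo "<tls-auth>"; pem_block "$dir/ta.key";         echo "</tls-auth>"
    } > "$out"
    chmod 600 "$out"                         # the profile embeds a private key
    echo "$out"
}

# demo_fixture DIR NAME: constructed placeholder files shaped like easy-rsa/openssl output
demo_fixture() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote <public ip> 1194' > "$1/Default.txt"
    printf '%s\n' 'Certificate:' '    text dump' '-----BEGIN CERTIFICATE-----' \
        'CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '-----BEGIN CERTIFICATE-----' \
        'CLIENT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/$2.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'KEY-PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/$2.3des.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----' \
        'TA-PLACEHOLDER' '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

tmp=$(mktemp -d)
demo_fixture "$tmp" iphone
profile=$(make_ovpn "$tmp" iphone) && cat "$profile"
rm -rf "$tmp"
```

Because the key is the 3des-encrypted one, the profile alone is not enough to connect; the passphrase chosen earlier is still required on the device.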

Copy files off Raspberry PI

Now we need to copy the files off the Raspberry PI to some other device.

First let’s change the permissions of the files so we can copy them out

chmod 777 -R /etc/openvpn/easy-rsa/keys/

Then let’s exit ssh and copy the file over to our Downloads folder

scp pi@<ip address of pi>:/etc/openvpn/easy-rsa/keys/iphone.ovpn ~/Downloads

Then let’s ssh back in and undo the permission changes we made

sudo su
chmod 600 -R /etc/openvpn/easy-rsa/keys/

Now install the “.ovpn” profile using iTunes and the OpenVPN app on iOS and you should be good to go! You should now see a VPN icon in the status bar.
