Set up PHproxy server on Raspberry PI

PHproxy
# PHproxy on raspberry pi
# tested on Soft-float Debian “wheezy” and standard Hard-float Raspbian “wheezy”
# NOTE youtube videos don’t play via this PHproxy
#
# Based upon these blogs
# http://lifehacker.com/5447726/install-phproxy-in-your-web-space-to-access-blocked-sites
# http://www.debian-administration.org/articles/391


sudo apt-get update
sudo apt-get install apache2 -y
sudo apt-get install php5 -y
sudo apt-get install php5-mysql php5-curl -y
sudo a2enmod php5
sudo /etc/init.d/apache2 start

# for info see http://sourceforge.net/projects/poxy/

cd /var/www
sudo mv /var/www/index.html /var/www/index_old.html
sudo wget http://downloads.sourceforge.net/project/poxy/PHProxy/0.5%20beta%202/poxy-0.5b2.zip
sudo unzip poxy-0.5b2.zip

# open web page
# if you're connected to the same router as the Raspberry PI
# put in local IP address of PI e.g. 192.168.0.2
#
# As you know, to get to your PHproxy from the outside world
# you gotta do port forwarding and get a domain name or use
# IP address etc etc

# You can password protect the website if you want, see
# http://www.debiantutorials.com/password-protecting-a-directory-with-apache-and-htaccess/


Wrapping openVPN with stunnel

# Some countries like China, Syria, North Korea etc, are using deep packet inspection
# to detect and block openvpn connections.
# To get around this, VPN connections can be hidden inside another SSL envelope
# using a program called stunnel making the VPN look like something else

# This blog is based upon these
# http://kyl191.net/2012/12/tunneling-openvpn-through-stunnel/
# https://syria.hacktivist.me/?p=161
# http://pve.proxmox.com/wiki/Stunnel_in_DAB_appliances
# http://www.jeffyestrumskas.com/index.php/how-to-setup-a-secure-web-proxy-using-ssl-encryption-squid-caching-proxy-and-pam-authentication/
#
# Using Raspberry PI as Openvpn server, we wrap the openvpn signalling inside
# another SSL envelope using stunnel

# On Raspberry PI, after you have installed openvpn
# Install stunnel and openssl

sudo apt-get install stunnel4 openssl -y

# Generate your own private key and self-signed certificate, then combine them into server.pem
cd /etc/stunnel/
sudo openssl genrsa -out server.key 4096
sudo openssl req -new -key server.key -out server.csr
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo bash
cat server.key > server.pem && cat server.crt >> server.pem
chmod 400 /etc/stunnel/server.pem
exit

# enable stunnel
sudo nano /etc/default/stunnel4

ENABLED=1

#=========================================
# Server stunnel.conf   on Raspberry PI
#=========================================

sudo nano /etc/stunnel/stunnel.conf

sslVersion = all
options = NO_SSLv2
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel

[openvpn]
client = no
accept=993
connect=34567

#=========================================
# Add Firewall setting  on Raspberry PI
#=========================================
# Edit the same firewall file we used for openvpn
# and add a new line

sudo nano /usr/local/bin/firewall.sh

iptables -A INPUT -p tcp --dport 993 -j ACCEPT

#================================================
# Restart stunnel or reboot Raspberry PI and we are done
#================================================

sudo /etc/init.d/stunnel4 restart

# check status
ps aux | grep 'stunnel*'

#================================================
# Installing & configuring stunnel on windows client:
#================================================

# You can download stunnel installer from the official website
# http://mirrors.go-part.com/stunnel/stunnel-4.54-installer.exe
# or check here http://www.stunnel.org/downloads.html
# Installation shouldn’t be a problem… it’s a few clicks

# On windows, you should see an stunnel icon on your desktop, run it as administrator.  
# Now you should see the stunnel icon also on the taskbar.
# Do a right click on it, and choose “Edit stunnel.conf”

# Notepad will open automatically, to edit the stunnel.conf file…

# add the following lines:
[openvpn]

client = yes
accept = 127.0.0.1:1194
connect = change_this_to_your_raspberry_PI_server_address_from_no-ip.com:993

# Save & exit
# right click on stunnel icon, and click reload stunnel.conf

# in Windows, create a new text file called
# C:\Program Files (x86)\OpenVPN\config\raspberry_via_stunnel.ovpn
# this is the OpenVPN client configuration

client
dev tun
proto tcp
remote  localhost 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca capi.crt
cert clientpi.crt
key clientpi.key
tls-auth tapi.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
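
# Added example (not part of the original post): the tunnel only comes up if the
# ports line up across four files: OpenVPN client -> 127.0.0.1:1194 -> client stunnel
# -> :993 -> server stunnel -> 34567 -> OpenVPN server (server.conf from the OpenVPN post
# further down this page). This script checks that chain plus proto, cipher and tls-auth direction.
# Assumptions: the function names, the file names and pi.example.invalid are made up here,
# the sample configs are constructed, and each stunnel.conf holds a single service section.

```bash
#!/bin/sh
# Added example, not from the original post. Sample configs below are constructed.

# cfg KEY FILE [N]: Nth value (default 1st) on the first "KEY ..." line.
# Blanks and '=' both count as separators, so it reads stunnel and OpenVPN files.
cfg() { awk -v k="$1" -v n="${3:-1}" -F'[ \t=]+' '$1 == k { print $(n + 1); exit }' "$2"; }
# port KEY FILE: same, but drop a leading "host:" so only the port is left.
port() { cfg "$1" "$2" | sed 's/.*://'; }

# check_chain CLIENT.ovpn CLIENT-stunnel.conf SERVER-stunnel.conf SERVER.conf
# Prints one line per mismatch; returns 0 only if every hop lines up.
check_chain() {
  bad=0
  fail() { echo "MISMATCH: $*"; bad=1; }
  case "$(cfg remote "$1")" in
    localhost|127.0.0.1) ;;
    *) fail "OpenVPN client remote is not local, so it bypasses stunnel" ;;
  esac
  [ "$(cfg remote "$1" 2)" = "$(port accept "$2")" ] ||
    fail "OpenVPN client remote port != client stunnel accept port"
  [ "$(port connect "$2")" = "$(port accept "$3")" ] ||
    fail "client stunnel connect port != server stunnel accept port"
  [ "$(port connect "$3")" = "$(cfg port "$4")" ] ||
    fail "server stunnel connect port != OpenVPN server port"
  { [ "$(cfg proto "$1")" = tcp ] && [ "$(cfg proto "$4")" = tcp ]; } ||
    fail "stunnel only carries TCP: both OpenVPN configs need proto tcp"
  [ "$(cfg cipher "$1")" = "$(cfg cipher "$4")" ] ||
    fail "cipher differs between client and server"
  { [ "$(cfg tls-auth "$1" 2)" = 1 ] && [ "$(cfg tls-auth "$4" 2)" = 0 ]; } ||
    fail "tls-auth direction should be 1 on the client and 0 on the server"
  return "$bad"
}

# make_samples DIR: write constructed copies of the four configs from this page.
make_samples() {
  printf 'client\ndev tun\nproto tcp\nremote  localhost 1194\ntls-auth tapi.key 1\ncipher AES-256-CBC\n' > "$1/client.ovpn"
  printf '[openvpn]\nclient = yes\naccept = 127.0.0.1:1194\nconnect = pi.example.invalid:993\n' > "$1/client-stunnel.conf"
  printf 'cert = /etc/stunnel/server.pem\n[openvpn]\nclient = no\naccept=993\nconnect=34567\n' > "$1/server-stunnel.conf"
  printf 'port 34567\nproto tcp\ntls-auth tapi.key 0\ncipher AES-256-CBC\n' > "$1/server.conf"
}

d=$(mktemp -d) && make_samples "$d"
check_chain "$d/client.ovpn" "$d/client-stunnel.conf" "$d/server-stunnel.conf" "$d/server.conf" &&
  echo "port chain OK"
```

# To use it on a real setup, collect copies of the four files in one place and pass their paths to check_chain.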


Install Hamachi on Raspberry PI


# The benefit of Hamachi, is you don't need to do port forwarding on the router
# you can just connect it and then ssh to it
# using the Hamachi IP address.
# You need to create an account at logmein.com
# it's free to make a network of up to 5 machines

# My post based upon this blog
# http://lifehacker.com/5978098/turn-a-raspberry-pi-into-a-personal-vpn-for-secure-browsing-anywhere-you-go
#
# Check latest hamachi at https://www.vpn.net/linux

wget https://www.vpn.net/installers/logmein-hamachi_2.1.0.174-1_armhf.deb
sudo dpkg -i logmein-hamachi_2.1.0.174-1_armhf.deb

sudo hamachi login
sudo hamachi attach [your hamachi email address]
sudo hamachi set-nick [whatever nickname you make]

# check status
sudo hamachi

# uninstall hamachi
sudo dpkg -r logmein-hamachi
sudo dpkg -P logmein-hamachi

# Backup
# https://www.dropbox.com/s/a59u88xhile8oju/logmein-hamachi_2.1.0.174-1_armhf.deb

# TIP: I got an error
#
# hamachi login
# Logging in .. failed, busy
#
# workaround
#
# /etc/init.d/logmein-hamachi stop
# /etc/init.d/logmein-hamachi start

Lazy command list to install openvpn server on raspberry pi

# Based upon these blogs
# http://wingloon.com/2012/05/25/how-to-install-setup-openvpn-on-debian-6-0-squeeze-with-certificate-authentication/
# http://www.serverubuntu.it/openvpn-bridge-configuration

# Using SD card with "2012-08-08-wheezy-armel"
# Remember you gotta do port forwarding, not covered in this post
# Let's get started, start with an updated installation
sudo apt-get update

# Now install openvpn
sudo apt-get install openvpn -y
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

# You can put whatever you like in the vars file, it does not need to be accurate data
# just don't leave anything blank
# It will work, even if you leave everything as it is, even fields that say "changeme"
nano /etc/openvpn/easy-rsa/vars

# Now build certs and keys for server and client
# TIP: answer yes to Sign the certificate? [y/n]:y
# TIP: 1 out of 1 certificate requests certified, commit? [y/n]y
# leave everything else default, just keep pressing return

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key clientpi

cd /etc/openvpn/easy-rsa/keys
sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
sudo mkdir $HOME/openvpn-client-files
sudo cp ca.crt clientpi.crt clientpi.key $HOME/openvpn-client-files
sudo mv $HOME/openvpn-client-files/ca.crt $HOME/openvpn-client-files/capi.crt
sudo chmod +r $HOME/openvpn-client-files/clientpi.key
sudo openvpn --genkey --secret /etc/openvpn/tapi.key
sudo cp /etc/openvpn/tapi.key $HOME/openvpn-client-files
sudo chmod +r $HOME/openvpn-client-files/tapi.key

# Now we create the OpenVPN client configuration on the Raspberry PI
# You could create this file in windows client PC if you want, which might be better
# remember files created in linux and transferred to windows will be missing CRLF
# if you want to edit it later on windows, it will appear as one long line
# we just do it on raspberry pi to group the 5 client files together

cd $HOME/openvpn-client-files/
sudo chown -R $USER $HOME/openvpn-client-files/
sudo nano $HOME/openvpn-client-files/raspberry.ovpn

client
dev tun
proto tcp
remote change_this_to_your_server_IP_address 34567
resolv-retry infinite
nobind
persist-key
persist-tun
ca capi.crt
cert clientpi.crt
key clientpi.key
tls-auth tapi.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

# Nano editor TIP: CTRL+o writeout, in other words save the file
# CTRL+x exit

# Now, copy the 5 client files in $HOME/openvpn-client-files directory to client PC
# tip, For windows 7 client, using WinSCP, due to write permissions
# I had to copy whole directory to C:\openvpn-client-files
# then in windows, copy the files
#
# clientpi.key
# capi.crt
# clientpi.crt
# tapi.key
# raspberry.ovpn
#
# to C:\Program Files (x86)\OpenVPN\config
# windows 32bit will have a different OpenVPN directory
# C:\Program Files\OpenVPN\config

# Back to Raspberry PI, Now we create file for server config
# Below is my OpenVPN server configuration saved as /etc/openvpn/server.conf
sudo nano /etc/openvpn/server.conf

port 34567
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth tapi.key 0
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# uncomment to allow data redirect
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Make file for firewall setting
sudo nano /usr/local/bin/firewall.sh

#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE

# Make firewall script file executable
sudo chmod +x /usr/local/bin/firewall.sh

# run firewall
sudo /usr/local/bin/firewall.sh

# check firewall
sudo iptables --list

# add a new text line /usr/local/bin/firewall.sh into file /etc/rc.local
# before 'exit 0' to ensure the iptables rules are created on every reboot or power up.
sudo nano /etc/rc.local

/usr/local/bin/firewall.sh

# reboot the pi
sudo reboot

# When Finished, for security reasons, make directory $HOME/openvpn-client-files/
# only readable by root
sudo chmod 600 $HOME/openvpn-client-files/
# Later, if you want to copy client files again
sudo chmod +rx $HOME/openvpn-client-files/
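
# Added example (not part of the original post): an audit of the key files this walkthrough
# leaves behind. It lists secret keys that group or others can read (the chmod +r steps above
# do that to clientpi.key and tapi.key) and flags a ca.key sitting beside the server config,
# where the running server does not need it.
# Assumptions: audit_keys and make_tree are names made up here, and the sample tree is constructed.

```bash
#!/bin/sh
# Added example, not from the original post. The sample tree is constructed.

# audit_keys DIR: report secret key material that group or others can read,
# and a CA private key left beside the server config. Always returns 0.
audit_keys() {
  # *.crt and dh*.pem are public; *.key and the combined stunnel server.pem are secret
  find "$1" -type f \( -name '*.key' -o -name '*.pem' \) ! -name 'dh*.pem' \
       \( -perm -040 -o -perm -004 \) -print | sort | sed 's/^/READABLE /'
  # the server verifies clients with ca.crt; ca.key is only needed to sign new certs
  if [ -f "$1/ca.key" ]; then echo "CA-KEY $1/ca.key"; fi
  return 0
}

# make_tree DIR: empty stand-ins for the files this page creates, with its modes.
make_tree() {
  for f in ca.crt ca.key dh1024.pem server.crt server.key tapi.key clientpi.key; do
    : > "$1/$f"
  done
  chmod 600 "$1"/*.key
  chmod 644 "$1"/*.crt "$1/dh1024.pem"
  chmod a+r "$1/clientpi.key" "$1/tapi.key"   # stands in for the chmod +r steps
}

d=$(mktemp -d) && make_tree "$d"
audit_keys "$d"
```

# On the Pi, run it with sudo against /etc/openvpn, /etc/stunnel and $HOME/openvpn-client-files.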

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP

# check VPN is working by checking that your IP address
# changes after you connect, e.g. at http://ipchicken.com/


# Extra: If you want to put the certs and keys inline, within the client script
# see http://pastebin.com/TAu3T7JX#

no-ip and Raspberry PI running wheezy raspbian.

# First, create an account over at http://www.no-ip.com/ then go to
#  https://www.no-ip.com/members/dns/ and click “add a host”.
# Then use this lazy command list for pi.  

sudo bash
cd /usr/local/src/
wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
tar xf noip-duc-linux.tar.gz
cd noip-2.1.9-1/
make install

# Add a new text line /usr/local/bin/noip2 into file /etc/rc.local
# just before its last line “exit 0” so no-ip starts automatically after reboot
nano /etc/rc.local

/usr/local/bin/noip2

CTRL+o ENTER # write output, save in other words
CTRL+x # exit nano editor

# start it with
sudo /usr/local/bin/noip2

# check status with
sudo /usr/local/bin/noip2 -S

# kill it
sudo /usr/local/bin/noip2 -K pid   # get pid from -S

# If you need to recreate the default config file
sudo /usr/local/bin/noip2 -C