Sunday, 19 July 2015

Using a Raspberry PI as a VPN Server

Having toyed with the idea for a while of setting up a VPN server at home, I was finally inspired to actually do something about it when I watched Kate Russel on BBC Click talk about how she'd set up such a system using a Raspberry PI. Deciding to strike while the iron was hot, I took advantage of my Amazon Prime membership and ordered a Raspberry PI for next day delivery.

Arriving before 0930 Sunday morning, I immediately unpacked it and set about following the instructions in the article. What follows is a few things that tripped me up a bit / weren't immediately obvious to me, split out into sections with the same names as the ones in the article.

Install Raspbian on your Rasberry Pi

A minor detail, but since the instructions don't include attaching a mouse, it isn't necessarily obvious how to "choose Raspbian and click install". To do so, use the arrow keys to highlight the Raspbian option, press the Enter key to select it and then press the i key to begin installation.

Once installed, upon booting up for the first time, a configuration screen is shown. I used this to enable SSH so that I would be able to administer the box without needing to leave a keyboard connected.

Give your Raspberry Pi a static IP address

It's not necessary to run the ifconfig command with sudo. However, the reboot command at the end does require it.

There's a slight mismatch between the names of the values referenced in the article and how they're actually displayed in the output of the ifconfig command:

Name in article Name in ifconfig output
Current IP Address inet addr
Broadcast Range Bcast
Subnet Mask Mask

The line that the article states is "iface eth0 inet dhcp" was actually "iface eth0 inet manual" in my file.

When running "sudo nano etc/network/interfaces" there is a missing leading slash; the command should be "sudo nano /etc/network/interfaces". When editing the file, although I'm not sure if it's actually necessary, the address, netmask, network, broadcast and gateway lines are usually indented under the "iface eth0 inet static" line (at least in most of the examples I found on the web).

Set up an easy control system

I used a Mac to connect to the PI over SSH, so I didn't need to install a separate SSH client. I did, however, need to connect as the pi user (by default, ssh will try and connect using the username of the current user on the Mac). This was done by entering the command:

ssh pi@[ip-address-of-my-pi]
from the command prompt on my Mac.

Update your Raspberry Pi

A very minor thing that might confuse inexperienced users, is that when running the "sudo apt-get upgrade" command, it will display how much extra space will be taken up (in my case it was actually less space!) and ask if you wish to continue. To continue, simply press the y key followed by the Enter key.

Similarly, when running the "sudo apt-get install openvpn" command, press the y key followed by the Enter key when asked if you wish to continue.

Build keys for each user

After choosing to sign the certificate, it asks "1 out of 1 certificate requests certified, commit? [y/n]", press the y key followed by the Enter key.

After running "openssl rsa -in KateAndroid.key -des3 -out KateAndroid.3des.key", the pass-phrase for the .key file is the one previously entered when running the build-key-pass command (so ignore the note about making it one you can remember), the next one is a new one for the .3des.key file.

Generate the Diffie-Hellman key exchange.

Just as a warning, when running the build-dh command, I kicked it off from an ssh session on my Mac. I then went away to do other stuff whilst waiting for the command to complete. When I came back an hour or so later, however, it appeared to not have completed, nor be progressing. I hit the Enter key and received the following message:


Write failed: Broken pipe
I decided to start it again, but this time directly on the PI (by connecting a keyboard and monitor to it). It actually completed pretty quickly the second time, so I guess the progress it had made from the first run got saved; thankfully I didn't have to wait another hour or so.

Ensure you have a static public IP address

I tried to sign up for an account with DNS Dynamic, as per the article; however, despite trying a couple of different email addresses, I never received a confirmation email and was unable to log in with the credentials I used on the sign-up page. I ended up going with an alternative dynamic DNS provider - ChangeIP.

When I ran the "sudo apt-get install ddclient" command, it launched a wizard for configuring ddclient. Unfortunately, it was unclear what options to choose in the wizard and I could find nothing on the ChangeIP website to help me. Fortunately, someone had already figured out how to configure OpenVPN to work with ChangeIP, so after choosing some options using the wizard (that turned out to be mostly correct), I edited my /etc/ddclient.conf file as per this blog post.

The ddclient command should be run with sudo: sudo ddclient

Create profile scripts for the devices you want to connect

When editing the files in this section, nano should be preceded with sudo, e.g. "nano /etc/openvpn/easy-rsa/keys/Default.txt" should be "sudo nano /etc/openvpn/easy-rsa/keys/Default.txt".

For the creation of the Default.txt file, [YOUR PUBLIC IP ADDRESS] should be replaced with your dynamic DNS value (e.g. [your-chosen-subdomain].dynamic-dns.net), not an IP address.

When creating the MakeOVPN.sh file, there are two lines that should actually be a single line:


#Ready to make a new .opvn file - Start by populating with the
default file
(The above two lines should be a single line.)

Export your client keys for use on the connecting devices

I would not recommend running the command "chmod 777 -R /etc/openvpn" followed by "chmod 600 -R /etc/openvpn". Once complete, this will end up with all files and directories under /etc/openvpn having read and write permission only by the file/directory owner. This means that all the scripts will no longer be executable. In my case, I was able to use the scp command to copy the .ovpn file, after having granted permission to read the file itself and all parent directories.


# Run from a command prompt on the Raspberry PI
chmod 777 /etc/openvpn
chmod 777 /etc/openvpn/easy-rsa
chmod 777 /etc/openvpn/easy-rsa/keys
chmod 777 /etc/openvpn/easy-rsa/keys/[ClientName].ovpn

# Run from the computer you wish to download the file to
scp pi@[ip-address-of-your-pi]:/etc/openvpn/easy-rsa/keys/[ClientName].ovpn [ClientName].ovpn

Install the OpenVPN Connect app on your device

When importing the key, the PEM pass-phrase that is needed is the one used when creating the 3des.key file.

One more thing

After all this was done, my phone still couldn't connect to the OpenVPN server. I then realised that although I'd followed the instructions to open up the firewall on the PI itself, I hadn't done anything about the firewall on my router. Once I updated my router to do port-forwarding of port 1194 to the PI, everything worked swimmingly!

Sunday, 21 June 2015

Problems With The Sunfounder Starter Kit For Arduino

Recently, work had some Sunfounder Arduino kits delivered to the office for people to experiment with. I thought I'd borrow one of the Starter Learning Kits and work my way through the lessons.

Recently opened starter-kit

As I encountered some problems getting started, I thought I'd document these here, both for my own reference and in case it's of use to anybody else.

Problem: Contents

According to the contents list, there's supposed to be 18 LEDs, comprised of 8 x Red, 5 x Yellow and 5 x Blue. The way they've been bagged up is in a group of 5, 3 and 10. There seems to be no way to determine what colour each is (they just look clear when not turned on) and as I haven't tried plugging them all in, I don't yet know whether they are in fact the right number of each colour or not.

There are also apparently supposed to be 30 male to female jumper wires, but there are actually only 10.

The contents lists 10 buttons, and there are actually 10 buttons…plus another 4 smaller ones that get no mention at all (though are used in the first lesson).

Problem: DVD Size

Rather than ship a full-size DVD with the kit, a mini-DVD is included. The problem with that is that these don't work in slot-loading drives. Luckily for me, I have a PC with a disc-tray type drive on it, so I was able to use that machine to copy the contents of the DVD off and then network share that with other machines.

Problem: Photo/Diagram Size

The booklet with all the lessons in is pretty small:

Small lesson booklet

(Coin included for scale.) The text even more so. Whilst my eyesight is good enough to read the general copy (well, once I've put my glasses on, anyway), I struggle to read the text on some of the diagrams, making them quite hard to interpret.

Problem: Photos Don't Match pictures

Each lesson includes a schematic, a diagram and a photo. The problem is that the photo and the diagram often don't match exactly. Now, I realise that there are an almost infinite number of ways to wire-up the components into the same actual electrical circuit, but as a beginner, it would really help if the photo and diagram exactly replicated each other. I don't really have a grasp yet of how everything connects up and having this discrepancy makes it difficult to spot where I've gone wrong when things don't work.

Another aspect of the photos that don't quite tie up with the instructions is that, in the photo for lessons 1 and 2, the Arduino board is being powered via the DC input, and not via the USB connection. This is a smaller issue than some of the others, but can still be a bit off-putting when trying to follow something to the letter and there is a mis-match between what the text says to do (use the USB cable) and what the photo demonstrates.

Problem: No Explanation Of Breadboards

The lessons do include a "Principle" section providing some background to the current lesson, but one thing it doesn't do at any point is detail how the breadboard works. This caused me some problems as when something didn't work, I didn't have a clear enough understanding of what the underlying electrical circuit was as I didn't know how the holes on the breadboard were actually connected together inside. I ended up searching the internet and came across a good explanation here. I was quite proud of myself, once I'd read this to then be able to fix the problem I was having with lesson 3, Interactive LED Flowing Lights.

Problem: Booklet Lessons Don't Match Website

When I was encountering problems following the lessons in the booklet, I tried visiting the Sunfounder website. Unfortunately, the particular lesson I was having difficulties with (lesson 3, Interactive LED Flowing Lights) does not seem to actually exist there. It has a flowing lights lesson and it has a potentiometer lesson but not one that has the two together as exists in the booklet.

Problem: The Code

The lessons in the booklet are all about the hardware—wiring the components together. The only reference to code in each lesson is when you get to the second step:

Step 2: Program (Please refer to the example code in our CD)

It then goes on to the next step:

Step 3: Compile and debug the program
Step 4: Burn the program into SUNFOUNDER UNO board

This is far from the level of instructions necessary to achieve anything. If you look at the contents of the DVD, it contains a directory for each lesson and one more for "fritzing". At no point is it explained what Fritzing is or what it is for (it turns out that within each lesson directory is a circuit sub-directory that contains a .FZZ file that Fritzing can be used to open—it then displays the diagram that is shown in the booklet).

Also in the lesson directory is a code sub-directory that contains a single .INO file. Nowhere is it stated what the format of this file is (it's actually just a text file) or what application can be used to open it. After some more searching of the Internets, I discovered that .INO files are used to store Arduino sketches. These sketches can be compiled and uploaded to Arduino boards using the Arduino Development Environment. Instructions on how to get started can be found here, which links to getting started instructions for Windows, Linux and Mac.

Problem: Resistors

According to the contents, there are 5 x 10K resistors, 5 x 1K resistors and 8 220R resistors. The resistors are packaged in 3 groups of sizes 8, 5 and 5; thus it seems reasonable to assume that the group of 8 is the 220R resistors, but what about the two groups of five? There's no indication in the booklet about how to differentiate them. There are some coloured bands around them and the labels that the resistors are stuck to have a coloured band on, but nowhere does it state what any of these mean (I still have no idea what the coloured bands on the labels indicate).

Resistor side-by-side comparison

There are various websites that explain how the colour-coding system on resistors works. My main problem though is telling which way round to read them. Since these resistors are 5-band and contain one on the bulge at each end and 3 in the mid-section it doesn't seem possible (to me at least) to work out which way round they should be read.

Inputting the band colours into the calculator here results in a rating of 10K for the green-labelled resistors if read with the green label on the left or 120 if read the other way around. Similarly, for the red-labelled resistors the values are 110 and 1K respectively. This would seem to indicate that the green-labelled resistors are 10K ones and the red-labelled ones are 1K ones. It is slightly worrying though that they have to be read opposite way rounds to each other in order to reach these numbers (i.e. the green-labelled ones should be read with the label on the left and the red-labelled ones should be read with the label on the right). Once removed from the labels it also becomes even harder to know which are which.

Conclusion

That just about sums up the problems I've encountered trying to complete the first 3 lessons in the booklet. Hopefully this will save someone else time in the future so they don't get as frustrated as I did. Enjoy, and good luck!

Here is a photo of my solution to the "Interactive LED Flowing Lights" lesson, complete with working speed control!