Securi-Pi: Using the Raspberry Pi as a Secure Landing Point

Installing and Configuring BIND

Once you have your platform up and running—whether it's a Raspberry Pi or otherwise—next you're going to install BIND, the nameserver that powers a lot of the Internet. You're going to install BIND as a caching nameserver only, and not have it service incoming requests from the Internet. Installing BIND will give you a DNS server to point your OpenVPN clients at, once you get to the OpenVPN step. Installing BIND is easy; it's just a simple apt-get command:


root@test:~# apt-get install bind9
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9utils
Suggested packages:
  bind9-doc resolvconf ufw
The following NEW packages will be installed:
  bind9 bind9utils
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 490 kB of archives.
After this operation, 1,128 kB of additional disk space will be used.
Do you want to continue [Y/n]? y

There are a couple of minor configuration changes that need to be made to one of BIND's config files before it can operate as a caching nameserver. Both changes are in /etc/bind/named.conf.options. First, you're going to uncomment the "forwarders" section of this file and add a nameserver on the Internet to which to forward requests. In this case, I'm going to add Google's DNS (8.8.8.8). The "forwarders" section of the file should look like this:


forwarders {
    8.8.8.8;
};

The second change you're going to make allows queries from your internal network and localhost. Simply add this line to the bottom of the configuration file, right before the }; that ends the file:


allow-query { 192.168.1.0/24; 127.0.0.0/16; };

The line above allows this DNS server to be queried from the network it's on (in this case, my network behind my firewall) and from localhost. Next, you just need to restart BIND:


root@test:~# /etc/init.d/bind9 restart
[....] Stopping domain name service...: bind9waiting for pid 13209 to die
. ok
[ ok ] Starting domain name service...: bind9.
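As an added example that is not part of the original article, here is a small Python checker that pulls the forwarders and allow-query edits above out of a named.conf.options file and evaluates whether a given client address would be answered. The sample file text and the 203.0.113.10 "Internet client" address are constructed for the example; BIND's built-in ACL names (localhost, localnets) and TSIG keys are not modelled.

```python
import ipaddress
import re

# Constructed sample of /etc/bind/named.conf.options after the two edits above.
SAMPLE_OPTIONS = """options {
    forwarders {
        8.8.8.8;
    };
    allow-query { 192.168.1.0/24; 127.0.0.0/16; };
};
"""
INTERNET_CLIENT = "203.0.113.10"  # constructed TEST-NET-3 address standing in for an Internet client

def parse_block(text, name):
    """Return the ';'-separated entries of a `name { ... };` block, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", text)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def client_allowed(acl, client_ip):
    """Evaluate a simplified BIND address-match list: first match wins, '!' negates.
    Built-in ACL names (localhost, localnets) and TSIG keys are not modelled."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        negate = entry.startswith("!")
        target = entry.lstrip("! ")
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            try:
                hit = ip in ipaddress.ip_network(target, strict=False)
            except ValueError:
                continue  # unmodelled entry type (named ACL, key); skip it
        if hit:
            return not negate
    return False  # no entry matched: BIND denies

def audit(text):
    """Summarise whether the file matches the caching-only setup described above."""
    acl = parse_block(text, "allow-query")
    return {
        "has_forwarders": bool(parse_block(text, "forwarders")),
        # BIND's default allow-query is 'any': without the ACL the server answers the Internet.
        "open_to_internet": acl is None or client_allowed(acl, INTERNET_CLIENT),
        "lan_allowed": acl is not None and client_allowed(acl, "192.168.1.50"),
        "localhost_allowed": acl is not None and client_allowed(acl, "127.0.0.1"),
    }
```

Run audit() over your own file's contents after editing; "open_to_internet" should come back False once the allow-query line is in place.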

Now you can use nslookup to test that your server works:


root@test:~# nslookup
> server localhost
Default server: localhost
Address: 127.0.0.1#53
> www.google.com
Server:		localhost
Address:	127.0.0.1#53
	
Non-authoritative answer:
Name:	www.google.com
Address: 173.194.33.176
Name:	www.google.com
Address: 173.194.33.177
Name:	www.google.com
Address: 173.194.33.178
Name:	www.google.com
Address: 173.194.33.179
Name:	www.google.com
Address: 173.194.33.180

That's it! You've got a working nameserver on this machine. Next, let's move on to OpenVPN.

Installing and Configuring OpenVPN

OpenVPN is an open-source VPN solution that relies on SSL/TLS for its key exchange. It's also easy to install and get working under Linux. Configuration of OpenVPN can be a bit daunting, but you're not going to deviate from the default configuration by much. To start, you're going to run an apt-get command and install OpenVPN:


root@test:~# apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  liblzo2-2 libpkcs11-helper1
Suggested packages:
  resolvconf
The following NEW packages will be installed:
  liblzo2-2 libpkcs11-helper1 openvpn
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 621 kB of archives.
After this operation, 1,489 kB of additional disk space will be used.
Do you want to continue [Y/n]? y

Now that OpenVPN is installed, you're going to configure it. OpenVPN is SSL-based, and it relies on both server and client certificates to work. To generate these certificates, you need to configure a Certificate Authority (CA) on the machine. Luckily, OpenVPN ships with some wrapper scripts known as "easy-rsa" that help to bootstrap this process. You'll start by making a directory on the filesystem for the easy-rsa scripts to reside in and by copying the scripts from the template directory there:


root@test:~# mkdir /etc/openvpn/easy-rsa
root@test:~# cp -rpv /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Next, copy the vars file to a backup copy:


root@test:/etc/openvpn/easy-rsa# cp vars vars.bak

Now, edit vars so it contains information pertinent to your installation. I'm going to specify only the lines that need to be edited, with sample data, below:


KEY_SIZE=4096
KEY_COUNTRY="US"
KEY_PROVINCE="CA"
KEY_CITY="Silicon Valley"
KEY_ORG="Linux Journal"
KEY_EMAIL="bill.childers@linuxjournal.com"

The next step is to source the vars file, so that the environment variables in the file are in your current environment:


root@test:/etc/openvpn/easy-rsa# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Building the Certificate Authority

You're now going to run clean-all to ensure a clean working environment, and then you're going to build the CA. Note that I'm changing the changeme prompts to something appropriate for this installation:


root@test:/etc/openvpn/easy-rsa# ./clean-all
root@test:/etc/openvpn/easy-rsa# ./build-ca
Generating a 4096 bit RSA private key
...................................................++
...................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that 
will be incorporated into your certificate request.
What you are about to enter is what is called a 
Distinguished Name or a DN.
There are quite a few fields but you can leave some 
blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Silicon Valley]:
Organization Name (eg, company) [Linux Journal]:
Organizational Unit Name (eg, section) [changeme]:SecTeam
Common Name (eg, your name or your server's hostname) [changeme]:test.linuxjournal.com
Name [changeme]:test.linuxjournal.com
Email Address [bill.childers@linuxjournal.com]:

______________________

Bill Childers is the Virtual Editor for Linux Journal. No one really knows what that means.