Securi-Pi: Using the Raspberry Pi as a Secure Landing Point

Setting Up OpenVPN Clients

Your client installation depends on the host OS of your client, but you'll need to copy your client certs and keys created above to your client, and you'll need to import those certificates and create a configuration for that client. Each client and client OS does it slightly differently and documenting each one is beyond the scope of this article, so you'll need to refer to the documentation for that client to get it running. Refer to the Resources section for OpenVPN clients for each major OS.

Installing SSLH—the "Magic" Protocol Multiplexer

The really interesting piece of this solution is SSLH. SSLH is a protocol multiplexer—it listens on port 443 for traffic, and then it can analyze whether the incoming packet is an SSH packet, HTTPS or OpenVPN, and it can forward that packet onto the proper service. This is what enables this solution to bypass most port blocks—you use the HTTPS port for all of this traffic, since HTTPS is rarely blocked.
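To make the "analyze whether the incoming packet is SSH, HTTPS or OpenVPN" step concrete, here is an added example (written for this article, not code from the sslh project) that performs the same kind of first-bytes probing on the opening of a connection and maps the result onto the three backends used later in the article. The probes are simplified approximations of what a multiplexer does: SSH clients send a text banner, a TLS ClientHello begins with a handshake record header, and OpenVPN over TCP prefixes each packet with a 16-bit length. The sample openings are constructed, not captured traffic, and the backend addresses are assumed to match the configuration shown below.

```python
#!/usr/bin/env python3
"""Added example: simplified protocol probing of the kind a multiplexer
such as sslh performs on a connection that arrives on port 443.
The probes are approximations written for this illustration, not sslh's
own code; real sslh releases differ in detail."""

import struct
from typing import Optional, Tuple

# Backend sockets, assumed to mirror the DAEMON_OPTS used in the article.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "ssl": ("127.0.0.1", 443),
    "openvpn": ("127.0.0.1", 1194),
}


def looks_like_ssh(data: bytes) -> bool:
    """SSH clients open with an identification string "SSH-2.0-..." (RFC 4253)."""
    return data.startswith(b"SSH-")


def looks_like_tls(data: bytes) -> bool:
    """A TLS ClientHello sits in a record of type 0x16 (handshake), version 0x03xx."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def looks_like_openvpn(data: bytes) -> bool:
    """OpenVPN over TCP prefixes each packet with a big-endian 16-bit length
    covering the rest of the packet; the probe checks that the length adds up."""
    if len(data) < 3:
        return False
    (pkt_len,) = struct.unpack("!H", data[:2])
    return pkt_len == len(data) - 2


def classify(data: bytes, timed_out: bool = False) -> Optional[str]:
    """Name the backend for the first bytes read from a new connection.

    timed_out models a client that sent nothing before the probe timeout.
    Some SSH clients wait for the server's banner before sending their own,
    so a silent client is treated as SSH rather than dropped.
    """
    if looks_like_ssh(data):
        return "ssh"
    if looks_like_tls(data):
        return "ssl"
    if looks_like_openvpn(data):
        return "openvpn"
    if timed_out and not data:
        return "ssh"
    return None


def route(data: bytes, timed_out: bool = False) -> Optional[Tuple[str, int]]:
    """Return the (host, port) the connection should be forwarded to, if any."""
    proto = classify(data, timed_out)
    return BACKENDS.get(proto) if proto else None


# Constructed sample openings of connections (not captured traffic).
SAMPLES = {
    "ssh client banner": b"SSH-2.0-OpenSSH_6.7p1 Raspbian-5\r\n",
    # Handshake record, TLS 1.0 record version, 5-byte body starting with ClientHello (0x01).
    "tls client hello": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    # A 14-byte OpenVPN control packet preceded by its 2-byte length prefix.
    "openvpn tcp reset": struct.pack("!H", 14) + b"\x38" + b"\x00" * 13,
    # Plain HTTP is not one of the configured protocols, so it gets no route.
    "plain http request": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for label, opening in SAMPLES.items():
        print(f"{label:20s} -> {classify(opening)} {route(opening)}")
    print(f"{'silent client':20s} -> {classify(b'', timed_out=True)}")
```

The point to take from the example is that the decision is made on the first bytes the client sends, which is why the multiplexer needs a timeout rule for clients that say nothing until the server speaks, and why an unrecognised protocol simply gets no backend.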

To start, apt-get install SSLH:

root@test:/etc/openvpn/easy-rsa/keys# apt-get install sslh
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
  libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9
Suggested packages:
  apache2-doc apache2-suexec apache2-suexec-custom openbsd-inetd inet-superserver
The following NEW packages will be installed:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
  libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9 sslh
0 upgraded, 11 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,568 kB of archives.
After this operation, 5,822 kB of additional disk space will be used.
Do you want to continue [Y/n]? y

After SSLH is installed, the package installer will ask you if you want to run it in inetd or standalone mode. Select standalone mode, because you want SSLH to run as its own process. If you don't have Apache installed, the Debian/Raspbian package of SSLH will pull it in automatically, although it's not strictly required. If you already have Apache running and configured, you'll want to make sure it only listens on localhost's interface and not all interfaces (otherwise, SSLH can't start because it can't bind to port 443). After installation, you'll receive an error that looks like this:

[....] Starting ssl/ssh multiplexer: sslhsslh disabled, please adjust the configuration to your needs
[FAIL] and then set RUN to 'yes' in /etc/default/sslh to enable it. ... failed!
failed!

This isn't an error, exactly—it's just SSLH telling you that it's not configured and can't start. Configuring SSLH is pretty simple. Its configuration is stored in /etc/default/sslh, and you just need to configure the RUN and DAEMON_OPTS variables. My SSLH configuration looks like this:

# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)

RUN=yes

# binary to use: forked (sslh) or single-thread (sslh-select) version
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --openvpn 127.0.0.1:1194 --pidfile /var/run/sslh/sslh.pid"
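Two things in this file decide whether sslh comes up at all: RUN must be yes, and nothing else may already hold the socket named in --listen, which is the Apache conflict described above. The following added example (not part of sslh or its Debian package) reads an /etc/default/sslh-style file and an Apache ports.conf and reports the problems a practitioner would want caught before running /etc/init.d/sslh start: RUN not set, a missing --user (sslh would stay root after binding port 443), a missing backend, a backend pointing at sslh's own listen socket, and an Apache Listen on the same port that is not bound to loopback. The two configuration texts are constructed copies for the example, and the parser only understands the simple KEY="value" lines used in that file.

```python
#!/usr/bin/env python3
"""Added example: sanity-check /etc/default/sslh against Apache's ports.conf
before starting sslh. Not part of sslh or its packaging; handles only the
KEY=value lines used in /etc/default files."""

import re
import shlex
from typing import Dict, List, Tuple

Socket = Tuple[str, int]
WILDCARDS = {"", "*", "0.0.0.0", "::"}


def parse_defaults(text: str) -> Dict[str, str]:
    """Read KEY=value lines from an /etc/default-style file, dropping shell quotes."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = " ".join(shlex.split(raw))
    return values


def parse_daemon_opts(opts: str) -> Dict[str, str]:
    """Turn '--user sslh --listen 0.0.0.0:443 ...' into {'user': 'sslh', ...}."""
    parsed: Dict[str, str] = {}
    tokens = shlex.split(opts)
    for i, tok in enumerate(tokens):
        if tok.startswith("--"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            parsed[tok[2:]] = "" if nxt.startswith("--") else nxt
    return parsed


def split_socket(spec: str) -> Socket:
    """'127.0.0.1:22' -> ('127.0.0.1', 22); a bare port means every interface."""
    host, sep, port = spec.rpartition(":")
    return (host.strip("[]") if sep else "0.0.0.0", int(port))


def apache_listeners(ports_conf: str) -> List[Socket]:
    """Collect the sockets named by Listen directives in Apache's ports.conf."""
    found: List[Socket] = []
    for line in ports_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"Listen\s+(\S+)", line, re.IGNORECASE)
        if match:
            found.append(split_socket(match.group(1)))
    return found


def sockets_collide(a: Socket, b: Socket) -> bool:
    """Same port and either side binds all interfaces, or both bind one address."""
    return a[1] == b[1] and (a[0] in WILDCARDS or b[0] in WILDCARDS or a[0] == b[0])


def check_config(defaults_text: str, ports_conf: str) -> List[str]:
    """Return the problems found; an empty list means sslh should start cleanly."""
    problems: List[str] = []
    values = parse_defaults(defaults_text)
    if values.get("RUN") != "yes":
        problems.append("RUN is not 'yes': the init script will refuse to start sslh")
    opts = parse_daemon_opts(values.get("DAEMON_OPTS", ""))
    if not opts.get("user"):
        problems.append("--user is missing: sslh would keep root after binding port 443")
    if not opts.get("listen"):
        problems.append("--listen is missing: sslh has no socket to accept on")
        return problems
    listen = split_socket(opts["listen"])
    for proto in ("ssh", "ssl", "openvpn"):
        target = opts.get(proto)
        if not target:
            problems.append(f"--{proto} target is missing: that protocol cannot be forwarded")
        elif split_socket(target) == listen:
            problems.append(f"--{proto} points at sslh's own listen socket: forwarding would loop")
    # The conflict the article describes: Apache holding port 443 on all interfaces.
    for web in apache_listeners(ports_conf):
        if sockets_collide(listen, web) and not web[0].startswith("127."):
            problems.append(
                f"Apache Listen {web[0]}:{web[1]} conflicts with sslh --listen "
                f"{listen[0]}:{listen[1]}: bind Apache to 127.0.0.1 only"
            )
    return problems


# Constructed copy of the settings shown in the article (comments omitted).
DEFAULTS = """
RUN=yes
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 \
--ssl 127.0.0.1:443 --openvpn 127.0.0.1:1194 --pidfile /var/run/sslh/sslh.pid"
"""

# Constructed ports.conf fragments: Apache on loopback only vs. on every interface.
PORTS_LOOPBACK = "Listen 80\n<IfModule mod_ssl.c>\n    Listen 127.0.0.1:443\n</IfModule>\n"
PORTS_ALL = "Listen 80\n<IfModule mod_ssl.c>\n    Listen 443\n</IfModule>\n"

if __name__ == "__main__":
    for name, conf in (("loopback only", PORTS_LOOPBACK), ("all interfaces", PORTS_ALL)):
        print(f"Apache on {name}: {check_config(DEFAULTS, conf) or 'OK'}")
```

Run it with the real files (for example by reading /etc/default/sslh and /etc/apache2/ports.conf into the two strings) and an empty result means the start command that follows should succeed; the Apache line in the report is the same condition that otherwise surfaces only as sslh failing to bind port 443.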

Save the file and start SSLH:

root@test:/etc/openvpn/easy-rsa/keys# /etc/init.d/sslh start
[ ok ] Starting ssl/ssh multiplexer: sslh.

Now, you should be able to ssh to port 443 on your Raspberry Pi, and have it forward via SSLH:

$ ssh -p 443 root@test.linuxjournal.com
root@test:~#

SSLH is now listening on port 443 and can direct traffic to SSH, Apache or OpenVPN based on the type of packet that hits it. You should be ready to go!

Conclusion

Now you can fire up OpenVPN and set your OpenVPN client configuration to port 443, and SSLH will route it to the OpenVPN server on port 1194. But because you're talking to your server on port 443, your VPN traffic won't get blocked. Now you can land at a strange coffee shop, in a strange town, and know that your Internet will just work when you fire up your OpenVPN and point it at your Raspberry Pi. You'll also gain some encryption on your link, which will improve the privacy of your connection. Enjoy surfing the Net via your new landing point!

Resources

Installing and Configuring OpenVPN: https://wiki.debian.org/OpenVPN and http://cryptotap.com/articles/openvpn

OpenVPN client downloads: https://openvpn.net/index.php/open-source/downloads.html

OpenVPN Client for iOS: https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8

OpenVPN Client for Android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en

Tunnelblick for Mac OS X (OpenVPN client): https://tunnelblick.net

SSLH—Protocol Multiplexer: http://www.rutschle.net/tech/sslh.shtml and https://github.com/yrutschle/sslh

______________________

Bill Childers is the Virtual Editor for Linux Journal. No one really knows what that means.