Monthly Archives: November 2014

Raspberry Pi – VPN for all devices

Hello everyone. Today I want to show you how you can use your Raspberry Pi to tunnel all your traffic over a VPN connection. (For example, I use this solution to watch my favorite TV shows on hulu. I'm not an American and hulu is blocked outside the USA, as you may know.) Ok, let's go.

The first thing you need to do is go to the VPNGate website and search for a VPN server (one in the United States of America if you want to watch videos on hulu from outside the United States of America). Once you have found a VPN server, download its ovpn file (OpenVPN) and store it on your Raspberry Pi.

Before we start you need to set up your Raspberry Pi as a Wireless Router like I explained in this post. After this is done we continue with the following:

To prevent issues update your Raspberry Pi first:

sudo apt-get update
sudo apt-get upgrade

Next install OpenVPN:

sudo apt-get install openvpn

Now move the ovpn file you downloaded by running the following command:

sudo mv <ovpn file> /etc/openvpn/openvpn.conf

Next we need to create a text file containing the user and password credentials:

sudo nano /etc/openvpn/user.txt

For a VPNGate VPN server enter vpn as username and vpn as password. Save the data in user.txt:

vpn
vpn

Next adjust the permissions of your user.txt file so that only root can read the stored credentials:

sudo chmod 600 /etc/openvpn/user.txt

Next we need to edit the openvpn.conf file (the ovpn file we downloaded earlier):

sudo nano /etc/openvpn/openvpn.conf

Now search for the following line:

#auth-user-pass

And replace it with this line to tell OpenVPN to use the user credentials provided in the user.txt file:

auth-user-pass user.txt

Now adjust the permissions of the openvpn.conf file by running:

sudo chmod 755 /etc/openvpn/openvpn.conf

Next reboot the Raspberry Pi. (It is faster than restarting the necessary services manually.)

sudo reboot

After your Raspberry Pi has finished rebooting, have a look at your interfaces by running:

ifconfig

[Image: VPN_tunnel_interface]

You will notice that you have a new interface called tun0. This is your new VPN tunnel interface.

If you followed my instructions from this post, we need to do some cleanup. Run the command below to remove the saved iptables configuration:

sudo rm /etc/iptables.ipv4.nat

Next run the below commands to redirect all your traffic through the VPN tunnel interface:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

Save the iptables configuration by running:

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
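
Deleting /etc/iptables.ipv4.nat removes only the saved file; rules that are already loaded in the kernel stay active, and iptables-save writes them back out. The check below is an added example (not part of the original post) that scans an iptables-save dump for NAT or forwarding rules that let wlan0 clients out through anything other than tun0. The function names and the eth0 rules in the constructed sample are assumptions about what an earlier router setup may have left behind.

```sh
#!/bin/sh
# Added example: audit an iptables-save dump for rules that bypass tun0.
# Interface names (wlan0, tun0) are the ones used in this post.

# Reads a dump on stdin, prints findings, returns 1 if anything is wrong.
audit_rules() {
    dump="$(cat)"
    findings=0
    # The NAT rule added in this post has to be present
    if ! printf '%s\n' "$dump" |
            grep -qxF -e '-A POSTROUTING -o tun0 -j MASQUERADE'; then
        echo "MISSING: -A POSTROUTING -o tun0 -j MASQUERADE"
        findings=1
    fi
    # Any MASQUERADE rule, or any ACCEPT for traffic entering on wlan0,
    # that is not bound to "-o tun0" is a path around the VPN
    leaks="$(printf '%s\n' "$dump" |
        grep -E -e '^-A POSTROUTING .*-j MASQUERADE$' \
                -e '^-A FORWARD -i wlan0 .*-j ACCEPT$' |
        grep -vF -e ' -o tun0 ' || true)"
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/LEAK: /'
        findings=1
    fi
    return "$findings"
}

# Constructed sample dump. $1 / $2 are optional extra nat / filter rules.
sample_dump() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' ${1:+"$1"} \
        '-A POSTROUTING -o tun0 -j MASQUERADE' 'COMMIT' \
        '*filter' ':FORWARD ACCEPT [0:0]' ${2:+"$2"} \
        '-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i wlan0 -o tun0 -j ACCEPT' 'COMMIT'
}

# Rules of this post only: clean
sample_dump | audit_rules && echo "OK: no NAT/ACCEPT rule bypasses tun0"

# Same rules plus assumed leftovers from an eth0 router setup: two leaks
sample_dump '-A POSTROUTING -o eth0 -j MASQUERADE' \
            '-A FORWARD -i wlan0 -o eth0 -j ACCEPT' | audit_rules ||
    echo "=> remove these rules before running iptables-save"
```

On the Pi the same function can be fed the live rule set with: sudo iptables-save | audit_rules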

Now reboot your Raspberry Pi one last time:

sudo reboot

If you now connect to your Raspberry Pi's wireless network all your traffic will be redirected through the VPN tunnel interface. (You can check if it works by using this website.)

Here is a picture from hulu without using this solution: (outside of the USA of course)

[Image: hulu_blocked]

And here is a picture of hulu while using this solution:

[Image: hulu_unblocked]

That's it. It's as simple as that. I hope you liked my post and I hope to see you again next time 🙂

And as always you can download all relevant files I used from here.

Update: Please keep in mind that the VPN relays on VPNGate are run by volunteers, which means that your experience and the quality may vary. Please also keep in mind that hulu tries to blacklist all kinds of VPNs to make solutions like this useless, so this solution might not work anymore in the future.

Sources:

http://www.vpngate.net/en/

http://alphaloop.blogspot.co.at/2014/01/raspberry-pi-as-vpn-wireless-access.html

http://serverfault.com/questions/544285/connection-reset-by-peer-when-im-trying-to-connect-to-server

https://awangga.wordpress.com/2014/03/12/setting-openvpn-client-using-vpngate-on-raspberry-pi/

Raspberry Pi – Say Goodbye to Ads with Pi-hole

Hello everyone. Today I stumbled over a great way to get rid of nasty advertisements: The Pi-hole. I thought you might like this too so I wanted to share it. Here is how it works:

The Pi-hole uses a simple technique to get rid of advertisements: First you install a webserver on your Raspberry Pi which will serve an empty web page. Next you download the domain names of the advertisement servers you want to block and create DNS entries for them in the DNS server you install on your Raspberry Pi. These DNS entries all point to your webserver, which will serve you an empty page instead of advertisements. Pretty simple, right? To be specific, it's practically DNS Spoofing. Now that we know how this works, let's get going.

Before you start with the steps below please have a look at this post (the IP addresses and configuration files I used in my current post are based on that post) and set up your Raspberry Pi as a wireless router. This way all your clients will be configured correctly by simply connecting to your Raspberry Pi's wireless network.

The first step is to update your Raspberry Pi to avoid issues:

sudo apt-get update
sudo apt-get upgrade

Now install the webserver which will serve the empty html page for us. To do so run:

sudo apt-get install lighttpd

Now set the necessary permissions for the webserver.

sudo chown www-data:www-data /var/www
sudo chmod 755 /var/www

Next create a new directory called pihole and create an empty html page called index.html in it:

sudo mkdir -p /var/www/pihole
sudo touch /var/www/pihole/index.html

Next edit the lighttpd webserver's configuration file.

sudo nano /etc/lighttpd/lighttpd.conf

Add the following lines to the end of the file:

$HTTP["host"] =~ ".*" {
    url.rewrite = (".*" => "pihole/index.html")
}

Next install dnsutils and dnsmasq:

sudo apt-get install dnsutils dnsmasq

Stop the dnsmasq service till we finish our configuration.

sudo service dnsmasq stop

Next rename the dnsmasq.conf file (Do not delete it just to be safe):

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak

Now create a new dnsmasq.conf file:

sudo nano /etc/dnsmasq.conf

Add the following code to the file:

domain-needed
interface=wlan0
min-port=4096
cache-size=10000
log-queries
bogus-priv

We use the wlan0 interface since this is the interface where our clients will connect to.

Next you need to edit the resolv.conf file:

sudo nano /etc/resolv.conf

Replace all contents of the file with the following code: (Besides our own DNS server we add Google's DNS servers to resolve domain names)

nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4

Next create the script which will get the DNS domain names from the ad servers we want to block:

sudo nano /usr/local/bin/gravity.sh

Here is the script:

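#!/bin/bash
# Source list of ad server domains, already formatted as dnsmasq "address=" lines
adListURL="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext"
# Address to send ads to (your Raspberry Pi's IP)
piholeIP="192.168.0.1"
adFile="/etc/dnsmasq.d/adList.conf"
eventHorizion="/etc/dnsmasq.d/adList.conf.tmp"
# Download the list and point every entry at the Pi instead of 127.0.0.1
# (-f makes curl fail on HTTP errors instead of saving the error page)
curl -fsS "$adListURL" | sed "s/127\.0\.0\.1/$piholeIP/" > "$eventHorizion"
# Only replace the active list if the download produced a non-empty file
if [ -s "$eventHorizion" ]; then
    mv -f "$eventHorizion" "$adFile"
else
    echo "Error building the ad list, please try again."
    rm -f "$eventHorizion"
    exit 1
fi
service dnsmasq restart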

Set the necessary permissions for the script by running:

sudo chmod 755 /usr/local/bin/gravity.sh

Now run the script to get the DNS domain entries of the ad servers into your DNS server:

sudo /usr/local/bin/gravity.sh
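
gravity.sh writes whatever the HTTP download returns straight into /etc/dnsmasq.d/, where dnsmasq reads every line as configuration. The filter below is an added example (not part of the original script) that passes only lines of the form address=/<domain>/127.0.0.1, which is the format the sed call in gravity.sh implies, and rewrites them to the Pi's address. The function name filter_adlist and the sample list are constructed for illustration.

```sh
#!/bin/sh
# Added example: keep only well-formed block entries from a downloaded list.
# Assumes the list format implied by gravity.sh: address=/<domain>/127.0.0.1

# filter_adlist PIHOLE_IP: list on stdin, accepted dnsmasq lines on stdout,
# rejected lines on stderr. Returns 1 if no usable entry remains.
filter_adlist() {
    kept="$(awk -v ip="$1" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^address=\/[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9])?\/127\.0\.0\.1$/ {
            sub(/127\.0\.0\.1$/, ip)            # point the entry at the Pi
            print
            next
        }
        /^[ \t]*(#.*)?$/ { next }               # blank lines and comments
        { print "rejected: " $0 > "/dev/stderr" }
    ')"
    [ -n "$kept" ] || return 1
    printf '%s\n' "$kept"
}

# Constructed sample download: two valid entries and three lines that must
# never reach /etc/dnsmasq.d/ (wrong target, other directive, error page).
sample_list() {
    printf '%s\n' \
        'address=/ads.example.com/127.0.0.1' \
        'address=/tracker.example.net/127.0.0.1' \
        'address=/www.example.org/203.0.113.7' \
        'server=/example.org/203.0.113.7' \
        '<html><body>502 Bad Gateway</body></html>'
}

sample_list | filter_adlist 192.168.0.1
```

In gravity.sh the function would take the place of the sed call: curl "$adListURL" | filter_adlist "$piholeIP" > "$eventHorizion"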

Next set up a cronjob to update your DNS entries to keep your network ad-free. To do so run:

sudo crontab -e

Now add the following line to the file to run the update cronjob weekly:

@weekly /usr/local/bin/gravity.sh

Now we need to update the dhcpd.conf file to redirect all clients' DNS queries to our DNS server on our Raspberry Pi. Edit the file by running:

sudo nano /etc/dhcp/dhcpd.conf

Now edit “option domain-name-servers” and make sure to replace the IP addresses with the IP address of your Raspberry Pi (mine is 192.168.0.1):

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.250;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    default-lease-time 600;
    max-lease-time 7200;
    option domain-name "local-network";
    option domain-name-servers 192.168.0.1;
}

That's it. Now reboot your Raspberry Pi to apply the changes.

sudo reboot

Ok. Your Raspberry Pi Pi-hole is now ready to use.

Here is a picture of a website (http://winfuture.de/) with advertisements without the use of Pi-hole:

[Image: winfuture_not_ad_free]

And here is a picture of the same website without advertisements by using Pi-hole:

[Image: winfuture_ad_free]

And all that's necessary is that you are connected to the wireless network of your Raspberry Pi to surf advertisement free. Pretty cool right?

I hope you liked my post and I hope to see you again next time 🙂

Sources:

http://jacobsalmela.com/raspberry-pi-block-ads-adtrap/

Raspberry Pi – Use Proxy for “Caging” people

Hello everyone. Today I have something fun for you: You can use your Raspberry Pi Wireless Router (I showed you how to create one in my last post) to replace all pictures from the net with pictures of Nicolas Cage for people who are connected to your wireless network. (Believe me: “Caging” people is pretty funny. I used this prank on my brothers and it was hilarious 🙂 )

For this prank we will use a transparent proxy which, with the help of a Perl script, replaces all pictures coming from the internet with a picture of Nicolas Cage. Here are the steps to do this:

The first step is to update your Pi to avoid issues.

sudo apt-get update
sudo apt-get upgrade

Now install the Proxy software squid. It will help us to do the trick.

sudo apt-get install squid3

The next step is to edit the squid.conf file.

sudo nano /etc/squid3/squid.conf

Press Ctrl + W to search for “acl manager” and write the following line into the configuration file:

acl localnet src 192.168.0.0/24

The above line will define our wireless network (I called it “localnet”). Now search for “cachemgr” and add the following line to your configuration file:

http_access allow localnet

The above line will allow access to our proxy from our wireless network. Next search for “url_rewrite_program” and add the following line:

url_rewrite_program /var/www/scripts/images.pl

The above line will define the path to the script we will use to replace the pictures coming from the internet. (Don't worry, we will create the script soon.)

Next search for “http_port 3128” and add “transparent” to the line. This will turn our squid proxy into a transparent proxy (This way we will not need to configure proxy settings on the clients).

http_port 3128 transparent

Save the changes. And we are ready for the next step. (You can have a look at the full configuration file here.)

Next we need to install apache webserver to host our picture of Nicolas Cage.

sudo apt-get install apache2

Next create the following directories and place your picture into the content directory.

sudo mkdir /var/www/scripts
sudo mkdir /var/www/content

Now go to the scripts directory and create a Perl script called images.pl.

cd /var/www/scripts
sudo nano images.pl

Have a look at the script below and modify it according to your environment if necessary: (I got the script from here)

#!/usr/bin/perl
########################################################################
# replaceImages.pl --- Squid Script (Replace every image) #
# g0tmi1k 2011-03-25 #
########################################################################
use IO::Handle;
use POSIX qw(strftime);

$debug = 0; # Debug mode - create log file
$imageURL = "http://192.168.0.1/nicolas-cage.jpg";

$|=1; # Unbuffered output - squid expects one reply line per request line
$pid = $$;

# Only touch the DEBUG handle when the log file was actually opened
if ($debug == 1) {
    open (DEBUG, '>>/tmp/replaceImages_debug.log');
    autoflush DEBUG 1;
    print DEBUG "########################################################################\n";
    print DEBUG strftime ("%d%b%Y-%H:%M:%S\n",localtime(time()));
    print DEBUG "########################################################################\n";
}
while (<>) {
    chomp $_;
    if ($debug == 1) { print DEBUG "Input: $_\n"; }
    if ($_ =~ m/.*$imageURL/) { # Request for our own image - pass it through
        print "$imageURL\n";
    }
    elsif ($_ =~ /(.*\.(gif|png|bmp|tiff|ico|jpg|jpeg|swf))/i) { # Image format(s)
        print "$imageURL\n";
        if ($debug == 1) { print DEBUG "Image Replaced: $_ \n"; }
    }
    else {
        print "$_\n";
        if ($debug == 1) { print DEBUG "Output: $_\n"; }
    }
}

if ($debug == 1) { close (DEBUG); }

After you saved the script you need to give it the execution right by running:

sudo chmod +x images.pl

Next you need to edit the default file of your apache webserver:

sudo nano /etc/apache2/sites-available/default

Have a look at the configuration below and modify the file according to your environment:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DirectoryIndex nicolas-cage.jpg

    DocumentRoot /var/www/content
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/content>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

To redirect all http traffic to our transparent squid proxy we need to set up a new iptables rule. Create the rule by running:

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

To save the above rule permanently run:

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

The last step is to run the command below to start our squid proxy at boot:

sudo update-rc.d squid3 enable

That's it. Reboot your Pi and you are ready to go.

Now if someone connects to your network and opens a website in his/her browser the result will look like this:

[Image: raspberry_pi_caging]

As you can see it works as expected 🙂

I hope you liked today's post and I hope to see you again.

As always you can download all scripts I used in my post from here.

Sources:

http://wiki.ubuntuusers.de/Squid

http://xmodulo.com/squid-transparent-web-proxy-centos-rhel.html

http://failverse.com/creating-the-kittynet/
