Sunday, February 23, 2014

Ultra secure remote access to home network with a raspberry pi

This post is about setting up ultra secure remote access to a home (or corporate) network with a raspberry pi.


We have all heard of the security holes in many DSL routers. Because of that it is important to keep the firmware up to date. Anyway, I personally do not really trust the "remote access" capabilities and the built-in VPN functionality (if any) of those DSL boxes.
Still, I would like to get remote access to e.g. my home network. The idea is to use a raspberry pi as a secure bridge into the remote network.

Sure, we can set up a VPN on the raspberry pi, but most raspberry-related VPN howtos require a "logmein" account for an easy VPN setup. I personally prefer to use standard utilities without the need to create an account on a commercial site with all my traffic routed through that site. Also, for me pure "ssh" access is completely sufficient: it gives me remote port forwarding through ssh, which is all I need.

But any "port forwarding" on the DSL router would require at least one open TCP port, how bad!
... but wait, here is the "better" idea:

We can use an "active port forwarder" (such as "apf-server"/"apf-client") to forward the ssh port of the raspberry pi to a remote server (accessible in the internet) through an outgoing connection.


Here is how this basically looks:
Please see also http://gray-world.net/images/af.gif

The raspberry pi creates an outgoing connection (allowed through the firewall) to the remote server using "afclient". On the remote server "afserver" picks up this connection and uses it to actively forward the ssh port of the raspberry pi to a port on the remote server.

-> This setup does not even require a single open port on the DSL router!

How to configure the raspberry pi for "Ultra secure remote access":

  1. Set up a raspberry pi with the standard Raspbian OS image.
  2. Install "apf-client".
  3. Make the apf-client (afclient is the binary name) start automatically at boot.
Add the following line to /etc/rc.local:

                         afclient --ignorepkeys -m 50001 --pass [secure-password] -n [remote-public-server] -p 22 --ar-start --ar-quit


I am using port 50001 for the af communication in this example.
This will connect to an "afserver" on [remote-public-server] via port 50001 using SSL-encrypted communication secured by [secure-password].

Please notice:
The "--ar-start --ar-quit" parameters allow the afclient to start even when the afserver on the remote server is not accessible or not started yet. In case the network the raspberry pi is located in does not allow direct internet access, afclient/afserver also support tunneling the af connection through a standard http/https proxy server. For more options please check http://manpages.ubuntu.com/manpages/precise/man1/afserver.1.html
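As an added example (not part of the original post), here is a small launcher script that /etc/rc.local can call instead of the bare afclient line above. It keeps [secure-password] in a root-only file instead of inside rc.local and refuses to start if that file is readable by other users. The option names are the ones the post uses; the file paths and the server name remote.example.org are placeholders you would replace.

```shell
#!/bin/sh
# Added example, not from the original post: launcher for the raspberry pi
# side. rc.local calls "sh /usr/local/sbin/afclient-start.sh start".
# AF_SERVER, PASS_FILE and the log path are placeholders (assumptions).

set -eu

AF_SERVER=${AF_SERVER:-remote.example.org}   # stands in for [remote-public-server]
AF_PORT=50001                                # af management port, as in the post
LOCAL_PORT=22                                # the pi's ssh port that gets forwarded
PASS_FILE=${PASS_FILE:-/etc/afclient.pass}   # placeholder path; holds [secure-password]

# Succeed only if $1 is a regular file with no group/other permission bits
# (mode 0600 or stricter). ls -l is used so this works in any POSIX sh.
check_passfile() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the afclient command line for password $1, with the options the
# post uses: --ar-start/--ar-quit keep afclient retrying while afserver is
# not up yet; --ignorepkeys (as in the post) skips afclient's check of the
# afserver public key. The ssh session carried inside the tunnel still does
# its own host-key verification of the pi.
afclient_cmd() {
    printf '%s' "afclient --ignorepkeys -m $AF_PORT --pass $1 -n $AF_SERVER -p $LOCAL_PORT --ar-start --ar-quit"
}

# Entry point for rc.local: validate the secret file, then run afclient in
# the background so that boot is not blocked by it.
start_afclient() {
    if ! check_passfile "$PASS_FILE"; then
        echo "afclient not started: $PASS_FILE missing or not mode 0600" >&2
        return 1
    fi
    pass=$(cat "$PASS_FILE")
    $(afclient_cmd "$pass") >/var/log/afclient.log 2>&1 &
}

# Only act when called with "start", so the functions can also be sourced.
if [ "${1:-}" = "start" ]; then
    start_afclient
fi
```

Create the password file with `install -m 0600 -o root -g root /dev/null /etc/afclient.pass` and write the password into it; the permission check then fails closed if somebody later loosens the mode. Note that `--pass` still places the password in afclient's argument list, which is visible in the process list of the pi itself, so the file only keeps it out of rc.local and shell history.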



Now the setup on the remote (publicly accessible) server:

  1. Install "apf-server" (afserver is the binary name).
  2. Start "afserver" to allow and pick up the connection from the client:

                         afserver -m 50001 --pass [secure-password] -l 40001


This picks up the afclient on port 50001 and forwards the ssh port of the raspberry pi to port 40001 on the remote (publicly accessible) server, using the same password as given to the afclient.

-> You can now ssh to port 40001 on the remote (publicly accessible) server, which will log you in to the raspberry pi!

From there you can e.g. use "wakeonlan" to power on systems in the remote network.

More security for this setup:

  • install "fail2ban" on the raspberry pi to harden the ssh login - http://www.fail2ban.org/
  • disable "root" ssh access to the raspberry pi and only permit ssh keys (not passwords)
  • use "iptables" to secure the remotely forwarded ssh port on the remote (publicly accessible) server.
e.g. when you start the "afserver" on the remote server, run the following lines to only allow your current IP address to connect to the forwarded ssh port

/sbin/iptables -A INPUT -p tcp -m tcp -s [the-IP-address-from-where-you-come-from] --dport 40001 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 40001 -j DROP

  • only start the "afserver" when you need it. When it is not started, the forwarded ssh port of the raspberry pi won't be picked up, so it won't be accessible.
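The last two points fit together: the iptables rules are only needed while afserver is running. As an added example (not from the original post), the following wrapper for the public server inserts the allow/drop rules for port 40001 before starting afserver in the foreground and removes them again as soon as afserver exits, so the forwarded ssh port is fenced to one address while it is open and closed the rest of the time. The path of the password file is a placeholder; the afserver and iptables options are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: run afserver on the public
# server with the forwarded ssh port fenced to a single source address.
# Usage: sh afserver-guard.sh <your-current-IP>
# PASS_FILE is a placeholder path (assumption) holding [secure-password].

set -eu

AF_PORT=50001                                # management port afclient connects to
SSH_FWD_PORT=40001                           # where the pi's ssh port is re-exposed
IPTABLES=${IPTABLES:-/sbin/iptables}
PASS_FILE=${PASS_FILE:-/etc/afserver.pass}   # placeholder; mode 0600, root-only

# Accept a dotted-quad IPv4 address with an optional /prefix, octets <= 255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%%/*}
    saved_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$saved_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the two iptables commands for action $1 (add|del) and source $2.
# "add" inserts at the head of INPUT so that an earlier, broader ACCEPT
# rule cannot shadow the DROP; "del" removes the same rules by match.
fw_cmds() {
    case $1 in
        add) pos_accept="-I INPUT 1"; pos_drop="-I INPUT 2" ;;
        del) pos_accept="-D INPUT";   pos_drop="-D INPUT" ;;
        *)   return 2 ;;
    esac
    printf '%s\n' \
        "$IPTABLES $pos_accept -p tcp -m tcp -s $2 --dport $SSH_FWD_PORT -j ACCEPT" \
        "$IPTABLES $pos_drop -p tcp -m tcp --dport $SSH_FWD_PORT -j DROP"
}

# Execute the commands fw_cmds prints (needs root).
fw_apply() {
    fw_cmds "$1" "$2" | while read -r cmd; do
        $cmd
    done
}

# Fence the port, run afserver in the foreground, unfence when it exits.
run_guarded() {
    src=$1
    if ! valid_ipv4 "$src"; then
        echo "not an IPv4 address: $src" >&2
        return 2
    fi
    [ -r "$PASS_FILE" ] || { echo "cannot read $PASS_FILE" >&2; return 2; }
    fw_apply add "$src"
    trap 'fw_apply del "$src"' EXIT     # cleanup runs once, on any exit path
    trap 'exit 130' INT TERM            # turn a signal into a normal exit
    # Same options as in the post; afserver blocks here until it is stopped.
    afserver -m "$AF_PORT" --pass "$(cat "$PASS_FILE")" -l "$SSH_FWD_PORT"
}

# Only act when given exactly one argument, so the functions can be sourced.
if [ "$#" -eq 1 ]; then
    run_guarded "$1"
fi
```

`fw_cmds` prints the rules instead of applying them directly, so you can review what will be inserted (`sh afserver-guard.sh` sourced, then `fw_cmds add 203.0.113.5`) and the logic can be exercised without root. The post's own lines use `-A`, which appends; the example uses `-I` so the fence sits in front of any pre-existing ACCEPT rule on the server.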
Links: apf-server homepage and download - http://gray-world.net/pr_af.shtml

Hope it's useful for you! Security IS important!




10 comments:

Anonymous said...

You can upgrade in steps or all at once, but upgrading your software solution incrementally carries much less risk and allows users to learn and adjust more easily (top10-bestvpn). Strategize about what needs to be upgraded first and remember to consider third-party integrations as well. Make sure your other software will still be compatible with the software solution once it's updated, or even upgrade them all together.

Remote home monitor said...

Great blog about ultra security..
Home Security

bubblefootball said...

Great share about security,..
garde du corps

David Ronaldo said...

Thanks for sharing this article about security.
trust

Gennie said...

Home security is one of the biggest responsibility,..
video security cameras Installation los angeles

Gennie said...

Thank you so much for this detailed article.
CCTV Installation Brisbanee

steward said...

Keep sharing more informative blogs like that,
structured wiring

TalariaX Pte Ltd said...

Nice post!!!!.
Secure Remote Access

IamLinkfeeder said...

It was really fun reading your article. Thank you very much. # BOOST Your GOOGLE RANKING. It's Your Time To Be On #1st Page
Our Motive is not just to create links but to get them indexed as well
Increase Domain Authority (DA). We're on a mission to increase DA PA of your domain
High Quality Backlink Building Service
Boost DA upto 15+ at cheapest
Boost DA upto 25+ at cheapest
Boost DA upto 35+ at cheapest
Boost DA upto 45+ at cheapest

Sneha Cubestech said...

Hey there

Thanks for sharing this informative article about security, Waiting for more of your updates

Mobile app development company
Best web development company
Best Software Development company