Sunday, February 23, 2014

Ultra secure remote access to home network with a raspberry pi

This post is about setting up ultra secure remote access to a home (or corporate) network with a Raspberry Pi.


We have all heard of the security holes in many DSL routers, so it is important to keep their firmware up to date. Still, I personally do not really trust the "remote access" capabilities and the built-in VPN functionality of those DSL boxes.
Nevertheless I would like to have remote access to, e.g., my home network. The idea is to use a Raspberry Pi as a secure bridge into the remote network.

Sure, we can set up a VPN on the Raspberry Pi, but most Raspberry-related VPN howtos require a "logmein" account for an easy VPN setup. I personally prefer standard utilities without having to create an account on a commercial site that routes all my traffic. Also, plain "ssh" access is completely sufficient for me: it gives me remote port forwarding through ssh, which is all I need.

But any "port forwarding" on the DSL router would require at least one open TCP port. How bad!
... but wait, here is the "better" idea:

We can use an "active port forwarder" (such as afserver/afclient) to forward the ssh port of the Raspberry Pi to a remote server (reachable on the internet) over an outgoing connection.


Here is how this basically looks (see also http://gray-world.net/images/af.gif):

The Raspberry Pi creates an outgoing connection (allowed through the firewall) to the remote server using "afclient". On the remote server "afserver" picks up this connection and uses it to actively forward the ssh port of the Raspberry Pi to a port on the remote server.

-> This setup does not require a single open port on the DSL router!

How to configure the Raspberry Pi for "ultra secure remote access":

  1. Set up a Raspberry Pi with the standard Raspbian OS image.
  2. Install "apf-client".
  3. Make the apf-client (afclient is the binary name) start automatically at boot.
Add the following line to /etc/rc.local:

                         afclient --ignorepkeys -m 50001 --pass [secure-password] -n [remote-public-server] -p 22 --ar-start --ar-quit


I am using port 50001 for the af communication in this example.
This connects to an "afserver" on [remote-public-server] via port 50001 using SSL-encrypted communication secured by [secure-password].

Please notice:
The "--ar-start --ar-quit" parameters allow the afclient to start even when the afserver on the remote server is not reachable or not started yet. The "--ignorepkeys" option in the command above makes afclient connect even when the afserver's public key does not verify, so the SSL layer alone does not authenticate the remote server; the ssh session tunnelled inside still performs its own host key check, and that check is what you rely on. In case the network the Raspberry Pi sits in does not allow direct internet access, afclient/afserver also support tunnelling the af connection through a standard http/https proxy server. For more options please check http://manpages.ubuntu.com/manpages/precise/man1/afserver.1.html



Now the setup on the remote (publicly accessible) server:

  1. Install "apf-server" (afserver is the binary name).
  2. Start "afserver" to accept and pick up the connection from the client:

                         afserver -m 50001 --pass [secure-password] -l 40001

 

This picks up the afclient on port 50001 and forwards the ssh port of the Raspberry Pi to port 40001 on the remote (publicly accessible) server, using the same password as given to the afclient.

-> You can now ssh to port 40001 on the remote (publicly accessible) server, which logs you in to the Raspberry Pi!

From there you can, e.g., use "wakeonlan" to power on systems in the remote network.

More security for this setup:

  • install "fail2ban" on the Raspberry Pi to harden the ssh login - http://www.fail2ban.org/
  • disable "root" ssh access to the Raspberry Pi and only permit ssh keys (not passwords)
  • use "iptables" to secure the remote forwarded ssh port on the remote (publicly accessible) server.
e.g. when you start the "afserver" on the remote server, run the following lines to only allow your current IP address to connect to the forwarded ssh port (the ACCEPT rule has to come before the DROP rule, which is why they are appended in this order):

/sbin/iptables -A INPUT -p tcp -m tcp -s [the-IP-address-from-where-you-come-from] --dport 40001 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 40001 -j DROP

  • only start the "afserver" when you need it. When it is not started, the forwarded ssh port of the Raspberry Pi is not picked up, so it is not accessible.
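The second bullet above is easy to get subtly wrong, because sshd takes the first occurrence of a keyword and silently ignores later duplicates. The following is an added example (not code from the original post): a small POSIX shell audit that reads an sshd_config the way sshd does and reports whether root login is disabled, password logins are off, and public key authentication is on. The sample configs are constructed for the demo; on a real Pi you would point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config on the
# Raspberry Pi for the settings recommended above (no root login, no password
# logins, key-based auth only). The sample configs below are constructed for
# the demo; on a real Pi point the functions at /etc/ssh/sshd_config.

# Effective value of a keyword, lower-cased, or empty if it is not set.
# sshd uses the FIRST occurrence of a keyword, so we stop at the first match,
# and we stop at the first "Match" block because settings there are conditional.
# (The rarely used "Keyword=value" form is not handled here.)
sshd_setting() {
    file="$1"
    key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    awk -v key="$key" '
        /^[ \t]*(#|$)/         { next }                     # comment or blank line
        tolower($1) == "match" { exit }                     # conditional block: ignore
        tolower($1) == key     { print tolower($2); exit }  # first occurrence wins
    ' "$file"
}

# Check the three settings; print each finding and return 1 if any is wrong.
# A missing keyword is treated as the permissive value "yes" (the stock default
# on the Raspbian of that time for PermitRootLogin and PasswordAuthentication).
audit_sshd_config() {
    file="$1"; rc=0
    root="$(sshd_setting "$file" PermitRootLogin)";        [ -n "$root" ] || root=yes
    pass="$(sshd_setting "$file" PasswordAuthentication)"; [ -n "$pass" ] || pass=yes
    pub="$(sshd_setting "$file" PubkeyAuthentication)";    [ -n "$pub" ]  || pub=yes
    [ "$root" = no ] || { echo "$file: PermitRootLogin is '$root', want no"; rc=1; }
    [ "$pass" = no ] || { echo "$file: PasswordAuthentication is '$pass', want no"; rc=1; }
    [ "$pub" = yes ] || { echo "$file: PubkeyAuthentication is '$pub', want yes"; rc=1; }
    return $rc
}

# Constructed sample configs: stock-like defaults vs. a hardened file.
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: stock-like sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF

HARD_CONF="$(mktemp)"
cat > "$HARD_CONF" <<'EOF'
# constructed sample: hardened sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# a later duplicate is ignored by sshd: the first value wins
PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK_CONF" || echo "-> $WEAK_CONF needs hardening"
audit_sshd_config "$HARD_CONF" && echo "-> $HARD_CONF looks good"
```

Run it after editing sshd_config and before restarting sshd; the commented-out "#PasswordAuthentication no" line in the weak sample is exactly the kind of change that looks done but is not.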
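The afserver start above and the last two bullets (the iptables rules and "only start afserver when you need it") belong together in practice: the forwarded port should exist, and be reachable from your address only, for exactly as long as a session lasts. The following is an added example and not the post's or the af project's own code: a POSIX shell wrapper that validates the source address, adds the two rules idempotently (so restarting never stacks duplicates), runs afserver in the foreground, and removes the rules again when it exits. The afserver flags and port numbers are the ones from the post; the password file path, the DRY_RUN switch and the 203.0.113.7 client address are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not the post's or the af project's own code: start afserver
# only for the duration of a session and, while it runs, allow the forwarded
# ssh port from exactly one source address. The rules are removed again when
# afserver exits, so the port is closed the rest of the time.
# afserver's -m/-l/--pass flags and the port numbers come from the post;
# the paths, the DRY_RUN switch and the sample address are assumed/constructed.

MANAGE_PORT=50001            # what afclient connects to (afserver -m)
FORWARD_PORT=40001           # lands on the Pi's ssh port (afserver -l)
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}        # DRY_RUN=1: print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept "a.b.c.d" or "a.b.c.d/nn" only; anything else is refused before it
# reaches iptables, where a typo could silently widen the ACCEPT rule.
valid_ipv4() {
    case "$1" in */*) addr="${1%%/*}"; pfx="/${1#*/}" ;; *) addr="$1"; pfx="" ;; esac
    case "$pfx" in ""|/[0-9]|/[12][0-9]|/3[0-2]) ;; *) return 1 ;; esac
    echo "$addr" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One place defines each rule, so add, check and delete use identical matches.
# (The post's "-s 0.0.0.0/0" on the DROP rule matches everything, same as no -s.)
allow_rule() { echo "INPUT -p tcp -m tcp -s $1 --dport $FORWARD_PORT -j ACCEPT"; }
drop_rule()  { echo "INPUT -p tcp -m tcp --dport $FORWARD_PORT -j DROP"; }

# $1 is -I (head of chain) or -A (tail); checking with -C first makes this
# idempotent, so restarting the session never stacks duplicate rules.
fw_add() {
    act="$1"; shift
    if [ "$DRY_RUN" != 1 ] && $IPTABLES -C $* 2>/dev/null; then return 0; fi
    run $IPTABLES "$act" $*
}
fw_del() { run $IPTABLES -D $*; }

open_session() {
    valid_ipv4 "$1" || { echo "bad source address: $1" >&2; return 1; }
    valid_port "$FORWARD_PORT" && valid_port "$MANAGE_PORT" || return 1
    # ACCEPT goes to the head of INPUT so it always precedes the DROP,
    # even if a DROP was left over from an earlier session.
    fw_add -I $(allow_rule "$1")
    fw_add -A $(drop_rule)
}
close_session() {
    fw_del $(drop_rule)
    fw_del $(allow_rule "$1")
}

# Usage: session <your-current-IP> [password-file]; Ctrl-C ends it and cleans up.
# Note: afserver takes the secret on its command line (visible to local users
# via ps); that is a property of --pass, not something this wrapper can change.
session() {
    src="$1"; pass_file="${2:-/root/af-pass}"    # assumed location of the shared secret
    open_session "$src" || return 1
    trap 'close_session "$src"' EXIT INT TERM
    run afserver -m "$MANAGE_PORT" --pass "$(cat "$pass_file")" -l "$FORWARD_PORT"
}

# Demo (only with DRY_RUN=1): show the rules for a constructed client address.
if [ "$DRY_RUN" = 1 ]; then
    open_session 203.0.113.7
    close_session 203.0.113.7
fi
```

With DRY_RUN=1 the script only prints the iptables and afserver commands it would run, which is a convenient way to review the rule set before using it for real; `session 203.0.113.7` as root does the real thing and tears the rules down again when afserver is interrupted.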
Links: apf-server homepage and download - http://gray-world.net/pr_af.shtml

Hope it's useful for you! Security IS important!