A secure home gateway on the Raspberry Pi in four parts. Part one, Dynamic DNS

First published on
tldr; How I set up this: DDNS to my home ip. Forward 443 & 80 to nginx on raspberry pi. Register free SSL certificates for own domain. basic_auth and proxy_pass to router and torrent box.

I have some very nifty devices lying around in my home:
  • A couple of computers
  • A very smart router with the Tomato firmware
  • A Raspberry Pi model B (the only one you can get right now)
  • A Popcorn Hour A200
Besides that, I have full control over a domain name (waleson.com.).

The amount of cool things you can do with this is enormous. However, until yesterday morning, these devices were working with most of their default settings (BOOOORING). Here's how I made it awesome in one evening.

Part one, dynamic DNS.

Objective: You want to access your home router from over the internet using a domain name. 

The first thing you'll need is an IP address. Well, your ISP gives you one. You can either remember this IP, or set up a DNS record to point a domain to it. We'll use DNS because we're humans. Remembering IP's is for strange people.

The problem is that the IP changes every now and then. Each time your modem reboots, you might find that your ISP has assigned you a new IP. Each time that happens you'll have to change the domain info again, which is tedious. The solution here is Dynamic DNS. Basically, it's like one of those terrible friends who lost a phone and sends you a message: "Hey Jouke, I'm xxxxxx and this is my new phone number because I lost my old one." The router says: "Hey DNS Server, my token is xxxxx and this is my new IP now, because I lost my old one". (As you can see, the DNS service is slightly more reliable than your friend, because it at least uses a random token instead of a name which is common knowledge. For security over 9000, you could consider giving all your friends a new password that they'll have to use in communication towards you.)

FreeDNS

 In your router you can see something like this:


A screen where you can tell your router which dynamic DNS service to contact. I chose freedns.afraid.org because it seemed cool. I registered a free subdomain (jt.nl.am) and set it as an A record to my current IP address.


Where is the token I was supposed to use? It's sort of hidden under the Dynamic DNS page.


If you copy the Direct URL link and paste it into your router settings as in the Tomato screenshot a little up, you should keep only the part after the question mark.

Sidetrack: The token looks like a base64 encoded string, let's see what it entails:

jt@augustine:~$ python
Python 2.7.3 (default, Aug  1 2012, 05:14:39)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> base64.b64decode("THE-FREE-DNS-TOKEN")
'XXX:YYY'
I obfuscated everything in capitals, but this is the thing you'll get. Looks like a random userid XXX and password YYY. Nice.

Sorry for that sidetrack, I could not resist. Well, now we have an ugly domain name that will always point to our current IP. Great! But I already laid in some money for a nice domain...

The solution is simple. Create a new subdomain using your domain manager, whichever one you have. Mine is offered by a iXLHosting.nl. Let that subdomain be a CNAME record to your ugly domain name.

Nifty. Now home.waleson.com always points to my home router! Normally the router will not respond on port 80. If you open up the web interface to the external network, you can now access that from the outside. I wouldn't do that however, because the traffic is not encrypted and you're sending your basic auth settings in every request. Anyone listening in on your connection can then access your router as well.

Nevertheless, objective one accomplished:
jt@augustine:~$ dig -t A home.waleson.com

; <<>> DiG 9.8.1-P1 <<>> -t A home.waleson.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32749
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;home.waleson.com. IN A

;; ANSWER SECTION:
home.waleson.com. 14400 IN CNAME jt.nl.am.
jt.nl.am. 3600 IN A 83.87.81.43

;; AUTHORITY SECTION:
nl.am. 3600 IN NS ns1.afraid.org.
nl.am. 3600 IN NS ns2.afraid.org.
nl.am. 3600 IN NS ns3.afraid.org.
nl.am. 3600 IN NS ns4.afraid.org.

;; Query time: 277 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 14 09:15:35 2012
;; MSG SIZE rcvd: 154
Read on: part two - setting up nginx on the raspberry pi

Comments

Post a Comment

Popular posts from this blog

AI programming tools should be added to the Joel Test

First published on
Here's a wake-up call to all CTOs: AI programming tools are getting freaking amazing and if you don't allow your teams to use them somehow, it will bite you in the ass in a couple of years. You will be slower and you will lose your best people. The infamous Joel Test is a list from the year 2000 of 12 things all great software companies do. Since then most companies have implemented Git and CI/CD, checking of three items, so we have some space left in the 2024 update ;) I believe "Do you allow your developers to use AI assisted development environments?" is a necessary addition. I get that you don't want your source code to end up on some OpenAI / Microsoft / Github server somewhere, sure, but find a way to use your own models or learn to live with it. Note that this is often not the same as "#9 - Do you use the best tools money can buy?" as blocking AI tools is about data security, not money. So why do I think developers need AI programming tools? I&#
Read more

The unreasonable effectiveness of i3, or: ten years of a boring desktop environment

First published on
Image
My wife uses Windows and over the years I've helped her move things to new systems. Win8, 10 and now 11. With every change the UI changes. Now I can't right click the bottom right corner anymore to open Task Manager. The UI feels "fresh" and up-to-date I guess, but does it really matter? My desktop has looked like this since 2008. I love the picture of the gearbox, it's a testament to the hidden precision engineering that goes on inside the built world all the time. I don't see much of the gearbox though, because most of the time my screens look like this: The environment around my background picture has changed a little more, but has been stable for the last 10 years. My experience is very different to my wife's constantly changing system. In 2009 I moved from Windows to Ubuntu, then to Debian using Gnome. Then finally to i3 in 2013 after a brief affair with XMonad in 2012. So by now in early 2024, I've had the same minimal UI for more than 10 years,
Read more

Idea time: RFID+E-Ink, electronic price tags without batteries

First published on
I got this idea years ago, somewhere in 2004 after I had heard both of RFID and E-Ink. The order is irrelevant ;) The idea is simple, we take: 1) RFID readers, which send radio waves to tags, which pick up some of the energy in the wave, do some computations and send a reply. The tags are brilliant: no batteries, no connected power source of any kind except for the antenna. 2) E-Ink displays, which need power only to change pixels. After the power is cut off, the pixels remain in their current state. The result: a small tag with a display. The display gets initialised and updated by an RFID-reader and after that retains its state indefinitely. Perfect for price tags on shelves in supermarkets, which need to be updated every now and then but are hellish to replace. I soon found out in 2004 that Epson had already done this:  http://gizmodo.com/026090/epsons-electronic-ink-%252B-rfid--21st-century-price-tags
Read more