Sunday, 14 October 2012

A secure home gateway on the Raspberry Pi in four parts. Part one, Dynamic DNS

tldr; Here's what I set up: dynamic DNS pointing to my home IP; ports 443 and 80 forwarded to nginx on the Raspberry Pi; free SSL certificates registered for my own domain; basic_auth and proxy_pass to the router and the torrent box.

I have some very nifty devices lying around in my home:
  • A couple of computers
  • A very smart router with the Tomato firmware
  • A Raspberry Pi model B (the only one you can get right now)
  • A Popcorn Hour A200
Besides that, I have full control over a domain name (waleson.com.).

The number of cool things you can do with this is enormous. However, until yesterday morning, these devices were running with most of their default settings (BOOOORING). Here's how I made it awesome in one evening.

Part one, dynamic DNS.

Objective: You want to access your home router from over the internet using a domain name. 

The first thing you'll need is an IP address. Well, your ISP gives you one. You can either remember this IP, or set up a DNS record to point a domain to it. We'll use DNS because we're humans. Remembering IPs is for strange people.

The problem is that the IP changes every now and then. Each time your modem reboots, you might find that your ISP has assigned you a new IP. Each time that happens you'll have to change the domain info again, which is tedious. The solution here is Dynamic DNS. Basically, it's like one of those terrible friends who lost a phone and sends you a message: "Hey Jouke, I'm xxxxxx and this is my new phone number because I lost my old one." The router says: "Hey DNS Server, my token is xxxxx and this is my new IP now, because I lost my old one". (As you can see, the DNS service is slightly more reliable than your friend, because it at least uses a random token instead of a name which is common knowledge. For security over 9000, you could consider giving all your friends a new password that they'll have to use in communication towards you.)

FreeDNS

In your router you can see something like this:

A screen where you can tell your router which dynamic DNS service to contact. I chose freedns.afraid.org because it seemed cool. I registered a free subdomain (jt.nl.am) and set it as an A record to my current IP address.

Where is the token I was supposed to use? It's somewhat hidden on the Dynamic DNS page.

If you copy the Direct URL link and paste it into your router settings as in the Tomato screenshot a little further up, you should keep only the part after the question mark: that part is the token.

Sidetrack: The token looks like a base64 encoded string, let's see what it entails:

jt@augustine:~$ python
Python 2.7.3 (default, Aug  1 2012, 05:14:39)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> base64.b64decode("THE-FREE-DNS-TOKEN")
'XXX:YYY'

I obfuscated everything in capitals, but this is the kind of thing you'll get: a user id XXX and a password YYY, separated by a colon. Nice. (Note that base64 is an encoding, not encryption: anyone who sees the token can decode it just like this.)

Sorry for that sidetrack, I could not resist. Well, now we have an ugly domain name that will always point to our current IP. Great! But I already spent money on a nice domain...

The solution is simple. Create a new subdomain using your domain manager, whichever one you have. Mine is offered by iXLHosting.nl. Let that subdomain be a CNAME record pointing to your ugly domain name.

Nifty. Now home.waleson.com always points to my home router! Normally the router will not respond on port 80. If you open up the web interface to the external network, you can now access it from the outside. I wouldn't do that however, because the traffic is not encrypted and your basic auth credentials (only base64-encoded, just like the token above) are sent in every request. Anyone listening in on your connection can then access your router as well.

Nevertheless, objective one accomplished:

jt@augustine:~$ dig -t A home.waleson.com

; <<>> DiG 9.8.1-P1 <<>> -t A home.waleson.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32749
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;home.waleson.com. IN A

;; ANSWER SECTION:
home.waleson.com. 14400 IN CNAME jt.nl.am.
jt.nl.am. 3600 IN A 83.87.81.43

;; AUTHORITY SECTION:
nl.am. 3600 IN NS ns1.afraid.org.
nl.am. 3600 IN NS ns2.afraid.org.
nl.am. 3600 IN NS ns3.afraid.org.
nl.am. 3600 IN NS ns4.afraid.org.

;; Query time: 277 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 14 09:15:35 2012
;; MSG SIZE rcvd: 154
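
To check the CNAME-to-DDNS chain without reading dig output by eye, here is a small added example (my own code for this post, not part of any tool mentioned above). It parses the ANSWER SECTION of a dig reply, follows the CNAME from the nice domain to the ugly one, returns the final A record together with its TTL (the longest a resolver may keep serving the old IP after an update), and decides whether a DDNS update is due. The sample input is the dig answer from above, embedded as a constructed string.

```python
import re

# Constructed sample: the ANSWER and AUTHORITY sections of the dig output above.
DIG_OUTPUT = """\
;; ANSWER SECTION:
home.waleson.com. 14400 IN CNAME jt.nl.am.
jt.nl.am. 3600 IN A 83.87.81.43

;; AUTHORITY SECTION:
nl.am. 3600 IN NS ns1.afraid.org.
"""

# owner TTL IN type rdata (dig separates fields with tabs or spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")

def parse_answer_section(text):
    """Return {owner: (ttl, rtype, rdata)} for A/CNAME records in the ANSWER SECTION only."""
    records = {}
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):      # any other section header ends the answer section
            in_answer = False
        if not in_answer:
            continue
        m = RR_LINE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records[owner.lower()] = (int(ttl), rtype, rdata.lower())
    return records

def resolve_chain(records, name, max_hops=8):
    """Follow CNAMEs from name to the final A record; returns (ip, a_ttl, chain)."""
    cur = name.lower().rstrip(".") + "."
    chain = [cur]
    for _ in range(max_hops):
        if cur not in records:
            raise LookupError("no answer for " + cur)
        ttl, rtype, rdata = records[cur]
        if rtype == "A":
            return rdata, ttl, chain
        if rdata in chain:
            raise LookupError("CNAME loop at " + rdata)
        chain.append(rdata)
        cur = rdata
    raise LookupError("too many CNAME hops")

def needs_ddns_update(records, name, current_public_ip):
    """True when DNS still serves an IP other than the one the ISP currently gave us."""
    ip, _ttl, _chain = resolve_chain(records, name)
    return ip != current_public_ip
```

Feed it the real output of `dig -t A home.waleson.com` and your current external IP to see whether the router's DDNS client has done its job yet.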

Read on: part two - setting up nginx on the Raspberry Pi