I have been playing around with multiple projects on a Raspberry Pi and got tired of answering the install questions over and over again. I'm going to assume you know how to do a default install of Raspbian using the installer.

Step 1:

Modify the cmdline.txt file on the SD card after extracting the installer. You are going to want to append the following after "rootfstype=ext4 rootwait". You will also want to replace "[IP HERE]" with the IP address of your tftpd server. Note: This is all one line.

debian-installer/locale=en_US keyboard-configuration/xkb-keymap=us netcfg/dhcp_timeout=60 netcfg/get_hostname=raspbian netcfg/get_domain=unassigned-domain preseed/url=tftp://[IP HERE]/preseed.cfg

Step 2:

Creating a preseed.cfg file. I used the following, your mileage may vary. Note: Watch for word wrapping.

############################################
# DESCRIPTION OF OPTIONS USED IN THIS FILE #
############################################
# Bypass prompt
d-i mirror/country string manual
#
# Set Raspbian mirror
d-i mirror/http/hostname string mirrordirector.raspbian.org
#
# Set Raspbian mirror directory
d-i mirror/http/directory string /raspbian/
#
# No http proxy specified; If you need one, enter it after the "string"
d-i mirror/http/proxy string
#
# Continue the install without loading kernel modules?
d-i anna/no_kernel_modules boolean true
#
# Set root password as "toor"
d-i passwd/root-password password toor
d-i passwd/root-password-again password toor
#
# Bypass normal user account creation; Set to "true" or comment out if you want to create a user
d-i passwd/make-user boolean false
#
# Select your time zone:
d-i time/zone string US/Eastern
#
# Bypass prompt
d-i partman/choose_partition select finish
#
# Write the changes to disk?
d-i partman/confirm boolean true
#
# Continue without installing a kernel?
bootstrap-base base-installer/kernel/skip-install boolean true
#
# Install displays a warning because the security package is not associated with Raspbian.
# Passing the installer an empty string on where to find this repository bypasses the error.
d-i apt-setup/security_host string
#
# Participate in the package usage survey?
d-i popularity-contest/participate boolean false
#
# Choose software to install: SSH server, Standard system utilities
d-i tasksel/first multiselect SSH server, Standard system utilities
#
# Continue without boot loader
d-i nobootloader/confirmation_common boolean true
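
The preseed file above carries the root password in cleartext and is fetched over TFTP, which is unauthenticated and unencrypted. As an added example (not part of the original post), these shell functions list the cleartext secrets in a preseed file and swap the root password lines for a crypt(3) hash; it assumes the Raspbian installer honours `passwd/root-password-crypted` the way stock debian-installer does, and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: audit and harden the password lines of a preseed file.

# cleartext_keys FILE
# Print every preseed key of type "password" whose name does not end in
# "-crypted", i.e. every secret stored in the clear.
cleartext_keys() {
    awk '$1 !~ /^#/ && $3 == "password" && $2 !~ /-crypted$/ { print $2 }' "$1"
}

# harden_preseed FILE HASH
# Write FILE to stdout with the two cleartext root password lines replaced
# by a single passwd/root-password-crypted line carrying HASH.
harden_preseed() {
    awk -v h="$2" '
        $1 !~ /^#/ && $2 == "passwd/root-password" {
            print "d-i passwd/root-password-crypted password " h
            next
        }
        $1 !~ /^#/ && $2 == "passwd/root-password-again" { next }
        { print }
    ' "$1"
}

# Usage (the hash is produced on a trusted machine, prompting for the password):
#   hash=$(openssl passwd -6)        # or: mkpasswd -m sha-512
#   harden_preseed preseed.cfg "$hash" > preseed.hardened.cfg
#   cleartext_keys preseed.hardened.cfg   # should print nothing
```

The hash still travels in the clear, so it protects only as well as the password behind it resists offline guessing; change the root password after the first boot.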

Step 3:

Boot from SD card and go get some coffee.

Final Thoughts

Since I was using Windows at the time of this setup I used TFTPD as my server, but I’m sure any ole TFTPD or HTTP URL will work.

If you have not heard the news, Google screwed up their iPhone app. If you were unlucky (like I was) and updated to the latest version it wiped all of your accounts. I didn't get hit too hard, I only lost access to two WordPress blogs. Below is how I quickly fixed it.

Step 1:

Login and/or SSH into your host (This will be different depending on your hosting provider) and gain access to your database.

Step 2:

Get a list of all active plugins.

SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';

You are going to want to save this value (makes things easier later).

Step 3:

Clear the active plugins.

UPDATE wp_options SET option_value = '' WHERE option_name = 'active_plugins';

Step 4:

You may now log into your WordPress blog without Google Authentication. Now you have two options here. Go back and use the WordPress GUI to re-enable your plugins OR if you saved the value from step 2 above you can do the next step.

Step 5:

Quickly re-enable your plugins.

UPDATE wp_options SET option_value = '[YOUR STRING HERE]' WHERE option_name = 'active_plugins';
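
Step 3 clears every plugin, which also switches off any other security plugins until step 5. As an added example (not part of the original post), this shell function rebuilds the PHP-serialized value saved in step 2 without one plugin, so the result can be written back with the step 5 query; the plugin path in the usage comment is an assumed value, so check it against your own saved string.

```shell
#!/bin/sh
# Added example: remove a single entry from WordPress's active_plugins value.
# The value is a PHP-serialized array such as
#   a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";}
# Assumes plugin paths are ASCII and contain no double quotes.

# drop_plugin SERIALIZED PLUGIN_PATH
# Print SERIALIZED with PLUGIN_PATH removed, the element count corrected
# and the array indexes renumbered from 0.
drop_plugin() {
    printf '%s\n' "$1" |
    grep -o 's:[0-9]*:"[^"]*";' |
    awk -v drop="$2" '
        BEGIN { n = 0 }
        {
            # Reduce s:LEN:"PATH"; to PATH
            path = $0
            sub(/^s:[0-9]+:"/, "", path)
            sub(/";$/, "", path)
            if (path != drop) keep[n++] = path
        }
        END {
            out = "a:" n ":{"
            for (i = 0; i < n; i++)
                out = out "i:" i ";s:" length(keep[i]) ":\"" keep[i] "\";"
            print out "}"
        }'
}

# Usage (plugin path is an assumption):
#   drop_plugin "$saved_value" 'google-authenticator/google-authenticator.php'
```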

This is the perfect item for your redteamer (or toy) bag. All the little gadgets that normally just flop around on the bottom of my bag are now neatly in one place, and I can find them in a hurry.

In the picture I have the following items:

  • 1GB USB key (with drivers)
  • kit for making an under-the-door lever opener
  • micro 4x microscope with light
  • extra NIC (ya never know)
  • some gaffer's tape
  • nice non-magnetic pick
  • USB borescope
  • ID lanyard
  • random ID cards

I’m sure I'll find some other gadgets in my bag to add to it, but this will have to do for now.

This is the story of how I got my Raspberry Pi to be my OpenVPN Server. I am using Raspbian as my Pi OS.

Step 1:

Check to make sure you are completely updated.

su root
apt-get update
apt-get -y dist-upgrade
apt-get clean

Step 2:

Install the needed software.

apt-get -y install openvpn openssl
apt-get clean

Step 3:

Setup your easy-rsa environment.

cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
vim easy-rsa/vars

after export EASY_RSA="`pwd`"
add
export EASY_RSA="/etc/openvpn/easy-rsa"
find KEY_SIZE and change it from 1024 to 2048

press escape
Save and close (:wq)

cd easy-rsa
source vars
./clean-all
./pkitool --initca
ln -s openssl-1.0.0.cnf openssl.cnf

Step 4:

Now we generate some encryption keys.

./build-ca OpenVPN
./build-key-server server
./build-key client-wik

Step 5:

Generate DH Parameters, 2048 bit key. Warning: this step takes quite a bit of time.

./build-dh

Step 6:

Creating the server configuration file.

cd /etc/openvpn
vim openvpn.conf

proto udp
dev tun
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
#uncomment below if you want vpn-users to see each other
#client-to-client
push "redirect-gateway def1"
#setup dns servers for google
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#setup dns servers for internal dns server
push "dhcp-option DNS 10.8.0.1"
log-append /var/log/openvpn
comp-lzo

press escape
Save and close (:wq)

Step 7:

Enable internet-forwarding for the VPN Clients. Warning: Replace eth0 with the correct network device as needed.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
vim /etc/sysctl.conf

remove the leading # from net.ipv4.ip_forward=1

Press escape
Save and close (:wq)

crontab -e
@reboot iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Press Ctrl+X and then Y to save

Step 8:

Creating the client's ovpn file.

cd /etc/openvpn/easy-rsa/keys
vim client-wik.ovpn

setenv FORWARD_COMPATIBLE 1
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
client
proto udp
remote SERVER IP HERE 1194
resolv-retry infinite
server-poll-timeout 4
nobind
persist-key
persist-tun
#LZO commands are pushed by the server at connection time
#the line below doesn't disable LZO
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

<ca>
YOUR CA CERT HERE
</ca>

<cert>
YOUR USER CERT HERE
</cert>

<key>
YOUR USER KEY HERE
</key>

key-direction 1

Press escape
Save and close (:wq)
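
Pasting the CA, certificate and key into the profile by hand is where step 8 usually goes wrong. As an added example (not part of the original post), this shell function assembles the profile from the easy-rsa 2.0 keys directory and inlines only the PEM blocks; the directives are a subset of the ones listed above, and the server name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: build a client .ovpn with ca/cert/key inlined.
# Assumes easy-rsa 2.0 file names: ca.crt, <client>.crt, <client>.key.

# Print only the PEM block of a file. easy-rsa 2.0 .crt files begin with a
# human-readable text dump that does not belong inside <cert>.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn KEYS_DIR CLIENT_NAME SERVER_ADDRESS
# Write the finished profile to stdout; fail if any input file is missing.
build_ovpn() {
    keys=$1
    name=$2
    server=$3
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo no
verb 3
EOF
    printf '<ca>\n';   pem_block "$keys/ca.crt";    printf '</ca>\n'
    printf '<cert>\n'; pem_block "$keys/$name.crt"; printf '</cert>\n'
    printf '<key>\n';  pem_block "$keys/$name.key"; printf '</key>\n'
}

# Usage (umask keeps the file, which contains the private key, owner-only):
#   ( umask 077
#     build_ovpn /etc/openvpn/easy-rsa/keys client-wik vpn.example.org \
#       > client-wik.ovpn )
```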

Finally.

Start openvpn with /etc/init.d/openvpn start

Time for testing. Copy your client-wik.ovpn file to an external device (I used an iPhone for testing with the openvpn app). All worked as planned, I was connected, and had the correct external IP address.

UFW Notes

Just some friendly notes, as UFW likes to manage things for you.

ufw allow 1194

vim /etc/default/ufw

set DEFAULT_FORWARD_POLICY="ACCEPT"
save and close

vim /etc/ufw/before.rules
after the first comment add the following:

# nat table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
save and close

ufw disable
ufw enable

From left to right: Mubix, WiK

Thursday

I spent most of my time Thursday over at BSidesLV. I did take some time off to sneak over to the Blackhat Expo. I didn't have a pass, but it doesn't take much to sneak into that event and grab some swag. That night I saw Zumanity, it was ok, but overall for a "vegas" show it was a bit disappointing.

Friday

Spent most of my morning in the wireless village as staff, and then checking out the vendor area and everything that was going on.

Saturday

My day consisted of a few talks, staffing the wireless village. I spent most of the night bouncing all over the events going on at DEFCON, so much to see and do! I had to go to bed a bit sooner than one normally does at DEFCON, as I was speaking early the next morning.

Sunday

Sunday is always a bit weird for me. I'm ready to be out of Vegas and home, yet sad everything is quickly coming to an end. I saw the PIN UP show over at the Stratosphere which was the biggest waste of money I ever found. It was neither pinup, and the headlining star didn't do much but stand still and "giggle" every 10 mins or so. I now know what you do with a playboy playmate if they can't sing, dance, or act.