Raspberry-Pi VPN – Introduction
In this post, I’m going to cover how to build your own VPN server, using a Raspberry-Pi.
Making your own Raspberry-Pi VPN is relatively simple by following this tutorial. As great as the tutorial is, it's missing several security configurations, which I shall discuss below:
1. Change ‘nopasswd’ config file to require a password
Straight out of the box, the default 'pi' user can gain root privileges with sudo (for example 'sudo su') without entering any password, because a NOPASSWD rule is installed under /etc/sudoers.d. Change that rule so sudo asks for your password.
sudo visudo -f /etc/sudoers.d/<nopasswd filename>
(visudo rather than a plain editor: it checks the syntax before saving, and a syntax error in any sudoers file locks you out of sudo entirely.)
Now that you're in the editor, remove the 'NOPASSWD:' tag from the rule, so the Raspbian default of 'pi ALL=(ALL) NOPASSWD: ALL' looks like this:
pi ALL=(ALL) ALL
Save your changes. From this point onwards, you have to enter your own user password to gain root privileges. Check the rest of /etc/sudoers.d as well; any other file there may carry a NOPASSWD rule of its own.
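The sudo change above, as an added example that is not part of the original post: a small POSIX shell script that audits a sudoers.d directory for NOPASSWD rules and rewrites them to require a password. It runs against a constructed copy of the directory so it can be rehearsed safely; the file names and rules in it are made up for the demonstration, and the directory path is whatever you pass in (the real one is /etc/sudoers.d).

```shell
#!/bin/sh
# Added example (not from the original post): audit a sudoers.d directory for
# NOPASSWD rules and rewrite them to require a password. It works on whatever
# directory you pass in, so it can be rehearsed on a constructed copy before
# being pointed at the real /etc/sudoers.d. Assumes POSIX sh, grep and sed;
# visudo is only used for validation when running as root with it installed.

# Print the files under $1 that still contain an active NOPASSWD: tag
# (comment lines are ignored). Exit status 0 if any were found.
audit_nopasswd() {
    grep -lE '^[^#]*NOPASSWD:' "$1"/* 2>/dev/null
}

# Remove the NOPASSWD: tag from every rule in file $1 so sudo prompts for the
# user's password, e.g. "pi ALL=(ALL) NOPASSWD: ALL" -> "pi ALL=(ALL) ALL".
require_password() {
    file="$1"
    # A temp name containing '.' is deliberately ignored by sudo if it is
    # ever left behind in /etc/sudoers.d (sudo skips names with '.' or '~').
    tmp="$file.tmp.$$"
    # Comment lines are left untouched; the tag may or may not be followed by
    # whitespace ("NOPASSWD: ALL" and "NOPASSWD:/usr/bin/rsync" both occur).
    sed -E '/^[[:space:]]*#/!s/NOPASSWD:[[:space:]]*//g' "$file" > "$tmp"
    chmod 440 "$tmp"
    # A syntax error in any sudoers file locks everyone out of sudo, so have
    # visudo parse the result before it is installed (visudo -c -f checks
    # the given file without touching the live configuration).
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -f "$tmp"; then
            rm -f "$tmp"
            echo "refusing to install $file: visudo rejected the result" >&2
            return 1
        fi
    fi
    mv "$tmp" "$file"
}

# Rehearsal on a constructed copy of a sudoers.d directory (not the real one).
STAGE="${STAGE:-$(mktemp -d)}"
printf '# constructed: Raspbian-style passwordless sudo for pi\npi ALL=(ALL) NOPASSWD: ALL\n' > "$STAGE/pi-nopasswd"
printf 'backup ALL=(root) NOPASSWD:/usr/bin/rsync\n' > "$STAGE/backup"

echo "files granting passwordless sudo:"
audit_nopasswd "$STAGE"
for f in $(audit_nopasswd "$STAGE"); do
    require_password "$f"
done
echo "after the rewrite:"
cat "$STAGE"/*
```

Run it as root with STAGE=/etc/sudoers.d only after the rehearsal output looks right; the audit function is also a handy one-liner to re-run after any package install that might drop a new file into that directory.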
2. Update your Raspberry-Pi
sudo apt-get update && sudo apt-get upgrade -y
(Both halves need sudo; with the second one missing, the upgrade step fails for lack of permissions after the update succeeds.)
3. Changing your default user passwords
I'm sure we can all agree that leaving the default passwords on any device is a terrible idea! Change the default passwords:
a. 'sudo su' - You will be prompted for your user password and dropped into a root shell.
b. 'passwd' - In that root shell this sets a new UNIX password for root. Note that Raspbian ships with the root account locked (no password at all); once you set one, root can log in directly, so keep it distinct from the 'pi' password and make sure SSH does not allow root to log in with it (PermitRootLogin no in /etc/ssh/sshd_config).
c. 'passwd pi' - This changes the password of your user 'pi'.
It's really important that you set a strong password and DO NOT reuse the same password between users! You can read more about this here:
4. Strengthening your SSH configuration
By default, SSH only requires a password from whoever connects, legitimate user or attacker, and a single password is vulnerable to brute-force or dictionary attacks. It's far better to implement key based authentication. With key based authentication (and password logins disabled, as below), even if a user's password is compromised, an attacker is still unable to access the service without the private key.
Generating a key pair on your host machine
ssh-keygen -t rsa -b 4096
Enter the file name you wish to give the key pair (sshpi)
Enter a passphrase for the private key (choose a strong one; it protects the key file if your host is ever compromised)
This produces two files: sshpi (the private key, which never leaves your host) and sshpi.pub (the public key, which goes onto the Raspberry-Pi). The tutorial's 2048-bit RSA key is still acceptable; 4096-bit RSA, or an ed25519 key from 'ssh-keygen -t ed25519', is the current recommendation.
More on key pairs here.
Place your sshpi.pub key in the 'authorized_keys' file in the '.ssh' folder of your Raspberry-Pi. Note the spelling: sshd reads ~/.ssh/authorized_keys and nothing else, so a file called 'authorised_keys' or 'authorised_hosts' is silently ignored.
Copy all of the text of sshpi.pub, starting from 'ssh-rsa' (or 'ssh-ed25519') to the very end, as one line, and append it to that file on the Raspberry-Pi:
echo "PASTE sshpi.pub KEY HERE" >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
The chmod step matters: with StrictModes (the default) sshd refuses to use an authorized_keys file that is group- or world-writable. If your host has ssh-copy-id, 'ssh-copy-id -i sshpi.pub <username>@<IP ADDRESS>' does all of this for you while password login is still enabled.
Now that you've added your public key, check that key login works BEFORE you disable passwords: from your host, 'ssh -i sshpi <username>@<IP ADDRESS>' should log you in without asking for the Pi account's password (it may ask for the key's passphrase). Keep that session open while you change the sshd config, so a mistake cannot lock you out.
sudo nano /etc/ssh/sshd_config
Find the line '#PasswordAuthentication yes', remove the hashtag and change it to:
PasswordAuthentication no
Also make sure 'ChallengeResponseAuthentication no' is set (otherwise keyboard-interactive login can still accept the password) and set 'PermitRootLogin no'. Then check the file parses and restart the service:
sudo sshd -t && sudo systemctl restart ssh
SSH is now set up for key based authentication only (OpenSSH calls this public key authentication; certificate authentication is a separate feature not covered here). Test it from a second terminal:
ssh -i sshpi <username>@<IP ADDRESS>
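The whole of step 4 (generate a key pair, install the public key, switch sshd to keys only), as an added example that is not part of the original post: POSIX shell functions that operate on files under a directory of your choosing, so the procedure can be rehearsed and checked before it is applied to /home/pi/.ssh and /etc/ssh/sshd_config on the Pi. The sample sshd_config, the placeholder key line used when ssh-keygen is absent, and the ROOT directory are constructed for the demonstration; the file names and keywords are OpenSSH's real ones.

```shell
#!/bin/sh
# Added example (not from the original post): the key-based SSH setup above
# as shell functions that operate on files under $ROOT (a temporary directory
# by default), so the steps can be rehearsed and checked before they are
# applied to /home/pi/.ssh and /etc/ssh/sshd_config on the Pi. Assumes POSIX
# sh and OpenSSH's real file names and keywords; ssh-keygen is optional (a
# constructed, non-functional key line is substituted when it is absent).

ROOT="${ROOT:-$(mktemp -d)}"

# 1. Generate a key pair on the host and print the public key line.
#    ed25519 is used instead of the post's 2048-bit RSA. -N '' (empty
#    passphrase) is only for this non-interactive rehearsal: a real key should
#    get a strong passphrase, as the post says.
generate_key() {   # $1 = path for the private key (public key goes to $1.pub)
    if command -v ssh-keygen >/dev/null 2>&1; then
        [ -f "$1" ] || ssh-keygen -q -t ed25519 -N '' -C 'sshpi-example' -f "$1"
        cat "$1.pub"
    else
        # Constructed placeholder with the right shape: type, base64 blob, comment.
        echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREALEXAMPLEKEYNOTREALEXAMPLE sshpi-example'
    fi
}

# 2. Install the public key on the Pi. With StrictModes (the default), sshd
#    silently ignores authorized_keys when ~/.ssh or the file is group- or
#    world-writable, so the permissions matter as much as the content.
install_pubkey() {   # $1 = the user's home directory, $2 = public key line
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # -x -F: exact whole-line match, so re-running never duplicates the key.
    grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# 3. Set one keyword in sshd_config. sshd uses the FIRST value it sees for a
#    keyword, so just appending "PasswordAuthentication no" does nothing if an
#    earlier active line says "yes" (and an appended line can land inside a
#    trailing Match block). Drop every existing line for the keyword, commented
#    or not, and put the new one at the top. Files pulled in by an Include
#    directive are not rewritten; check those separately.
sshd_set() {   # $1 = config file, $2 = keyword, $3 = value
    cfg="$1"; key="$2"; val="$3"
    tmp="$cfg.tmp.$$"
    {
        printf '%s %s\n' "$key" "$val"
        grep -viE "^[[:space:]]*#?[[:space:]]*$key"'([[:space:]]|$)' "$cfg" || true
    } > "$tmp"
    mv "$tmp" "$cfg"
}

# Print the value sshd will use for a keyword: first non-comment occurrence.
sshd_get() {   # $1 = keyword, $2 = config file
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# The settings step 4 is after, plus the two it leaves implicit.
harden_sshd_config() {   # $1 = config file
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PasswordAuthentication no
    # Without this, keyboard-interactive login can still accept the password.
    sshd_set "$1" ChallengeResponseAuthentication no
    sshd_set "$1" PermitRootLogin no
}

# Rehearsal on constructed files (not the Pi's real ones).
PUBKEY="$(generate_key "$ROOT/sshpi")"
install_pubkey "$ROOT/home/pi" "$PUBKEY"

CFG="$ROOT/sshd_config"
# Constructed sshd_config: the stock commented defaults plus one active weak
# setting, to exercise the replace-rather-than-append logic.
cat > "$CFG" <<'EOF'
#PasswordAuthentication yes
# ChallengeResponseAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
harden_sshd_config "$CFG"
echo "PasswordAuthentication -> $(sshd_get PasswordAuthentication "$CFG")"
echo "PermitRootLogin        -> $(sshd_get PermitRootLogin "$CFG")"

# On the real Pi, after editing /etc/ssh/sshd_config the same way:
#   sudo sshd -t && sudo systemctl restart ssh
# and, from a SECOND terminal while the first session stays open:
#   ssh -i sshpi -o PasswordAuthentication=no <username>@<IP ADDRESS>
```

The sshd_get function is the check worth keeping around: it reports the value sshd will actually use, which is the first match in the file, so a stray "PasswordAuthentication yes" above your edit shows up immediately instead of after the next brute-force attempt.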
Placeholder – More to follow…