2. Once downloaded, extract the image file from the .7z archive.
3. Download and open an image-writing tool; I use Etcher.io.
4. Flash the extracted image onto the SD card.
5. Eject or remove the SD card. Mac users can simply remove the SD card once the flash completes.
The following steps are for the Raspberry Pi Zero W, or for any Pi you intend to run headless over WiFi:
· Insert the SD card back into the computer.
· Open the file “dietpi.txt” in your favorite text editor; I like to use nano in the terminal.
· Then look for these lines:
##### Networking Options #####
# If both Ethernet and Wifi are enabled, Wifi will take priority and Ethernet will be disabled.
# 1=enabled
AUTO_SETUP_NET_ETHERNET_ENABLED=1
AUTO_SETUP_NET_WIFI_ENABLED=0
# Enter your Wifi details below, if applicable (Case Sensitive).
AUTO_SETUP_NET_WIFI_SSID=MySuperDooperWiFi
AUTO_SETUP_NET_WIFI_KEY=0123456789
# available | WPA-PSK / WPA-EAP / NONE | WEP=No longer supported
AUTO_SETUP_NET_WIFI_KEYMGR=WPA-PSK
· If you want WiFi enabled, replace the 0 in AUTO_SETUP_NET_WIFI_ENABLED with a 1, enter your SSID by replacing “MySuperDooperWiFi”, and enter your password by replacing 0123456789.
· Save and exit the file, then eject the SD card.
VPN installation:
Insert the SD card into the Pi and turn it on.
Let the initial automated setup complete.
Headless users will need to find the IP address of their Pi and SSH into it using username root and password dietpi.
Begin the strongSwan install with the following command:
· apt-get install strongswan && apt-get install libcharon-extra-plugins
Next, run these commands:
· apt-get install libstrongswan-standard-plugins && apt-get install iptables
· apt-get install python
We will use Python to run a web server to copy the certificate files over to a computer at the end of this tutorial.
Post Installation:
Using the terminal, open the file /etc/ipsec.conf, remove everything in it and paste the following (parameter lines must be indented; a line starting in the first column begins a new section):
config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    auto=start
    closeaction=restart
    keyexchange=ikev2
    ike=aes128-sha256-ecp256
    esp=aes128-sha256-ecp256
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=5s
    forceencaps=yes
    fragmentation=yes
    keyingtries=5
    rekey=yes
    left=%any
    leftfirewall=yes
    leftid=YOUR_PUB_IP_ADDRESS
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    leftsendcert=always
    mobike=yes
    right=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=10.0.0.101/24
    type=tunnel

conn IKEv2
    rightauth=pubkey
    eap_identity=%any
Replace YOUR_PUB_IP_ADDRESS on the leftid line with your external IPv4 address (you can look it up at Whatismyip.com).
Next, edit the file /etc/ipsec.secrets by pasting the following line at the bottom of the file:
: ECDSA vpnHostKey.pem
Next, edit /etc/sysctl.conf and uncomment (remove the # in front of) net.ipv4.ip_forward=1 to enable packet forwarding.
Save and exit, then run sysctl -p to apply the changes made to sysctl.conf.
Once that's done, edit /etc/rc.local and add the following at the bottom, before the exit 0 line. Save and exit when done.
# VPN NAT (the source range must match rightsourceip in /etc/ipsec.conf;
# use wlan0 instead of eth0 if the Pi reaches the Internet over WiFi)
iptables -t nat -A POSTROUTING -s 10.0.0.101/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.101/24 -o eth0 -j MASQUERADE
# ISAKMP (handling of security associations)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
# NAT-T (handling of IPsec between NAT-Ted devices)
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# ESP payload (the encrypted data packets)
iptables -A INPUT -p esp -j ACCEPT
# VPN MSS CLAMPING TO IPSEC/VIRTUAL IP's
iptables -t mangle -A FORWARD -o eth0 \
  -p tcp -m tcp --tcp-flags SYN,RST SYN \
  -m tcpmss --mss 1361:1536 \
  -j TCPMSS --set-mss 1360
echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc
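As an added check that is not part of the tutorial, the following POSIX sh script verifies that the files edited above agree with each other before strongSwan is restarted: the leftid placeholder has been replaced, the certificate and key named in ipsec.conf and ipsec.secrets exist under /etc/ipsec.d with the key not world-readable, the MASQUERADE rule in rc.local covers the rightsourceip pool, and net.ipv4.ip_forward=1 is set in sysctl.conf. The paths default to the ones this tutorial uses and can be overridden as arguments (that argument order, and the function names, are this example's own).

```sh
#!/bin/sh
# Added example, not part of the tutorial: a pre-flight check of the files edited
# above, to run before `ipsec restart`. Paths default to the ones this tutorial uses;
# all five may be overridden, e.g. to test against copies.
#   check_vpn_config [ipsec.conf] [ipsec.secrets] [rc.local] [ipsec.d] [sysctl.conf]
# Exit status 0 means every check passed; each failed check prints one FAIL line.

conf_value() {
    # Print the last value of "$1=value" in file $2. $1 is used as a sed regex.
    # Spaces around '=' and a trailing "# comment" are tolerated, as the
    # ipsec.conf parser tolerates them.
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

check_vpn_config() {
    conf="${1:-/etc/ipsec.conf}"
    secrets="${2:-/etc/ipsec.secrets}"
    rclocal="${3:-/etc/rc.local}"
    ipsecd="${4:-/etc/ipsec.d}"
    sysctlconf="${5:-/etc/sysctl.conf}"
    fails=0

    # 1. leftid must have been replaced with a real address.
    leftid=$(conf_value leftid "$conf")
    case "$leftid" in
        ""|YOUR_PUB_IP_ADDRESS)
            echo "FAIL: leftid in $conf is still the placeholder"; fails=$((fails + 1)) ;;
    esac

    # 2. The host certificate named by leftcert must exist under ipsec.d/certs.
    leftcert=$(conf_value leftcert "$conf")
    if [ -z "$leftcert" ] || [ ! -f "$ipsecd/certs/$leftcert" ]; then
        echo "FAIL: leftcert '$leftcert' not found in $ipsecd/certs (run ecdsa_certs first)"
        fails=$((fails + 1))
    fi

    # 3. ipsec.secrets must point at an existing ECDSA key that is not world-readable.
    keyfile=$(sed -n 's/^[[:space:]]*:[[:space:]]*ECDSA[[:space:]]*//p' "$secrets" |
        sed 's/[[:space:]]*$//' | tail -n 1)
    keypath="$ipsecd/private/$keyfile"
    if [ -z "$keyfile" ] || [ ! -f "$keypath" ]; then
        echo "FAIL: no ECDSA key from $secrets found at $keypath"; fails=$((fails + 1))
    elif [ -n "$(find "$keypath" -perm -004)" ]; then
        echo "FAIL: $keypath is world-readable (chmod 600 it)"; fails=$((fails + 1))
    fi

    # 4. IKEv2 only, and the NAT rule in rc.local must cover the rightsourceip pool.
    [ "$(conf_value keyexchange "$conf")" = "ikev2" ] \
        || { echo "FAIL: keyexchange is not ikev2"; fails=$((fails + 1)); }
    pool=$(conf_value rightsourceip "$conf")
    grep -q -e "-s $pool .*-j MASQUERADE" "$rclocal" 2>/dev/null \
        || { echo "FAIL: no MASQUERADE rule for $pool in $rclocal"; fails=$((fails + 1)); }

    # 5. Forwarding must be enabled, or clients connect but cannot reach anything.
    [ "$(conf_value 'net\.ipv4\.ip_forward' "$sysctlconf")" = "1" ] \
        || { echo "FAIL: net.ipv4.ip_forward=1 is not set in $sysctlconf"; fails=$((fails + 1)); }

    [ "$fails" -eq 0 ] && echo "OK: $conf, $secrets, $rclocal and $sysctlconf are consistent"
    [ "$fails" -eq 0 ]
}

# Run the check directly when this file is executed as a script (save it as check_vpn_config.sh).
case "$0" in *check_vpn_config.sh) check_vpn_config "$@" ;; esac
```

Run it as root on the Pi after the rc.local step and before the certificate step; the leftcert and key checks will fail until ecdsa_certs has been run, which is the expected order of this tutorial.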
Once that's done, change directory to /etc/ipsec.d/. From there, create the file ecdsa_certs and make it executable (chmod +x ecdsa_certs). Then edit the new file and paste the following into it:
#!/bin/sh
# Discover the Pi's public IP; it becomes the CN and SAN of the host certificate
# and must match the leftid line in /etc/ipsec.conf.
pubIP=$(curl -s http://ipecho.net/plain)
clear
echo "strongSwan Certificate Creation"
echo ""
echo "Please make a note of your public IP address: $pubIP"
echo "You'll need it later on in the iPCU/Apple Configurator setup process."
echo ""
echo "Creating Certificate Authority...."
# All paths are relative to /etc/ipsec.d, where this script is run from.
ipsec pki --gen --type ecdsa --size 384 \
  --outform pem \
  > private/strongswanKey.pem
chmod 600 private/strongswanKey.pem
ipsec pki --self --ca --lifetime 3650 \
  --in private/strongswanKey.pem --type ecdsa \
  --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
  --outform pem \
  > cacerts/strongswanCert.pem
echo ""
echo "Creating VPN Host Certificate...."
ipsec pki --gen --type ecdsa --size 256 \
  --outform pem \
  > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem
ipsec pki --pub --in private/vpnHostKey.pem --type ecdsa | \
  ipsec pki --issue --lifetime 730 \
  --cacert cacerts/strongswanCert.pem \
  --cakey private/strongswanKey.pem \
  --dn "C=CH, O=strongSwan, CN=$pubIP" \
  --san "$pubIP" \
  --flag serverAuth --flag ikeIntermediate \
  --outform pem > certs/vpnHostCert.pem
echo ""
echo "Creating Client Certificate...."
ipsec pki --gen --type ecdsa --size 256 \
  --outform pem \
  > private/ClientKey.pem
chmod 600 private/ClientKey.pem
ipsec pki --pub --in private/ClientKey.pem --type ecdsa | \
  ipsec pki --issue --lifetime 730 \
  --cacert cacerts/strongswanCert.pem \
  --cakey private/strongswanKey.pem \
  --dn "C=CH, O=strongSwan, CN=Client Key" \
  --san Client_Key \
  --outform pem > certs/ClientCert.pem
echo ""
echo "Exporting Client Certificate as PKCS#12 File...."
echo ""
# openssl prompts for an export password here; you will need it when importing Client.p12 on the client.
openssl pkcs12 -export -inkey private/ClientKey.pem \
  -in certs/ClientCert.pem -name "Client's VPN Certificate" \
  -certfile cacerts/strongswanCert.pem \
  -caname "strongSwan Root CA" \
  -out Client.p12
echo ""
echo "Certificate and .p12 file created!"
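The script above reads the public IP with a bare curl and uses the answer unchecked as the host certificate's CN and SAN. As an added example that is not part of the tutorial's script, these POSIX sh helpers validate the answer first, so a failed lookup (no network yet, or an HTML error page from the service) aborts before any certificate is written instead of issuing a host certificate with an empty or garbage subject that no client will match against leftid. The function names and the optional override argument are this example's own.

```sh
#!/bin/sh
# Added example, not part of the tutorial's ecdsa_certs script: a guarded
# replacement for its `pubIP=$(curl http://ipecho.net/plain)` line.

valid_ipv4() {
    # True only for a dotted quad whose four octets are all in 0..255.
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # junk characters or an empty octet
    esac
    old_ifs="$IFS"; IFS='.'; set -- $1; IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

fetch_pub_ip() {
    # $1 (optional, this example's own convention) overrides discovery, e.g. when
    # the address is already known or the Pi has no outbound access yet. Otherwise
    # query the same service the tutorial uses, but silently, failing on HTTP
    # errors, and with a timeout so the script cannot hang.
    ip="$1"
    if [ -z "$ip" ]; then
        ip=$(curl -sf --max-time 10 http://ipecho.net/plain) || ip=""
    fi
    if valid_ipv4 "$ip"; then
        printf '%s\n' "$ip"
        return 0
    fi
    echo "ERROR: no valid public IPv4 address (got '$ip'); pass it as an argument" >&2
    return 1
}

# In ecdsa_certs, replace the curl line with the line below so a failed lookup
# aborts before any key or certificate is written:
#   pubIP=$(fetch_pub_ip "$1") || exit 1
```

With that change the script can also be run as ./ecdsa_certs 203.0.113.5 (a constructed address) to pin the value explicitly, which is the only case where the Pi's own view of its address and the one on the leftid line are guaranteed to agree.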
Next, run the script with ./ecdsa_certs. Once the keys and certificates have been created, transfer Client.p12, cacerts/strongswanCert.pem and private/strongswanKey.pem onto a flash drive. Make a note of the password you assigned to the .p12 file and of the public IP address, as you will need both when creating the client profiles.
Finally, open UDP ports 500 and 4500 so that clients can reach the VPN.